Silent, easily made Android rootkit shown at Black Hat
updated 06:45 pm EDT, Fri July 30, 2010
Security experts make silent Android malware
SpiderLabs showed a rootkit at the Black Hat conference today that could compromise an Android phone without its owner's knowledge. The exploit, handed out on DVD at the hacking and security meetup, would let the wielder get complete control and personal data from an Android phone without triggering alerts. Team lead Nicholas Percoco said the app took just two weeks to build and would affect even modern Android 2.1 devices such as the HTC Desire and Legend.
The attack was made in an example of "ethical hacking" and was designed to pressure Google into closing the hole that made the root possible. Percoco didn't provide details of how the code worked, but he was expected to provide more details on Saturday. Rooting is increasingly common in Android as a whole as it gives more control over what apps and features can run.
Google hadn't commented on SpiderLabs' discovery as of Friday evening.
The hacking tool's creation comes just on the heels of concerns about Android Market apps also obtaining private data without the user's consent. As a platform, Android has been complimented for its freedom of choice but has also raised security issues as apps often have more control over core functions than they do on iOS or webOS. Google has been given similar mixed treatment for its app approval policies, as it intervenes significantly less in the submission process than Apple but has also been accused of letting a larger number of questionable apps reach the public.
Except for most AT&T devices, Android also has an option of allowing non-Market apps to install that could pose more of a risk, but the feature is turned off by default and warns users of the possible dangers. Similar permission isn't an option on the iPhone and requires a jailbreak.
Fresh-Faced Recruit
Joined: Aug 2001
Double Standard
Picture, for a moment, the headlines on even non-tech news sites tomorrow morning if this rootkit had been for iOS. I would bet money it'd be up there on CNN.com, et al. I would also bet money this won't see any play outside tech sites, and considerably less interest at those.
I don't have anything against Android, and I actually don't think this speaks too much to the security or insecurity of either platform (apart from the fact that iOS, by its more closed nature, is harder to get something to the user on). Just saying that it's a major double standard when it comes to how issues are reported, inside and outside the tech media.
And "It's because Apple is the biggest" isn't much of an excuse, given that if you only count phones Android devices are outselling iPhones, no matter how you look at it iPhones do not constitute a majority of in-use smartphone-class devices (there are a lot of Blackberries and old WinCE things floating around), and if you count phones overall Apple has something like a 3% share. Apple is not a monopoly, isn't even much of a majority unless you're very selective about what you count, and currently there are no signs that Apple will become either.