Security boffins brew devilish Android rootkit

Computer scientists have identified a weakness in the Android mobile operating system that allows users to be tricked into silently installing hidden malware. A research team led by Xuxian Jiang at North Carolina State University discovered that they could redirect a fandroid's touchscreen taps - a technique known as …


This topic is closed for new posts.
  1. jake Silver badge

    These thingies are called "smart phones" ...

    ... why, exactly?

    They sure don't seem to increase the intelligence of the folks who flock to them. Sheeple, go figure ...

    1. Anonymous Coward

      Re: These thingies are called "smart phones" ...

      So if someone had been educated without computers, had a PhD in mathematics and had never used a smartphone, used one for the first time but ran a trojan then you would call them stupid?

      This is nothing to do with intelligence, this is all about trust levels and experience of the device you are using. The person who has never used a device before won't know what is a normal prompt and what is a dubious one. If anything, Android's differing GUI front ends makes this a little more likely as there isn't one uniform interface.

      1. Anonymous Coward

        Re: These thingies are called "smart phones" ...

        @AC - I think Jake's point is that a lot of people go for the shiny-shiny without thinking. They then run the risk of discovering the drawback of not having thought properly about security, and get stung one way or another.

        Whereas a smart guy might stop and think about it in the first place, realise that the shiny-shiny is just low grade unimaginative zero-intellect artificial pseudo-cool of the sort that anyone with a few hundred bucks can buy (how un-cool is that?), and choose something else with a better underlying pedigree.

        The trick that Samsung and Apple have pulled is to realise that they don't care how cool / uncool their customers actually are just so long as they can fluff their egos for long enough to actually go and buy one. MS are trying the same trick but are inherently uncool (after all there's very little about Steve Ballmer that anyone would find appealing). Whereas RIM are stubbornly sticking to what they do best (security, enterprise, messaging) with a thin veneer of shiny-shiny on top. Admirable, but currently not very profitable.

    2. Anonymous Coward

      Re: These thingies are called "smart phones" ...

      If only the same could be said for "Dumb" phones

  2. JaitcH

    Hey, Xuxian Jiang, Google's on the phone ...

    they want to know if you want a job?

    1. BHal

      Re: Hey, Xuxian Jiang, Google's on the phone ...

      If you refuse, we have other methods

  3. PM.
    Big Brother

    Was Mr Xuxian's research

    by chance sponsored by People's Liberation Army ?

    1. Anonymous Coward

      Re: Was Mr Xuxian's research

      Well if it was, I doubt they would broadcast it all over the bloody Internet.

      Chinese name != Commie terrorist (although Fox news would have you believe otherwise)

  4. amanfromMars 1 Silver badge
    Black Helicopters

    Fundamental Correction added ..... I Kid U Not?

    "Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these," he [Xuxian] added.

    Now can one begin to invisibly exploit the opportunity, Mr Xuxian.

    You know it makes perfect sense. Such is the nature of the beast that feeds the greedy follies of mankind. And IT is a Super MkUltraSensitive Weapon, is IT not, which does not allow fools and their tools at the helm or really active controls, or in the engine bay.

    Hence the spooky black helicopter icon, for it is bound to be bug of interest to the likes of a DARPA/IARPA/Station X

  5. Andrew Jones 2


    That looks pretty serious.

  6. Anonymous Coward

    ... which is why...

    It's a FAIL to use your smartphone to enter banking details, credit card numbers etc.

    Any data which could potentially be used to defraud you - whether via rootkit, or losing your phone (or having it nicked) - should *never* be there in the first place.

    Small transactions - sure, fine. Login to an App store, coupla quid, no information about your banking details should ever change hands in these transactions - unless you're signing up - which shouldn't be done on your phone :)

    Yes, I'm paranoid - it's *real* easy to lose a phone. It's also *real* easy for people to wijack you, unless you're aware.

    1. Anonymous Coward

      Re: ... which is why...

      If the manufacturers were doing a proper job there would be no greater risk in ebanking on a mobile than there is on a PC or a MAC.

      The fact that Android has no really effective defences against malware just illustrates how bad an OS it is. Google really made a mess of it. Taking Linux as a starting point should have led to a reasonably secure Android, but somehow all the goodness leaked away. What were they thinking?

      I take issue with your dismissal of the entire smartphone genre. For example the security model in Blackberries is well thought out and seemingly well respected. That's why it is/was the phone of choice for corporate users. With its enforced data separation, strict software signing, remote wiping, etc. one could argue that ebanking on a Blackberry is safer than it is on a PC or MAC. WinPhone and iOS have similar pretensions, and may or may not be as successful in this regard as RIM.

      1. Charlie Clark Silver badge
        Thumb Down

        Re: ... which is why...

        "there would be no greater risk in ebanking on a mobile than there is on a PC or a MAC."

        If that is supposed to reassure people using PCs and Macs for online banking then it shouldn't. They are just as vulnerable to clickjacking as this attack.

        100% safe isn't possible with online banking, but using hardware encryption like HBCI, which separates authentication entirely from the OS, is reasonable.

  7. Alex.Red

    Am I the only one?

    From a quick overlook of the Android API a year or two ago I remember that there was an API that allows you to read whatever is typed on a keyboard.

    I was looking into this thinking that sometime I might get time to write my own keyboard.

    Did the guy use the API? If so, it does not look like a hack to me...

    Another thought - Samsung in its *wisdom* decided that people in the US are speaking either American English or Spanish, hence my SGS II on Sprint does not have any other language installed, hence I am using the Go keyboard.

    As soon as I installed a 3rd party app with access to the keyboard - no banking for me.

  8. dssf

    It is rather annoying that Korean keyboards are not on USA-localized phones.

    This is a huge hallyu wave opportunity being wasted.

  9. Tezfair
    Thumb Up

    wow - a useful rootkit

    It got rid of angrybirds wayhay, where do I get it???

  10. Anonymous Coward


    used linux.

    This is what happens when lusers choose Micro$haft.



    1. Anonymous Coward

      Re: Shudda

      Right. Because of a bug in the Android Framework running on top of linux, you are now blaming linux. Makes about as much sense as blaming Microsoft for bugs in Adobe Flash.

      1. Anonymous Coward

        Re: Shudda

        Sense of humour failure from the Linux fanbois...

        Now I know that Linux is merely a kernel that when packaged up with a bunch of other stuff can become a fairly secure operating system with a lot of good features that is very commonly called 'Linux', but a large majority of the other 6 billion people on the planet don't. Given this unavoidable misattribution of the name one has to consider the damage slack outfits such as Google with their crummy frameworks do to the 'Linux' brand and what can be done about it. Regrettably the answer to that is nothing, unless Linus and chums decide to take the kernel code out of GPL and make it purely proprietary thus enabling them to prevent cowboy outfits such as Google using the damn thing in the first place in their poorly thought out attempts to profit from the hard work that has been put into the kernel source code by the splendid and highly skilled volunteers that are the kernel devs.

        Parsed that OK?

  11. sabroni Silver badge


    Who'd've thought a thread about a massive security problem on a popular smartphone OS would be so quiet? No Google fanboys willing to put their hands up in support of their favourite company?

  12. Mike Judge


    for Microsoft or Apple sponsored FUD..

    1. sabroni Silver badge

      Re: Yay

      Ah, there you are! What took you so long? Too busy running round with your fingers in your ears going "la la la, can't hear you!!!"?
