Researchers at NC State University have found a weakness in the Android framework (meaning the Android GUI and services, not the underlying Linux kernel) which has allowed them to create a proof-of-concept prototype rootkit that can alter which app is launched when an icon is tapped. The result is that malware could easily install fake apps which look and feel the same as normal apps but which steal information from the phone.

The example given by Xuxian Jiang, who led the research team, shows how malware could hide the smartphone’s built-in browser and replace it with a browser that looks and acts the same but steals banking information and login credentials as the phone’s owner uses the web. Malware writers can bundle the rootkit into an app of their choosing and then sneak it into the various app stores, or use social engineering to get Android users to download it. Once on the phone, the rootkit opens up a whole range of possibilities for the malware writer to install fake apps and hide the original ones. Because the vulnerability is in the Android launcher and not the kernel, the phone doesn’t need to be rooted for this to work. In the demo video Xuxian uses an unaltered Galaxy Nexus S.

The bad news

According to Xuxian, “This would be a more sophisticated type of attack than we’ve seen before, specifically tailored to smartphone platforms.” He also mentioned that the rootkit was not that difficult to develop and, worse still, that no existing mobile security software is able to detect it.

To make matters worse, this vulnerability is in Android 4.0.4, which is the latest publicly available version of Android. Once Android 4.1 Jelly Bean is released you can be sure that the NC State team will test that as well. It isn’t clear whether the weakness is also present in Android 2.x and 3.x, but even if it isn’t, the increasing use of Android 4.0.4 and the sales of phones like the Samsung Galaxy S III mean that a growing number of Android devices are susceptible.

The other bit of bad news is that once Google fixes this error, it could take a long time to filter through to users. Android 4.0.4 hasn’t been released as open source, and since Google will now be forced to issue Android 4.0.5, the question remains whether it will release that as open source so that manufacturers smaller than Samsung and Asus can get their hands on it and close this hole in their devices.

The good news

There is, however, some good news. First, the details of this vulnerability haven’t been released publicly. NC State University isn’t interested in writing malware; in fact, the research team wants to find problems in Android before the malware writers do. This also means that there are no known malware apps today which use this technique.

Secondly, now that the weakness has been discovered the various security companies like Lookout and Avast can include detection in their anti-malware apps. As Xuxian put it, “Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”

Gary Sims
Gary has been a tech writer for over a decade and specializes in open source systems. He has a Bachelor's degree in Business Information Systems. He has many years of experience in system design and development as well as system administration, system security and networking protocols. He also knows several programming languages, as he was previously a software engineer for 10 years.
  • GBGamer

    It’s not a Galaxy Nexus S. It is a Google Nexus S.

    • EddieT

      actually, if you want to be technical.. it is a Samsung Google Nexus S
      some press reports do call it a Galaxy Nexus.. however, it is not really in the same Samsung Galaxy family, since it is a virgin Google device

      • @EddieT, Thanks for the reply, as I mentioned in a reply to another comment there does seem to be some confusion over the naming. Google refer to it as the Galaxy Nexus on their website, but as you say it is made by Samsung who also use the word Galaxy for naming their other phones, so confusion all round.

        This search turns up quite a few Nexus phones actually!!!!

    • @GBGamer, See my reply above for clarification.

  • GBGamer

    Wow. How did this story filter through with all the bad writing? It’s not a “Galaxy Nexus S”, and 4.0.4 has DEFINITELY been released as source,

    • @GBGamer, “all the bad writing” – don’t you think that is a little harsh!

      First of all, there seems to be some confusion of the name, but if you go to you will see that Google refer to the Galaxy Nexus.

      With regards to the second point, yes you are right, my mistake. But as a wise man once said “let he who is without sin cast the first stone…”

      But I promise I will try harder in the future and stay after class for extra study!


      • GBGamer

        I am so sorry. I didn’t really mean any of that, I was just a bit annoyed at something else, and was taking it out on you.

        • @GBGamer,

          No problem. We all have days like that! I appreciate you taking the time to reply.

          All the best. Gary.

          • GBGamer

            Thank you for being so gracious. I usually filter these comments, but, again, I was annoyed (I don’t even remember at what!). Anyways, the thing is that the Nexus S is the second Nexus phone, and the Galaxy Nexus is the third. (The Nexus One is the first).

  • GP

    “Android 4.0.4 hasn’t been released as open source”

    I’m sorry, what? I’ve been building and modifying nonexistent code for MONTHS?!?

    It’s the other way around. Since the launcher (if that’s where the exploit is) is open source, we can have the bug fixed within hours. However, I’m not expecting every Android user to know how to install APKs, so we’ll probably wait two weeks until 4.1 is released.

    • @GP,

      Sorry about the 4.0.4 source code mistake. My bad. I promise to do better in the future.

      With regards to a fix, the problem is a little more complicated, first the details of the problem haven’t been made public yet and disclosing them now will endanger all Android 4 users. Assuming that the team tell Google and it gets fixed, again untimely disclosure will cause more harm than good.

      Also, just because it is fixed in the source code, that doesn’t mean that a new build will become available for devices any time soon. The carriers and the manufacturers have a very long and sordid history about updating the firmware on their devices.

      Finally, waiting for Jelly Bean won’t make any difference. Let’s say it is fixed in Jelly Bean. Great. But then will devices get it? Not for a long time; it took manufacturers 8 months to roll out ICS, so I wouldn’t hold your breath for a big Jelly Bean rollout any day soon.

  • GP

    Also, what is it with this:

    “There is however some good news. First, the details of this vulnerability haven’t been released publicly. […] This also means that there are no known malware apps today which use this technique.”

    Totally inaccurate! We simply do -not know- how many apps today may be using this technique. We also have no clue what the actual exploit is, so no means to prevent it (even if Android is open source, we need to know where the exploit is first to write a fix for it).

    • @GP,

      You are right and that is why I wrote “there are no KNOWN malware apps”. Of course this could be a zero day vulnerability which has been exploited previously but normally with zero day exploits researchers find the apps that exploit the vulnerability and then discover the vulnerability (by analysing the malware). I don’t think it happens often (if at all) the other way around.