Researchers at NC State University have found a weakness in the Android framework (meaning the Android GUI and services, not the underlying Linux kernel) which has allowed them to create a proof-of-concept prototype rootkit that can alter which apps are launched when an icon is tapped. The result is that malware could easily install fake apps which look and feel the same as normal apps but which steal information off the phone.
The example given by Xuxian Jiang, who led the research team, shows how malware could hide the smartphone’s built-in browser and replace it with a browser that looks and acts the same but steals banking information and login credentials as the phone's owner uses the web. Malware writers can include the rootkit in an app of their choosing and then sneak it into the various apps stores or use social engineering to get Android users to download it. Once on the phone, the rootkit opens up a whole range of possibilities for the malware writer to install fake apps and hide the original ones. Because the vulnerability is with the Android launcher and not the kernel, the phone doesn't need to be rooted for this to work. In the demo video Xuxian uses an unaltered Galaxy Nexus S.
According to Xuxian, “This would be a more sophisticated type of attack than we’ve seen before, specifically tailored to smartphone platforms.” He also mentioned that the rootkit was not that difficult to develop, and worse still that no existing mobile security software is able to detect it.
To make matters worse, this vulnerability is in Android 4.0.4 which is the latest publicly available version of Android. Once Android 4.1 Jelly Bean is released you can be sure that the NC State team will test that as well. It isn't clear if the weakness can also be found in Android 2.x and 3.x. But even if it isn't present in those versions, the increasing use of Android 4.0.4 and the sales of phones like the Samsung Galaxy S III mean that a growing number of Android devices are susceptible.
The other bit of bad news is that once Google fixes this error, it could take a long time to filter through to users. Android 4.0.4 hasn't been released as open source and since Google will now be forced to issue Android 4.0.5, the question remains if it will release it as open source so that lesser manufacturers than Samsung and Asus can get their hands on it and close this hole in devices.
There is however some good news. First, the details of this vulnerability haven't been released publicly. The NC State University isn't interested in writing malware, in fact the research team wants to find problems in Android before the malware writers do. This also means that there are no known malware apps today which use this technique.
Secondly, now that the weakness has been discovered the various security companies like Lookout and Avast can include detection in their anti-malware apps. As Xuxian put it, “Now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”