Reputation: 41
Currently involved in a University project and could use any help from members regarding rootkits designed for Android.
I have little knowledge of Android malware, and the project so far has had us decompiling APKs to view the Java class files (if readable) and the AndroidManifest.xml file. I have also managed to root a phone in the uni lab using various adb commands and pushing files over to it.
What I would like to know is whether it's relatively easy to spot malicious rootkit code within a class file. Is there something I can look out for? Is it a case of getting su status, or does it involve adding users? I assume the next stage would be to contact a server so the developer has remote access.
Also, is there a system or service that can process an APK to spot whether it contains a rootkit (not just that it is malicious)?
reply:
Hi, sorry about the late reply. I tried responding immediately but wasn't allowed as I'm new, and then forgot!
Thanks for the info! I appreciate that I may sound naive, but I guess I have to be, seeing as I don't know anything about rootkits or the way they work.
You're right, they are not asking about third-party scanners; that was just my interest. So on that topic, are you saying there are scanners out there that specifically look for rootkits in a sample? Or is this detection all part of the overall AV service they offer? If specific to rootkits alone, then I would really like to know which ones, so I can research them.
Also, with regard to exploitation of a bug, I assume you mean a bug within the Android OS? Would this mean that when patch updates are pushed out from Google, the rootkit is unable to function?
Thanks
Upvotes: 0
Views: 2653
Reputation: 64419
A malicious rootkit tries its best to get certain access, secretly. So any generalisations you make about how it does its business will probably already have been worked around by any good rootkit.
"Getting su status" is hardly worthy of being called a 'rootkit'; that's just 'using root permissions' that you seem to have given the app. A rootkit would look for a way to actually get this without permission, by exploiting some sort of bug.
Systems or services that spot those things are commonly called virus and/or malware scanners. Yes, they exist.
Not to be negative, but this seems like a naive post about the subject, and probably not a good start for a project: I'd say using a third-party malware scanner is probably not what is asked?
You could, for instance, look for known exploit methods. One that for some reason comes to mind is the overflow, but that's just a random thing. Read up on rootkits, their methods, heuristics to find them, etc.
Upvotes: 1
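The answer above suggests string heuristics as a starting point and the question asks what to look for in decompiled class files, so here is an added example of such a triage pass (not code posted by either participant). It assumes the APK has already been decompiled to Java source (for example with jadx) and that each file's text is available as a string; the sample sources, the package name and the IP address (from the TEST-NET-3 documentation range) are constructed for the example. As the answer warns, anything that builds these strings at runtime or obfuscates them will not match, so treat hits as leads for manual review rather than a verdict.

```python
"""Heuristic triage of decompiled Android sources for root-abuse indicators.

Added example for the thread, not code from either participant. Assumes the
APK has been decompiled to Java and each file's text is available as a string.
All sample input below is constructed for the example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["path", "line_no", "rule", "snippet"])

# Rule name -> regex applied to one source line. Coarse string heuristics:
# code that assembles these strings at runtime or via reflection will not match.
RULES = {
    "su_binary_path": re.compile(r"/system/x?bin/su\b"),
    "exec_su": re.compile(r"exec\s*\(\s*\"su\""),
    "exec_shell": re.compile(r"exec\s*\(\s*\"(?:/system/bin/)?sh\""),
    "setuid_chmod": re.compile(r"chmod\s+[4-7][0-7]{3}\b"),       # setuid/setgid bits
    "remount_system_rw": re.compile(r"mount\s+-o\s+remount,\s*rw\s+/system"),
    "write_system_partition": re.compile(r"/system/(?:app|bin|xbin|lib)/[\w.]+"),
    "native_lib_load": re.compile(r"System\.loadLibrary\s*\("),   # native code, worth a look
    "outbound_socket": re.compile(
        r"new\s+(?:java\.net\.)?Socket\s*\(|HttpURLConnection|openConnection\s*\("
    ),
}

# Rules that imply the app is acting with, or trying to obtain, root.
PRIVILEGE_RULES = {
    "su_binary_path", "exec_su", "setuid_chmod",
    "remount_system_rw", "write_system_partition",
}


def scan_source(path, text):
    """Return every rule hit in one decompiled source file, with line numbers."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            if pattern.search(line):
                hits.append(Finding(path, line_no, rule, line.strip()))
    return hits


def triage(files):
    """files: {path: source_text}. Returns all findings plus a coarse verdict."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_source(path, files[path]))
    rules_hit = {f.rule for f in findings}
    privilege = bool(rules_hit & PRIVILEGE_RULES)
    network = "outbound_socket" in rules_hit
    if privilege and network:
        verdict = "review: root-level actions plus an outbound connection"
    elif privilege:
        verdict = "review: root-level actions"
    elif network:
        verdict = "network activity only"
    else:
        verdict = "no indicators"
    return {"findings": findings, "privilege": privilege,
            "network": network, "verdict": verdict}


# Constructed sample: one benign activity and one helper that runs commands
# through su, plants a setuid binary in /system and opens a socket.
SAMPLE_FILES = {
    "com/example/app/MainActivity.java": r'''
package com.example.app;
public class MainActivity extends Activity {
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        setContentView(R.layout.main);
    }
}
''',
    "com/example/app/Helper.java": r'''
package com.example.app;
public class Helper {
    static void setup() throws Exception {
        Process p = Runtime.getRuntime().exec("su");
        DataOutputStream os = new DataOutputStream(p.getOutputStream());
        os.writeBytes("mount -o remount,rw /system\n");
        os.writeBytes("cp /data/data/com.example.app/files/d /system/xbin/d\n");
        os.writeBytes("chmod 4755 /system/xbin/d\n");
        java.net.Socket s = new java.net.Socket("203.0.113.10", 4444);
    }
}
''',
}

if __name__ == "__main__":
    result = triage(SAMPLE_FILES)
    for f in result["findings"]:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
    print("verdict:", result["verdict"])
```

To use it on a real decompiled tree, build the `files` dict by reading every `.java` (or `.smali`, with the regexes adjusted for smali syntax) under the output directory. The verdict only combines two coarse signals, root-level actions and an outbound connection, which matches the "get root, then phone home" pattern the question describes; it says nothing about whether the app obtained root by exploiting a bug, which is the distinction the answer draws.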