Android clickjacking rootkit attack is more mischievous than malicious at the moment

There’s security news of a new clickjacking rootkit floating around; it attacks Android Ice Cream Sandwich (Android 4.0.4) as well as older Android platforms that could be exploited by clickjacking rootkits. Luckily this one is “a proof-of-concept prototype rootkit.”


What is clickjacking? It is a malicious technique that tricks users and is often used to take over computers, web cams, or snag confidential info that is revealed by users who thinks they are on an innocent webpage. In this case, it can attack Android and hijack apps. Ethical hacking techniques asked, “Will answering simple math quiz delete your Social Network account? If your answer is ‘No’, then check this news Linkedin Clickjacking Vulnerability and come back. Will visiting a website turn on your webcam? The answer is ‘Yes’.” In this case, it’s all about tricking Android users.

Xuxian Jiang heads up the research team at North Carolina State University that developed the proof-of-concept prototype rootkit and he said it “attacks the Android framework, rather than the underlying operating system kernel. The rootkit could be downloaded with an infected app and, once established, could manipulate the smartphone.” He called it a “more sophisticated type of attack” that is "specifically tailored to smartphone platforms." What’s more, there is "no existing mobile security software is able to detect it." That’s the bad news, but Jiang said the good news is “now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”

“We’ve developed an Android rootkit that, unlike other rootkits for the platform, can function without a restart and without deep modification of the underlying firmware,” the demonstrator stated in the video. “But it can still do all the things that a rootkit wants to do such as hide apps or redirect apps to an attacker's functionality. Much like a web clickjacking attack, the user thinks that they are giving permission to do something different than what the device is actually doing.”

The video shows how the rootkit can be used to hide the app icons for the calculator and Angry Birds even though the apps are still on the device. The rootkit manager was used to unhide the apps, but every app on the device could be hijacked if an attacker wished to do so. This rootkit has a delay in showing the hiding process which allows us to see the apps “winking” out.  In this demo, when the user attempts to run the browser, it instead runs the “secret” Angry Birds functionality. While that is not overly malicious, it could be used with a malicious rootkit exploit so that if a user clicks on what appears to be the browser icon, it could steal sensitive information like banking credentials or session keys. To sum it up, “this has the potential to cause some real mischief.”

The demo is shown on a non-rooted Android. It does not actually perform a privilege escalation, but is a “UI (user interface) readdressing attack,” Jiang explained in the comments to someone wanting the real dirt on what the rootkit was doing as opposed to the PR release. There are also “Likejackingattacks via Facebook and cursorjacking attacks, but this newest clickjacking attack is unique, according to Jiang. “The UI re-addressing is done by hijacking the launcher, which is completely different from earlier overlaying-based approaches,” Jiang replied to a comment asking how this was new or different from other tapjacking [PDF] or hijacking attacks on Android devices.

A clickjacking Flash exploit to take over a webcam camera and microphone made it into the 2011 “Big List” of Jeremiah Grossman’s top hacking techniques. Grossman tweeted that the clickjacking rootkit for Android was a “damn powerful and simple attack.” I mention him because Grossman has talked about and demonstrated clickjacking attacks in the past. In fact, “the term ‘clickjacking’ was coined by Jeremiah Grossman and Robert Hansen in 2008.

Jiang and his team continue to find and exploit Android and this was the 26th Android mobile security alert listed within the last year. In fact, North Carolina State University Department of Computer Science has announced the Android Malware Genome Project that focuses “on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families.” Why? Because Android is “especially popular” and “there is a pressing need” to develop effective defense solutions. In the past, Jiang said that “ads in mobile apps aren’t just annoying – they’re risky too.”

Copyright © 2012 IDG Communications, Inc.

Shop Tech Products at Amazon