Researchers at U.S.-based mobile security vendor NQ Mobile claim to have discovered the first rootkit designed to insert malicious apps into the install routines of legitimate software, giving that malware the same root privileges as utility apps.
DKFBootKit installs itself as part of the boot sequence of Android itself, replacing several utility programs with its own versions, which mimic the same functions but give the rootkit the ability to install what it wants, according to NQMobile's security research blog.
That allows it to load itself and malware payloads early enough in the boot cycle that neither Android nor third-party security apps are able to stop it or, often, even detect it.
Like DroidDream, previous record-holder for most-insidious Android malware, DKFBootKit operates in full stealth mode while installing itself, replacing system software and phoning home to a command-and-control server for orders on what to do next.
Unlike DroidDream, which begins its cycle as a Trojan Horse before going on to greater things, DKFBootKit doesn't rely on Android flaws that have already been patched in the 2.3 Gingerbread version of the OS.
Instead, the rootkit attaches itself to apps that require root access to function – primarily apps designed to either give users root access to their own phones, or to manage phones that have already been rooted. That lets it avoid the need to establish its own unlimited access by adopting privileges given surreptitiously by users to software designed to run off-piste.
to give users root access so they can manage and install their own apps rather than rely on those from carriers.
DKFBootKit was found most often infecting apps such as ROM Manager, ES File Manager, game unlockers and license keys for commercial apps – most often illegal versions of those files, downloaded from pirate-content sites.
DKFBootKit adds a background service to the apps it infects that launches when the infected app is installed, checking to be sure it has root access. If not, it terminates.
"Otherwise, it mounts the system partition as writable, copies itself into the /system/lib directory, replaces several commonly-used utility programs (e.g., ifconfig and mount), and alters related daemons (e.g., vold and debuggerd) and bootstrap-related scripts," according to NQMobile's analysis.
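The behaviour NQ Mobile describes leaves two artifacts a defender can look for: /system mounted read-write, and replaced copies of ifconfig, mount, vold and debuggerd. The following script is an added example, not NQ Mobile's or the article's own code; it assumes a /proc/mounts-style file and a baseline of SHA-256 hashes taken from a clean firmware image (paths and baseline format are assumptions).

```shell
#!/bin/sh
# Added example: defender-side checks modelled on the DKFBootKit behaviour
# described above. Not code from NQ Mobile or the article.
# Assumptions: a mounts file in /proc/mounts format, and a baseline file whose
# lines read "<sha256>  <absolute path>", generated from a known-clean image
# (never from the device under suspicion). Requires sha256sum (coreutils/toybox).

# is_system_rw MOUNTS_FILE
# Returns 0 if /system is listed with the "rw" mount option, 1 otherwise.
# DKFBootKit is reported to remount /system writable before copying itself in.
is_system_rw() {
    awk '$2 == "/system" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

# check_baseline BASELINE_FILE ROOT
# For every baseline entry, hashes ROOT/<path> (ROOT is "" on-device, or the
# directory the files were pulled into on a host) and prints one line per file
# that is MISSING or MODIFIED. Returns 0 if everything matched, 1 otherwise.
check_baseline() {
    baseline=$1; root=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue          # skip blank lines
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; bad=$((bad + 1)); continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=$((bad + 1))
        fi
    done < "$baseline"
    [ "$bad" -eq 0 ]
}

# Typical use after pulling /proc/mounts and the binaries named in the baseline
# (e.g. /system/bin/ifconfig, /system/bin/mount, /system/bin/vold,
# /system/bin/debuggerd) from the device with adb:
#   is_system_rw mounts.txt && echo "/system is mounted read-write"
#   check_baseline baseline.txt ./pulled_root || echo "system binaries altered"
```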
Though it could be considered just one more bit of Android malware, the availability of a rootkit that can be used to infect almost any application and carry any malware payload is a significant step up in malignant capabilities.
NQMobile claims its security software can identify and eliminate DKFBootKit; Lookout Security & AntiVirus is able to detect DroidKungFu, on which DKFBootKit is partially based, so it has a good chance of detecting the rootkit as well, though that's far from certain.
Best advice on other sites, including those of security vendors, is not to download pirated apps from pirate sites if you plan to install them with root access, which is definitely throwing the baby out with the bathwater.
Carrier-approved editions of Android software are so packed with vendor cross-promotions, ads, tracking software and limitations, there's a good case to be made that all those limitations take away much of the value of the phone itself.
Some people root their phones so they can build free MiFi LANs using the phones as a hub, or run other apps and services that violate service agreements, copyrights or ethical boundaries.
Most do it just to be able to control their own bookmarks and delete some of the junk carriers lard on the phones.
That's why rooting is so popular, not because everyone with an Android phone wants to turn it into a portable hacker portal.
Not rooting anything just to avoid one rootkit is an overreaction. Not installing anything unless you're reasonably sure it's clean and came from a reliable source is just prudent.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.