Rutgers professors Vinod Ganapathy and Liviu Iftode presented their group’s findings today at the International Workshop on Mobile Computing Systems and Applications (HotMobile 2010) in Annapolis, Md. The group, comprising the two professors and three students, was able to install a rootkit on a smart phone operating system, providing them with the capability to eavesdrop on calls made from the devices.
In addition, the complex malware installed on the smart phone permitted the team to call up the phone’s location by tapping into its GPS application; they were also able to run software on the phone that rapidly drained device’s battery.
The two Rutgers researchers told Infosecurity that smart phones could be infected by a rootkit via the same methods used to compromise other traditional desktop and laptop systems. They said this is because many smart phones are nothing more than portable mini-computers, and these devices are becoming ever-more sophisticated.
“More complex means more vulnerabilities,” said Ganapathy.
The study did not discover flaws in a smart phone operating system, but it did provide proof that rootkits could be deployed on these devices. “We didn’t exploit any flaw in the operating system”, Ganapathy told Infosecurity. “We simply installed the rootkit on the operating system.” However, the researcher does believe that a rootkit could be installed on a smart phone much the same way as on a traditional computer, whether it is via a browser exploit or by visiting sites that load malicious code.
Both Ganpathy and Iftode stressed that vulnerabilities of different smart phone operating systems were not compared in this study. In lieu of commercial smart phones, the group employed devices primarily intended for use by software developers.
“Our intention is to make the [security] community aware of these threats”, said Ganapathy, adding that his group’s future objective will be to research potential defenses to these smart phone security threats, along with the ability to detect them.