Covert Android Rootkit Detection: Evaluating Linux Kernel Level Rootkits on the Android Operating System
Abstract
This research developed kernel-level rootkits for Android mobile devices designed to evade traditional detection methods. The rootkits use system call hooking to insert new handler functions that hide the evidence of infection. The effectiveness of each rootkit is measured with respect to its stealth against detection methods and its impact on performance benchmarks. Detection testing confirms that, while the rootkits are detectable with proven tools, system call hooking detection is neither built into Android nor currently available in the Google Play Android App Store. Performance benchmarking showed that system call hooking increases the completion time of the targeted system calls; however, the magnitude of this delay may not be noticeable to users. The rootkits implemented target Android 4.0 on the emulator available from the Android Open Source Project (AOSP) and on the Samsung Galaxy Nexus, and are compiled against Linux kernel 2.6 and 3.0, respectively. This research shows that Android's Linux kernel is vulnerable to system call hooking and that additional measures should be implemented before handling sensitive data on Android.
Document Details
- Document Type: Technical Report
- Publication Date: Jun 14, 2012
- Accession Number: ADA563041
Entities
- People: Robert C. Brodbeck
- Organizations: Air Force Institute of Technology