In November 2014, information about “Fakedebuggerd”—a new vulnerability used to gain root access to install files on the Android device file system—was published by Chinese antivirus company 360.
The vulnerability enables an attacker to write to areas of the file system that are normally accessible only with system or root permissions. The malware uses two known Android 4.x Privilege Escalation (PE) exploits, Framaroot and Towelroot, to run code with root privileges and to install a root toolkit on the device, which lets the attacker hide the code and defeat attempts to remove the malicious apps.
This represents a serious escalation in Android malware: it is the first time we’ve seen reports of malware that uses Android 4.x PE exploits to run code on an infected device. Once on the device, the malicious code collects sensitive data such as unique identifiers, device version details and network connectivity data.
It also installs additional apps, like a flashlight and calendar, without any user consent and uses aggressive tactics to keep them installed. Even if removed with root privileges, these apps are reinstalled automatically.
Using these two exploits together also guarantees a high rate of infection. The Towelroot exploit is based on the futex vulnerability (CVE-2014-3153) – a Linux vulnerability most Android devices prior to Android Lollipop are exposed to.
Framaroot is a rooting tool based on several exploits for most Samsung, LG, Huawei, Asus and ZTE devices and more. Collectively, that’s a large percentage of in-market Android devices, which if used for work, could expose the enterprise to risk.
Its aggressive nature and ability to run code on infected devices make this malware very troubling, especially for enterprises trying to secure sensitive data on employee-owned devices. Even users who notice that something is wrong are in for a disappointment.
Simply deleting the suspicious apps isn’t a solution – the malware goes to great lengths to preserve itself, and the usual delete function doesn’t actually remove anything.
Undetected, it can steal both personal and enterprise information from the user’s device.
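One practical way for a defender or an MDM team to spot the anti-deletion behaviour described above is to diff package inventories: take a snapshot, uninstall the suspicious apps, take another snapshot, and flag anything that has come back, particularly if it now lives on the system partition. The example below is added here and is not code from the original article or from Lacoon; it parses the line format produced by `adb shell pm list packages -f` (`package:<apk path>=<package name>`), and every package name and path in the embedded snapshots is a constructed placeholder, not an indicator from the Fakedebuggerd report.

```python
"""
Added example (not from the original article): detect apps that reappear after
removal by diffing two package inventories in `pm list packages -f` format.
All package names and paths below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# `pm list packages -f` prints one line per package: package:/path/to/app.apk=com.package.name
LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


def parse_package_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path from `pm list packages -f` style output.
    Lines that do not match the expected format are ignored."""
    inventory: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            inventory[m.group("pkg")] = m.group("path")
    return inventory


def find_resurrected(
    before: Dict[str, str], removed: List[str], after: Dict[str, str]
) -> List[Tuple[str, str, bool]]:
    """Return (package, current path, installed under /system/) for every package
    that was present in `before`, was uninstalled, yet is present again in `after`.
    A reappearing package on the system partition is the strongest signal, since
    only a root-level component can write there."""
    hits = []
    for pkg in removed:
        if pkg in before and pkg in after:
            path = after[pkg]
            hits.append((pkg, path, path.startswith("/system/")))
    return hits


# Constructed snapshots: inventory before the clean-up attempt ...
SNAPSHOT_BEFORE = """package:/system/app/Settings.apk=com.android.settings
package:/data/app/com.example.notes-1.apk=com.example.notes
package:/system/app/flashlight.apk=com.example.flashlight
package:/system/app/calendar.apk=com.example.calendar
"""
# ... the packages the user uninstalled ...
REMOVED = ["com.example.flashlight", "com.example.calendar", "com.example.notes"]
# ... and the inventory taken again a few minutes later.
SNAPSHOT_AFTER = """package:/system/app/Settings.apk=com.android.settings
package:/system/app/flashlight.apk=com.example.flashlight
package:/system/app/calendar.apk=com.example.calendar
"""


def run_check() -> List[Tuple[str, str, bool]]:
    """Run the diff over the constructed snapshots and print a short report."""
    before = parse_package_list(SNAPSHOT_BEFORE)
    after = parse_package_list(SNAPSHOT_AFTER)
    hits = find_resurrected(before, REMOVED, after)
    for pkg, path, on_system in hits:
        where = "SYSTEM PARTITION" if on_system else "user data"
        print(f"reinstalled after removal: {pkg} at {path} ({where})")
    if not hits:
        print("no packages reappeared after removal")
    return hits


if __name__ == "__main__":
    run_check()
```

On a real device the two snapshots would come from `adb shell pm list packages -f` (or the equivalent MDM inventory API) before and after the uninstall; the legitimate notes app in the constructed data stays gone, while the two placeholder apps that reappear under `/system/app/` are exactly the pattern the article describes.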
Despite Fakedebuggerd being a serious threat, it has received very little attention online. The main thing we can learn from this is just how many more mobile security threats are out there. Furthermore, this is another example of mobile threats adopting tried and tested techniques from the world of PC malware, using multiple vulnerabilities as part of a larger attack, as well as implementing anti-deletion methods.
From a protection standpoint, besides adopting a dynamic, behaviour-based (not just signature-based) threat detection platform, it’s recommended to stick to the cornerstones of enterprise security:
- Stay away from third-party marketplaces and only download apps from the official Google Play Store.
- As often as possible, stick with trusted and well-reviewed app developers.
- Beware of fake advertisements and links on all forms of communication – SMS, email and social networks.
About the Author: Yonni Shelmerdine is the lead Mobile Security Trends Analyst at Lacoon Mobile Security. Yonni brings five years of experience in Datacom & GSM network security analysis from an elite unit in Israel’s Intelligence Corps. Yonni heads the analysis of mobile attack trends where he researches new attack vectors and identifies major mobile malware attack patterns.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. If you are interested in contributing to The State of Security, contact us here.