A prototype rootkit for Android has been demonstrated by researchers at North Carolina State University. The rootkit "clickjacks" users into launching malicious applications when they think they are launching legitimate applications. It is shown doing this with a proof-of-concept app which arbitrarily manipulates program shortcuts, allowing them to be hidden or to direct the user to a different application.

An attacker could, for example, post a malicious app to the Google Play store or some other marketplace, and the app could silently replace the web browser's launcher icon with one that points to an evil twin browser that would send form data to the attacker's own servers. This form of phishing could be very difficult to detect.



A researcher demonstrates how the clickjacking rootkit can manipulate program shortcuts in the Android launcher

When contacted by The H's associates at heise Security, Xuxian Jiang, one of the researchers involved, said that the attack needed no root privileges. The Nexus S on which the vulnerability was demonstrated was set up with factory settings. The researchers have not looked into whether the attack works on other devices, and it is also unclear if the vulnerability is closed in the next version of Android (4.1 "Jelly Bean").

(djwm)