Researchers at North Carolina State University have demonstrated a prototype rootkit for Google’s Android operating system that can “clickjack” users into launching malicious applications when they think they’re executing legitimate ones. And unlike other rootkits, this one targets Android’s application framework, and not the operating system’s kernel—making it relatively easy to develop.

The rootkit, developed by a team led by NC State computer science professor Xuxian Jiang, founder of the Android Malware Genome Project, can be installed without rebooting the phone or otherwise alerting the phone’s owner. Jiang had previously demonstrated the vulnerability when he and fellow researchers showed that permission “leaks” in standard application configurations from major Android handset vendors could let untrusted applications take over many of the features of the operating system.

Jiang said the rootkit is undetectable by current mobile security software. It could be delivered to a phone concealed within an infected application downloaded by a user from an app store, and take control of the phone without any further input from the user.

Once installed, the rootkit can hide apps on an Android device, and redirect launches of visible applications to “hidden” apps. For example, it could launch a malicious browser that intercepts user input, as described by a team member in this video: