Date of Award
6-14-2012
Document Type
Thesis
Degree Name
Master of Science
Department
Department of Electrical and Computer Engineering
First Advisor
Rusty O. Baldwin, PhD.
Abstract
This research developed kernel-level rootkits for Android mobile devices designed to avoid traditional detection methods. The rootkits use system call hooking to insert new handler functions that remove the presence of infection data. The effectiveness of the rootkits is measured with respect to their stealth against detection methods and behavior performance benchmarks. Detection method testing confirms that, while system call hooking is detectable with proven tools, detection of it is not built in or currently available in the Google Play Android App Store. Performance behavior benchmarking showed that system call hooking affects the completion time of the targeted system calls. However, the magnitude of this delay may not be noticeable by users. The rootkits implemented target Android 4.0 on the emulator available from the Android Open Source Project (AOSP) and on the Samsung Galaxy Nexus. The rootkits are compiled against Linux kernel 2.6 and 3.0, respectively. This research shows that Android's Linux kernel is vulnerable to system call hooking and that additional measures should be implemented before handling sensitive data with Android.
AFIT Designator
AFIT-GCO-ENG-12-14
DTIC Accession Number
ADA563041
Recommended Citation
Brodbeck, Robert C., "Covert Android Rootkit Detection: Evaluating Linux Kernel Level Rootkits on the Android Operating System" (2012). Theses and Dissertations. 1083.
https://scholar.afit.edu/etd/1083