The annual Defcon conference is one such party which usually causes headaches for security departments of almost all top IT businesses. In keeping up with the tradition, two participants of the conference this year, pointed out a security flaw in the Android OS. And in order to drive their point home, they have released a root-kit that can be used to infiltrate an Android smartphone. Once installed a user will have no idea it is there and can take full control of the device. All your data is open to being stolen and your handset is at the mercy of the hacker. The participants used HTC Corp’s Android-based Legend and Desire phones for testing the flaw.
The rootkit was then handed out on DVD to attendees at Defcon. While Google has not yet responded to the news and the distribution. This practice of releasing malicious code that can take advantage of a security flaw in publicly-used software is usually criticized by many. And even in my personal opinion, I believe it’s for the better if the relevant company – responsible for the development of the said software – is notified for the flaw and is given time to come up with a solution before going public. Otherwise, you’re only allowing hackers to have an open season, at the expense of unsuspecting consumers, until the fix is available.
One of the two security experts who created the rootkit is Nicholas Percoco from Spider Labs. He said:
It wasn’t difficult to build … There are people who are much more motivated to do these things than we are. We could be doing what we want to do and there is no clue that we are there.
Percoco will be taking the time to talk about the rootkit tomorrow at the conference. It is thought that the hack will work with all Android handsets, and has been tested successfully on a HTC Legend and Desire.
As Android becomes more popular hackers will start to target it more. Not only will Google need to stay on top of OS security, but we may all end up needing to run a security suite just to ensure our data’s safety.