HIDING BEHIND ANDROID RUNTIME (ART), presented at Black Hat Asia 2015

by Paul Vincent Sabanal

Summary: The introduction of the new Android Runtime (ART) brings several improvements to Android. But, as with any new technology, it also brings new ways to conduct or enhance malicious activities. In this presentation, we will detail one of those ways.
Once an attacker or malware has gained access to the Android device, the next step is to find ways to hide itself and gain persistence, and this is usually achieved by installing a rootkit. The majority of these rootkits are kernel mode rootkits and the common way of achieving persistence is by modifying files in the system partition. However, recent advancements in Android security, such as verified boot, have made this increasingly difficult. This presentation will demonstrate how to go around this difficulty by taking the game out of kernel mode and out of the system partition. We will show you how to take advantage of the mechanisms of ART to create a user mode rootkit.
We will start with a discussion of past Android rootkit research and how those techniques have become increasingly difficult to use on modern Android systems. Then we will go deep into ART internals, discussing the file formats and mechanisms relevant to rootkit creation. Once the mechanisms involved are understood, we will discuss methods of crafting the rootkit, i.e., what to change, where to find it, and how to change it, along with techniques for gaining persistence on the system. We will also examine the limitations of this approach and possible future work in this area.
The talk will conclude with a live demonstration of an ART rootkit.