Technology Of Kernel-Level Rootkit Attack And Detection On Android Platform

Posted on: 2014-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: W Zhu
Full Text: PDF
GTID: 2248330392961043
Subject: Electronics and Communications Engineering
Abstract/Summary:
With the development of the mobile Internet, more and more people are using smartphones running the Android operating system. However, the openness of the Android platform poses a severe challenge to system security. When hackers obtain superuser privileges through system vulnerabilities, they can use a Rootkit to control the target host over the long term and hide their attack behavior. Current Rootkits can generally be divided into application-level Rootkits and kernel-level Rootkits; this paper mainly studies the attack and detection of kernel-level Rootkits on the Android platform.

This paper first introduces the basic knowledge of the Android operating system, including the system structure and the Android system kernel, which is based on Linux, and its improvements. The paper analyzes the principle and process of the Android telephone subsystem and identifies the point of Rootkit attack. It also studies the key technologies of Rootkits, including system call hijacking, Virtual File System (VFS) layer attacks and Loadable Kernel Module (LKM) technology. These studies lay the foundation for the design of the Rootkit tool.

Then, the paper designs and implements a kernel-level Rootkit tool on the Android platform. Provided that root privilege has already been obtained, the tool enters the system kernel space by loading an LKM module. By replacing system call functions, the tool can control the working process of the Android telephone subsystem and implement a variety of attacks. At the same time, the tool can hide its attack behavior by hiding files, processes, network connections and the Rootkit module itself, and by filtering system log information. The paper also discusses the implantation, loading and deficiencies of the Rootkit tool.

Finally, based on an analysis of common Rootkit detection methods, the paper proposes a model of Android Rootkit detection, including detection of the system call interface, LKM modules and Android telephone subsystem attacks.
Keywords/Search Tags: Android, Rootkit, LKM, Detection