- Mobile ‘Rootkit’ Maker Tries to Silence Critical Android Dev
A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.
Though the software is installed on millions of Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent.
Eckhart called the software a “rootkit,” a security term that refers to software installed at a low-level on a device, without a user’s consent or knowledge in order to secretly intercept the device’s workings. Malware such as keyloggers and trojans are two examples.
He also mirrored the Mountain View, Calif. company’s training manuals he’d found on Carrier IQ’s publicly available website. The manuals provide a limited roadmap for how Carrier IQ works, Eckhart said in a telephone interview.
When Carrier IQ discovered Eckhart’s recent research and his posting of those manuals, Carrier IQ sent him a cease-and-desist notice, saying Eckhart was in breach of copyright law and could face damages of as much as $150,000, the maximum allowed under U.S. copyright law per violation. The company removed the manuals from its own website, as well.
On Monday, the Electronic Frontier Foundation announced it had came to the assistance of the 25-year-old Eckhart of Connecticut, whom Carrier IQ claims has breached copyright law for reposting the manuals.
“I’m mirroring the stuff so other people are able to read this and verify my research,” he said. “I’m just a little guy. I’m not doing anything malicious.”
The company is demanding Eckhart retract (.pdf) his “rootkit” characterization of the software, which is employed by most major carriers, Eckhart said.
The EFF says Eckhart’s posting of the files is protected by fair use under the Copyright Act for criticism, commentary, news reporting and research, and that all of Carrier IQ’s claims and demands are “baseless.” (.pdf)
Andrew Coward, Carrier IQ’s marketing manager, said in a telephone interview Tuesday that the company, not Eckhart, should be in “control” of the manuals.
“Whatever content we distribute we want to be in control of that,” he said. “I think obviously, any company wants to be responsible for the information that gets distributed.”
He said “legal matters” prohibited the 6-year-old company from discussing the Eckhart flap further.
He said the company’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”
“We’re not looking at texts. We’re counting things. How many texts did you send and how many failed. That’s the level of metrics that are being gathered,” he said.
He answered “probably yes” when asked whether the company could read the text messages if it wanted.
Marcia Hofmann, an EFF senior staff attorney, said the civil rights group has concluded that “Carrier IQ’s real goal is to suppress Eckhart’s research and prevent others from verifying his findings.”
In a Monday letter to Carrier IQ, Hofmann said Eckhart’s speech was protected by the First Amendment.
What’s more, the company is demanding that Eckhart inform Carrier IQ of the names of all persons to which Eckhart has forwarded the training material. The company also wants Eckhart to send “written retractions” to everybody who has viewed his research in hard copy or on the web.
Among other things, Carrier IQ insists that Eckhart retract his “root kit” characterization of the unremovable software, and other statements, by issuing a press release to The Associated Press.
PC Magazine describes a rootkit as this:
A type of Trojan that keeps itself, other files, registry keys and network connections hidden from detection. It enables an attacker to have “root” access to the computer, which means it runs at the lowest level of the machine. A rootkit typically intercepts common API calls. For example, it can intercept requests to a file manager such as Explorer and cause it to keep certain files hidden from display, even reporting false file counts and sizes to the user. Rootkits came from the Unix world and started out as a set of altered utilities such as the ls command, which is used to list file names in the directory (folder).
Legitimate Rootkits?
Rootkits can also be used for what some vendors consider valid purposes. For example, if digital rights management (DRM) software is installed and kept hidden, it can control the use of licensed, copyrighted material and also prevent the user from removing the hidden enforcement program. However, such usage is no more welcomed than a rootkit that does damage or allows spyware to thrive without detection.In 2005, Sony came under fire for installing a rootkit on music CDs. Security expert Bruce Schneier wrote then that “The Sony code modifies Windows so you can’t tell it’s there, a process called ‘cloaking’ in the hacker world. It acts as spyware, surreptitiously sending information about you to Sony. And it can’t be removed; trying to get rid of it damages Windows.”
In a letter to Eckhart, Carrier IQ said, “If you do not comply with these cease and desist demands within this time period, please be advised the Carrier IQ, Inc. will pursue all available legal remedies, including seeking monetary damages, injunctive relief, and an order that you pay court costs and attorney’s fees.”
The deadline expired Nov. 18, but so far Carrier IQ has not made good on its threats.
Digest powered by RSS Digest
In the command above, the server instructs the malware to delete a package called com.practical.share. We have seen other commands sent from the server such as commands to update the malware’s native code, install an APK, or open a URL. But this is the first time we’ve seen the server tell the malware to delete a package, and we’re not entirely sure why it does this routine.
The malware shows four types of notifications:
Users can check if their phones are infected by going to Settings > Applications > Running Services. Look for the service called ‘SystemConfService.’
Moreover, users can manually remove the malware from their devices by going to Settings > Applications > Manage Applications to uninstall the infected app:
The mentioned DroidKungFu and DroidDreamLight variants are detected as 
