Researcher uncovers keylogging 'rootkit' in Android phones


Earlier this month, Android developer Trevor Eckhart looked into an always-on process in his HTC Android phones called Carrier IQ, and discovered the application was actually capturing all user actions (ostensibly for the purposes of "mobile service intelligence") without providing users the ability to opt out or shut off the process.

In fact, Eckhart suggested the only option to escape the keylogging behavior of the application was for users to root their phone and install new firmware without it. For this reason, Eckhart classified Carrier IQ as a rootkit.

"Every part of the multi-headed CIQ application is embedded into low-level, locked regions of the phones, Eckhart said. "Even if you unlock your device and remove the base application with a sophisticated removal method, neutered, leftover code called from other applications will likely throw an error each time an old action is triggered."

After posting his discoveries, the company responsible for Carrier IQ hit Eckhart with a cease-and-desist order, accusing him of infringing copyrights and making false allegations about the solution. Eckhart sought protection from the Electronic Frontier Foundation, and Carrier IQ promptly withdrew its letter, and apologized to both Eckhart and the EFF.

The company said, "Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain."

"Here’s what our software does:
- Our software makes your phone work better by identifying dropped calls
and poor service.
- Our software identifies problems that impede a phone’s battery life.
- Our software makes customer service quicker, more accurate, and more
efficient.
- Our software helps quickly identify trending problems to help mobile
networks prevent them from becoming more widespread."

The problem with this explanation, of course, is that Carrier IQ logs all activities, even when the user is disconnected from the network or using Wi-Fi, and it continues to work even after a user's contract has expired. Eckhart demonstrates what Carrier IQ does in the video we've embedded below, using both an in-contract and out-of-contract Sprint phone.

Carrier IQ has solutions on a number of mobile platforms, including BlackBerry and Nokia devices, but Eckhart's research focuses on the Android platform. His ongoing efforts can be followed on his blog.

20 Responses to Researcher uncovers keylogging 'rootkit' in Android phones

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.