Two computer scientists from Rutgers University, Vinod Ganapathy and Liviu Iftode, along with support from the National Science Foundation, tasked graduate students with developing malware for smart phones that would escape the notice of the user.
The method used by the researchers is described below:
“The team decided to inject software components known as rootkits into the phone’s operating system. Rootkits are a particularly devious threat to a computer, because they attack the operating system itself. Traditional antivirus software, therefore, may not be able to detect them because they don’t appear to be stand alone applications or viruses. Most desktop computers are protected from rootkits by something known as virtual machine monitor, but because of their limited size and limited energy resources, smart phones don’t deploy these monitors, making it very difficult to know a rootkit attack has taken place.”
“Once the rootkits were in place, the researchers were able to hijack a smart phone by simply sending it a text message. This allowed them to do things like quietly turn on the device’s microphone, enabling them to hear what was going on in the room where the phone had been placed. Another attack trained the phone to use its GPS capabilities to report the phone’s exact location without the user’s knowledge. By turning on various high-energy functions, the team was even able to rapidly drain the phone’s batteries, rendering it useless. The Rutgers team presented the results of their attempts to hack and hijack smart phones at the International Workshop on Mobile Computing Systems and Applications (HotMobile 2010).”