Uncloaking rootkits on mobile devices with a hypervisor-based detector


Abstract

Cell phones have evolved into general purpose computing devices, which are tightly integrated into many IT infrastructures. As such, they provide a potential malware entry point that cannot be easily dismissed if attacks by determined adversaries are considered. Most likely, such targeted attacks will employ rootkit technologies so as to hide their presence for as long as possible. We have designed a rootkit detector that allows the complete state of a smart phone to be inspected, turning up a rootkit if present. Our solution draws on the strong isolation provided by virtualization to protect our detector from attempts to disable it. In comparison to mainstream hypervisors such as Xen and KVM, our hypervisor consists of only 7,000 SLOC, allowing for systems with a small trusted computing base. We implemented a full prototype using a low-cost embedded board and a full Android stack and validated its effectiveness against an exemplary rootkit that employs advanced countermeasures. Also, various benchmark measurements of the prototype showed that the performance degradation incurred by our design, while noticeable, is not prohibitive.

Citation (APA)

Vetter, J., Junker-Petschick, M., Nordholz, J., Peter, M., & Danisevskis, J. (2016). Uncloaking rootkits on mobile devices with a hypervisor-based detector. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 9558, pp. 262–277). Springer Verlag. https://doi.org/10.1007/978-3-319-30840-1_17
