Xuxian Jiang, along with his research team at North Carolina State University, has cooked up a proof-of-concept "clickjack rootkit" which targets Android. The rootkit is unusual not only in that it works without a device restart, but also in that it targets Android's framework, requiring no deep modifications to the underlying firmware or kernel.
Clickjacking, for those unfamiliar, is a UI-redressing technique typically used on the web to trick users into clicking or tapping on something other than what they believe they are interacting with, for example to hand over control of their device or confidential information.
The researchers' rootkit works by hiding apps on the device and silently redirecting launches of legitimate apps to those hidden apps. An easy example, described in the video below, is redirecting a user who taps the browser icon to a malicious browser that intercepts and exploits whatever the user types into it, such as credentials.
The video above shows a non-rooted device, and Jiang explains that the exploit does not require privilege escalation; instead it relies on UI redressing, carried out by hijacking the launcher, "which is completely different from earlier overlaying-based approaches."
Jiang also explains that "no existing mobile security software is able to detect" the exploit, and that the rootkit targets Android 4.0.4 and earlier devices.
The news isn't all bad, though. This exploit is a proof of concept developed by a research team, not malware observed in the wild, so the immediate risk to consumer devices is low. The good news, Jiang says, is “now that we’ve identified the problem, we can begin working on ways to protect against attacks like these.”