A rootkit for Android. Based on "Android platform based linux kernel rootkit" from Phrack Issue 68
Switch branches/tags
Nothing to show
Clone or download
Latest commit 27b595e Jun 15, 2015
Failed to load latest commit information.
LICENSE Updating README Jun 15, 2015
Makefile added license and documentation Feb 5, 2015
README.md Updating README Jun 15, 2015
sys_call_table.c Cleaning up the code Jun 15, 2015



A rootkit for Android. Based on Android platform based linux kernel rootkit from Phrack Issue 68

Part of ISA 673 a class project. Adding it here just because there is not just enough documentation out there to do this for Android

I appreciate any pull requests as long as they extend functionality and dont do harm

Kernel Build Specs

  • Using kernel tree from here

  • Using ROM image from here

  • Using Android NDK toolchain 4.4.3 from Google.

  • Tried and tested on HTC Bravo running kernel version

Module Information

Filename: sys_call_table.ko Desciption: This rookit is developed to intercept the following calls


Author: Hitesh Dharmdasani hdharmda@gmu.edu

License: GPL v2

Depends: Android NDK, Kernel source tree of target

Vermagic: preempt mod_unload ARMv7

Other details

  • The source tree will not complile to give you a zImage that you should use. A hack around it was to just use a pre built rom with the same specs
  • If you are facing vermagic issues. Fix them by the obvious.
    • Fix entry in utrelease.h
    • Fix entry in kernel.release
    • DO NOT 'make' the kernel source tree after you do this
  • Edit the makefile to suit your paths for the NDK and the kernel source tree for your Android Operating system
  • The rootkit compiles as a kernel object and needs to be run on the phone.
    • # insmod sys_call_table.ko
    • # ./sys_call_table_inst
  • Use dmesg to debug