A rootkit for Android. Based on "Android platform based linux kernel rootkit" from Phrack Issue 68
Latest commit 27b595e Jun 15, 2015 @hiteshd Updating README
LICENSE Updating README Jun 15, 2015
Makefile added license and documentation Feb 5, 2015
README.md Updating README Jun 15, 2015
sys_call_table.c Cleaning up the code Jun 15, 2015




Part of ISA 673, a class project. Adding it here just because there is just not enough documentation out there to do this for Android.

I appreciate any pull requests as long as they extend functionality and don't do harm.

Kernel Build Specs

  • Using kernel tree from here

  • Using ROM image from here

  • Using Android NDK toolchain 4.4.3 from Google.

  • Tried and tested on HTC Bravo running kernel version

Module Information

Filename: sys_call_table.ko

Description: This rootkit is developed to intercept the following calls


Author: Hitesh Dharmdasani hdharmda@gmu.edu

License: GPL v2

Depends: Android NDK, Kernel source tree of target

Vermagic: preempt mod_unload ARMv7

Other details

  • The source tree will not compile to give you a zImage that you should use. A hack around it was to just use a pre-built ROM with the same specs.
  • If you are facing vermagic issues, fix them by the obvious:
    • Fix entry in utsrelease.h
    • Fix entry in kernel.release
    • DO NOT 'make' the kernel source tree after you do this
  • Edit the Makefile to suit your paths for the NDK and the kernel source tree for your Android operating system
  • The rootkit compiles as a kernel object and needs to be run on the phone.
    • # insmod sys_call_table.ko
    • # ./sys_call_table_inst
  • Use dmesg to debug
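
For the detection side of the call interception described under Module Information, here is a check a defender can run over a captured system call table (an added example, not code from this repository). It assumes the table entries and a `/proc/kallsyms`-style listing were already collected from the device; `sym_addr`, `find_hooked` and all sample values are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Find a symbol in /proc/kallsyms-style text ("addr type name" per line). */
static int sym_addr(const char *kallsyms, const char *name, uint32_t *out)
{
    const char *p = kallsyms;
    while (p && *p) {
        unsigned int addr; char type, sym[64];
        if (sscanf(p, "%x %c %63s", &addr, &type, sym) == 3 && strcmp(sym, name) == 0) {
            *out = addr;
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* Count table entries that point outside [_stext, _etext); the first max_hits
 * offending indices are stored in hits. Returns -1 if the bounds are missing. */
static int find_hooked(const char *kallsyms, const uint32_t *table, size_t n,
                       size_t *hits, size_t max_hits)
{
    uint32_t stext, etext;
    int count = 0;
    if (sym_addr(kallsyms, "_stext", &stext) || sym_addr(kallsyms, "_etext", &etext) || stext >= etext)
        return -1;
    for (size_t i = 0; i < n; i++) {
        if (table[i] < stext || table[i] >= etext) {
            if ((size_t)count < max_hits) hits[count] = i;
            count++;
        }
    }
    return count;
}

/* Constructed sample: on 32-bit ARM, modules typically load below the kernel
 * image, so a hooked entry shows up as an address under _stext. */
static const char SAMPLE_KALLSYMS[] =
    "c0008000 T _stext\n"
    "c003a1f0 T sys_read\n"
    "c04b2000 A _etext\n";
static const uint32_t SAMPLE_TABLE[] = { 0xc003a1f0, 0xc003a2a4, 0xbf000120, 0xc0041c10, 0xbf0001b8 };

int main(void) {
    size_t hits[8];
    int n = find_hooked(SAMPLE_KALLSYMS, SAMPLE_TABLE, 5, hits, 8);
    for (int i = 0; i < n && i < 8; i++)
        printf("entry %zu -> 0x%08x is outside kernel text\n", hits[i], (unsigned)SAMPLE_TABLE[hits[i]]);
    return n > 0;
}
```

An entry outside the kernel text range is a lead for further triage (which module owns that address), not proof of compromise on its own.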