Android Malware's Potential Detailed

Mathew J. Schwartz

Rootkits like the proof-of-concept developed by researchers could be used for eavesdropping or for forcing a smartphone to reveal its GPS coordinates.

Could your Android smartphone be used against you?

The answer is yes, at least theoretically. "We have developed a kernel-level Android rootkit in the form of a loadable kernel module," two security researchers from Trustwave, Nicholas Percoco and Christian Papathanasiou, recently announced via the Def Con website. Once the rootkit was running on a Linux-based Android smartphone, an attacker could call using a "trigger number" to then gain "full root access on the Android device" via TCP.

The researchers said they will exploit an Android smartphone live at next month's Def Con conference. This attack is only a proof of concept and has not been seen in the wild. Even so, the threat of getting one's smartphone "owned" makes for some unpleasant possibilities.

For example, said the researchers, "an attacker can proceed to read all SMS messages on the device [or] incur the owner with long-distance costs, even potentially pinpoint the mobile device's exact GPS location."

Those threats square with research into smartphone rootkits released in February by two Rutgers professors. One particular security problem, they said, is that while PCs often run virtual machines to detect rootkits, smartphones don't currently have the processing chops to run such software.

As a result, smartphones remain vulnerable to a variety of attacks, should the right malware be in place. For eavesdropping on conversations, for example, an attacker could use a text message to make the phone silently call a designated number and leave the connection open. Or a location-based attack could use a text message to make the smartphone forward its GPS coordinates to a designated email address.

"We're showing that people with general computer proficiency can create rootkit malware for smartphones," professor Liviu Iftode said in a statement at the time. "The next step is to work on defenses."

Speaking of defenses, how might attackers actually get the malware on your phone?

"The easiest way would probably be for the bad guys to have managed to get their evil mitts on your smartphone, and secured physical access to the device," said Graham Cluley, senior technology consultant for Sophos, on the company's blog. "But cybercriminals could also try to exploit an unpatched security vulnerability in the Android operating system, or use a social engineering trick to fool you into installing the malicious code."

Hawking fake software via the Android Market application store would be another attack avenue, he said, though the attackers would have to get around any safeguards that Google has in place, or else only target users who install non-Market applications.