Windows CE/Mobile Rootkits
If you Google for either "Windows CE", "Windows Mobile" along with "rootkits"   you don’t find anything on the subject. Back in the early part of this year I started a little skunk-works project (which resulted in an internal whitepaper) to understand the techniques that could be employed in rootkitting Windows Mobile devices, and how you would detect them if the bad guys got nasty and started doing so.
The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.
The caveat about some of these methods and techniques is that your process needs to be fully trusted in order to weave its magic. So in a properly configured one-tier device that requires signing, or a two-tier device that requires signing, there may be a hurdle to overcome, which is that you have to find a vulnerability to exploit in order to elevate privileges or gain access to the device. But that, as they say, is simply a bump in the road – and I hope from my other rants (errr, sorry, blog posts) on the subject, you’ll see this is not going to be overly difficult for the determined attacker to overcome.
Anyway, the summary from the aforementioned internal whitepaper is as follows:
“This paper has shown the current state of the art with regards to Windows CE hooking techniques and how these techniques can be detected with ease to enhance the protection of Windows CE devices today. This paper has also shown how techniques used on the desktop can be applied to Windows CE with relative ease while again showing how they can be detected with only moderate effort.
What is clear from this research is that rootkits can pose a significant threat to Windows CE-based devices in a similar way they do to their desktop cousin today. If an attacker wishes to rootkit a device, there are many avenues available to them. It is clear that should attackers shift from the desktop to the mobile device that very similar issues, techniques, and vectors will be used with equal effect.”
So in short, it's going to happen one day and we’ve already thought about it.