Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Android Malware Attacks Custom ROMs

Posted by timothy on from the now-that's-offsides-innit dept.

drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key to be installed to user or app-controlled storage."

5 of 146 comments (clear)

  1. Once again... by Daetrin · · Score: 5, Insightful

    The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

    Of course hopefully this isn't news to people who are already computer savy.

    --
    This Space Intentionally Left Blank
    1. Re:Once again... by gweihir · · Score: 4, Insightful

      That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Once again... by zonky · · Score: 3, Insightful

      Mainly because handset makes are lying, deceptive bastards who don't maintain devices.

    3. Re:Once again... by tooyoung · · Score: 2, Insightful

      Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

      Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume is that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?

  2. Re:Incompetent key handling. No surprise. by rwven · · Score: 4, Insightful

    That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."