Slashdot Mirror


New Android Malware Attacks Custom ROMs

drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key from being installed to user or app-controlled storage."
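
The trust decision described in the summary, as an added example that is not part of the original post and is not AOSP or CyanogenMod code: a simplified model of install-time granting of signature-protected permissions, with and without the mitigation the summary describes. The certificates are constructed stand-ins, and the `install` function, its `reject_platform_signed_on_data` flag and the scenario names are hypothetical.

```python
# Simplified model (added example, not AOSP or CyanogenMod code) of how
# signature-protected permissions are granted at install time.
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for signing certificates (not real key material).
AOSP_TEST_CERT = b"constructed: publicly available AOSP platform cert"
PRIVATE_ROM_CERT = b"constructed: cert for a key only the ROM builder holds"

# Real permission names; modelled here as granted only to platform-signed apps.
SIGNATURE_PERMS = {"android.permission.INSTALL_PACKAGES",
                   "android.permission.DELETE_PACKAGES"}

@dataclass
class Apk:
    name: str
    cert: bytes        # certificate the APK was signed with
    requested: tuple   # permissions listed in its manifest
    location: str      # install target, e.g. "/system/app" or "/data/app"

def fingerprint(cert: bytes) -> str:
    return hashlib.sha256(cert).hexdigest()

def install(apk: Apk, platform_cert: bytes, reject_platform_signed_on_data=False):
    """Return the set of granted permissions, or None if the install is refused."""
    platform_signed = fingerprint(apk.cert) == fingerprint(platform_cert)
    # Mitigation as the summary describes it: platform-signed packages may not
    # be installed to user- or app-controlled storage.
    if (reject_platform_signed_on_data and platform_signed
            and not apk.location.startswith("/system/")):
        return None
    return {p for p in apk.requested
            if p not in SIGNATURE_PERMS or platform_signed}

def scenarios():
    app = Apk("untrusted-market-app", AOSP_TEST_CERT,
              ("android.permission.INTERNET",
               "android.permission.INSTALL_PACKAGES"), "/data/app")
    return {
        "rom_signed_with_public_aosp_key": install(app, AOSP_TEST_CERT),
        "rom_signed_with_private_key": install(app, PRIVATE_ROM_CERT),
        "public_key_rom_with_fix": install(app, AOSP_TEST_CERT, True),
    }

if __name__ == "__main__":
    for case, granted in scenarios().items():
        print(case, "->", "install refused" if granted is None else sorted(granted))
```

The model grants the silent-install permission only in the first scenario, where the ROM's platform certificate is the public one; a privately held platform key or the storage-location check each close that path.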

19 of 146 comments

  1. Once again... by Daetrin · · Score: 5, Insightful

    The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

    Of course hopefully this isn't news to people who are already computer savvy.

    --
    This Space Intentionally Left Blank
    1. Re:Once again... by MobileTatsu-NJG · · Score: 2

      The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs...

      Heh. You should look into why people flash their own ROMs.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Once again... by gweihir · · Score: 4, Insightful

      That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Once again... by errandum · · Score: 4, Informative

      No, half of what you said is completely wrong.

      Flashing a 2.3 ROM will allow you to get the latest security fixes on those mobile phones that are no longer supported by the manufacturer. Even 2+ year old phones get the latest versions from cyanogen, so it extends the life of your device way beyond that of an iPhone.

      Furthermore, unlike Apple, that seems to abandon a device when they decide it is too hard to update for it, most of the custom ROMs are made by people that actually own the device, so they simply strip down some features and/or add alternatives so that everyone ends up with the latest fixes.

      The only truth on what you said was, try not to install apps that didn't come from the Android Market and/or reputable sources. Just because you have the choice of installing something else, doesn't mean you should trust everyone.

    4. Re:Once again... by zonky · · Score: 3, Insightful

      Mainly because handset makers are lying, deceptive bastards who don't maintain devices.

    5. Re:Once again... by hedwards · · Score: 2

      I don't know, I think that people who aren't computer literate aren't likely to know that they can. But some of the apps out there will handle it for you, with little interaction on your part.

    6. Re:Once again... by tooyoung · · Score: 2, Insightful

      Who is flashing their phone if they aren't computer literate? I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

      Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?

    7. Re:Once again... by artor3 · · Score: 4, Informative

      Nice flamebait, but Android phones can leave the walled garden with a simple checkbox in the options menu. Flashing your own ROM is something else entirely.

    8. Re:Once again... by Eric(b0mb)Dennis · · Score: 2

      It's weird but I've experienced the opposite...

      People who are very illiterate with computers ask me about 'hacking' their device constantly, for free stuff.

      --
      Excuse me, I don't mean to impose, but I am the ocean
  2. Incompetent key handling. No surprise. by gweihir · · Score: 4, Interesting

    Those that do not understand how Public Key Crypto works should not use it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Incompetent key handling. No surprise. by rwven · · Score: 4, Insightful

      That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."

  3. Re:first post! by ColdWetDog · · Score: 2

    4chan down again?

    --
    Faster! Faster! Faster would be better!
  4. Re:What % of 3rd party installed ROM base is non-C by Anonymous+Psychopath · · Score: 2

    Of the ROM-installing community, what percentage is NOT using CM 7.0.3?

    Everyone using a custom ROM on a device that CM does not support. I'm not sure how many that is, but it includes the HTC Thunderbolt users.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.

  5. Re:Why are you talking about Apple? by errandum · · Score: 3, Interesting

    And I speak from experience because I did own an original iPhone that stopped being supported long long ago.

    And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.

    That means 2 years support (as I said) is the norm. Compare that to the 7 years of support Windows XP had and you'll get my point.

  6. Re:What % of 3rd party installed ROM base is non-C by namalc · · Score: 2

    Those on devices where the CM 7.0.3 port is still very much a (buggy) work in progress, such as the LG Optimus.

  7. Re:What % of 3rd party installed ROM base is non-C by rrossman2 · · Score: 3, Interesting

    A lot. I was using Doc's Rom Kitchen as it had a lot better support for my SGS. I ended up trying a CM7 nightly for my SGS, it was alright, but the cameras were too dark to be functional, and my ability to text went out the window. Reverted to a stock ROM, and while I can receive texts, I still can't send (which is more so confusing to me than anything as I really don't text).

    I'm now using the Insanity CM GalaxyS ROM (which is based on CM7, but is very stripped down and lite.. I love it). Also flashed the 2.6.35_7_Glitch Insane Edition V10 ROM for the i9000, which is freakin sweet!

  8. Not wanting to start a GPL flame war but... by nickovs · · Score: 2

    ... while the code for Android is GPLv2, the move of various other projects towards GPLv3 is only going to make this sort of problem worse. The 'anti-Tivoisation' clause basically demands that some authorised signing key gets distributed with any GPLv3 code that needs to be signed in order to run, and that the available signing key grants all the rights necessary for that code to function. While it is of course possible for users to completely rebuild the trust hierarchy with their own keys, very few people will be willing to do so. As a result it seems likely that any GPLv3 project will be unable to make effective use of signing as a mechanism for preventing the execution of rogue code, even if the license allows for it in theory.

    --
    If intelligent life is too complex to evolve on its own, who designed God?
  9. Re:Why are you talking about Apple? by errandum · · Score: 2

    That's the whole point of the original argument (that fanboys modded down)

    While there are people out there that use a phone, anyone can compile the latest fixes (or get them from someone who knows how), hence, having a very long term support.

    Saying "ohh, don't install custom roms or you might get viruses" is stupid because those custom roms will give you access to the latest version on most phones when it comes out (with all the security features).

    You don't depend on a company (Apple or HTC or Samsung) to get your updates. If you want them, you can do it yourself.

    PS: 2 years, 2.5, what's the point? It's limited support and, sometimes, crappy (if you have a 3G you know that iOS 4 kind of made it... crap - hanging a lot etc).

    So, to sum up, no, ROMs aren't evil and if you still take care with the places you get apps from there is no problem whatsoever.

  10. Re:Why are you talking about Apple? by colinnwn · · Score: 2

    It is only $30 if you are careful to never miss an upgrade cycle. If you do, the cheap upgrade disks disappear from availability, and you have to call 800-i-fanboi to be told the upgrade will now set you back something like $180. Found that out the hard way after my aunt purchased an iPhone against my recommendation, then she discovered she couldn't sync it to her only computer, a PowerPC Mac.