Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Android Malware Attacks Custom ROMs

Posted by timothy on from the now-that's-offsides-innit dept.

drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key to be installed to user or app-controlled storage."

9 of 146 comments (clear)

  1. Once again... by Daetrin · · Score: 5, Insightful

    The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

    Of course hopefully this isn't news to people who are already computer savy.

    --
    This Space Intentionally Left Blank
    1. Re:Once again... by gweihir · · Score: 4, Insightful

      That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Once again... by errandum · · Score: 4, Informative

      No, half of what you said is completely wrong.

      Flashing a 2.3 ROM will allow you to get the latest security fixes on those mobile phones that are no longer supported by the manufacturer. Even 2+ year old phones get the latest versions from cyanogen, so it extends the life of your device way beyond that of an iPhone.

      Furthermore, unlike apple, that seems to abandon a device when they decide it is too hard to update for it, most of the custom ROMs are made from people that actually own the device, so they simply strip down some features and/or add alternatives so that everyone ends up with the latest fixes.

      The only truth on what you said was, try not to install apps that didn't come from the Android Market and/or reputable sources. Just because you have the choice of installing something else, doesn't mean you should trust everyone.

    3. Re:Once again... by zonky · · Score: 3, Insightful

      Mainly because handset makes are lying, deceptive bastards who don't maintain devices.

    4. Re:Once again... by artor3 · · Score: 4, Informative

      Nice flamebait, but Android phones can leave the walled garden with a simple checkbox in the options menu. Flashing your own ROM is something else entirely.

  2. Incompetent key handling. No surprise. by gweihir · · Score: 4, Interesting

    Those that do not understand how Public Key Crypto works should not use it.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Incompetent key handling. No surprise. by rwven · · Score: 4, Insightful

      That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."

  3. Re:Why are you talking about Apple? by errandum · · Score: 3, Interesting

    And I speak from experience because I did own an original iPhone that stopped being supported long long ago.

    And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.

    That means 2 years support (as I said) is the norm. Compare that to the 7 years of support windows XP had and you'll get my point.

  4. Re:What % of 3rd party installed ROM base is non-C by rrossman2 · · Score: 3, Interesting

    A lot. I was using's Doc's Rom Kitchen as it had a lot better support for my SGS. I ended up trying a CM7 nightly for my SGS, it was alright, but the cameras were too dark to be functional, and my ability to text went out the window. Reverted to a stock ROM, and while I can receive texts, I still can't send (which is more so confusing to me than anything as I really don't text).

    I'm now using the Insanity CM GalaxyS ROM (which is based on CM7, but is very stripped down and lite.. I love it). Also flashed the 2.6.35_7_Glitch Insane Edition V10 ROM for the i9000, which is freakin sweet!