Slashdot Mirror


Hackers Get Lazy, Build Trojan On Top of Android Rooting Utility (softpedia.com)

An anonymous reader writes: Instead of creating their own exploits, some lazy Chinese hackers took the Root Assistant Android rooting toolkit and remodeled it into a trojan, which they packed inside copies of legitimate apps (distributed via unofficial app stores). Until now, only seven apps were repackaged, and only 600 users infected. A weird thing: there's an XML file in the trojan that prevents it from infecting Chinese users.

53 comments

  1. Build It! They Will Come! by Anonymous Coward · · Score: 0

    And die!

  2. If you are a chinese hacker. by queazocotal · · Score: 2

    If you hack systems in china, it is much easier to prosecute. (I would assume)

    1. Re:If you are a chinese hacker. by benjfowler · · Score: 1

      Like Russian cybercrooks -- they are sensible enough to not shit where they eat.

      Less trouble from law enforcement that way, and less chance of ending up getting a 7.62×39mm brain haemorrhage, if you know what I mean...

    2. Re:If you are a chinese hacker. by Anonymous Coward · · Score: 0

      Check out the big brain on Brad!

    3. Re:If you are a chinese hacker. by Ungrounded+Lightning · · Score: 2

      If you hack systems in china, it is much easier to prosecute. (I would assume)

      Other possible motivations:

      The malware developers don't want to become infected by their own malware, so they make it avoid some aspect of their configuration. (Language selection is an easy one to pick, if the target set is not in your language group anyhow.)

      The malware developers may be trying to confine the malware to particular target sets, and avoiding certain countries, languages, etc. is a first, coarse, sieve.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    4. Re:If you are a chinese hacker. by Anonymous Coward · · Score: 1

      If you hack systems in china, it is much easier to prosecute. (I would assume)

      Not necessarily, I think that XML file is a strong indication that it is not Chinese hackers, but instead the Chinese military.

    5. Re: If you are a chinese hacker. by Anonymous Coward · · Score: 1

      For those of us who don't know what you mean, what do you mean? Is that a common bullet size or something? Since bullets typically move, wouldn't they hemorrhage a much larger volume? Why did you give only two dimensions? Was one of them a radius?

    6. Re:If you are a chinese hacker. by Wootery · · Score: 2
    7. Re:If you are a chinese hacker. by Anonymous Coward · · Score: 0

      Actually I could think the Chinese would want to target domestic area as well.

    8. Re: If you are a chinese hacker. by davester666 · · Score: 0

      In Russia, as both a cost-saving measure and an extra deterrent, instead of firing the bullet into your head, they get an already-used bullet, and press it into your head with a vise.

      --
      Sleep your way to a whiter smile...date a dentist!
    9. Re: If you are a chinese hacker. by Anonymous Coward · · Score: 1

      Since no-one seems interested in your apparently serious question, I'll pipe in... Yes, the 7.62x39 is a common (some will argue the most common) ammunition designator for the cartridge used by Soviet Bloc weapons, including the AK-47, SKS and many other variants worldwide. The 7.62 (mm) is the diameter of the bullet (the actual projectile portion of the cartridge) and the 39 (mm) is the length of the cartridge case. Many people will refer to a 7.62mm cartridge as a "30 caliber" because the bullet has a diameter of .308". If someone refers to a ".308" without any other qualifiers, they are typically referring to a 7.62x51, which is the NATO standard, and identical to/interchangeable with the .308 Winchester.

    10. Re: If you are a chinese hacker. by CrankyFool · · Score: 2

      Actually, as of 1974 the USSR (and later Russians) have been replacing their 7.62x39 weapons and ammo with 5.45x39mm weapons and ammo (e.g. the AK-74). More at https://en.wikipedia.org/wiki/...

    11. Re:If you are a chinese hacker. by Anonymous Coward · · Score: 0

      You don't shit where you eat....

      I do, it's fantastic.

    12. Re: If you are a chinese hacker. by malditaenvidia · · Score: 1

      That's the weirdest "In Soviet Russia" joke I've ever read.

    13. Re:If you are a chinese hacker. by Anonymous Coward · · Score: 0

      That's a common practice everywhere.

      At Khao San Road, Bangkok, you can buy any kind of fake ID (including FBI badges) from all over the world except Thai IDs, since faking those would be illegal :-)

  3. Not weird at all. by Anonymous Coward · · Score: 1

    Many trojans/worms/etc have an inbuilt list of friendlies (languages), that they won't infect. For example, take a look at Cryptolocker 3/4 untouchables: Belarus, Ukraine, Russia, Kazakhstan, Armenia, Serbia, Iran.

    Source: http://slashdot.org/comments.pl?sid=8429047&cid=51052519 - Page 26

  4. And this is why... by davidshewitt · · Score: 1

    I root my devices manually.

    I'd rather unlock the bootloader myself (Nexus/OnePlus) and install the su binary I downloaded directly from ChainFire than run some utility written by someone whose reputation I don't know. I also download the su binary directly - not off of a fileshare or forum post. I don't take any chances when I'm gaining root to a machine.

    1. Re:And this is why... by tepples · · Score: 1

      The unlocked bootloader method will wipe your device, and a lot of people don't already have good backup software installed.

    2. Re:And this is why... by Anonymous Coward · · Score: 0

      All tutorials I've found for rooting contained either a detailed part about backups, or at the very least warnings and basic directions.

    3. Re:And this is why... by drinkypoo · · Score: 1

      The unlocked bootloader method will wipe your device, and a lot of people don't already have good backup software installed.

      If you're unlocking your bootloader as part of the process to get root, you can't reasonably do a proper backup anyway... so just let Google back up your phone, and then do the install. Anyone paranoid enough to think Google will sell out all their secret plans to rule the world isn't keeping them on their phone, so who cares about the privacy implications anyway?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:And this is why... by Anonymous Coward · · Score: 0

      not off of a fileshare or forum post. I don't take any chances when I'm gaining root to a machine.

      The real problem is that there are still vendors with locked bootloaders, which means end users must go outside the ecosystem and trust someone to use the exploit for good, not for evil. (cf. dreck like KingRoot used as a means of getting the bootloader unlocking utility up to speed, then installing TWRP and wiping the whole thing to start from scratch/restore from backups.)

    5. Re:And this is why... by tepples · · Score: 1

      so just let Google back up your phone

      Wouldn't this likely cause you to run out of space on your Google drive?

    6. Re:And this is why... by drinkypoo · · Score: 2

      Wouldn't this likely cause you to run out of space on your Google drive?

      Not if you've had the foresight to buy a phone with a card slot, and saved your music etc. there. The apps don't get backed up, they just get reinstalled. Anything the user has sideloaded can be sideloaded again later; anything the user has installed from the Play store will be reinstalled.

      I've used the tactic successfully, but then, I've got card slots. So perhaps this technique is not for everyone.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 5, Informative

    The term is Trojan Horse.

    I'd like to be able to discuss security without thinking of condoms, thanks very much!

    1. Re:Can we please stop calling them 'Trojans'? by U2xhc2hkb3QgU3Vja3M · · Score: 1

      We will not stop calling them "Trojans". So basically, you're fucked.

      /KnowWhatIMeanNudgeNudgeWinkWinkSayNoMore

    2. Re:Can we please stop calling them 'Trojans'? by drinkypoo · · Score: 3

      The term is Trojan Horse.

      No, the term is trojan. We're not talking about a horse, and the term in this context was coined by nerds, so it was kept simple. Trojan. Done.

      FWIW, "A trojan" by default would refer to a resident of Troy, not a condom. The term for that is "Trojan condom"

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 1

      You mistake the famous historical story for proper definitions. The occupants of Troy were Trojans. This is separate from the horse. The computer security term was coined from Trojan horses; however, it was shortened to make communication easier and faster, to Trojan. Thus, both of you are correct, as, were it not for an oddity of slang, it would make no sense to call it a Trojan; however, the term in common use is in fact exactly that.

    4. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 0

      "Trojan" is still short for "Trojan horse," the point is that stinkypoo doesn't understand WHY it's called that.

    5. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 1

      The problem there is that we are the trojans... whereas the software under discussion is the horse. When you get simple things like that wrong, it shows that you don't know what you are saying, and when you don't know what you are saying, that shows you don't know what's going on.

    6. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 0

      But... I really want to have something to be upset about.

    7. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 0

      > The problem there is that we are the trojans...

      That's correct. It's not hard to understand: we ARE the Trojans, in the sense that we are being infiltrated by what we believe to be a 'gift' (in the guise of a useful program) which is actually a malicious invading force (the Greeks).

      It's called a Trojan horse because it convinces us to open our gates to it, unlike a virus or worm which needs no user authorization.
      Remember what happened to the people of Troy -- don't let a Trojan horse catch you off guard.

      Hope that's clear now.

    8. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 0

      No, he/she/it did, and explained why. You have poor reading comprehension, from an AC not otherwise involved in this thread.

    9. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 0

      Trojan brand condom.

    10. Re: Can we please stop calling them 'Trojans'? by brokie · · Score: 1

      I make poopie in your shoe... There, unhappy now?

    11. Re:Can we please stop calling them 'Trojans'? by Anonymous Coward · · Score: 0

      He is wrong in the explanation, the term was NOT coined as "Trojan" by itself to "keep it simple." He's also wrong about why, saying "the Trojans were not the invaders." That's why it's a TROJAN HORSE, which held the invading Greeks.

      Sheesh, your reading comprehension AND your ability to interpret historical context both suck.

  6. Just good software-engineering practice by gweihir · · Score: 4, Interesting

    Do not re-invent the wheel, re-use what is already there. What we are seeing here is a transition from the "genius" hacker (in reality often not even reasonably smart, but very persistent and focused) to normal engineers (engineers without morals to be sure, but history is full of them). The thing that allows this transition is the abysmally bad state of software and device security, which seems to be getting worse, not better.

    Drivers here are classical greed and stupidity, and fascist fantasies of being able to snoop on everybody anywhere, anytime. There are only two outcomes: Security gets fixed (which is a major, major undertaking and requires a cultural change) or we will see a rather drastic end of the advantages of the information age for most people with just a few small elites still profiting.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re: Just good software-engineering practice by __aagigi1968 · · Score: 0

      And another part of the problem is devices being locked up tighter and tighter, so even if you buy a device outright, what you get is a half-crippled handful of spare parts, that you then have to unlock, root, etc. etc. yourself to get the spare parts to work as they're meant to. Devices that are locked should come at half the price, cos they only half work !!! Am going back to an old HTC HD2, cos it's the only device ever marketed (that sold more than 3) that is totally unlockable and is therefore 100% usable...

  7. The Best Code by Anonymous Coward · · Score: 0

    The best code is the code that you copy paste.

    1. Re:The Best Code by niftydude · · Score: 1

      Yep - code reuse is best practice, not laziness.

      --
      You can never know everything, and part of what you do know will always be wrong. Perhaps even the most important part.
    2. Re:The Best Code by Anonymous Coward · · Score: 0

      Maybe I enjoy reinventing the wheel, you insensitive clod.

  8. Why is Slashdot so Anti-Chinese, so biased? by Anonymous Coward · · Score: 0

    You typical foreign filth disgust me. Stick to your own problem and stay away from China. Why are you surprised by the article? It is a fact: Chinese aren't violent like you and will protect China. Most of the hack accusations are not justified and are usually just Chinese justice for the foreign countries stealing from Chinese people and not giving respect.

    1. Re: Why is Slashdot so Anti-Chinese, so biased? by Anonymous Coward · · Score: 0

      Xenophobic for business or pleasure?

    2. Re:Why is Slashdot so Anti-Chinese, so biased? by Anonymous Coward · · Score: 0

      I hope you are trolling but if you are not then deal with this observation.
      "Chinese justice for the foreign countries stealing from Chinese people" China has been stealing technology from not only the US but from any other countries who have advanced technology. China is one of the top countries using industrial espionage. They catch on average 20 Chinese nationals a year trying to smuggle bits and pieces of technology out of the US. One of the more notable examples was when a Chinese national got busted for trying to steal EMP hardened computer processors and memory chips. And the Chinese Party Leaders are the ones stealing from the Chinese people. How in the hell does a self proclaimed communist government produce some of the richest people on the planet?

    3. Re: Why is Slashdot so Anti-Chinese, so biased? by brokie · · Score: 1

      You typicir foreign firth disgust me. Stick to your own probrem and stay away from China. Why are you surplised by the articur? It a fact: Chinese aren't viorent rike you and wirr protect China. Most of the hack accusations are not justified and are usuarry just Chinese justice for the foreign countries stearing from Chinese people and not giving respect. There ftfy :-)

  9. 600 people learned now? by Anonymous Coward · · Score: 1

    Anything non mainstream you should do your research before you install. Everybody reading here surely knows about xda-developers forums etc.

    And it is not news that you can install [any code] and run it if you mean to.

    1. Re:600 people learned now? by KGIII · · Score: 1

      I'd wager that fewer than 6 learned anything specific and long-term from this. Out of those 600 infected devices, I bet they're owned by people who will have infections again in the near future because they failed to change their practices. Were there a way to prove this, I'd be willing to place money on it.

      --
      "So long and thanks for all the fish."
  10. Lazy?? by bloodhawk · · Score: 1

    They may be bastards exploiting people. But Lazy??? WTF! Reusing code that works is the sign of excellent development practices, not laziness.