
New Android Malware Attacks Custom ROMs

Posted by timothy
from the now-that's-offsides-innit dept.
drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key from being installed to user or app-controlled storage."
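The trust decision described in the summary, as a small Python model added here (not code from Lookout, AOSP or CyanogenMod): signature-level permissions follow the platform signer, and the hardened policy refuses platform-signed packages outside /system. The fingerprints, package names and the `hardened` flag are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed placeholder fingerprints; the page gives no real certificate values.
PUBLIC_AOSP_PLATFORM_KEY = "FP-PLACEHOLDER-PUBLIC-AOSP-PLATFORM"
PRIVATE_ROM_KEY = "FP-PLACEHOLDER-PRIVATE-ROM-BUILDER"

INSTALL = "android.permission.INSTALL_PACKAGES"
DELETE = "android.permission.DELETE_PACKAGES"
SEND_SMS = "android.permission.SEND_SMS"

# The protection level decides who may hold a permission.
PROTECTION = {
    INSTALL: "signatureOrSystem",
    DELETE: "signatureOrSystem",
    SEND_SMS: "dangerous",
}


@dataclass(frozen=True)
class Package:
    name: str
    signer: str            # fingerprint of the signing certificate
    path: str              # where the APK lives on the device
    requested: tuple = ()  # permissions named in the manifest


def on_system_image(pkg):
    """True for packages shipped inside the ROM's read-only system image."""
    return pkg.path.startswith("/system/")


def granted(pkg, platform_signer):
    """Permissions the package ends up holding after installation."""
    held = set()
    for perm in pkg.requested:
        level = PROTECTION.get(perm)
        if level == "signatureOrSystem":
            # No user prompt: the signer (or the install location) is the gate.
            if pkg.signer == platform_signer or on_system_image(pkg):
                held.add(perm)
        elif level == "dangerous":
            held.add(perm)  # listed to the user on the install screen
    return held


def install_allowed(pkg, platform_signer, hardened):
    """Model of the fix in the summary: with hardened=True, a package signed
    with the platform key may not go to user or app-controlled storage."""
    if hardened and pkg.signer == platform_signer and not on_system_image(pkg):
        return False
    return True


def audit(packages, platform_signer, public_signers):
    """Defender's check over an installed-package inventory."""
    findings = []
    if platform_signer in public_signers:
        findings.append("ROM platform key is publicly available")
    for pkg in packages:
        if pkg.signer == platform_signer and not on_system_image(pkg):
            findings.append(f"{pkg.name}: platform-signed package outside /system")
    return findings


# Constructed sample inventory.
SIDELOADED = Package("com.example.sideloaded", PUBLIC_AOSP_PLATFORM_KEY,
                     "/data/app/com.example.sideloaded.apk",
                     (INSTALL, DELETE, SEND_SMS))
ROM_APP = Package("com.example.rom.settings", PUBLIC_AOSP_PLATFORM_KEY,
                  "/system/app/Settings.apk", (INSTALL,))

if __name__ == "__main__":
    for rom_key in (PUBLIC_AOSP_PLATFORM_KEY, PRIVATE_ROM_KEY):
        print(rom_key, sorted(granted(SIDELOADED, rom_key)))
    print(install_allowed(SIDELOADED, PUBLIC_AOSP_PLATFORM_KEY, hardened=True))
    print(audit([SIDELOADED, ROM_APP], PUBLIC_AOSP_PLATFORM_KEY,
                {PUBLIC_AOSP_PLATFORM_KEY}))
```

On a ROM signed with a private key, the same sideloaded package holds only the permission the user was shown, which is the point several commenters make about key reuse.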

  • Once again... (Score:5, Insightful)

    by Daetrin (576516) on Thursday June 16, 2011 @05:36PM (#36468410)
    The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.

    Of course hopefully this isn't news to people who are already computer savvy.
    • by MobileTatsu-NJG (946591) on Thursday June 16, 2011 @05:42PM (#36468494)

      The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs...

      Heh. You should look into why people flash their own ROMs.

    • Re:Once again... (Score:5, Insightful)

      by gweihir (88907) on Thursday June 16, 2011 @05:43PM (#36468504)

      That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.

    • Re:Once again... (Score:5, Informative)

      by errandum (2014454) on Thursday June 16, 2011 @05:57PM (#36468640)

      No, half of what you said is completely wrong.

      Flashing a 2.3 ROM will allow you to get the latest security fixes on those mobile phones that are no longer supported by the manufacturer. Even 2+ year old phones get the latest versions from cyanogen, so it extends the life of your device way beyond that of an iPhone.

      Furthermore, unlike apple, that seems to abandon a device when they decide it is too hard to update for it, most of the custom ROMs are made from people that actually own the device, so they simply strip down some features and/or add alternatives so that everyone ends up with the latest fixes.

      The only truth on what you said was, try not to install apps that didn't come from the Android Market and/or reputable sources. Just because you have the choice of installing something else, doesn't mean you should trust everyone.

      • by Brannon (221550) on Thursday June 16, 2011 @06:03PM (#36468704)

        This is an Android story.

        And since when does Apple not support software on 2+ year old phones? Can you name a single vulnerability for any version of iPhone which doesn't have an available Apple-supported patch?

        Any single one. Dating back to the original iPhone from 4 or so years ago. Go ahead, I'll wait.

        • by errandum (2014454) on Thursday June 16, 2011 @06:10PM (#36468780)

          http://support.apple.com/kb/HT4291 [apple.com]

          where is the original iphone in the sentence:

          "Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later"

          I haven't read, just searched google for "iPhone security updates"

          There, you can stop waiting. That took the grand total of 2 minutes to find.

        • by errandum (2014454) on Thursday June 16, 2011 @06:16PM (#36468838)

          And I speak from experience because I did own an original iPhone that stopped being supported long long ago.

          And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.

          That means 2 years support (as I said) is the norm. Compare that to the 7 years of support windows XP had and you'll get my point.

          • by peragrin (659227) on Thursday June 16, 2011 @08:20PM (#36469886)

            true but Android handset manufacturers only give you 6 months of bug fixes, and maybe 18 months if it was a really popular handset.

            Apple gives you 30 months (my iphone 3G is updated to 4.1). Then again apple doesn't let the battery be easily changed, so after 3 years the battery life is drastically reduced. With proper care they can still be good (I still get 2-3 days out of mine) but I take care to turn off wifi and bluetooth when not in use.

            Windows Phone only gives you bug fixes if the carriers approve taking 2-6 months longer than MSFT, so no emergency bug fixes will be pushed through.

            All that said I have to go root my nook color soon. The built in web browser and email client are beginning to annoy me.

            • by errandum (2014454) on Thursday June 16, 2011 @08:37PM (#36470030)

              That's the whole point of the original argument (that fanboys modded down)

              While there are people out there that use a phone, anyone can compile the latest fixes (or get them from someone who knows how), hence, having a very long term support.

              Saying "ohh, don't install custom roms or you might get viruses" is stupid because those custom roms will give you access to the latest version on most phones when it comes out (with all the security features).

              You don't depend on a company (Apple or HTC or Samsung) to get your updates. If you want them, you can do it yourself.

              PS: 2 years, 2.5, what's the point? It's limited support and, sometimes, crappy (if you have a 3G you know that iOS 4 kind of made it... crap - hanging a lot etc).

              So, to sum up, no, ROMs aren't evil and if you still take care with the places you get apps from there is no problem whatsoever.

              • by peragrin (659227) on Friday June 17, 2011 @06:43AM (#36472472)

                Actually my 3G never suffered from iOS 4 problems for some reason. It doesn't hang, it doesn't do anything that was complained about. Indeed now that it has been running a while it is moving as fast as it ever did.

                then again I don't play a lot of games on my phone so I might not have stressed it enough to notice.

                my only problem is if the android community doesn't care to upgrade your phone for you it never will be. How come Apple gets blasted for not supporting a phone for 20 years but android manufacturers get off the hook for not doing it for 6 months. Double standards piss me off.

              • by wkcole (644783) on Friday June 17, 2011 @01:06PM (#36476592)

                That's the whole point of the original argument (that fanboys modded down)

                While there are people out there that use a phone, anyone can compile the latest fixes (or get them from someone who knows how), hence, having a very long term support.

                Not so much, or at least not always.

                For some phones (e.g. the Samsung Moment, released November 2009) you MUST have a real Windows machine (i.e. not even a VM ) to replace the manufacturer's deathgrip firmware. See, the "USB" port is shaped right and everything and often acts much like a real USB port, but when it comes to flashing the devices, well, it isn't. It's something that you need special drivers to talk to, and unless you want to go writing almost-USB drivers for some other system, you are stuck needing Windows running on bare metal. I sure wish I'd known that in 2009... It's not that I would have bought an iPhone (AT&T signal is zero where I am sitting) but it definitely would have made me more careful. Based on what I've read, Motorola and HTC have also worked to make it difficult to reflash their handsets. I'm not sure that there's a device running Android that is worth having once you eliminate the makers who have worked to close the mythical openness of Android.

                I think that's what has essentially ruined any sort of advantage Android might have had over other platforms based on its "openness." It's a myth that comes very close to fraud, missing only because the real evangelists of the myth are fanboys rather than anyone selling anything. It would be easier for me to jailbreak an iPhone than to flash my Moment with Android 2.2, even if I did have a Windows machine to do so with. For most users, a phone OS is not usefully "open" if their device manufacturer and carrier want it to be closed, as is the case for the biggest device manufacturers and all of the major US carriers. Making that worse, the resource demands of Android have increased so much with successive versions that I doubt it would even make sense to try 2.3. The same has not been true of iOS over the same period. The unfortunate reality is that people who bought the latest iOS devices in the second half of 2009 (i.e. iPhone 3GS and 3rd gen. Touch) are still able to run the latest iOS rather painlessly, whereas most people who bought Android devices during the same period are probably never going to see anything later than 2.1 in a form that is easy to install and even those who do get 2.2 will probably not be happy with what they get. It's enough to make me miss Palm...

          • by simmonsjeffreya (2259752) on Thursday June 16, 2011 @11:13PM (#36470880)
            The way Apple does updates is a non-issue for most Mac users and makes sense to drop support for older versions.

            A.) It keeps most people on a similar OS version, making it easier for Apple and I'd suspect most developers appreciate this as well. It's no fun trying to support a million different OS configurations, which is the case with Windows.
            B.) They still support even the oldest Intel Macs with the latest OS, no one is being left out. This again allows everyone to be on a similar OS, making it easier for them.
            C.) Unlike Windows where upgrading costs hundreds, even for a laptop that may have only cost $400, an OS X full system upgrade is only $30. If you paid $1,500-$5,000 for a system, $30 shouldn't be making you cringe, and personally, the features added are well worth the $30.
            D.) It minimizes the amount of users who, for one reason or another, choose to stick with an OS that is over ten years old. Again, this is an issue for developers, who have to support all these configurations or lose out on a good portion of potential sales.

            IMO, Apple is doing things the right way, and if I were in charge of a tech company that produced one of the major consumer operating systems, I would much rather go the route they chose, than the route Microsoft chose. All of these reasons apply to OS X as well as iOS.
          • by teh kurisu (701097) on Friday June 17, 2011 @03:48AM (#36471996) Homepage

            And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.

            Generally I find that it's support from app developers that starts to disappear first, as they start to take advantage of new OS features. Apple security updates for a given version of OS X are usually the last to dry up.

      • by dudpixel (1429789) on Thursday June 16, 2011 @11:58PM (#36471084)

        wait, you're comparing apple with custom rom makers now?

        I love android but this is not an apples to apples comparison, pun intended.

        How much support does Google give you for your phone software updates?
        How much support does the manufacturer of your phone give?

        I'd say Apple supports their hardware AND software a lot better than either of the above.

        It's great that Android is open source, but you can't compare the efforts of ROM makers with an actual manufacturer. If Apple released their source code, do you not think the jailbreak community would have something equally as good?

        Let's not make this story into something it isn't.

        What we do have with Android is greater freedom which brings greater responsibility. "Look before you leap" definitely applies when flashing custom ROMs on your phone AND when installing apps on your phone.

        I use Lookout Mobile security on my phone (no I don't work for them) since I'm a bit paranoid, and it doesn't slow down the phone.

        • by errandum (2014454) on Friday June 17, 2011 @06:59AM (#36472514)

          Oh god.

          No, I was answering to the person who said using custom roms was dangerous and half way to get a virus. Unlike what was said, they let you have the latest fixes for a long time after it stops being supported.

          I said that in a way it was an advantage over apple because, even though they support your phones for 2 years, after you're abandoned, either you buy a new one, or you're stuck with what you get.

    • by TehDuffman (987864) on Thursday June 16, 2011 @05:58PM (#36468646) Journal

      Of course hopefully this isn't news to people who are already computer savvy.

      Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

      • by hedwards (940851) on Thursday June 16, 2011 @06:02PM (#36468694)

        I don't know, I think that people who aren't computer literate aren't likely to know that they can. But some of the apps out there will handle it for you, with little interaction on your part.

      • Re:Once again... (Score:3, Insightful)

        by tooyoung (853621) on Thursday June 16, 2011 @06:13PM (#36468806)

        Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

        Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?

        • Re:Once again... (Score:5, Informative)

          by artor3 (1344997) on Thursday June 16, 2011 @06:19PM (#36468880)

          Nice flamebait, but Android phones can leave the walled garden with a simple checkbox in the options menu. Flashing your own ROM is something else entirely.

        • by znerk (1162519) on Thursday June 16, 2011 @07:20PM (#36469372)

          I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone.

          I have to assume you're an idiot who can't be bothered doing a few seconds of research to see just how incredibly inaccurate that statement is.

          Yes, some companies (hi, Sprint) lock their android devices down nice and tight, preventing the user from removing the stock apps, etc... others (such as AT&T) have a system that is remarkably open, and you wouldn't feel the need to root your device unless you were trying to circumvent specific things (the lack of wi-fi hotspot capability unless you pay an exorbitant fee, for example).

          I bought an Atrix, and my Sprint/Cricket-using friends were all amazed when I showed them that I can uninstall/reinstall the stock AT&T-branded apps at will, with no flashing or rooting required.

        • by thegarbz (1787294) on Thursday June 16, 2011 @08:57PM (#36470196)

          Vendors don't load phone with crapware, carriers do. Also carriers only have one lockdown feature available which is the standard carrier lock on all phones.

          But even looking at the worst vendor, Motorola, there is no additional lockdown in the functionality of the phone. Your Motorola Droid is every bit as functional as a Google Nexus S operating system wise. The only additional locks some dodgy vendors put in the system is one that prevents the kind of tinkering that allows you to play with custom ROMs or flashing the bootloader. The Droid is as locked down as the iPhone. It's also not very popular.

          But again that's just one vendor. Pick another if you don't like it. For the major tinkerer who likes to play with things such as Cyanogen mod the Samsung Galaxy S for instance you hold down 3 buttons and it puts you into download mode. Run a tool on the computer and you can flash whatever the hell you want to the phone.

          • by Kalriath (849904) on Thursday June 16, 2011 @10:07PM (#36470602)

            Actually, that's wrong. Carriers can also lockdown Android to not allow installation of non-market apps. AT&T used to.

            • by thegarbz (1787294) on Friday June 17, 2011 @01:59AM (#36471574)

              Actually it's still right. But you're right too. This is the result of the strange relationship vendors have with specific carriers rather than a result of the carriers themselves. Carriers can add CSCs to Android which do things like push the aforementioned bloatware, but they can NOT disable features of the OS. They rely on vendors creating a specific handset for the carrier with specific firmware modifications if they wish to do that. e.g. There are two HTC Arias in circulation. One has an AT&T logo on it and comes with the restriction you mention. This is HTC's doing, not AT&T's, and there's nothing stopping me from getting the normal HTC Aria and signing up to a pre-paid AT&T without restrictions.

              The way your mobile vendors and carrier work together to bring the same product with a different logo on it is incredible to say the least. The example I used before the Samsung Galaxy S there are:
              Samsung Captivate - AT&T
              Samsung Vibrant - T-Mobile
              Samsung Fascinate - Verizon
              Samsung Epic - Sprint
              Samsung Galaxy S - The rest of the bloody world.

              These phones are so close to identical that you can cross load the firmwares between them. They have minor differences in buttons but are all a Samsung Galaxy S underneath.

              In comparison in Australia you get
              Samsung Galaxy S with the OPS CSC - Optus
              Samsung Galaxy S with the VAU CSC - Vodafone
              Samsung Galaxy S with the XSA CSC - Telstra

              All the same phone with CSCs just as intended by the Android system. All phones have an identical feature set save for the added bloatware.

        • In the world of "custom rom with one possible problem as a result that's been fixed in cyanogen" vs "stock rom that never gets updated with security fixes two years later", I'll take my chances with the first.

      • by ColdWetDog (752185) on Thursday June 16, 2011 @06:13PM (#36468812) Homepage

        Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

        Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMS and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you.

        There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but the malware authors think there is enough of a market to spend the time to hack at the platform.

        • by TehDuffman (987864) on Thursday June 16, 2011 @09:32PM (#36470416) Journal

          Who is flashing their phone if they aren't computer literate. I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.

          Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMS and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you. There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but the malware authors think there is enough of a market to spend the time to hack at the platform.

          Apparently your reading level is elementary school -1...

          We aren't talking about rooting or jail breaking a phone here. This is completely changing the operating system on your phone. It requires quite a bit more time and effort than rooting your phone. Most people who are changing the ROMs on their phones know what they are doing. Only something like 500k use CM which is a tiny fraction of the android user base.

      • by Daetrin (576516) on Thursday June 16, 2011 @07:08PM (#36469300)
        Please note the "and/or" in the original statement. I don't know how many people flash new ROMs who aren't as computer savvy as they think they are (though I suspect it's a non-zero number) but installing "unapproved" apps is pretty easy to do.
      • by AvitarX (172628) <me AT brandywinehundred DOT org> on Friday June 17, 2011 @01:22AM (#36471390) Journal

        I'd be willing to bet plenty of the "computer literate" type do. It's not that hard to follow step by step directions.

        I suspect many do it for free/reduced price apps from shady sources even.

        The type of person that said ie7 was essentially Firefox at the office (they were digging the tabs, which I guess made them somewhat similar at a glance). The type with 10s of thousands of dollars of software on their computer that they don't even vaguely know how to use. Pretty much anyone with 'lite skillz would be a pretty easy target for this I bet.

        Hell, it makes me nervous to know that an app can bypass the permissions granting on my phone, it's kind of a big deal.

    • by PopeRatzo (965947) * on Thursday June 16, 2011 @06:17PM (#36468854) Homepage Journal

      The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one then Google will send its army of hackers to try to destroy your life with malware

      Fixed.

    • by syousef (465911) on Thursday June 16, 2011 @06:42PM (#36469096) Journal

      The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.
      Of course hopefully this isn't news to people who are already computer savvy.

      That's the lesson you took from this? I would have thought the lesson to learn was that customer hostile bullshit, like trying to allow apps to install without their consent, is a breach of basic security principles.

    • by w0mprat (1317953) on Thursday June 16, 2011 @07:01PM (#36469248)
      Once again... it's still massively better than the desktop software ecosystem. Significant malware problems are largely absent considering the millions of devices kicking about now. Android and indeed other platforms can still be called "Virus free" as a rule, although there have been some exceptions.

      Android also has a pretty good security model in the OS. There's certainly no cause for alarm.

      Massive respect to the ROM community for releasing a security update fast.
    • by Jonner (189691) on Thursday June 16, 2011 @08:13PM (#36469818)

      It's always a really dumb idea to download random apps from anywhere as anyone who has downloaded trojans from the Google Market knows. The other important lesson from this is that you should not sign code with a well-known private key. It was a pretty dumb thing for the CM team to do.

      • by colinnwn (677715) on Friday June 17, 2011 @01:40AM (#36471486)
        I couldn't find a reference to whether CM was signing their ROM with the AOSP private key or not. Maybe they were, or maybe they weren't. This summary and the link to the CM developer comment don't by themselves suggest CM was actually doing that dumb thing. What the CM 7.0.3 update supposedly prevents is the installation of any external apps signed with the AOSP private key. It is like how the native ActiveSync client in Android doesn't allow the use of self signed certificates anymore.
  • by gweihir (88907) on Thursday June 16, 2011 @05:41PM (#36468476)

    Those that do not understand how Public Key Crypto works should not use it.

  • by technomom (444378) on Thursday June 16, 2011 @06:09PM (#36468770)
    Of the ROM-installing community, what percentage is NOT using CM 7.0.3?
  • by nickovs (115935) on Thursday June 16, 2011 @06:38PM (#36469044)

    ... while the code for Android is GPLv2, the move of various other projects towards GPLv3 is only going to make this sort of problem worse. The 'anti-Tivoisation' [wikipedia.org] clause basically demands that some authorised signing key gets distributed with any GPLv3 code that needs to be signed in order to run, and that the available signing key grants all the rights necessary for that code to function. While it is of course possible for users to completely rebuild the trust hierarchy with their own keys, very few people will be willing to do so. As a result it seems likely that any GPLv3 project will be unable to make effective use of signing as a mechanism for preventing the execution of rogue code, even if the license allows for it in theory.

    • ... while the code for Android is GPLv2,

      No, it isn't. The kernel is GPLv2, but that's just a tiny wee bit of Android. The user-space code uses a mixture of non-copyleft licences (mostly the APL).

      the move of various other projects towards GPLv3 is only going to make this sort of problem worse.

      Much as I dislike the GPL (and especially the GPLv3), that's nonsense.

      --jch

    • While I dislike the GPL, you're wrong. The problem is not that the private key used to build the OS was publicly available, but that any app using that key was trusted implicitly. Fix that (which is what they just did), and the problem goes away. From what I've read, it sounds like Windows 7 has the same problem. I believe UAC is disabled for apps signed with Microsoft's private key. If anyone ever got their hands on that key (I wouldn't be surprised if the US and/or Chinese governments already had it), they could do a lot with it.

  • by jabberw0k (62554) on Friday June 17, 2011 @01:00AM (#36471318) Homepage Journal
    You don't have "firmwares" any more than you can have "softwares" or "hardwares" or "clothings" -- no; you have two firmware sets, two pieces of software, two pieces of hardware, and two items of clothing. These are all collective nouns.
  • by Babystrauss (2276264) on Friday June 17, 2011 @04:10AM (#36472070) Homepage
    Welcome to the new world. I am still waiting for the first virus to kill my office mobile ^^
  • by ThatsNotPudding (1045640) on Friday June 17, 2011 @07:33AM (#36472652)
    until every platform, OS, - hell, everything smarter than a toaster - is rendered insecurable.
