New Android Malware Attacks Custom ROMs
drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key from being installed to user or app-controlled storage."
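The check a ROM maintainer or user would want here, as an added example that is not from the article, Lookout or CyanogenMod: a small Python script that reads the v1 (JAR-style) signing certificate out of an APK, reports its SHA-1 fingerprint in keytool's format, and lists apps signed with the same certificate as the ROM's platform APK (assumed to be /system/framework/framework-res.apk pulled from the device). The DER walker assumes the standard PKCS#7 SignedData layout of a META-INF/*.RSA block; the `fake_apk` fixture is constructed for demonstration only and carries no real signature.

```python
import hashlib, io, zipfile

def _tlv(buf, off):
    """One DER TLV at `off` -> (tag, value_start, value_end); handles long lengths."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def first_cert_der(pkcs7):
    """DER bytes of the first certificate inside a PKCS#7 SignedData blob."""
    _, s, _ = _tlv(pkcs7, 0)                      # ContentInfo SEQUENCE
    _, s, _ = _tlv(pkcs7, _tlv(pkcs7, s)[2])      # skip contentType OID, enter [0] EXPLICIT
    _, s, e = _tlv(pkcs7, s)                      # SignedData SEQUENCE
    while s < e:                                  # version, digestAlgs, content, [0] certs
        tag, vs, ve = _tlv(pkcs7, s)
        if tag == 0xA0:
            return pkcs7[vs:_tlv(pkcs7, vs)[2]]   # whole first Certificate TLV
        s = ve
    raise ValueError("no certificate in SignedData")

def apk_signer_fingerprint(apk):
    """SHA-1 of the v1 signing cert, formatted like keytool (AA:BB:...)."""
    with zipfile.ZipFile(apk) as z:
        rsa = [n for n in z.namelist() if n.startswith("META-INF/") and n.upper().endswith(".RSA")]
        if not rsa:
            raise ValueError("APK has no v1 signature block")
        cert = first_cert_der(z.read(rsa[0]))
    hx = hashlib.sha1(cert).hexdigest().upper()
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))

def apps_sharing_platform_key(platform_apk, app_apks):
    """Names of APKs signed with the ROM's platform cert (assumed: framework-res.apk)."""
    platform = apk_signer_fingerprint(platform_apk)
    return [name for name, apk in app_apks if apk_signer_fingerprint(apk) == platform]

def fake_apk(cert_body):
    """Constructed fixture: in-memory APK whose CERT.RSA wraps a dummy cert (no real signature)."""
    def der(tag, body): return bytes([tag, len(body)]) + body   # short lengths only
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, b"")
                 + der(0xA0, der(0x30, cert_body)))
    pkcs7 = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02") + der(0xA0, signed))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/CERT.RSA", pkcs7)
    buf.seek(0)
    return buf
```

On a real device, pull framework-res.apk and the contents of /data/app, then pass their paths to `apps_sharing_platform_key`; any hit is an app that holds the platform's signature-level permissions, which is exactly what the CyanogenMod fix refuses to install.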
Once again... (Score:5, Insightful)
Of course hopefully this isn't news to people who are already computer savvy.
Re:Once again... (Score:5, Insightful)
That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.
Re:Once again... (Score:4, Insightful)
Re:Incompetent key handling. No surprise. (Score:5, Insightful)
That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
Re:Once again... (Score:3, Insightful)
Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone. I can only assume that the advice is to buy an Android phone from a vendor and flash it. Doesn't this open a number of non-technical people to issues like this?