New Android Malware Attacks Custom ROMs
drmacinyasha writes "Today Lookout disclosed a new form of Android malware found in Chinese markets which attacks third-party firmwares (ROMs). By using permissions granted to apps which are signed with the same private keys as the ROM itself, an app can update itself or install and uninstall other apps without user interaction. Most third-party ROMs use the private keys included in the Android Open Source Project, making them vulnerable to this attack. Last month's release of CyanogenMod 7.0.3 (and all subsequent builds) included an "important security fix" which a team member confirmed protects users against this vulnerability by preventing applications signed with the platform key from being installed to user or app-controlled storage."
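The mechanism the summary describes, as an added example that is not part of the original post or of Lookout's or CyanogenMod's code: a toy model of Android's signature-level permission grant (a permission with protectionLevel "signature" goes to any package signed by the same certificate as the platform) and of the CyanogenMod 7.0.3 behaviour of refusing platform-signed packages outside /system. The key fingerprints, package name and permission set are constructed stand-ins, not real AOSP test-key hashes.

```python
# Added example (not from the Slashdot post or from Lookout/CyanogenMod code): a toy model
# of Android's signature-level permission grant and of the CyanogenMod 7.0.3 mitigation
# described in the summary. Key fingerprints are constructed stand-ins, not real AOSP values.
import hashlib
from dataclasses import dataclass, field


def fingerprint(label: str) -> str:
    """Stand-in for a signing certificate fingerprint (constructed, not a real key hash)."""
    return hashlib.sha256(label.encode()).hexdigest()[:16]


# The AOSP tree ships test keys; a ROM built with them is signed by a key everyone has.
AOSP_TESTKEY = fingerprint("aosp-build-target-product-security-testkey")  # constructed
ROM_PRIVATE_KEY = fingerprint("rom-maintainer-private-key")               # constructed

# Permissions with protectionLevel "signature": granted only to packages whose signer
# matches the package that declared them (the platform, for these two).
SIGNATURE_PERMISSIONS = {
    "android.permission.INSTALL_PACKAGES",
    "android.permission.DELETE_PACKAGES",
}


@dataclass
class Apk:
    package: str
    signer: str                 # fingerprint of the signing certificate
    requested: frozenset        # permissions listed in the manifest
    location: str = "data"      # "system" for ROM-bundled apps, "data" for user installs


@dataclass
class Device:
    platform_signer: str
    cm_fix: bool = False        # CM 7.0.3: refuse platform-signed APKs outside /system
    installed: dict = field(default_factory=dict)


def install(device: Device, apk: Apk) -> tuple:
    """Return (accepted, granted_permissions, reason) for one install attempt."""
    same_as_platform = apk.signer == device.platform_signer
    if device.cm_fix and same_as_platform and apk.location != "system":
        return False, frozenset(), "rejected: platform-signed package outside /system"
    # Normal permissions are granted as requested; signature permissions only to the
    # platform's own signer. This is the trust decision the malware abuses.
    granted = frozenset(
        p for p in apk.requested
        if p not in SIGNATURE_PERMISSIONS or same_as_platform
    )
    device.installed[apk.package] = granted
    return True, granted, "installed"


def scenarios() -> dict:
    """Run the three cases a ROM maintainer cares about and return each outcome."""
    # Constructed sample: a market app signed with the public test key, as in the summary
    rogue = Apk(
        "com.example.rogue",
        AOSP_TESTKEY,
        frozenset(SIGNATURE_PERMISSIONS | {"android.permission.INTERNET"}),
    )
    results = {}
    # 1. ROM built with the AOSP test keys, no fix: the app is trusted like the platform
    d = Device(platform_signer=AOSP_TESTKEY)
    results["testkey_rom_unpatched"] = install(d, rogue)
    # 2. Same ROM with the CM 7.0.3 behaviour: the install is refused outright
    d = Device(platform_signer=AOSP_TESTKEY, cm_fix=True)
    results["testkey_rom_cm_fix"] = install(d, rogue)
    # 3. ROM signed with a key only the maintainer holds: the app installs but the
    #    signature permissions are withheld, so it gets only INTERNET
    d = Device(platform_signer=ROM_PRIVATE_KEY, cm_fix=True)
    results["private_key_rom"] = install(d, rogue)
    return results


if __name__ == "__main__":
    for name, (ok, granted, why) in scenarios().items():
        print(f"{name}: {why}; granted={sorted(granted)}")
```

The model makes the two independent defences visible: re-signing the ROM with a maintainer-held key removes the trust relationship, and the CM 7.0.3 install check blocks the attack even on a test-key build. On a real device the signer of a bundled or sideloaded APK can be read with `apksigner verify --print-certs <apk>` and compared against the certificate the ROM was built with.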
Once again... (Score:5, Insightful)
Of course hopefully this isn't news to people who are already computer savvy.
Re: (Score:3)
The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs...
Heh. You should look into why people flash their own ROMs.
Re:Once again... (Score:4, Insightful)
Re:Once again... (Score:5, Insightful)
That is not the problem (or only part of it). The problem is that if you roll your own ROM, you need to use your own private key. Using Public Key Cryptography wrong removes any security it grants.
Re: (Score:1)
Using Public Key Cryptography wrong removes any security it grants.
You can even see the problem in the original article, which refers to:
publicly available private keys
What's wrong with this picture?
Re: (Score:2)
Test-keys, probably with a strong "DO NOT USE FOR PRODUCTION" comment. That is typically fine, if the users have a minimum of knowledge, skill and diligence. Qualities sadly missing in many people fancying themselves hackers or developers.
That an OS development kit does assume a minimum of competence is perfectly fine IMO.
Re:Once again... (Score:5, Informative)
No, half of what you said is completely wrong.
Flashing a 2.3 ROM will allow you to get the latest security fixes on those mobile phones that are no longer supported by the manufacturer. Even 2+ year old phones get the latest versions from cyanogen, so it extends the life of your device way beyond that of an iPhone.
Furthermore, unlike Apple, which seems to abandon a device when they decide it is too hard to update for it, most of the custom ROMs are made by people that actually own the device, so they simply strip down some features and/or add alternatives so that everyone ends up with the latest fixes.
The only truth on what you said was, try not to install apps that didn't come from the Android Market and/or reputable sources. Just because you have the choice of installing something else, doesn't mean you should trust everyone.
Why are you talking about Apple? (Score:2, Flamebait)
This is an Android story.
And since when does Apple not support software on 2+ year old phones? Can you name a single vulnerability for any version of iPhone which doesn't have an available Apple-supported patch?
Any single one. Dating back to the original iPhone from 4 or so years ago. Go ahead, I'll wait.
Re: (Score:1)
http://support.apple.com/kb/HT4291 [apple.com]
Where is the original iPhone in the sentence:
"Available for: iOS 2.0 through 4.0.1 for iPhone 3G and later, iOS 2.1 through 4.0 for iPod touch (2nd generation) and later
I haven't read, just searched google for "iPhone security updates"
There, you can stop waiting. That took the grand total of 2 minutes to find.
Re: (Score:2)
That's exactly my point. After a while they stop supporting them - didn't think to look in Wikipedia.
Those android versions, how do they work without the extra buttons?
Re: (Score:2)
Iffy, at best, I'd wager, but not impossible. The Autonooter ROM for the Nook Color uses "softkeys" as a passable but far-from-perfect replacement that implements the buttons in software. CyanogenMod has a much nicer and more functional one, but unfortunately, I don't know what it is.
Re: (Score:2)
Re:Why are you talking about Apple? (Score:4, Interesting)
And I speak from experience because I did own an original iPhone that stopped being supported long long ago.
And the way every single major version of Mac OS stops being supported not too long after a major version goes out. Unless you buy the upgrade you're screwed.
That means 2 years of support (as I said) is the norm. Compare that to the 7 years of support Windows XP had and you'll get my point.
Re: (Score:2)
True, but Android handset manufacturers only give you 6 months of bug fixes, and maybe 18 months if it was a really popular handset.
Apple gives you 30 months (my iPhone 3G is updated to 4.1). Then again Apple doesn't let the battery be easily changed, so after 3 years the battery life is drastically reduced. With proper care they can still be good (I still get 2-3 days out of mine) but I take care to turn off wifi and bluetooth when not in use.
Windows Phone only gives you bug fixes if the carriers appro
Re: (Score:3)
That's the whole point of the original argument (that fanboys modded down)
While there are people out there that use a phone, anyone can compile the latest fixes (or get them from someone who knows how), hence having very long term support.
Saying "ohh, don't install custom roms or you might get viruses" is stupid because those custom roms will give you access to the latest version on most phones when it comes out (with all the security features).
You don't depend on a company (Apple or HTC or Samsung) to g
Re: (Score:2)
Actually my 3G never suffered from iOS 4 problems for some reason. It doesn't hang, it doesn't do anything that was complained about. Indeed, now that it has been running a while it is moving as fast as it ever did.
then again I don't play a lot of games on my phone so I might not have stressed it enough to notice.
my only problem is if the android community doesn't care to upgrade your phone for you it never will be. How come Apple gets blasted for not supporting a phone for 20 years but android manufactu
Re: (Score:2)
You did not see the uproar on the htc page when they said 2.3 was not coming to the Desire? It seems that now it will.
No one is off the hook. But android gives you a valid alternative to the lack of support the big corporations give you.
Re: (Score:2)
That's the whole point of the original argument (that fanboys modded down)
While there are people out there that use a phone, anyone can compile the latest fixes (or get them from someone who knows how), hence having very long term support.
Not so much, or at least not always.
For some phones (e.g. the Samsung Moment, released November 2009) you MUST have a real Windows machine (i.e. not even a VM) to replace the manufacturer's deathgrip firmware. See, the "USB" port is shaped right and everything and often acts much like a real USB port, but when it comes to flashing the devices, well, it isn't. It's something that you need special drivers to talk to, and unless you want to go writing almost-USB drivers for some other system, you are stuck
Re: (Score:1)
A.) It keeps most people on a similar OS version, making it easier for Apple and I'd suspect most developers appreciate this as well. It's no fun trying to support a million different OS configurations, which is the case with Windows.
B.) They still support even the oldest Intel Macs with the latest OS, no one is being left out. This again allows everyone to be on a similar OS, making it ea
Re: (Score:3)
Re: (Score:2)
I think you're getting muddled up - Snow Leopard was the first release to be priced at around $30 (and Lion will be the second). Previously, releases cost around $130.
Both of these releases were Intel only. The last version of OS X to support PPC was Leopard, and upgrading from Tiger to Leopard would have cost $130.
Re: (Score:2)
Re: (Score:2)
It sounds incorrect to me, although I'm not infallible :)
I do distinctly remember that I didn't upgrade my PowerBook G4 to Leopard because I couldn't justify the cost. $30 I could stomach, $130 not so much.
Re: (Score:2)
From what I heard, when iPhones started needing versions of iTunes that don't run on 10.4 while 10.5 was already not available, it was possible to call in to Apple's tech support, tell them you can't find 10.5, and they'd send you 10.5 for free.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Generally I find that it's support from app developers that starts to disappear first, as they start to take advantage of new OS features. Apple security updates for a given version of OS X are usually the last to dry up.
Re: (Score:2)
Show me those 3 years please. Count the months. Most go for 2.x years. iPhone 4 might go for a lot longer simply because the iPhone 5 is nowhere to be seen. But that's it.
Even that article proves my point. That's when they announced no more updates, but the last update was 3.1.3 that got released way before the "3 years" you claim.
Re: (Score:2)
wait, you're comparing apple with custom rom makers now?
I love android but this is not an apples to apples comparison, pun intended.
How much support does Google give you for your phone software updates?
How much support does the manufacturer of your phone give?
I'd say Apple supports their hardware AND software a lot better than either of the above.
It's great that Android is open source, but you can't compare the efforts of ROM makers with an actual manufacturer. If Apple released their source code, do you not
Re: (Score:2)
Oh god.
No, I was answering the person who said using custom ROMs was dangerous and halfway to getting a virus. Unlike what was said, they let you have the latest fixes for a long time after it stops being supported.
I said that in a way it was an advantage over apple because, even though they support your phones for 2 years, after you're abandoned, either you buy a new one, or you're stuck with what you get.
Re: (Score:1)
Of course hopefully this isn't news to people who are already computer savvy.
Who is flashing their phone if they aren't computer literate? I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
Re: (Score:3)
I don't know, I think that people who aren't computer literate aren't likely to know that they can. But some of the apps out there will handle it for you, with little interaction on your part.
Re: (Score:3)
It's weird but I've experienced the opposite...
People who are very illiterate with computers ask me about 'hacking' their device constantly, for free stuff.
Re: (Score:3, Insightful)
Well, we see a lot of posts on /. where people are advocating that their non-technical friends buy Android instead of an iPhone so that they can avoid the walled garden. I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phon
Re:Once again... (Score:5, Informative)
Nice flamebait, but Android phones can leave the walled garden with a simple checkbox in the options menu. Flashing your own ROM is something else entirely.
Re: (Score:2)
I have to assume that they aren't suggesting they stick with a stock Android phone, as the vendors load the phones with so much crap-ware and the phones are just as locked down as the iPhone.
I have to assume you're an idiot who can't be bothered doing a few seconds of research to see just how incredibly inaccurate that statement is.
Yes, some companies (hi, Sprint) lock their android devices down nice and tight, preventing the user from removing the stock apps, etc... others (such as AT&T) have a system that is remarkably open, and you wouldn't feel the need to root your device unless you were trying to circumvent specific things (the lack of wi-fi hotspot capability unless you pay an exorbi
Re: (Score:2)
Vendors don't load phones with crapware, carriers do. Also carriers only have one lockdown feature available, which is the standard carrier lock on all phones.
But even looking at the worst vendor, Motorola, there is no additional lockdown in the functionality of the phone. Your Motorola Droid is every bit as functional as a Google Nexus S operating system wise. The only additional locks some dodgy vendors put in the system is one that prevents the kind of tinkering that allows you to play with custom ROMs or
Re: (Score:2)
Actually, that's wrong. Carriers can also lock down Android to not allow installation of non-market apps. AT&T used to.
Re: (Score:2)
Actually it's still right. But you're right too. This is the result of the strange relationship vendors have with specific carriers rather than a result of the carriers themselves. Carriers can add CSCs to Android which do things like push the aforementioned bloatware, but they can NOT disable features of the OS. They rely on vendors creating a specific handset for the carrier with specific firmware modifications if they wish to do that. e.g. There are two HTC Arias in circulation. One has an AT&T logo
Re: (Score:2)
In the world of "custom rom with one possible problem as a result that's been fixed in cyanogen" vs "stock rom that never gets updated with security fixes two years later", I'll take my chances with the first.
Re: (Score:2)
Who is flashing their phone if they aren't computer literate? I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMs and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you.
There will be some 'survival of
Re: (Score:1)
Who is flashing their phone if they aren't computer literate? I don't know anyone that has modded their phone other than me that isn't nerdy already. Mom and Pop seem pretty safe from this.
Rooting an Android phone (or an iPhone) doesn't take a whole lot of computer savvy. Basically it's script kiddie level - 1. So, you might THINK you know a lot about computers and ROMs and whatnot, but you might not keep up on the security aspect. You might not be the most discerning of people when it comes to a 'neat' app. Further, as the malware designers get more sophisticated, it will be harder to tease out a reputable developer from some jackass trying to screw you. There will be some 'survival of the fittest' selection here and the vast majority of users that don't root their phones won't have many problems, but the malware authors think there is enough of a market to spend the time to hack at the platform.
Apparently your reading level is elementary school -1...
We aren't talking about rooting or jail breaking a phone here. This is completely changing the operating system on your phone. It requires quite a bit more time and effort than rooting your phone. Most people who are changing the ROMs on their phones know what they are doing. Only something like 500k use CM which is a tiny fraction of the android user base.
Re: (Score:2)
Re: (Score:1)
I'd be willing to bet plenty of the "computer literate" type do. It's not that hard to follow step by step directions.
I suspect many do it for free/reduced price apps from shady sources even.
The type of person that said ie7 was essentially Firefox at the office (they were digging the tabs, which I guess made them somewhat similar at a glance. The type with 10s of thousands of dollars of software on their computer that they don't even vaguely know how to use. Pretty much anyone with 'lite skillz would be a p
Re: (Score:2)
Fixed.
Re: (Score:2)
The lesson that everyone needs to draw from this is that it's great that Android is open and allows you to do pretty much whatever you want. However if you start flashing your own ROMs and/or using markets other than the official Google one (and possibly Amazon's app store) then you better be REALLY SURE you know what you're doing and not just blindly download any random app from any random source that strikes your fancy.
Of course hopefully this isn't news to people who are already computer savvy.
That's the lesson you took from this? I would have thought the lesson to learn was that customer hostile bullshit, like trying to allow apps to install without their consent, is a breach of basic security principles.
Re: (Score:1)
Re: (Score:2)
Android also has a pretty good security model in the OS. There's certainly no cause for alarm.
Massive respect to the ROM community for releasing a security update fast.
Re: (Score:2)
It's always a really dumb idea to download random apps from anywhere as anyone who has downloaded trojans from the Google Market knows. The other important lesson from this is that you should not sign code with a well-known private key. It was a pretty dumb thing for the CM team to do.
Re: (Score:2)
Re: (Score:2)
Yes, the platform that at one point (a year ago) let you root your phone by visiting a website is better.
FTFY.
Re: (Score:2)
I stand corrected.
Incompetent key handling. No surprise. (Score:5, Interesting)
Those that do not understand how Public Key Crypto works should not use it.
Even better... (Score:2)
Re: (Score:2)
Indeed. Maybe they thought it was a "Private's" key as opposed to an Officer's key?
Re: (Score:2)
You have to understand that most of the people doing ROMs are hobbyists with no idea about the fundamentals of a lot of stuff. They have some programming skills and follow a tutorial on how to get things to work... and that's about it.
There isn't that much information going around about what keys or how they should be used in relation to Android :\
Re: (Score:2)
Nothing more dangerous than a little knowledge, eh?
Re: (Score:2)
But CyanogenMod is a pretty big project by now, isn't it? I can't believe nobody involved in it has any basic knowledge of public key encryption.
How can people who know enough about encryption to root a phone, not know about public key encryption? I completely fail to understand the world today.
Re: (Score:2)
it looks like some do, so they fixed it. CM is not vulnerable.
Re: (Score:2)
I understand that. But these people need to understand that they or their users have zero right to complain about insecurities caused because of lack of understanding of basic security mechanisms. Public Key Crypto is not an Android concept, but a very basic crypto mechanism.
Re:Incompetent key handling. No surprise. (Score:5, Insightful)
That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
Re: (Score:1)
That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be rekeying locks."
Re: (Score:2)
No... That would be like saying "Those that do not reverse engineer Public Key Crypto should not use it."
Re: (Score:1)
That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be rekeying locks."
No, it's like saying, "Those who don't know how a locking mechanism works shouldn't be removing their own appendix with a rusty sardine can".
(Kids these days, couldn't lance a pimple without an electric vibrating scalpel with automatic drain and suture).
Re: (Score:1)
Re: (Score:2)
but they shouldn't trust it fully.. no one should.. unless they understand it.
Honestly a lot of people are surprised that locksmiths can make them a new key by just having the VIN of the car..
If you understand it then you can trust it as much as you are willing based on that understanding.. sadly there is this blip on the curve when it comes to "security" where most people who know nothing about a method will trust it because they don't understand it and don't want to bother to.
Re: (Score:2)
Yes, but it's completely unreasonable to develop everyday end-user systems and then say that "unless a person as a CS degree and understands the underpinnings of the software, they shouldn't be using it." The OP posted a shortsighted, ego-ridden comment that is completely ridiculous in any real-world context.
Re: (Score:2)
You're right about the OP - and I agree with you on that..
I feel the problem is in people's lack of taking the time to understand the basics of the tools they are using and are relying on.. it doesn't take a CS degree to understand the basics.
Re: (Score:2)
And same to you. Rather obviously my posting was about developers, not users. If you had any effective intelligence, you would immediately have seen that. Instead you have a big mouth and throw around insults. Pretty pathetic.
Re: (Score:2)
I've met people who've been shocked at how quickly standard pin tumbler locks can be picked by an expert (i.e., as fast as you can open a slightly stuck lock with its own key).
If that's your level of understanding, you shouldn't be choosing the locks for a new building....
Re: (Score:2)
Agreed - people who do not understand things should not be in charge of them..
Re: (Score:2)
That's like saying "Those who don't know how a locking mechanism works shouldn't use their car keys."
No. "Those who don't understand how a lock is operated shouldn't use a car that requires keys."
"How public key crypto works" is a basic cryptography topic; at the same level as knowing that you turn a key to open a lock.
Re: (Score:2)
Saying public key crypto is a basic cryptography topic is one thing. Righteously expecting the average joe to understand "basic cryptography" is egotistical bullcrap.
Re: (Score:2)
This isn't about average Joes. It's about people who create OS distributions (not something the average Joe does), and then sign them with a private key that's not private.
Any programmer worth his salt should know at least the very basics of public key encryption, especially if he's actually going to make use of it. Why would you sign software when you don't even know why you're signing it?
Re: (Score:2)
Re: (Score:2)
Are we still talking about the people who roll out custom Android firmware?
I was. Seems quite a few people here are not and then blame me for their misconceptions. Pathetic, really.
Re: (Score:2)
More like "Those who don't know how a locking mechanism works shouldn't be the ones installing locks."
Re: (Score:2)
This is the winner.
Keeping your private key non-private is the same as giving everybody access to your car key.
Re: (Score:2)
I didn't understand your post. Could you send me your private key so that I can decode it?
Re: (Score:2)
Those that do not understand how Public Key Crypto works should not use it.
In other news, gweihir has announced that he will no longer be accessing any website via HTTPS.
(The number of people who understand the whole of a public key crypto system and deployment is vanishingly small. The underlying math is difficult. The programming is easy to make errors in. The way to use it, not all that obvious either going by the massive quantities of misinformation I see here and elsewhere on the 'net. Public key crypto is only practical to use if you don't understand it all; fortunately, the
Re: (Score:2)
Look at the story: "Custom ROMs insecure because of public key reuse". Were these ROMs made by ordinary users? No. Then why do you assume I commented on ordinary users? Plain old stupidity? Overaggression? Had a bad day at work?
And for your information, I do know how PKK works, including the mathematics behind it. How dare you assume otherwise?
Re: (Score:2)
Seems this level of clarity is necessary here. Of course that is what I said, "use" as in "use" to develop or modify.
Too many big egos with very small attached minds here.
What % of 3rd party installed ROM base is non-CM7? (Score:2)
Re: (Score:3)
Of the ROM-installing community, what percentage is NOT using CM 7.0.3?
Everyone using a custom ROM on a device that CM does not support. I'm not sure how many that is, but it includes the HTC Thunderbolt users.
Re: (Score:2)
Those on devices where the CM 7.0.3 port is still very much a (buggy) work in progress, such as the LG Optimus.
Re:What % of 3rd party installed ROM base is non-C (Score:4, Interesting)
A lot. I was using Doc's Rom Kitchen as it had a lot better support for my SGS. I ended up trying a CM7 nightly for my SGS; it was alright, but the cameras were too dark to be functional, and my ability to text went out the window. Reverted to a stock ROM, and while I can receive texts, I still can't send (which is more confusing to me than anything as I really don't text).
I'm now using the Insanity CM GalaxyS ROM (which is based on CM7, but is very stripped down and lite.. I love it). Also flashed the 2.6.35_7_Glitch Insane Edition V10 ROM for the i9000, which is freakin sweet!
Re: (Score:2)
Of the ROM-installing community, what percentage is NOT using CM 7.0.3?
Anyone with a Samsung Galaxy S/S2 phone for a start.
Re: (Score:2)
I didn't realize there were more than one. Thanks for the big list. I will have to check how many support the color nook.
Not wanting to start a GPL flame war but... (Score:3)
... while the code for Android is GPLv2, the move of various other projects towards GPLv3 is only going to make this sort of problem worse. The 'anti-Tivoisation' [wikipedia.org] clause basically demands that some authorised signing key gets distributed with any GPLv3 code that needs to be signed in order to run, and that the available signing key grants all the rights necessary for that code to function. While it is of course possible for users to completely rebuild the trust hierarchy with their own keys, very few people will be willing to do so. As a result it seems likely that any GPLv3 project will be unable to make effective use of signing as a mechanism for preventing the execution of rogue code, even if the license allows for it in theory.
Re: (Score:2)
... while the code for Android is GPLv2,
No, it isn't. The kernel is GPLv2, but that's just a tiny wee bit of Android. The user-space code uses a mixture of non-copyleft licences (mostly the APL).
the move of various other projects towards GPLv3 is only going to make this sort of problem worse.
Much as I dislike the GPL (and especially the GPLv3), that's nonsense.
--jch
Re: (Score:2)
The GPL bothers me too. If I had the choice to utilize an open source project that was GPL licensed and BSD/Apache/MIT licensed, I'd pick the less restrictive license and still release my changes. The GPL is simply something I'd rather not deal with because it imposes restrictions on code that the project does not own.
LGPL is fine, although I do find it to be a problem when in a proprietary project and on platforms where dynamic linking isn't possible. In that specific case, LGPL essentially becomes the GPL
Re: (Score:2)
While I dislike the GPL, you're wrong. The problem is not that the private key used to build the OS was publicly available, but that any app using that key was trusted implicitly. Fix that (which is what they just did), and the problem goes away. From what I've read, it sounds like Windows 7 has the same problem. I believe UAC is disabled for apps signed with Microsoft's private key. If anyone ever got their hands on that key (I wouldn't be surprised if the US and/or Chinese governments already had it), the
Grammar nitpick (Score:2)
Re: (Score:2)
It started simple (Score:1)
I'll put my money on five years (Score:2)
Re: (Score:2)
I have a theory that cloud AV is the way for mobile phones. Just insert a layer before install that will check signatures of what you have, report a positive/negative if it knows the file, and upload for checking if it doesn't.
That way you'd save on battery and computing power and, let's face it, if you're installing something from the internet, it means you have it, so no harm done.
Permanent AV protection is not needed in a mobile phone, I think.
Re: (Score:3)
Re: (Score:1)
Give me a phone platform with only open source apps and stop thinking that you will be rich by selling stupid nonsense apps.
*gives fellow AC Maemo*
(It's OK, Nokia wasn't using it anyway. They're too busy setting their Meego platform on fire so they can jump off it.)
Really, it's basically what you describe. We have a community open-source repository with an automated build system. Submit your Debian source package, it builds, and the deb shows up in "extras-devel"; if you like it, you (the developer) can promote it to "extras-testing", and after a community testing process (n people have to rate it as ready for promotion), it's a
Re: (Score:2)
I often wonder what people mean by "ROM" when they're talking about Android distributions (because that's what they are). I've always hoped it meant something other than "read-only memory". But if Android modders get even that basic bit of computer terminology wrong, it's no surprise they don't understand public key encryption either.
But does that mean there are really no competent Android modders? I was actually expecting a bit more from that community.