XDA Developers Android and Mobile Development Forum

Can Virus survive Stock ROM flash from ODIN?

klau1
(Last edited by klau1; 17th December 2013 at 01:03 AM.)
#1  
Senior Member - OP
Thanks Meter 336
Posts: 1,579
Join Date: Jan 2008

I just discovered a new permission request "Android System" UID System User 1000 in SuperSU.

I can't explain where this comes from.

So I did the following:

1.) Factory Wipe
2.) ODIN and simply flashed the Stock ROM with 1 file ROM in PDA slot

One thing I didn't do was Format the System Partition

But the next time I install SuperSU the permission request appears again.


So I want to know, does ODIN flash and Factory Wipe, truly wipe everything?

Please Thanks if it helped!






Tablet:
OS:
Kernel Version:
Build number:
Modifications:
 
LordManhattan
#2
Senior Member
Thanks Meter 5432
Posts: 14,498
Join Date: Oct 2007
Location: Kepler-34b
You didn't wipe everything. You didn't wipe the system partition where the su request came from.
 
I DO NOT RUN A SUPPORT LINE THROUGH PERSONAL MESSAGES,
SO PLEASE DO NOT PM ME ABOUT HELP (*COUGH* UNLESS I KNOW YOU *COUGH*).

THANK YOU, AND PLEASE HAVE A COOKIE ON YOUR WAY OUT.


 
klau1
#3  
Senior Member - OP
Thanks Meter 336
Posts: 1,579
Join Date: Jan 2008
Thanks, I thought the TAR.MD5 Odin ROMs clear out everything in the system partition before writing.

 
klau1
#4  
Senior Member - OP
Thanks Meter 336
Posts: 1,579
Join Date: Jan 2008
Weird, even after going into Touch CWM and doing the following:

1.) Factory Wipe
2.) Clear Cache
3.) Clear Dalvik Cache
4.) Mounts and Storage > Format /System
5.) Reboot to Bootloader
6.) Loaded ROM via ODIN N8010XXUCMK2 http://www.android-hilfe.de/original...ml#post6823310

7.) Loaded Touch CWM
8.) Installed SuperSU zip

Upon the second restart, it again requests root from Android System UID User 1000.

 
LordManhattan
(Last edited by LordManhattan; 17th December 2013 at 05:37 PM.)
#5
Senior Member
Thanks Meter 5432
Posts: 14,498
Join Date: Oct 2007
Location: Kepler-34b
Huh.. strange. You wiped everything this time so that's weird. I've never seen a su request from Android System (the Android system has root as default, as an OS should have). I'll dig a little and I'll be back soon.

UPDATE: I think I cracked the case. It's Xposed that does this on Samsung devices. If you do not use Xposed, it could be SuperSU. Be sure to have the latest version installed.
 
 
klau1
#6  
Senior Member - OP
Thanks Meter 336
Posts: 1,579
Join Date: Jan 2008
If you are referring to this:
Quote:
Current Superuser/SuperSU releases have security holes that allow any application to execute commands as root without the user's permission (even apps with no permissions). Please upgrade immediately to SuperSU >= v1.69 or another patched release.

The device is on one of the latest SuperSUs 1.80 and then updated to 1.85, and never on SuperSU =< v1.69.

Regarding the System User Request, is below what you are referring to?

Quote:
Originally Posted by cernekee View Post
On a rooted Android <= 4.2.x device, /system/xbin/su is a setuid root binary which performs a number of privilege checks in order to determine whether the operation requested by the caller should be allowed. If any of these checks fail, the denial is recorded by broadcasting an intent to the Superuser app through the Android Activity Manager binary, /system/bin/am. /system/bin/am is invoked as root, and user-supplied arguments to the "su" command can be included on the "am" command line.

On a rooted Android >= 4.3 device, due to changes in Android's security model, /system/xbin/su functions as an unprivileged client which connects to a "su daemon" started early in the boot process. The client passes the request over a UNIX socket, and the daemon reads the caller's credentials using SO_PEERCRED. As described above, /system/bin/am is called (now from the daemon) to communicate with the app that implements the user interface

If I understand this properly, it's saying SuperSU accesses some functions as the System User 1000 on Android devices previous to OS version 4.3.

On Android 4.3 and newer, SuperSU accesses those same functions without using System User 1000.

This would explain why this permission request does not appear on my Android 4.3 device, but it does on my Android 4.1.2 device.

Is this the correct understanding?

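An added example, not part of any post in this thread and not SuperSU's own code: the quoted description says the su daemon on Android >= 4.3 reads the caller's credentials with SO_PEERCRED. This Python sketch (Linux only; `handle_request`, `demo` and the message format are hypothetical) shows a daemon deciding from the kernel-reported UID of the socket peer rather than from anything the client writes into its request.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid
UCRED = struct.Struct("iII")
SYSTEM_UID = 1000  # the "Android System" UID discussed in the thread


def peer_credentials(conn):
    """Return (pid, uid, gid) of the peer process, as recorded by the kernel."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def handle_request(conn, allowed_uids):
    """Daemon side: the verdict depends only on kernel-supplied credentials."""
    pid, uid, _gid = peer_credentials(conn)
    request = conn.recv(256).decode()  # untrusted text, kept for logging only
    verdict = "allow" if uid in allowed_uids else "deny"
    conn.sendall(verdict.encode())
    return {"pid": pid, "uid": uid, "request": request, "verdict": verdict}


def demo(claimed_uid, allowed_uids):
    """Client and daemon in one process, joined by a UNIX socket pair."""
    daemon_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with daemon_end, client_end:
        # The client may claim any UID in its message; the daemon ignores it.
        client_end.sendall(f"uid={claimed_uid} cmd=id".encode())
        result = handle_request(daemon_end, allowed_uids)
        result["reply"] = client_end.recv(16).decode()
    return result


if __name__ == "__main__":
    # Allowed only if this process really runs as UID 1000.
    print(demo(claimed_uid=0, allowed_uids={SYSTEM_UID}))
```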
 
cernekee
#7  
Senior Member
Thanks Meter 281
Posts: 143
Join Date: Jun 2013
Quote:
Originally Posted by klau1 View Post
If I understand this properly, it's saying SuperSU accesses some functions as the System User 1000 on Android devices previous to OS version 4.3

Internally, Superuser/SuperSU can switch UIDs to execute different subprocesses with different user credentials. But these do not generate requests that you would see on the screen.

To track down the source of the request, can you run these commands from a PC while the SuperSU dialog for "Android System" is on the screen, then paste the results?

Code:
adb shell busybox ps -Tl
adb shell ps
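An added example, not part of cernekee's post: one way to read the saved `adb shell ps` output for the purpose described above, by walking the parent chain of each running `su` process back to the first non-shell process owned by `system`. The column layout is assumed to be that of Android 4.x toolbox `ps`, and the sample rows, PIDs and the `com.example.hypothetical.helper` name are constructed for illustration.

```python
# Constructed sample (USER PID PPID VSIZE RSS WCHAN PC STATE NAME); not real output.
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     1044   624   c01a2b3c 0000d5a4 S /init
root      1820  1     451232 38012 ffffffff 40037ebc S zygote
system    2101  1820  612340 71200 ffffffff 40037ebc S system_server
system    2950  1820  498112 30480 ffffffff 40037ebc S com.example.hypothetical.helper
u0_a91    3001  1820  512004 42000 ffffffff 40037ebc S eu.chainfire.supersu
system    4310  2950  1020   420   c00b1c2d 4005a1f0 S /system/bin/sh
root      4312  4310  2104   512   c02d3e4f 400a6b70 S su
"""


def parse_ps(text):
    """Map PID -> {user, pid, ppid, name}; header and short rows are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or not f[1].isdigit():
            continue
        pid = int(f[1])
        procs[pid] = {"user": f[0], "pid": pid, "ppid": int(f[2]),
                      "name": " ".join(f[8:])}
    return procs


def ancestry(procs, pid):
    """Return the process and its ancestors, nearest first (loop-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def su_callers(procs, user="system"):
    """For each su process, report (su_pid, caller_pid, caller_name)."""
    found = []
    for proc in procs.values():
        if proc["name"].rsplit("/", 1)[-1] != "su":
            continue
        for anc in ancestry(procs, proc["pid"])[1:]:
            # Skip intermediate shells: apps usually reach su through sh.
            if anc["user"] == user and not anc["name"].endswith("/sh"):
                found.append((proc["pid"], anc["pid"], anc["name"]))
                break
    return found


if __name__ == "__main__":
    print(su_callers(parse_ps(SAMPLE_PS)))
```

The capture has to be taken while the SuperSU dialog is on screen, as the post asks, because the `su` process only exists while the request is pending.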
 
klau1
(Last edited by klau1; 17th December 2013 at 08:04 PM.)
#8  
Senior Member - OP
Thanks Meter 336
Posts: 1,579
Join Date: Jan 2008
Here it is:

Attached


The command output of "adb shell ps" is also inside, just search for "adb shell ps" in a txt editor to jump to it.
Attached Files
File Type: txt adb shell ps log.txt (126.1 KB, 5 views)

 
giannism13
#9  
Member
Thanks Meter 7
Posts: 68
Join Date: Nov 2013
Location: Skyros
Although I'm a noob, I will try to help. If I remember correctly, if you go to SuperSU > Settings there is a checkbox that says something about "system processes" or similar; make sure that is unchecked. You could also try emailing the developer of SuperSU, your ROM and kernel.

 
klau1
#10  
Senior Member - OP
Thanks Meter 336
Posts: 1,579
Join Date: Jan 2008
I know that, but just indiscriminately "trusting" the user doesn't make it safer. Just like keeping your doors open so you won't hear anyone break in doesn't stop the actual break-in from happening.

And it's also a stock ROM from: http://www.android-hilfe.de/original...ml#post6823310

Is it possible these Stock ROM uploads are infected with malware?
