[Patch]Malware Exploit for all pre-Gingerbread phones

OP Rodderik

2nd March 2011, 08:20 PM   |  #1  
[Patch][Rom]Malware Exploit for all pre-Gingerbread phones
Who is affected? All phones pre-Gingerbread
Who should act? Users and developers using pre-Gingerbread ROMs
How do I fix? Flash the attached .zip at the bottom of this post or use one of the alternate methods down there
What if I think I was infected? Completely wipe your device, format the sdcard, go back to stock and re-apply the ROM, then flash the attached .zip (before installing any apps)
Why should I care? Read below...

http://www.androidpolice.com/2011/03...open-backdoor/

Quote:

Link to publishers apps here. I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.

Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APKs, they both contain what seems to be the "rageagainstthecage" root exploit – binary contains string "CVE-2010-EASY Android local root exploit (C) 2010 by 743C". Don’t know what the apps actually do, but can’t be good.

I appreciate being able to publish an update to an app and the update going live instantly, but this is a bit scary. Some sort of moderation, or at least quicker reaction to malware complaints would be nice.

EDIT: After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://184.105.245.17:8080/GMServer/GMServlet, which seems to be located in Fremont, CA.

I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.

Quote:

The offending apps from publisher Myournet:

* Falling Down
* Super Guitar Solo
* Super History Eraser
* Photo Editor
* Super Ringtone Maker
* Super Sex Positions
* Hot Sexy Videos
* Chess
* 下坠滚球_Falldown
* Hilton Sex Sound
* Screaming Sexy Japanese Girls
* Falling Ball Dodge
* Scientific Calculator
* Dice Roller
* 躲避弹球
* Advanced Currency Converter
* App Uninstaller
* 几何战机_PewPew
* Funny Paint
* Spider Man
* 蜘蛛侠

http://www.androidpolice.com/2011/03...-more-details/

Quote:

Now, on to some more details of the virus. We should point out that this vulnerability was patched with Gingerbread, meaning any device running Android 2.3+ should be fine. In other words, if you’re looking to play the blame game (which I’m not, but having read all the comments on the original post, many people are), then there’s plenty to go around. The hole was fixed by Google, but it’s relatively useless since many phones aren’t yet running a version of Android that is protected. It’s noteworthy that some manufacturers released updates that patched the exploit for devices without updating to Gingerbread; unfortunately, it appears that minority is quite a small one.

Perhaps most important is the question of what infected users can do about their situation; unfortunately, the answer is not much of anything. Because the virus opens up a backdoor and can bring in new code at any time, the only way to really rid an infected device of any damage is to completely wipe the device – not exactly the optimal solution, but it looks like the only one available, at least for now.

Finally, Justin notes that ROM developers working with pre-Gingerbread versions of Android can prevent the virus from backdooring in code by putting a dummy file at /system/bin/profile.

As you can see, androidpolice.com reports that this backdoor roots the device and steals personal information. The apps have been removed from the market, but that doesn't mean they got them all. Attached is a flashable fix as suggested by androidpolice.com.

So users can flash this .zip or simply create a blank file called profile and place it in /system/bin/ (developers are encouraged to include this file in future releases. A blank file is not going to affect performance at all)

Alternate methods:

Using 'adb shell' or terminal emulator (should work on any ROOTED phone) as suggested by xaueious here
Code:
$ su
su
# remount rw
Remounting /system (/dev/stl9) in read/write mode
# touch /system/bin/profile
# chmod 644 /system/bin/profile
#
Alternate 2:
Download blank profile file from here (or create one and name it profile)
Use a program like Root Explorer to copy it to /system/bin/
Then long-press on it and check the permissions: they should be read/write for user, read for group, and read for others.

Alternate 3:
cyansmoker has put together an apk for the patch here https://market.android.com/details?i...oiddreamkiller

Thanks for pointing this out photoframd and androidpolice.com for investigating and reporting!

UPDATE: I renamed the .zip file and reuploaded it (350 hits wow). Also in the edify scripted version I added 644 permissions to the file (but if you already flashed it then it should have defaulted to that). I also added a pre-edify version of the patch thanks to xaueious for people using a recovery that does not yet understand edify.
Last edited by Rodderik; 5th March 2011 at 04:24 AM.
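A small POSIX shell check, added here and not part of the original post or of any project's code, that verifies the dummy-profile mitigation described above (the file exists, is a regular empty file, mode 644) and can install it. The directory argument is an assumption so the check can be run against a mounted ROM image or a scratch directory instead of the live /system/bin; remounting /system read/write is left to the caller, as in the adb steps.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks and installs the
# empty /system/bin/profile guard file discussed in the thread.
# The directory parameter (default /system/bin) is an assumption made
# so the functions can run against an image or test directory.

# check_profile_guard DIR
# Prints a status line; returns 0 only when DIR/profile is an empty,
# mode-644 regular file. Other codes: 1 missing, 2 not a regular file
# (directory or symlink), 3 non-empty (something else wrote a profile
# there; inspect it before trusting it), 4 wrong permissions.
check_profile_guard() {
    f="${1:-/system/bin}/profile"
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo "missing: $f"; return 1
    fi
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "not a regular file: $f"; return 2
    fi
    if [ -s "$f" ]; then
        echo "non-empty: $f (unexpected content)"; return 3
    fi
    # GNU stat first, BSD stat as a fallback; busybox supports -c too.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    if [ "$mode" != "644" ]; then
        echo "wrong mode ${mode:-unknown}: $f"; return 4
    fi
    echo "ok: $f"; return 0
}

# install_profile_guard DIR
# Creates the empty file and sets mode 644 (the touch + chmod from the
# post). Refuses to overwrite an existing non-empty file so that a
# suspicious profile is not silently erased before it is looked at.
install_profile_guard() {
    f="${1:-/system/bin}/profile"
    if [ -s "$f" ]; then
        echo "refusing to overwrite non-empty $f"; return 1
    fi
    : > "$f" && chmod 644 "$f"
}
```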
2nd March 2011, 08:27 PM   |  #2  
k0nane (Recognized Developer)
Rodderik - very useful, thanks much. This will be in SyndicateROM Frozen 1.0.1.

EDIT: Between this and CIQ removal, we devs have malware removal/prevention covered.
2nd March 2011, 08:31 PM   |  #3  
mattallica76 (Senior Member)
Does Superuser provide a layer of protection against this exploit also?

Sent from my SPH-D700 using Tapatalk
2nd March 2011, 08:34 PM   |  #4  
Rodderik (OP)
Quote:
Originally Posted by mattallica76

Does Superuser provide a layer of protection against this exploit also?

Sent from my SPH-D700 using Tapatalk

i wouldn't count on it...i've tried to root the epic using rageagainstthecage without the use of a computer and got nowhere with it because the only exploit that works for root is an adb bug (that doesn't mean it cannot be done!!!). but it is technically possible that malicious software once installed can install a modified version of superuser or do anything else it wants without the user's knowledge...so I wouldn't count on superuser protecting you.
2nd March 2011, 09:01 PM   |  #5  
DAvid_B (Senior Member)
So, let me understand this.

Are the Apps you download from the official Google app store stored by google or the developers?

If it's stored by Google, how in the world can they not be automating checking for apps like this?

This sounds kind of lame for a company with $11billion dollars in the bank.

Unless apps aren't stored by Google? And if they aren't, why doesn't Google tell you that when you download an app?
2nd March 2011, 09:08 PM   |  #6  
Rodderik (OP)
Quote:
Originally Posted by DAvid_B

So, let me understand this.

Are the Apps you download from the official Google app store stored by google or the developers?

If it's stored by Google, how in the world can they not be automating checking for apps like this?

This sounds kind of lame for a company with $11billion dollars in the bank.

Unless apps aren't stored by Google? And if they aren't, why doesn't Google tell you that when you download an app?

apps are stored by google but i don't blame them for stuff like this. google doesn't dissect every single piece of code that gets pushed to the market. it wouldn't be very cost effective for them or motivational for software developers....after all we don't want the android market becoming like apple's store do we?
2nd March 2011, 09:15 PM   |  #7  
brickwall99 (Senior Member)
So this patch (zip) can be applied via CWM3 just like anything else, right?
2nd March 2011, 09:16 PM   |  #8  
Rodderik (OP)
Quote:
Originally Posted by brickwall99

So this patch (zip) can be applied via CWM3 just like anything else, right?

correct

10char
2nd March 2011, 10:19 PM   |  #9  
eliasadrian (Senior Member, SLC, UT)
I'm pretty sure I'm in the clear, but this should prevent some future attacks, correct?

And any idea of phone compatibilities, ie MT4G? If you don't know I can flash it and let you know, but if it doesn't work there's no point in trying. Thanks in advance!

Edit: I guess it doesn't matter anyways, I could just create the blank folder. My bad... but thanks.

Sent from my HTC Glacier (Rooted, Stock ROM, Faux123's Kernel) using XDA App
Last edited by eliasadrian; 2nd March 2011 at 10:29 PM.
2nd March 2011, 10:25 PM   |  #10  
Rodderik (OP)
Quote:
Originally Posted by eliasadrian

I'm pretty sure I'm in the clear, but this should prevent some future attacks, correct?

And any idea of phone compatibilities, ie MT4G? If you don't know I can flash it and let you know, but if it doesn't work there's no point in trying. Thanks in advance!

Sent from my HTC Glacier (Rooted, Stock ROM, Faux123's Kernel) using XDA App

from what i understand it applies to all pre-Gingerbread phones that are exploitable by rageagainstthecage (but possibly others). it doesn't hurt anything to put an empty file called profile in /system/bin/ if it prevents the current malware from doing its damage, just to be safe
