
[Patch]Malware Exploit for all pre-Gingerbread phones

 
#61 pulser_g2 (Developer Admin / Senior Recognized Developer)
Quick technical question...

I presume this is to prevent the malware from making an infected binary called profile, which is the Trojan itself?

If so, what's to stop a future attack from using a differently named, or self mutating, file?

Just curious as to how effective this is, given the fact we are talking about root exploits, which can be programmed to overcome most limitations like this.

Or am I missing something here? (reading from my phone so I could have missed a bit of something)


Having trouble getting an answer? | What is XDA about? | How to ask for help?

if [ $PM.incoming.type = $type.question.ROM.how_to_use ] || [ $PM.incoming.type = $type.question.ROM.silly_question ]; then mv $PM.incoming /.trash; PM.response($responsetype.ignore); $PM.sender.ignore_in_future=true; init.sequence($boy_who_cried_wolf); fi;

BTC: 1K2fpDsRHkirWmk3PKiqtzhVHKUJCWPWnN
PGP: 0x260F4FDEF258E3C4
 
#62 pixeldotz (Senior Member)
Out of curiosity, how do you know who the publisher of a certain app is? Is it the name that appears right under the app in the Market?

The reason I ask is because I have Chess for Android and PewPew, but neither says anything about Myournet being the publisher.
 
#63 musclehead84 (Senior Member)
Yes, the name under the app is the developer.

Quote:
Originally Posted by pxldtz
Out of curiosity, how do you know who the publisher of a certain app is? Is it the name that appears right under the app in the Market?

The reason I ask is because I have Chess for Android and PewPew, but neither says anything about Myournet being the publisher.

 
#64 overground (Moderator & Developer Committee / Recognized Developer)
Quote:
Originally Posted by pulser_g2
Quick technical question...

I presume this is to prevent the malware from making an infected binary called profile, which is the Trojan itself?

If so, what's to stop a future attack from using a differently named, or self mutating, file?

Just curious as to how effective this is, given the fact we are talking about root exploits, which can be programmed to overcome most limitations like this.

Or am I missing something here? (reading from my phone so I could have missed a bit of something)
I'm fairly sure this particular fix is just for this particular strain. I highly doubt it will thwart any pre-existing, alternate malware, nor any future ones.
 
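The fix the thread is discussing is an empty placeholder occupying the file name the malware writes to, and as overground notes it only covers this strain; it also only holds while the file stays a zero-byte, non-executable regular file. As an added example (not code from this thread or from the OP), a POSIX sh check for exactly that condition; the default path is an assumption, since the posts name only the file "profile" and not its directory.

```shell
#!/bin/sh
# Added example, not code from this thread. The fix under discussion is an
# empty placeholder file occupying the name the malware would write to. That
# only protects while the file stays a zero-byte, non-executable regular file,
# so this checks exactly that. The default path is an ASSUMPTION: the posts
# name only the file "profile", not its directory.
PLACEHOLDER_PATH="${PLACEHOLDER_PATH:-/system/bin/profile}"

# check_placeholder FILE
# Prints one word describing the state and returns 0 only for "ok":
#   missing     - nothing at that path (the malware could still create it)
#   notregular  - exists but is not a regular file (a directory, device, ...)
#   executable  - has an execute bit set; a real binary may have replaced it
#   nonempty    - has content; it is no longer the blank placeholder
#   ok          - regular, zero-byte, not executable
check_placeholder() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo missing; return 1
    fi
    if [ ! -f "$f" ]; then
        echo notregular; return 1
    fi
    # Execute bit is checked before size: a non-empty executable is the
    # worse case and should be reported as such.
    if [ -x "$f" ]; then
        echo executable; return 1
    fi
    if [ -s "$f" ]; then
        echo nonempty; return 1
    fi
    echo ok; return 0
}

# Stand-alone use: check the default path, or a path given as the first
# argument. The '||' keeps the script from aborting under 'sh -e' when the
# placeholder is not in place; the printed word carries the result.
check_placeholder "${1:-$PLACEHOLDER_PATH}" || echo "placeholder check failed for ${1:-$PLACEHOLDER_PATH}" >&2
```

Run it from `adb shell` or a terminal emulator; anything other than `ok` means the placeholder is absent or has been replaced and needs a closer look.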
 
#65 MaluNoPeleke (Senior Member)
Can my phone (HTC Desire Z with 1.82 firmware) be infected?
I don't have root and even with the psneuter temproot method I cannot create the blank profile file.
Thanks
 
#66 fsc137 (Member)
Niggling technicality:

Using 'adb shell' or terminal emulator (should work on any phone)

Using 'adb shell' or terminal emulator (should work on any ROOTED phone)

Isn't that right? Can't "su" without rooting. (Can you "su" from adb shell without rooting?)

(In fact, as an old Unix guy, I'm nervous about this whole "su with null password" business in Android. Seems to me that exploits like this could be prevented by installing a root password.)
 
#67 pulser_g2 (Developer Admin / Senior Recognized Developer)
Quote:
Originally Posted by fsc137
Niggling technicality:

Using 'adb shell' or terminal emulator (should work on any phone)

Using 'adb shell' or terminal emulator (should work on any ROOTED phone)

Isn't that right? Can't "su" without rooting. (Can you "su" from adb shell without rooting?)

(In fact, as an old Unix guy, I'm nervous about this whole "su with null password" business in Android. Seems to me that exploits like this could be prevented by installing a root password.)
Most devices I know of can open adb shell after enabling usb debugging. No su or remount unless ro.secure=0.

You cannot su from adb shell without root, as you need root to reflash boot.img to set ro.secure=0.

Root password wouldn't help IMHO, as the suid could still be set, AND... root exploit grants you root, regardless of the length of said password.
 
#68 fsc137 (Member)
It seems to me that the whole "outside developers" idea is, at present, based on the existence of a root exploit, so if all the root exploits were fixed, these wonderful ROMs would not be available.

A better way to go, in the long term, would be to fix the root exploits and then have the outside developer software loaded (at least initially) through Odin. That would be more secure, requiring that someone actually hold down "1" while rebooting, rather than allowing root to ever be achieved through software.
 
#69 Rodderik (Recognized Developer - OP)
Quote:
Originally Posted by fsc137
Niggling technicality:

Using 'adb shell' or terminal emulator (should work on any phone)

Using 'adb shell' or terminal emulator (should work on any ROOTED phone)

Isn't that right? Can't "su" without rooting. (Can you "su" from adb shell without rooting?)

(In fact, as an old Unix guy, I'm nervous about this whole "su with null password" business in Android. Seems to me that exploits like this could be prevented by installing a root password.)
You're right! I have updated the OP to clarify that. Thanks.

Quote:
Originally Posted by pulser_g2
Most devices I know of can open adb shell after enabling usb debugging. No su or remount unless ro.secure=0.

You cannot su from adb shell without root, as you need root to reflash boot.img to set ro.secure=0.

Root password wouldn't help IMHO, as the suid could still be set, AND... root exploit grants you root, regardless of the length of said password.
Root permissions do not get called from any password-based authentication on Android.
Devices: EVO 4G LTE (pre-ordered), Epic 4g, Sprint 7" Galaxy Tab, HP TouchPad (CM9), Nook Color (CM7), Transform, Intercept

Epic 4G Kernel: Genocide EC05 Kernel v2.0|1.4GhzOC|RomManager|CustomUV|DUALBOOT
Galaxy Tab: [SPRINT][CDMA]Samsung Galaxy Tab (SPH-P100) Mega Development Starter Thread

http://devphone.org
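The exchange above makes two points a defender can turn into checks: root on Android comes from a setuid-root binary (su), not from any password, so the thing to watch for is a setuid-root file that should not be there; and an adb shell only gets root when ro.secure is 0. As an added example (not code from this thread or from the OP), a POSIX sh script for both; the `[ro.secure]: [1]` line format is getprop's, the sample output is constructed, and the allowlist location is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or any project it names. Two checks that
# follow from the posts above: on Android, root comes from setuid-root binaries
# (su) rather than any password, so a new setuid-root file is the thing to
# look for; and an adb shell only gets root when ro.secure is 0.

# unexpected_setuid DIR ALLOWLIST [OWNER]
# Lists setuid files under DIR owned by OWNER (default root) that are not
# named in the ALLOWLIST file (one absolute path per line). On an
# intentionally rooted device the allowlist would carry the su binary.
unexpected_setuid() {
    dir="$1"; allow="$2"; owner="${3:-root}"
    find "$dir" -type f -perm -4000 -user "$owner" 2>/dev/null | sort |
    while IFS= read -r f; do
        grep -qxF -- "$f" "$allow" || printf '%s\n' "$f"
    done
}

# ro_secure_state GETPROP_TEXT
# Parses getprop-style output ("[ro.secure]: [1]") and prints
# "locked" (ro.secure=1: adb shell runs unprivileged),
# "open" (ro.secure=0: adb shell gets root) or "unknown".
ro_secure_state() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\[ro\.secure\]: \[\([^]]*\)\]$/\1/p' | head -n 1)
    case "$v" in
        1) echo locked ;;
        0) echo open ;;
        *) echo unknown ;;
    esac
}

# Constructed sample of getprop output for a stock pre-Gingerbread device.
SAMPLE_GETPROP='[ro.build.version.release]: [2.2.1]
[ro.debuggable]: [0]
[ro.secure]: [1]'

# Stand-alone use: on a device, replace the sample with "$(getprop)". The
# allowlist path is an ASSUMPTION; with no file it defaults to an empty list,
# so every setuid-root file under /system/bin is reported.
ro_secure_state "$SAMPLE_GETPROP"
unexpected_setuid /system/bin "${SETUID_ALLOWLIST:-/dev/null}"
```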
 
#70 Rodderik (Recognized Developer - OP)
Quote:
Originally Posted by fsc137
It seems to me that the whole "outside developers" idea is, at present, based on the existence of a root exploit, so if all the root exploits were fixed, these wonderful ROMs would not be available.

A better way to go, in the long term, would be to fix the root exploits and then have the outside developer software loaded (at least initially) through Odin. That would be more secure, requiring that someone actually hold down "1" while rebooting, rather than allowing root to ever be achieved through software.
Correct again! Developers could easily extract, modify, inject, and release a hacked-up initramfs with root built in as an Odin .tar (or via any stock image flashing program). On the same note, though, not much is going to prevent a malicious apk from reflashing the kernel of unsuspecting users and then, on reboot, having a go at the info they want. I guess my point is anything is possible given the time and determination.