Let's get to the bottom of kingo. (Owned)

By krazylary, Junior Member on 26th January 2014, 08:23 AM
30th January 2014, 04:32 AM |#11  
OP Junior Member
Yes
Quote:
Originally Posted by bftb0

I suppose you should always be worried about any advice that begins with

"hey, download this unknown executable from the internet and run it on your Virus Hosting Platform^B^B^B^B^B^B^B^B^B^B^B^B^B^B^BWindows Machine"

But that applies to even things like "Odin v3.09". Or "Android Phone rooting toolkits". They are also just executables, and certainly just as capable of hosting malware installed (even unknowingly) by persons that re-upload it.

But in particular, the thing that got everybody's hackles up was that it bears all the "hallmarks" of malware:

- published by an author with an inscrutable monetization strategy*
- by its intended purpose, is authored by folks skilled in software exploits (but... blackhat or whitehat)?
- uses an "attack server" architecture. (Downloads payloads off the internet in order to run to completion)
- closed source
- contacts multiple sites on the internet during setup and/or operation
- uploads to the internet information gleaned from host and target systems
- at runtime uses code obfuscation procedures that are typical of malware


What the OP is currently after is a way to replace it with something that will still root the phone, but do so in a way that seems less suspicious - for instance has no need to ever contact remote machines on the internet, and no need to even use a PC, either. But let's be honest - any time you turn your device over to a piece of software that has the objective of rooting either a remote host or the one it is running on, you are implicitly handing that device over to that software if it succeeds. If it is completely open source, and you compile it, install it, and run it yourself - after having looked through the code to judge its safety... well, you might be able to say with confidence that "this looks pretty safe".

OTOH, doing that (open source) also makes it pretty darn easy for defenders (e.g. Samsung or Google if it is an Android kernel exploit) to patch the hole directly without doing the corresponding exploit discovery themselves.

I'm not saying that Kingo is malicious though; I really don't know. I can think of very compelling reasons why it operates exactly the way it does:

1) Rooting methods vary by device, carrier, and software release version. That means that a "universal" and static Android rooting tool with encyclopedic knowledge of all current rooting methods would have to bundle in a single download package an enormous collection of exploit vectors. Hundreds and hundreds of megabytes of stuff ... per handset. Live device detection eliminates the need for that - and the bill from the server hosting company for excessive bandwidth usage.

2) Rooting methods come and go. A client-server attack method can determine immediately if something it tried succeeded or failed - on every single attempt. And collect reliable information about software release versions, model numbers, carrier in use, etc. Compare that to a piecemeal, scarce, non-uniform and unreliable method of trying to intuit that information by hand out of forum reports written by folks who many times have no computer skills at all. It's light-years better in reliability and breadth.

I was going to also say "Open Source of an attack reduces its effectiveness", but that opens a whole can of worms, as the position one takes on that particular statement probably is the bright line dividing the white hat and black hat ethical spheres.

*hey wait a minute - isn't that everybody on XDA?

What he said

I would like to add that the coders of Kingo have gone above and beyond trying to hide their exploit methods and everything around them. I would do the same if I had an exclusive exploit like this... Exploits cost money if you want to use them. Nothing is free, nothing. They get something out of it, or they would not return emails or update the software. Would you? It sure as **** is not advertising on their site.

FYI, one of the files that is downloaded from Kingo's servers is called root_kit_base.sbin
30th January 2014, 04:36 AM |#12  
christianpeso, Senior Member
Why blur out the program you are using?
30th January 2014, 06:31 AM |#13  
OP Junior Member
Personal. Here are the programs:

Colasoft Capsa Enterprise 7
IDA Pro 6.5 ARM Hex-Rays
Wireshark
Cascade Pilot Enterprise
Burp Suite Pro

Just like to not have personal info exposed... habit, I guess.

Quote:
Originally Posted by christianpeso

Why blur out the program you are using?

30th January 2014, 02:26 PM |#14  
Digital DJ, Senior Member, Virginia Beach
Thanks for the info guys, that was a well thought out, super long answer and I read it all... twice. It doesn't "seem" like I need to worry, though. My root with Kingo went well, took less than 5 minutes if I remember, and my device seems better because of it. Is there anything I should keep an eye out for?

Sent from my SM-N900V using xda app-developers app
31st January 2014, 08:27 AM |#15  
mlin, Senior Member
I'm confused, did you actually find something malicious, or is that where Chainfire comes in?
31st January 2014, 12:54 PM |#16  
bftb0, Senior Member
There is an .apk available with a closely related name and having the same md5 sig. Google is your friend. It also was on the Google market for a while until it was removed/banned. So I doubt it is much of a secret from Google.

Seems as if the same .apk is/was used by the vroot tool as well.

Its manifest indicates network connectivity privileges, so probably it shouldn't be installed/run by folks who are paranoid. Too bad it is not fully self-contained.

I suppose it could be kanged with smali/baksmali to remove privileges from the Android manifest for live evaluations, or the app's armeabi JNI lib could be reversed with IDA/Hex-Rays*. I would try some of this, but I am away from a dev station for a week or so.

It appears to use both the camera and some activity from the android terminal emulator (jackpal).

As far as the title of the OP is concerned, I'm not convinced that a conclusive proof of maliciousness has been obtained. Nor has it been ruled out, either.

But it sure would be far more comfortable to have a phone-only rooting app with almost no app privileges... even if that only lasts until the next release.
31st January 2014, 05:52 PM |#17  
mlin, Senior Member
Quote:
Originally Posted by bftb0

There is an .apk available with a closely related name and having the same md5 sig. Google is your friend. It also was on the Google market for a while until it was removed/banned. So I doubt it is much of a secret from Google.

Seems as if the same .apk is/was used by the vroot tool as well.

Its manifest indicates network connectivity privileges, so probably it shouldn't be installed/run by folks who are paranoid. Too bad it is not fully self-contained.

I suppose it could be kanged with smali/baksmali to remove privileges from the Android manifest for live evaluations, or the app's armeabi JNI lib could be reversed with IDA/Hex-Rays*. I would try some of this, but I am away from a dev station for a week or so.

It appears to use both the camera and some activity from the android terminal emulator (jackpal).

As far as the title of the OP is concerned, I'm not convinced that a conclusive proof of maliciousness has been obtained. Nor has it been ruled out, either.

But it sure would be far more comfortable to have a phone-only rooting app with almost no app privileges... even if that only lasts until the next release.

Is it possible that information is needed on a per-device basis in order to implement the exploit? Thus network connectivity would be essential for a universal rooting tool?

Sent from my SM-N900V using Tapatalk
11th February 2014, 12:18 AM |#18  
kenneu, Senior Member
Any updates on getting to the bottom of Kingo? Perhaps your investigation had "something to do with" the apparent Kingo servers being "down"....
12th February 2014, 02:45 AM |#19  
Junior Member
bump

Sent from my SM-N900V using Tapatalk
12th February 2014, 09:25 AM |#20  
Senior Member
Quote:
Originally Posted by kenneu

Any updates on getting to the bottom of Kingo? Perhaps your investigation had "something to do with" the apparent Kingo servers being "down"....

Kinda wondered that myself. Nothing materially changed on the device end of things for the VZW GN3 ... and all of a sudden a bunch of new reports that Kingo no longer works on that (unchanged) device... ?

Could be mere coincidence ... or could be that Kingo didn't want folks looking under the hood... hard to know.
18th March 2014, 02:38 PM |#21  
DrPhant0m, Senior Member
bump

I'm still on MI9, and I used the original Root De La Vega technique to do so. However, I'd like to know what's "under the hood" with Kingo before Verizon releases a KitKat update... in hopes that Kingo's reputation will be cleared and also that Kingo will be able to keep root on my phone when I update to KitKat. (Both tall orders, I know)

If I can throw in my two cents of paranoia... I realize that thousands of users have "used kingo and have not realized any issues" so my concern is not for popups or adware or anything that a user would realize. Besides, wiping the phone and installing a fresh ROM would probably fix that. Root access is a two-way street. Perhaps there's a possibility that part of my bandwidth or CPU power is being sapped (through an app or skimmed info I mention later) for some kind of crowd-computing bot network with nefarious intentions. That's concerning, too. But, data and battery impact would be evident.

<tin foil hat>
But... perhaps, during that initial kingo run, the combination of ESN, IMEI, and SIM card info unique to your specific phone is stored and archived somewhere; enough to "clone" your phone elsewhere, to be used in the future for whatever purpose necessary. Is this possible? I only know what I've seen on TV and the movies. Like...

Imagine if someone at the post office skimmed everyone's credit card as they passed through the mail, and saved the info (as they did in 1992's "Mo' Money" starring Damon Wayans)... so that individual could, at any time, swipe a blank card through a magstripe writer, and "clone" any of the cards that they skimmed for their own use. (I have personally been compromised in this way - being alerted that my debit card was used to purchase high-dollar works of art from a gallery in Canada. I was 16, and attending high school in Pennsylvania.) Now... swap out the credit cards for cell phone info... and that's one explanation of why Kingo does what they do, the way they are doing it... with no noticeable impact to the user. Yet. I don't want to sound dramatic... but, a possibility could exist for an explosive device to be triggered with a burner phone that has been cloned from someone that rooted with Kingo. You receive a seemingly random text message from an unknown number... and something explodes somewhere.
</tin foil hat>