[Patch]Malware Exploit for all pre-Gingerbread phones


Rodderik

Inactive Recognized Developer
Sep 8, 2010
1,300
1,295
devphone.org
[Patch][Rom]Malware Exploit for all pre-Gingerbread phones
Who is affected? All phones pre-gingerbread
Who should act? Users and developers using pre-gingerbread roms
How do I fix? Flash attached .zip at the bottom of this post or use one of the alternate methods down there
What if I think I was infected? Completely wipe your device, format sdcard, go back to stock and re-apply rom, then flash the attached .zip (before installing any apps)
Why should I care? read below...

http://www.androidpolice.com/2011/0...your-phone-steal-your-data-and-open-backdoor/

Link to publishers apps here. I just randomly stumbled into one of the apps, recognized it and noticed that the publisher wasn’t who it was supposed to be.

Super Guitar Solo for example is originally Guitar Solo Lite. I downloaded two of the apps and extracted the APK’s, they both contain what seems to be the "rageagainstthecage" root exploit – binary contains string "CVE-2010-EASY Android local root exploit (C) 2010 by 743C". Don’t know what the apps actually do, but can’t be good.

I appreciate being able to publish an update to an app and the update going live instantly, but this is a bit scary. Some sort of moderation, or at least quicker reaction to malware complaints would be nice.

EDIT: After some dexing and jaxing, the apps seem to be at least posting the IMEI and IMSI codes to http://184.105.245.17:8080/GMServer/GMServlet, which seems to be located in Fremont, CA.

I asked our resident hacker to take a look at the code himself, and he’s verified it does indeed root the user’s device via rageagainstthecage or exploid. But that’s just the tip of the iceberg: it does more than just yank IMEI and IMSI. There’s another APK hidden inside the code, and it steals nearly everything it can: product ID, model, partner (provider?), language, country, and userID. But that’s all child’s play; the true pièce de résistance is that it has the ability to download more code. In other words, there’s no way to know what the app does after it’s installed, and the possibilities are nearly endless.

The offending apps from publisher Myournet:

* Falling Down
* Super Guitar Solo
* Super History Eraser
* Photo Editor
* Super Ringtone Maker
* Super Sex Positions
* Hot Sexy Videos
* Chess
* 下坠滚球_Falldown
* Hilton Sex Sound
* Screaming Sexy Japanese Girls
* Falling Ball Dodge
* Scientific Calculator
* Dice Roller
* 躲避弹球
* Advanced Currency Converter
* App Uninstaller
* 几何战机_PewPew
* Funny Paint
* Spider Man
* 蜘蛛侠

http://www.androidpolice.com/2011/0...-android-nightmare-and-weve-got-more-details/

Now, on to some more details of the virus. We should point out that this vulnerability was patched with Gingerbread, meaning any device running Android 2.3+ should be fine. In other words, if you’re looking to play the blame game (which I’m not, but having read all the comments on the original post, many people are), then there’s plenty to go around. The hole was fixed by Google, but it’s relatively useless since many phones aren’t yet running a version of Android that is protected. It’s noteworthy that some manufacturers released updates that patched the exploit for devices without updating to Gingerbread; unfortunately, it appears that minority is quite a small one.

Perhaps most important is the question of what infected users can do about their situation; unfortunately, the answer is not much of anything. Because the virus opens up a backdoor and can bring in new code at any time, the only way to really rid an infected device of any damage is to completely wipe the device – not exactly the optimal solution, but it looks like the only one available, at least for now.

Finally, Justin notes that ROM developers working with pre-Gingerbread versions of Android can prevent the virus from backdooring in code by putting a dummy file at /system/bin/profile.


As you can see, androidpolice.com reports that this backdoor roots the device and steals personal information. The apps are removed from the market but that doesn't mean they got them all. Attached is a flashable fix as suggested by androidpolice.com

So users can flash this .zip or simply create a blank file called profile and place it in /system/bin/ (developers are encouraged to include this file in future releases. A blank file is not going to affect performance at all)

Alternate methods:

Using 'adb shell' or terminal emulator (should work on any ROOTED phone) as suggested by xaueious here
Code:
$ su
su
# remount rw
Remounting /system (/dev/stl9) in read/write mode
# touch /system/bin/profile
# chmod 644 /system/bin/profile
#

Alternate 2:
Download blank profile file from here (or create one and name it profile)
Use a program like Root Explorer to copy it to /system/bin/
Then long-press on it and check the permissions: they should be read/write for user, read for group, and read for others.

Alternate 3:
cyansmoker has put together an apk for the patch here https://market.android.com/details?id=com.voilaweb.mobile.droiddreamkiller

Thanks for pointing this out photoframd and androidpolice.com for investigating and reporting!

UPDATE: I renamed the .zip file and reuploaded it (350 hits wow). Also in the edify scripted version I added 644 permissions to the file (but if you already flashed it then it should have defaulted to that). I also added a pre-edify version of the patch thanks to xaueious for people using a recovery that does not yet understand edify.
 

Attachments

  • DroidDreamMalwarePatch_edify.zip
    152.9 KB · Views: 4,078
  • DroidDreamMalwarePatch_pre-edify.zip
    2.8 KB · Views: 2,149
Last edited:

Rodderik

Inactive Recognized Developer
Sep 8, 2010
1,300
1,295
devphone.org
Does Superuser provide a layer of protection against this exploit also?

Sent from my SPH-D700 using Tapatalk

i wouldn't count on it...i've tried to root the epic using rageagainstthecage without the use of a computer and got nowhere with it because the only exploit that works for root is an adb bug (that doesn't mean it cannot be done!!!). but it is technically possible that malicious software once installed can install a modified version of superuser or do anything else it wants without the user's knowledge...so I wouldn't count on superuser protecting you.
 

DAvid_B

Senior Member
Jun 29, 2007
343
106
So, let me understand this.

Are the Apps you download from the official Google app store stored by google or the developers?

If it's stored by Google, how in the world can they not be automating checking for apps like this?

This sounds kind of lame for a company with $11billion dollars in the bank.

Unless apps aren't stored by Google? And if they aren't, why doesn't Google tell you that when you download an app?
 

Rodderik

Inactive Recognized Developer
Sep 8, 2010
1,300
1,295
devphone.org
So, let me understand this.

Are the Apps you download from the official Google app store stored by google or the developers?

If it's stored by Google, how in the world can they not be automating checking for apps like this?

This sounds kind of lame for a company with $11billion dollars in the bank.

Unless apps aren't stored by Google? And if they aren't, why doesn't Google tell you that when you download an app?

apps are stored by google but i don't blame them for stuff like this. google doesn't dissect every single piece of code that gets pushed to the market. it wouldn't be very cost effective for them or motivational for software developers....after all we don't want the android market becoming like apple's store do we?
 

eliasadrian

Senior Member
Nov 8, 2010
835
111
SLC, UT
I'm pretty sure I'm in the clear, but this should prevent some future attacks, correct?

And any idea of phone compatibilities, ie MT4G? If you don't know I can flash it and let you know, but if it doesn't work there's no point in trying. Thanks in advance!

Edit: I guess it doesn't matter anyways, I could just create the blank folder. My bad... but thanks.

Sent from my HTC Glacier (Rooted, Stock ROM, Faux123's Kernel) using XDA App
 
Last edited:

Rodderik

Inactive Recognized Developer
Sep 8, 2010
1,300
1,295
devphone.org
I'm pretty sure I'm in the clear, but this should prevent some future attacks, correct?

And any idea of phone compatibilities, ie MT4G? If you don't know I can flash it and let you know, but if it doesn't work there's no point in trying. Thanks in advance!

Sent from my HTC Glacier (Rooted, Stock ROM, Faux123's Kernel) using XDA App

from what i understand it applies to all pre-gingerbread phones that are exploitable by rageagainstthecage (but possibly others). it doesn't hurt anything to put an empty file called profile in /system/bin/ if it prevents the current malware from doing its damage, just to be safe
 

nubecoder

Inactive Recognized Developer
Dec 5, 2010
569
556
Thanks for the info, but I don't quite understand what putting an empty file named profile in the bin folder would do.

I'm not seeing any special permissions being set or anything.

How is this fix effective? Couldn't the "malware" simply overwrite the blank file?

I don't get it.

=]

-ps I haven't taken the time to read through the linked source, so forgive me if this has been explained.
 

britoso

Senior Member
Jan 13, 2010
2,794
302
Orlando
Anyone know exactly what that profile file flags in the OS?

edit: looks like this is a fix for this particular strain only.
 
Last edited:

Rodderik

Inactive Recognized Developer
Sep 8, 2010
1,300
1,295
devphone.org
the fix is based off of Justin's suggestions in the link...what is to stop future versions of this malware from ignoring this file in the future? nothing! but for now Justin over at androidpolice.com has combed through the known infected apk files and provided us with this fix and info....i would read the 2 articles quoted in the OP for all the goodies

the empty profile file shouldn't affect anything in the market or otherwise....i'm assuming the malware checks if that file exists and if it does then it doesn't try to run but this is speculation on my part. if i need to i can get some more information if the links in the OP don't answer your questions
 

Tortel1210

Retired Recognized Developer
Dec 3, 2010
189
392
My guess is that it tries to extract then run a file named profile, and adding the blank might prevent it from working
 

rayburne

Senior Member
Jan 14, 2011
120
35
FL
Would it be safe to assume that if you look in your system/bin directory and already have a file named profile then you have been infected?

Instead of flashing, using Root Explorer could I just create a file named "profile" in the system/bin directory for a fix?

Anyone think an android AV program like Lookout would have caught this if running when the infected app was installed?
 

Rodderik

Inactive Recognized Developer
Sep 8, 2010
1,300
1,295
devphone.org
Would it be safe to assume that if you look in your system/bin directory and already have a file named profile then you have been infected?

It is quite possible. Check and see if you installed any of the programs lately from the OP. If so then it is quite possible. It is also quite possible a rom developer put that file in there so that is not a 100% way of making sure.

Instead of flashing, using Root Explorer could I just create a file named "profile" in the system/bin directory for a fix?

Yes indeed!

Anyone think an android AV program like Lookout would have caught this if running when the infected app was installed?

Here is more from the articles I posted
Wow – from our perspective, it’s almost like the world exploded overnight. We have more information and details on the virus – which Lookout has named "DroidDream" (the word was consistently used in package names by the malware developers) – and some updates on where things stand.

So I'm assuming that means Lookout scans for or will soon scan for this malware.
 
  • Like
Reactions: rayburne

xaueious

Senior Member
Dec 17, 2009
980
176
Toronto
Does the file prevent the root exploits from running?

I am not sure if your update.zip actually works, unless you are sure that the file is created with the correct file permissions. I'll test it in a minute. I don't know if your updater script is universal either:

Code:
ui_print("**Installing**");
ui_print("**Mounting Partition**");
run_program("/sbin/mount", "/dev/block/stl9", "/system");
ui_print("**Copying System File**");
package_extract_dir("system", "/system");
ui_print("**Unmounting Partition**");
unmount("/system");
ui_print("**Installation Successful**");


Can someone elaborate more on why this works, if it works?

It takes 10 minutes to throw this into an APK fix on the Market for rooted users, which works better than update.zip.

adb remount
adb shell touch /system/bin/profile
adb shell chmod 644 /system/bin/profile
 
Last edited:

Muckrak3r

Senior Member
Sep 16, 2010
367
44
I ran the patch using clockwork, how do I know if it worked?

The only app I may have downloaded from that list is chess, but I doubt I did install that.

Most of those other apps have keywords I STAY AWAY FROM for this very reason lol!
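Putting the OP's adb steps (touch the file, chmod 644) together with the two follow-up questions in the thread ("does an existing profile file mean I'm infected?" and "how do I know if the patch worked?"), here is an added shell script. It is not from the thread or any of the attachments; I wrote it for this page. It assumes three things: ROOT is a prefix for the device root (leave it empty on the phone, or point it at a scratch directory to rehearse the steps on a PC); /system is already mounted read-write as in the OP's "remount rw" step, since the script does not remount anything; and a non-blank profile file is worth reporting for review, simply because the patch only ever creates an empty one.

```shell
#!/bin/sh
# Added example, not from the thread or its attachments: apply and verify the
# blank /system/bin/profile mitigation from the OP, and report whether a
# profile file is already present.
#
# Assumptions (mine, not the thread's):
#  - ROOT is a prefix for the device root; empty on the phone, or a scratch
#    directory when rehearsing on a PC.
#  - /system is already mounted read-write (OP's "remount rw" step).
#  - a non-blank profile file is flagged for review, because the patch only
#    ever creates an empty one.

profile_path() {
    printf '%s/system/bin/profile' "${ROOT:-}"
}

# Print one of: absent | blank | nonempty
profile_state() {
    p=$(profile_path)
    if [ ! -e "$p" ]; then
        echo absent
    elif [ ! -s "$p" ]; then
        echo blank
    else
        echo nonempty
    fi
}

# Create the blank file if it is missing and set mode 644 (rw-r--r--):
# the same two commands as the OP's adb session.
apply_patch() {
    p=$(profile_path)
    mkdir -p "$(dirname "$p")"
    [ -e "$p" ] || : > "$p"
    chmod 644 "$p"
}

# Succeed only when the file exists, is empty, and has mode rw-r--r--.
# The mode is read from ls -l so this works with Android's toolbox as well
# as busybox/GNU ls (no stat needed).
verify_patch() {
    p=$(profile_path)
    [ -e "$p" ] || return 1
    [ -s "$p" ] && return 1
    mode=$(ls -l "$p" | cut -c1-10)
    [ "$mode" = "-rw-r--r--" ]
}

# Command-line use on the phone (as root, e.g. via adb shell):
#   sh droiddream_profile.sh check   -> absent / blank / nonempty
#   sh droiddream_profile.sh apply   -> creates the file, then verifies it
#   sh droiddream_profile.sh verify  -> "ok" or "NOT patched"
case "${1:-}" in
    check)  profile_state ;;
    apply)  apply_patch; verify_patch && echo "patched" || echo "NOT patched" ;;
    verify) verify_patch && echo "ok" || echo "NOT patched" ;;
esac
```

The "check" output is only a hint, as Rodderik says above: a ROM developer may have shipped the blank file, so "blank" is expected after flashing and "nonempty" just means the file deserves a look before you decide anything.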
 

xaueious

Senior Member
Dec 17, 2009
980
176
Toronto
I redid the update.zip in OP.

Forgot attachment.


Code:
show_progress 0.1 0

copy_dir PACKAGE:system SYSTEM:

show_progress 0.1 10

show_progress 0.2 0

set_perm 0 0 0644 SYSTEM:bin/profile

show_progress 0.2 10

This should work on more devices. Test signed.
 

Attachments

  • DroidDreamBackdoorPatch.zip
    2.4 KB · Views: 101
Last edited:

Top Liked Posts

    5
    This .zip is flashable for the Epic running ClockworkMod Recovery. I will include directions in the OP for other methods of getting the file there. If someone wants to put together an apk or a signed update.zip feel free to let me know and I'll make sure it gets posted.

    Also I have requested some more technical information on the malware and I will update with the new information when I get it.

    Well, there is now an .apk. Look for "DroidDreamKiller" on the market (I know it's a stupid name) or on the web: https://market.android.com/details?id=com.voilaweb.mobile.droiddreamkiller

    It's a really simple app that I quickly put together by ripping pieces of another of my apps.
    2
    Rodderik - very useful, thanks much. This will be in SyndicateROM Frozen 1.0.1.

    EDIT: Between this and CIQ removal, we devs have malware removal/prevention covered. ;)
    1
    Anyone think an android AV program like Lookout would have caught this if running when the infected app was installed?

    I suspect it would.