Warwagon, posted July 6, 2016

Quote: At least 10 million Android devices have been infected by malware called HummingBad, according to cybersecurity software maker Check Point. Check Point, which has been tracking the malware since it was discovered in February, has released an analysis of the threat. For months, the number of infections was steady, but it spiked sharply in mid-May. What makes HummingBad particularly interesting is the group behind it, which according to Check Point is a team of developers at Yingmob, an otherwise legitimate, multimillion-dollar advertising analytics agency based in Beijing. "Yingmob has several teams developing legitimate tracking and ad platforms," Israel-based Check Point said in the analysis released Friday. "The team responsible for developing the malicious components is the 'Development Team for Overseas Platform' which includes four groups with a total of 25 employees." HummingBad began as a "drive-by download attack," in which phones were infected when people visited websites. "The first component attempts to gain root access on a device with...rootkit [software] that exploits multiple vulnerabilities. If successful, attackers gain full access to a device," Check Point said. "If rooting fails, a second component uses a fake system update notification, tricking users into granting HummingBad system-level permissions."

http://www.cnet.com/news/malware-from-china-infects-over-10-million-android-users-report-says/

This is why I like my custom rom that I update once a month with the latest Android Patch Level. Speaking of which, July should be released any moment! The lack of security updates for most OEM handsets leaves them looking like Swiss cheese when it comes to security vulnerabilities.
adrynalyne, posted July 6, 2016

15 minutes ago, warwagon said: http://www.cnet.com/news/malware-from-china-infects-over-10-million-android-users-report-says/ This is why I like my custom rom that I update once a month with the latest Android Patch Level. Speaking of which, July should be released any moment! The lack of security updates for most OEM handsets leaves them looking like Swiss cheese when it comes to security vulnerabilities.

And is your custom rom signed by private keys?
Buttus, posted July 6, 2016

I can't get root access on my Verizon S5 no matter what I try. If this malware can get root access, I'd love to know how....
Warwagon (thread author), posted July 6, 2016

36 minutes ago, adrynalyne said: And is your custom rom signed by private keys?

It's not signed with private keys, at least not the kind of keys which let you install on the vanilla recovery. It has to be flashed with a custom recovery, in my case TWRP. It's a well-known custom rom. I would much rather take my risk on a custom rom than be browsing the web on an Android that is months or years behind on security updates.
adrynalyne, posted July 6, 2016

2 hours ago, warwagon said: It's not signed with private keys, at least not the kind of keys which let you install on the vanilla recovery. It has to be flashed with a custom recovery, in my case TWRP. It's a well-known custom rom. I would much rather take my risk on a custom rom than be browsing the web on an Android that is months or years behind on security updates.

I wasn't talking about recovery flashing. If it isn't signed with private signing keys, it is just as vulnerable as those OEM roms months behind on updates.

I've been out of the development game for 4-5 years (look up BAMF Paradigm), but back then, 99% of the custom roms out there used test keys to sign the rom, which Google makes public in the source code. I would be shocked if the situation has changed. I know I tried out a Nexus 6 rom about a year ago and it was signed with test keys. Just because the rom says release keys doesn't mean it is. That is just a build.prop string edit.

They are only for example. The readme even says they are for testing only. If your rom is using test keys, and a malware writer signs their app/script/whatever with test keys, it can gain system trust without any effort at all. Talk to some of the Android security researchers out there. jcase is a good one; ask him about it on twitter.

https://github.com/android/platform_build/tree/lollipop-release/target/product/security

This is a mirror of AOSP. See for yourself. Many "developers" do not replace these.

Edited July 6, 2016 by adrynalyne
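The post above makes the point that `ro.build.tags` saying "release-keys" proves nothing, because it is just a string in build.prop. The check that does mean something is which certificate actually signed the ROM's system packages. The script below is an added example (not from this thread or from any ROM project): it pulls the signer certificates out of an APK's JAR (v1) signature block, such as `/system/framework/framework-res.apk`, which is signed with the platform key, and compares their SHA-256 fingerprints against the public `.x509.pem` files from the AOSP directory linked above (for example `platform.x509.pem` and `testkey.x509.pem`, saved locally). Standard library only; the PKCS#7 walk assumes the usual SignedData layout, with the certificate set in the `[0]` tag. Invoke it as `python check_rom_keys.py framework-res.apk platform.x509.pem testkey.x509.pem ...` (script name assumed).

```python
import base64, hashlib, re, sys, zipfile

def der_tlv(buf, pos=0):
    """Parse one DER TLV at pos -> (tag, value, end); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, inner value, raw TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, end = der_tlv(value, pos)
        yield tag, val, value[pos:end]
        pos = end

def pkcs7_certificates(blob):
    """Return the DER certificates embedded in a PKCS#7 SignedData (META-INF/*.RSA)."""
    _, content_info, _ = der_tlv(blob)                       # ContentInfo SEQUENCE
    _, explicit0, _ = list(der_children(content_info))[1]    # [0] EXPLICIT, after the OID
    _, signed_data, _ = der_tlv(explicit0)                   # SignedData SEQUENCE
    for tag, val, _ in der_children(signed_data):
        if tag == 0xA0:                                      # [0] IMPLICIT CertificateSet
            return [raw for _, _, raw in der_children(val)]
    return []

def pem_to_der(pem):
    """Decode the base64 body of an X.509 PEM file such as platform.x509.pem."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def apk_signer_fingerprints(apk_path):
    """SHA-256 of every certificate in the APK's JAR (v1) signature blocks."""
    with zipfile.ZipFile(apk_path) as z:
        sigs = [n for n in z.namelist() if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))]
        return [fingerprint(c) for n in sigs for c in pkcs7_certificates(z.read(n))]

def match_known_keys(signer_fps, known_ders):
    """Names of the known public certificates (name -> DER) that actually signed the APK."""
    by_fp = {fingerprint(der): name for name, der in known_ders.items()}
    return sorted({by_fp[fp] for fp in signer_fps if fp in by_fp})

if __name__ == "__main__":   # argv: the APK, then the .x509.pem files to compare against
    known = {p: pem_to_der(open(p).read()) for p in sys.argv[2:]}
    print(match_known_keys(apk_signer_fingerprints(sys.argv[1]), known) or "no public AOSP key matched")
```

A non-empty result means the ROM's system packages are signed with a key anyone can download, regardless of what build.prop claims; an empty result only shows the key is not one of the files you passed in.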
Warwagon (thread author), posted July 6, 2016

9 hours ago, adrynalyne said: I wasn't talking about recovery flashing. If it isn't signed with private signing keys, it is just as vulnerable as those OEM roms months behind on updates. I've been out of the development game for 4-5 years (look up BAMF Paradigm), but back then, 99% of the custom roms out there used test keys to sign the rom, which Google makes public in the source code. I would be shocked if the situation has changed. I know I tried out a Nexus 6 rom about a year ago and it was signed with test keys. Just because the rom says release keys doesn't mean it is. That is just a build.prop string edit. They are only for example. The readme even says they are for testing only. If your rom is using test keys, and a malware writer signs their app/script/whatever with test keys, it can gain system trust without any effort at all. Talk to some of the Android security researchers out there. jcase is a good one; ask him about it on twitter. https://github.com/android/platform_build/tree/lollipop-release/target/product/security This is a mirror of AOSP. See for yourself. Many "developers" do not replace these.

Well, I asked around on the AICP Google page and the response I got was:

Quote: never heard of this.. meaning.. Compiled from cm13 source that is derived from aosp source of course... So keys are the same as for cm13. I haven't changed anything
adrynalyne, posted July 6, 2016

21 minutes ago, warwagon said: Well, I asked around on the AICP Google page and the response I got was

That's a non-answer. Nobody, and I mean nobody, with a lick of sense is going to make their private key open source, and if they did, it would just create the same situation. Just saying. Your rom's security is a farce and no better than the OEMs out there, who do sign their roms but don't keep up to date on monthly patches. These guys must be new to the scene to have never heard of the issue. While the most vocal blogs from years ago are no longer out there, you can still find the info.