Chinese language app installs rootkit on Android phones

I'm not so sure this qualifies as a major threat. But I'm writing about it because IT IS an interesting example of the things we Android owners are going to have to worry about going forward.

Lookout Mobile Security sent me a note to say it discovered a Chinese language app available for download on alternative Chinese app markets that has the ability to root an Android device.


Here's what Lookout's Tim Strazzere had to say in his analysis:

Last week we discovered a Chinese language app available for download on alternative Chinese app markets that has the ability to root an Android device, leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities, contains a binary called zHash that attempts to root a device using the exploid exploit to break out of the Android security container – one of the same exploits used by the author(s) of DroidDream. It then leaves a backdoor root shell with the file name “zHash”, in the /system/bin directory.

There was also a version of this app available in the Android Market (same application package). However, while that version did contain the same zHash exploit binary, it did not contain the code required to invoke the exploit. However, the existence of the zHash binary leaves those phones vulnerable to future exploits. Google has removed the application from the Android Market, and has exercised the remote application removal feature to delete it from users’ phones. This only affects versions of the app downloaded through the Android market, and will not remove versions downloaded from alternative Chinese markets.

The app’s use of the backdoor shell is extremely limited and not clearly malicious, however, zHash creates a hole in the security layer of the phone, leaving it vulnerable to other applications wanting to take advantage of the device. If the device was successfully rooted by this app, any other app on the device could gain root access without the user’s knowledge.

Who is Affected?

Currently this threat primarily affects Chinese Android phone owners who either downloaded the app through the Chinese app markets or the official Android Market. We believe that the number of downloads attributed to this app in the Android Market is under 5,000. All instances of the threat have been removed from the Android Market.

As the number of malware exploits on smartphones increases, it is more important than ever to pay attention to the apps you’re downloading.

Here are a few tips to stay safe:

--Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.

--Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.

--Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.

--Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this threat.
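The hole Lookout describes is concrete: a root shell named zHash dropped into /system/bin, which any app on the phone can then execute. The audit below is an added example written for this post, not code from Lookout or from the original article. It assumes the device's /system/bin has been copied to a host with a POSIX find(1) (for instance with `adb pull /system/bin ./system_bin`) and that the mode bits survived the copy; where the device's own shell has a find with -perm, the same functions can be run there instead. The function names (find_setuid_files, has_zhash, audit_system_bin, demo) and the constructed directory tree are mine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Lookout: audit a copy
# of an Android /system/bin directory for the zHash backdoor shell and for any
# other setuid executable, which is the class of hole the analysis describes.
#
# Assumption: the directory was pulled to a host with POSIX find(1), e.g.
#   adb pull /system/bin ./system_bin
# and the setuid mode bits survived the copy. Function names are hypothetical.

# List every regular file under $1 with the setuid bit (mode 04000) set.
# On the device itself you would also confirm the owner is root (uid 0);
# on a pulled copy ownership is lost, so only the mode bit is checked here.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Succeed (exit 0) if a file named zHash exists directly inside $1.
has_zhash() {
    [ -f "$1/zHash" ]
}

# Report findings for directory $1. Exit status 1 if zHash or any setuid
# executable is present, 0 if the directory looks clean.
audit_system_bin() {
    dir="$1"
    status=0
    if has_zhash "$dir"; then
        echo "FOUND: $dir/zHash (zHash backdoor root shell)"
        status=1
    fi
    suid=$(find_setuid_files "$dir")
    if [ -n "$suid" ]; then
        echo "setuid executables under $dir (any app can run these with the owner's privileges):"
        echo "$suid"
        status=1
    fi
    return "$status"
}

# Demonstration on a constructed directory tree (not a real device image):
# one clean copy of /system/bin and one carrying a setuid zHash shell.
demo() {
    tree=$(mktemp -d)
    mkdir -p "$tree/clean" "$tree/infected"
    printf '#!/system/bin/sh\n' > "$tree/clean/sh";       chmod 755  "$tree/clean/sh"
    printf '#!/system/bin/sh\n' > "$tree/infected/sh";    chmod 755  "$tree/infected/sh"
    printf '#!/system/bin/sh\n' > "$tree/infected/zHash"; chmod 4755 "$tree/infected/zHash"
    for d in clean infected; do
        if audit_system_bin "$tree/$d"; then
            echo "$d: no backdoor found"
        else
            echo "$d: treat the device as already rooted by a third party"
        fi
    done
    rm -rf "$tree"
}

demo
```

A setuid file that is not zHash still deserves a look: the post's point is that once any world-executable root shell sits in /system/bin, every other app on the phone inherits the hole, whatever the file is called.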


Obviously, Lookout wants you to use their security applications, and that's fair. They are a business, after all. And they did discover this latest threat. But for those looking for other choices, here are some:

--WaveSecure Mobile Security from McAfee

--Mobile Security (by Trend Micro)

--Antivirus app from NetQin Security

--Mobile Defense

--aFirewall Blocker

--Android AVG

More details on these apps HERE and HERE.

Good morning, and good luck.

--Bill Brenner
