The Threat
Recently we discovered a new Trojan in the wild, surfacing in alternative Android markets that predominately target Chinese Android users. This Trojan, which we’ve dubbed jSMSHider due to the name used inside the APK, predominantly affects devices with a custom ROM. Custom ROMs are custom built versions of Android, which have been released by third-party groups. The manufacturer or carrier do not traditionally endorse custom ROMs. (If you do not know what a custom ROM is, and do not think you’ve downloaded a custom ROM, you are probably not affected.)
Who is Affected
To date, we have identified eight separate instances of jSMSHider and because the distribution is limited to alternative app markets targeting Chinese Android users, the severity for this threat is low. This Trojan, jSMSHider, predominantly affects devices where the owner has downloaded a custom ROM or rooted phone.
Due to where the malware was found and the limited number of devices the malware could infect, we believe the impact to be limited. All Lookout users are automatically protected from this malware.
How it works
The application follows the common pattern of masquerading as a legitimate application, though a few extra permissions have been added. At first glance, it appears like other recent Android Trojans that tries to take control over the mobile phone by rooting the phone (breaking out of the Android security container), but instead jSMSHider exploits a vulnerability found in the way most custom ROMs sign their system images. The issue arises since publicly available private keys in the Android Open Source Project (AOSP) are often used to sign the custom ROM builds. In the Android security model, any application signed with the same platform signer as the system image can request permissions not available to normal applications, including the ability to install or uninstall applications without user intervention.
Read more: Lookout security
0 comments:
Post a Comment