Please, just stop downloading apps from unofficial stores: Android users hit with 'unkillable malware' An Android malware package likened to a Russian matryoshka nesting doll has security researchers raising the alarm, since it appears it's almost impossible to get rid of. Known as xHelper, the malware has been spreading mainly in Russia, Europe, and Southwest Asia on Android 6 and 7 devices (which while old and out of date, …
Armed with its powerful root privileges....
I guess Android's security model still needs work if something can waltz in from outside and assume root privilege. I am of the opinion that the "no user has admin authority" model has an inherent flaw to it. The mechanisms of privilege escalation and control do not get exercised enough to iron the bugs out.
"and user rooted devices will block unknown apps by default"
you sure it's not the opposite (or were you being snarky)?
A normal "non-rooted" device blocks un-blessed applications by default, requiring you to jump through a hoop or two to install the potentially "dirty" ones. Some older 'droid versions were actually LESS convenient for doing this, at least on the versions I've worked with [I've had to do it for development stuff a while back, put APK up someplace, have people install it, etc.]. Newer ones have different hoops when you download, but just an extra "yes I want to do this" step rather than changing the default setting to allow 'foreign' APKs or whatever. It's been a while since I did it last... [online instructions if I forget]
But yeah any downloaded APK is a potential disaster for the person installing. The idea that a factory reset does NOT get rid of this particular malware is disturbing. Not sure how to EASILY do a complete re-flash though. It sounds like it would require more than an average tech... [maybe time to research doing that - I never went so far as to figure out how to do a complete re-flash on a 'droid device]
maybe future 'droid devices will need to ship with actual ROM (and not a potentially writable image) for a PROPER factory reset.
/me considers investigating how a debug USB cable might make this a little easier to deal with...
(I obviously STILL have a lot to learn about these things)
and yet - the absolute LAST thing we should want to see is an Apple-like (paywall and/or censor-wall) *STRANGLEHOLD* on what you can or cannot install... _ESPECIALLY_ for independent developers!
Trusted rooting implementations require apps to be whitelisted or one time authorised before they can successfully call su.
Malware on a user rooted device will need to trick the user into authorising it or find an exploit to replace the existing su. Rooting a device is pretty safe unless you're easily tricked.
"which are old and out of date"
...and clearly there are many, many devices out in the wild still, because they can't (easily) be updated and security patching stopped YEARS ago. You can't fix security by mandating that users buy new phones every year or two. The security holes may be old, but clearly they are not "out of date".
We have an Asus tablet running Android 7, but then it is only used for browsing (incl. this esteemed organ) and reading e-books. Does not get anywhere near the bank (and neither does the up to date phone).
But for that purpose it is just fine, and the risk something one can live with.
No, it has to exploit security holes in Android 6 and 7, which are old and out of date, to achieve root.
That may be the case, but I have several devices that cannot be upgraded to Android 6 or 7, let alone anything newer. Until Google mandate that all manufacturers must provide timely security fixes for older versions Android for the lifetime of the devices it's not really a defence.
The lack of software updates should never be a reason for good, working, hardware to end up in landfill.
20 years. Minimum.
No, I'm not even joking. In fact, there are lots of devices older than that in use in production environments.
OOOOHH SHINY!!!! may be good enough for consumer device replacement schedules, but some of us deal with devices that cost a fucklot of money and need to work for decades.
Even for consumer stuff a 10 year minimum supported lifespan is too short. How many decade old computers are still out there, and still perfectly adequate for the job they're doing? Even with phones, 10 years ago was the iPhone 4, which would be perfectly adequate today for a lot of peoples' needs if an OS update was available. Sure, YOU run lots of apps and surf the web on your phone like a teenager, but plenty of people read an occasional text, maybe check email, and primarily talk on the phone with it, because, you know, it's a telephone.
Flashing simply means overwriting the systems flash memory. Overwrite the partitions the OS runs from, zero the data partitions and nothing survives of any infection (unless it can run from external storage - which nowadays would require a hacked firmware).
Stock recovery mode is how you flash signed stock firmware images, often to recover a bricked or corrupt phone, or force an OS upgrade. For tinkering we flash the stock recovery partition with something more hacker friendly.
Millions of Android phones distributed by Access Wireless and Assurance Wireless as part of the government assistance "LifeLine" program install apps from unofficial app stores and cloud servers without users knowledge or intervention.
Millions of minature 'Nix devices with WiFi cards, GPS, Bluetooth and NFC running as root accepting remote commands from an adversarial country.
What can possibly go wrong?
Actually it isn't even an argument anymore. They have confirmed that so far they have never had to remove malware due to their stricter policy than google.
See the recent interview
https://forum.f-droid.org/t/f-droid-invited-to-be-on-twit-tvs-floss-weekly/8674
Confirmed. F-Droid is the safest app store.
well, I do, an will "definitely" use "unauthorised 3rd party stores". But then, I don't download any crapp.apk just because it's another "FIVE STAR RATED!!!!" junk that claims to do "everything for nothing", on 3rd party, 2nd party, or any party. And definitely NOT google-party.
It would seem to me the major issue of not being to clear out such malware is that you the OWNER of the device are not allowed your rightful root-level access. Certainly, you shouldn't be running as root in your daily usage, but Android decides to tell you that you might be the owner, bit you don't actually *OWN* your own devices.
Properly designed, you should be able to boot your device from a clean and write-protected medium (most likely a microSD, or perhaps something on an OTG adapter) and do a full wipe of the storage, and then re-load a clean install. Perhaps the system/OS storage should be on a removable chip inside the phone, where in the worst-case you could pull it out and read/reflash it from your computer (probably not microSD, I think it would probably need a specialized spec, but that's not my field of expertise).
Given Google's own preferences, I'd expect Google would prefer Android be run as an extreme exaggeration of ChromeOS, where the *only* thing on your phone is a bootloader, and anything else has to be run off the internet from their servers.
How is it that the shit-show that was MSWindows Mobile looks to have been *more* open than the supposedly FLOSS-based Android?
On a brand new device running Android 9 I can only use 3rd party stores because Google prevents the manufacturer from installing Google Mobile Services, which stops Play Store plus sign-in to most of their apps (Chrome, YouTube, etc.).
The device is a projector (Phillips Picopix Max).
Must be a pretty compelling reason for Google to block that, because think of all the app and media sales (plus harvested data) revenue they're missing out on. From a consumer point of view it's annoying and makes no sense.
From a security point of view it's annoying and makes no sense.
And to think all this time Apple caught so much flack for locking down the distribution of software used on IOS devises.
I understand wanting to be in control of a piece of kit you purchased, but too many people just clicj the accept and install button to be a menace to themselves and others.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
