Lookout Security finds trojans aimed at custom rom’d phones, uh oh!

June 16, 2011

Well, not quite "uh oh" just yet for most of us. The trojan was found on some Chinese alternative markets, not on the official Google Market. So no need to worry just yet, but something like this was bound to happen.

A few months back, in our IRC room (#androidchat on freenode), fellow writers Tabe, Mike919 and I were discussing locked phones and bootloaders, including root. One of the reasons we gave for manufacturers disliking root access and open bootloaders was security: on a rooted phone, anything running on the device can grant itself permissions, change the system and ultimately take over your phone or pretty much kill it. We also made the point that it hadn't happened yet but was completely feasible. Looks like it now has. Here is a quote of exactly what Lookout said the malware does, and its capabilities:

In the case of jSMSHider, it installs a secondary payload onto the ROM, giving it the ability to communicate with a remote server and receive commands. If a device is signed with the same platform signer found in the AOSP, the malware can transparently install the second stage payload without user intervention. If the signers do not match, then the application will request the root permission, which on most custom ROMs will prompt the user to grant permission to the application.

If jSMSHider successfully installs the second stage payload, we mapped the capabilities that the malware can perform, which include:

  • The ability to read, send and process incoming SMS messages (potentially for mTAN interception or fraudulent premium billing subscriptions)
  • Installing apps transparently on ROMs with a platform signer from the AOSP
  • Communication with a remote server using DES encryption and base64 encoding with a custom alphabet
  • Dynamic C&C server addresses and check-in frequency
  • Download an application from a URL and perform a silent install or update of the APK
  • Open a URL silently in the background (using the device’s default User-Agent)

To connect to its command and control server, the malware uses multiple subdomains of xmstsv.com, namely:

  • srv.xmstsv.com
  • srv1.xmstsv.com
  • srv2.xmstsv.com
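The Lookout quote above says the C&C traffic is DES-encrypted and then base64-encoded with a custom alphabet. The following is an added example, not code from the original post, from Lookout or from the malware, showing how an analyst handles that outer encoding layer: translate the custom alphabet back to the standard RFC 4648 alphabet before decoding, and recover the alphabet mapping from a known plaintext together with its observed encoding. The alphabet `CUSTOM` is a constructed rotation of the standard one, chosen here for illustration; the real sample's alphabet and DES key are not given on the page, so the DES layer is left out.

```python
import base64
import string

# Standard base64 alphabet (RFC 4648), 64 characters plus '=' padding.
STD = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed custom alphabet for this example only (assumption): a rotation
# of the standard alphabet. The real jSMSHider alphabet is not on the page.
CUSTOM = STD[17:] + STD[:17]


def _check_alphabet(alphabet: str) -> None:
    """A usable custom alphabet is a permutation of 64 distinct characters."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct characters, without '='")


def custom_b64encode(data: bytes, alphabet: str = CUSTOM) -> str:
    """Encode with the standard alphabet, then substitute the custom one."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD, alphabet))


def custom_b64decode(text: str, alphabet: str = CUSTOM) -> bytes:
    """Undo the substitution, then decode strictly (reject stray characters)."""
    _check_alphabet(alphabet)
    std = text.translate(str.maketrans(alphabet, STD))
    return base64.b64decode(std, validate=True)


def recover_mapping(known_plain: bytes, observed: str) -> dict:
    """Known-plaintext recovery of the substitution.

    Given a plaintext and the custom-alphabet string the sample produced for
    it, return the partial mapping custom_char -> standard_char implied by
    the pair. Raises ValueError if the pair cannot be explained by a simple
    one-to-one alphabet substitution (wrong hypothesis about the encoding).
    """
    std = base64.b64encode(known_plain).decode("ascii")
    if len(std) != len(observed):
        raise ValueError("lengths differ; not a plain alphabet substitution")
    forward: dict = {}   # observed char -> standard char
    reverse: dict = {}   # standard char -> observed char
    for s, o in zip(std, observed):
        if s == "=" or o == "=":
            if s != o:
                raise ValueError("padding position differs")
            continue
        if forward.setdefault(o, s) != s or reverse.setdefault(s, o) != o:
            raise ValueError(f"inconsistent mapping for {o!r} / {s!r}")
    return forward


if __name__ == "__main__":
    # Constructed check-in message; in the real sample the bytes at this
    # layer would be DES ciphertext rather than readable text.
    message = b"constructed check-in payload"
    wire = custom_b64encode(message)
    print("on the wire :", wire)
    print("decoded     :", custom_b64decode(wire))
    print("recovered   :", len(recover_mapping(message, wire)), "of 64 symbols")
```

In practice the custom alphabet is read out of the decompiled sample and `recover_mapping` is the cross-check that the alphabet you extracted actually explains captured traffic; an inconsistency means the encoding is not a bare substitution and the hypothesis needs revisiting before any decryption step.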


As I said, no big deal right now. CM7 has already patched this hole, which should cover most people anyway. But it is something to keep in the back of your mind the next time you load up a custom ROM from someone who may not have patched this possible exploit.

Source: Lookout Security


Category: Android News, Mobile News

About the Author

Co-owner and Editor-in-Chief of GizmoNinja.com.

During the day I work in graphic design and also do photography. By night I try to play with programming and code of all different types. I love the opportunity to write for the site and hope to see it grow as time goes on.