[Patch] Malware block [3/6/11] (froyo only)

[mmmark111]

If you haven't read this, please do so.

The Mother Of All Android Malware Has Arrived: Stolen Apps Released To The Market That Root Your Phone, Steal Your Data, And Open Backdoor | Android News, Reviews, Apps, Games, Phones, Tablets, Tips, Mods, Videos, Tutorials - Android Police

Who is affected? All phones pre-gingerbread
Who should act? Users and developers using pre-gingerbread roms
What if I think I was infected? Completely wipe your device, format sdard, go back to stock and re-apply rom, then flash the attached .zip (before installing any apps)

The offending apps from publisher Myournet:

* Falling Down
* Super Guitar Solo
* Super History Eraser
* Photo Editor
* Super Ringtone Maker
* Super Sex Positions
* Hot Sexy Videos
* Chess
* Falldown
* Hilton Sex Sound
* Screaming Sexy Japanese Girls
* Falling Ball Dodge
* Scientific Calculator
* Dice Roller
* Advanced Currency Converter
* App Uninstaller
* PewPew
* Funny Paint
* Spider Man

More information can be found here.

The exploit has been patch in 2.3 so if you're running GB then you are safe.

DOWNLOAD

 

[Helgaiden]

Cool, just applied the zip. I assume its just going into the recovery then flashing the zip from sd card right?

 

[mmmark111]

Cool, just applied the zip. I assume its just going into the recovery then flashing the zip from sd card right?

Yep, you got it.

 

[Gutterball]

Does anyone know if avg or lookout detects all or any of these?

 

[vee]

Can we apply this at any time or only at fresh flash? Are there any signs to know if you're infected

 

[mmmark111]

Can we apply this at any time or only at fresh flash? Are there any signs to know if you're infected

Yea you can flash it at any time unless you have installed any of the apps listed.

Then check your /system/bin/ for a file named "profile" (unless you have already flashed the zip) If it's there you're most likely infected.

You guys should give the xda thread a read through. A lot of it is speculation but they know that this will fix this particular type of malware.

 

[SGH360]

how do i know if i got infected? i cannot remember if i downloaded one of those apps and then uninstall it day later

 

[r00t]

Awesome work, really appreciate this.

I think the list was larger, about 50 something apps. Lookout antivirus seems to detect the root kits.

 

[denshigomi]

The Droid Dream virus relies on the Rage Against The Cage exploit.
I thought that exploit was patched in 2.2.1.
If so, the virus can't infect the Optimus V.

 

[mmmark111]

The Droid Dream virus relies on the Rage Against The Cage exploit.
I thought that exploit was patched in 2.2.1.
If so, the virus can't infect the Optimus V.

It was patched in 2.3. The virus can infect our phones.

 

[LeslieAnn]

Is this an apply once and forget, or do you need to apply this after each rom flash?

 

[denshigomi]

It was patched in 2.3. The virus can infect our phones.

It looks like I was mistaken, the Optimus V is vulnerable.
It was patched in 2.2.2.
An Update on Android Market Security - Official Google Mobile Blog

 

[denshigomi]

Is this an apply once and forget, or do you need to apply this after each rom flash?

It's just a blank file named /system/bin/profile with permissions set to 644. If your ROM flashes /system (which I assume it does) then you'll need to recreate the file after flashing.

 

[LeslieAnn]

Ahh okay, easy enough to incorporate into a build then.

 

[KSmithInNY]

Moved this over to the root/hack/rom section because of it's requirement to be rooted to use (flash through custom recovery). I think non-rooted phones can grab droiddream cleaner from lookout labs free from the market.

 

[drezliok]

Was this added to the Rodimus rom?

 

[mmmark111]

Was this added to the Rodimus rom?

Not yet. Next release will have out though.

 

[denshigomi]

I posted my thoughts on this patch in another thread.
http://forum.androidcentral.com/opt...6027-optimus-v-rom-question-2.html#post815416