March 20, 2011

Security Alert: zHash, A Binary that can Root Android Phones, Found in Chinese App Markets and Android Market

The Threat

Earlier this week we discovered a Chinese language app available for download on alternative Chinese app markets that has the ability to root an Android device, leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities, contains a binary called zHash that attempts to root a device using the exploid exploit to break out of the Android security container – one of the same exploits used by the author(s) of DroidDream. It then leaves a backdoor root shell with the file name “zHash”, in the /system/bin directory.

There was also a version of this app available in the Android Market (same application package). While that version did contain the same zHash exploit binary, it did not contain the code required to invoke the exploit. However, the presence of the zHash binary still leaves those phones vulnerable to future exploits. Google has removed the application from the Android Market and has exercised the remote application removal feature to delete it from users’ phones. This only affects versions of the app downloaded through the Android Market, and will not remove versions downloaded from alternative Chinese markets.

The app’s own use of the backdoor shell is extremely limited and not clearly malicious. However, zHash creates a hole in the security layer of the phone, leaving it open to other applications wanting to take advantage of the device. If the device was successfully rooted by this app, any other app on the device could gain root access without the user’s knowledge.
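As an added example (not part of Lookout's advisory), the following audit flags the condition described above on a `/system/bin` listing: a file with the reported backdoor name, or any setuid-root executable that is not expected on a stock build. It assumes Android toolbox `ls -l` output (mode, owner, group, size, date, time, name); the listing and the allowlist are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample of `ls -l /system/bin` output in Android toolbox format
# (mode owner group size date time name). NOT a real device capture.
SAMPLE_LISTING = """\
-rwxr-xr-x root     shell       9820 2011-01-15 10:02 ls
-rwsr-sr-x root     root       26324 2011-03-20 12:00 zHash
-rwxr-xr-x root     shell     157364 2011-01-15 10:02 sh
-rwsr-xr-x root     root        5812 2011-01-15 10:02 run-as
"""

# Binaries that are setuid root by design on a stock build (assumed allowlist;
# a real audit would build this from a known-good image of the same firmware).
SETUID_ALLOWLIST = {"run-as"}
# File name the advisory reports for the dropped root shell.
KNOWN_BACKDOOR_NAMES = {"zHash"}

def parse_ls_line(line: str) -> Dict[str, str]:
    """Split one toolbox `ls -l` line into its mode, owner and file name."""
    parts = line.split()
    return {"mode": parts[0], "owner": parts[1], "name": parts[-1]}

def is_setuid(mode: str) -> bool:
    """True when the owner-execute slot carries the setuid bit ('s' or 'S')."""
    return len(mode) >= 4 and mode[3] in "sS"

def audit_system_bin(listing: str) -> List[str]:
    """Return one finding per entry that matches a known backdoor name or is
    an unexpected setuid-root executable (the hole zHash leaves behind)."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        entry = parse_ls_line(line)
        name, mode, owner = entry["name"], entry["mode"], entry["owner"]
        if name in KNOWN_BACKDOOR_NAMES:
            findings.append(f"{name}: matches known backdoor file name")
        if is_setuid(mode) and owner == "root" and name not in SETUID_ALLOWLIST:
            findings.append(f"{name}: unexpected setuid-root binary ({mode})")
    return findings

if __name__ == "__main__":
    for finding in audit_system_bin(SAMPLE_LISTING):
        print("FINDING", finding)
```

On a device, the same function can be fed the output of `adb shell ls -l /system/bin`; any setuid-root entry outside the firmware's known set deserves a closer look even when its name is not on a published indicator list.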

Who is Affected

Currently this threat mainly affects Chinese Android phone owners who either downloaded the app through the Chinese app markets or the official Android Market. We believe that the number of downloads attributed to this app in the Android Market is under 5,000. All instances of the threat have been removed from the Android Market.

How to Stay Safe

Lookout Free and Premium users are automatically protected from this threat and do not need to take further action.

As the number of malware exploits on smartphones increases, it is more important than ever to pay attention to the apps you’re downloading. Here are a few tips to stay safe:

  • Only download apps from trusted sources, such as reputable app markets. Remember to look at the developer name, reviews, and star ratings.
  • Always check the permissions an app requests. Use common sense to ensure that the permissions an app requests match the features the app provides.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS or network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this threat.

One comment

  1. Jenay says:

     Your posting really straightened me out. Thanks!
