Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
ForumsAndroidZ4root Virus


141 posts

Master Geek
+1 received by user: 7


Topic # 84076 24-May-2011 20:21
Send private message

http://handheld.softpedia.com/progDownload/z4root-Download-110178.html

Hi, Just thought I would get my copy of Z4root.  To try the Battery Calibrator program.  Then.... Microsoft Security essentials reports this as malware.  Which is understandable.  But then it talks about some kind of "exploit unix lotor" being imbedded in there.    Just wondering if anyone else has come across this?

Create new topic


141 posts

Master Geek
+1 received by user: 7


  Reply # 473677 24-May-2011 21:52
Send private message

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit:Unix/Lotoor


Technical Information (Analysis)
Exploit:Unix/Lotoor is a detection for specially-crafted Android programs that attempt to exploit vulnerabilities in the Android operating system to gain root privilege.
Installation
Exploit:Unix/Lotoor is dropped and installed by TrojanSpy:AndroidOS/DroidDream.A. Once installed, the exploit is present as the following names:

  • rageagainstthecage

  • exploid


 
Payload
Allows root access
When run, Exploit:Unix/Lotoor allow a remote attacker to gain administrator privilege to the device running Android operation system.
 

2777 posts

Uber Geek
+1 received by user: 152

Trusted

  Reply # 473684 24-May-2011 22:02
Send private message

Lol!

According to that description it's dangerous because it gives you admin privileges on your own phone! 




Lead Consultant @Intergen
All comments are my own opinion, and not that of my employer unless explicitly stated.



141 posts

Master Geek
+1 received by user: 7


  Reply # 473692 24-May-2011 22:12
Send private message

Oh yeah and I missed this paragraph.....


Connects to a remote website
Exploit:Unix/Lotoor decrypts the name of a remote server provided by TrojanSpy:AndroidOS/DroidDream.A such as "184.105.245.17". The server address is used to send user identifiable data from the affected mobile device.



141 posts

Master Geek
+1 received by user: 7


  Reply # 473729 24-May-2011 22:38
Send private message

This just came up from attempting a download from Softpedia as mentioned.  Hopefully someone may have a safer option.  Get get Z4 from.

3829 posts

Uber Geek
+1 received by user: 233

Trusted

  Reply # 473751 24-May-2011 23:22
Send private message

I hope you did not continue with the installation because it is a virus.

http://virus.netqin.com/en/android/BD.DroidDream.A/




Do whatever you want to do man.

  



141 posts

Master Geek
+1 received by user: 7


  Reply # 473752 24-May-2011 23:24
Send private message

Nope.

4025 posts

Uber Geek
+1 received by user: 1076

Trusted

  Reply # 473758 25-May-2011 00:25
Send private message

Its what z4root uses, rageagainstthecage exploit. Because its an exploit, technically an antivirus program should pick it up. ESET NOD32 started picking up my apks for z4root as well.

Rooting on android is done by exploiting a security flaw, and thats exactly what this does.
I disabled my antivirus before downloading it from the official source and copying it to my phone.
http://forum.xda-developers.com/showthread.php?t=833953
22/ 43 result on virustotal, which is exactly what i'd expect here.
rageagainstthecage is a root exploit via a fork bomb.

It IS a potentially malicious payload, BUT it is being used with owner's consent to root the phone.

The DreamDroid malware use exactly same payload - they are trojans, but this is a helpful tool.

It IS a dangerous tool in the wrong hands, but this is a root exploit, so you should exercise common sense and a little understanding of what it does and how it works.


SuperOneClick and anything else with the same exploit code will also set it off. 



141 posts

Master Geek
+1 received by user: 7


  Reply # 473759 25-May-2011 00:29
Send private message

I think I agree.  But the version I was downloading definitely had a nasty on it.  Able to talk to some server etc.  I will look at this site. Cheers

4025 posts

Uber Geek
+1 received by user: 1076

Trusted

  Reply # 473760 25-May-2011 00:43
Send private message

No, the one you downloaded is identical to the one from XDA. It does not talk to a remote server.

Your antivirus, and others are detecting the exploit code that z4root uses, which is identical to the exploit code that the DreamDroid malware uses, and this is why the antivirus picks it up. DroidDream DOES talk to a remote server.

I edited my post above when you were replying with this info.



141 posts

Master Geek
+1 received by user: 7


  Reply # 473761 25-May-2011 00:50
Send private message

Ok.  Now I am happy with that explanation. Cheers.

4408 posts

Uber Geek
+1 received by user: 826

Trusted
Lifetime subscriber

  Reply # 473767 25-May-2011 04:10
Send private message

Good to reason not to root. How certain can you be? Are you sure you download the right one. The last thing you want your phone got hijacked. What is the file md5





4025 posts

Uber Geek
+1 received by user: 1076

Trusted

  Reply # 473866 25-May-2011 12:12
Send private message

SuperOneClick has removed rageagainstthecage to avoid these false positives. It now has only psneuter and GingerBreak.

Rooting can be fine as long as you're getting the program to do it from its original source. Z4root, superoneclick, unrevoked3 are all examples of apps which are are commonly used to root. Using the MD5 to verify its the original file is a good idea. 

2782 posts

Uber Geek
+1 received by user: 120


  Reply # 474007 25-May-2011 16:10
Send private message

If you're worried, install the "Lookout" app, it's basically Android anti-virus.




@KnightNZ

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

Microsoft Dynamics 365 Business Central launches
Posted 10-Jul-2018 10:40

Spark completes first milestone in voice platform upgrade
Posted 10-Jul-2018 09:36

Microsoft ices heated developers
Posted 6-Jul-2018 20:16

PB Technologies charged for its extended warranties and warned for bait advertising
Posted 3-Jul-2018 15:45

Almost 20,000 people claim credits from Spark
Posted 29-Jun-2018 10:40

Cove sells NZ's first insurance policy via chatbot
Posted 25-Jun-2018 10:04

N4L helping TAKA Trust bridge the digital divide for Lower Hutt students
Posted 18-Jun-2018 13:08

Winners Announced for 2018 CIO Awards
Posted 18-Jun-2018 13:03

Logitech Rally sets new standard for USB-connected video conference cameras
Posted 18-Jun-2018 09:27

Russell Stanners steps down as Vodafone NZ CEO
Posted 12-Jun-2018 09:13

Intergen recognised as 2018 Microsoft Country Partner of the Year for New Zealand
Posted 12-Jun-2018 08:00

Finalists Announced For Microsoft NZ Partner Awards
Posted 6-Jun-2018 15:12

Vocus Group and Vodafone announce joint venture to accelerate fibre innovation
Posted 5-Jun-2018 10:52

Kogan.com to launch Kogan Mobile in New Zealand
Posted 4-Jun-2018 14:34

Enable doubles fibre broadband speeds for its most popular wholesale service in Christchurch
Posted 2-Jun-2018 20:07


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.