[Q] Is Andr.Exploit.Ratc in CF-Auto-Root file malicious? - General Questions and Answers

Greetings!
A couple of months ago, I rooted my Samsung Galaxy Note II (GT-N7105) using the file found at http://autoroot.chainfire.eu/, namely, the file CF-Auto-Root-t0lte-t0ltexx-gtn7105.zip with md5 hash of 196163105a21a52d49546bc63f7f4eec. I also followed these instructions from the respective forum thread.
After this, I left the file on my (Ubuntu) desktop, and only today scanned it with an antivirus scanner (yes, in retrospect, I really should have done this at the time!). It alerted me that the file contains the Andr.Exploit.Ratc exploit. Googling the exploit took me to this page.
Excuse me if the answer should be obvious, but can you tell me whether I should be concerned (i.e. the file is malicious), or whether the exploit is simply necessary in order to circumvent the manufacturer's security on the phone?
Many thanks in advance
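One check a practitioner would run before deciding, as an added example that is not code from the original post or from Chainfire's package: compare the archive's MD5 with the hash quoted above and list every member with its SHA-256 and file type, so you can see which component (typically the native exploit binary) the scanner is matching. The sample package the script builds for itself is constructed for the demo; `build_sample_package`, `check_package` and `inspect_zip` are names chosen here, not part of any tool.

```python
"""Integrity and content check for a downloaded root package (added example)."""
import hashlib
import io
import sys
import zipfile

ELF_MAGIC = b"\x7fELF"      # native Linux/Android binary
APK_MAGIC = b"PK\x03\x04"   # an .apk is itself a zip archive


def md5_of(src):
    """MD5 hex digest of a file path or an in-memory bytes object."""
    if isinstance(src, bytes):
        return hashlib.md5(src).hexdigest()
    h = hashlib.md5()
    with open(src, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(data):
    """Coarse file type from magic bytes: 'elf', 'zip/apk' or 'other'."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(APK_MAGIC):
        return "zip/apk"
    return "other"


def inspect_zip(src):
    """Return [(name, size, sha256, kind)] for each file member of a zip (path or bytes)."""
    fh = io.BytesIO(src) if isinstance(src, bytes) else src
    rows = []
    with zipfile.ZipFile(fh) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            rows.append((info.filename, info.file_size,
                         hashlib.sha256(data).hexdigest(), classify(data)))
    return rows


def check_package(src, expected_md5):
    """Compare the archive MD5 with the published one and enumerate its members."""
    actual = md5_of(src)
    return {"md5": actual,
            "matches_published": actual.lower() == expected_md5.lower(),
            "members": inspect_zip(src)}


def build_sample_package():
    """Constructed stand-in for a root package: one fake ELF member, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tools/exploit", ELF_MAGIC + b"\x01" * 28)  # not a real binary
        zf.writestr("README.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    # usage: python check_root_package.py <zip> <published-md5>
    path, published = sys.argv[1], sys.argv[2]
    report = check_package(path, published)
    print("md5 matches published hash:", report["matches_published"])
    for name, size, sha, kind in report["members"]:
        print(f"{kind:8} {size:>10} {sha[:16]}  {name}")
```

Members reported as `elf` are the native pieces to submit individually to a scanner; a mismatch on the published MD5 means you are not looking at the file the author released, whatever the scanner says.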

Related

[Q] 3 newbie questions

All, I received my Samsung Galaxy 3 last Friday and I started to play with it a little.
I googled some of the information required but still have a few questions to ask:
1. As Android has a pretty good SDK in place, is there a way to test my newly cooked ROM on an emulator instead of flashing it on the phone directly (risking a brick or something)?
2. Knowing the kernel (2.6.32.9), is it safe to upload some new binaries to the bin directory along with libraries (to lib, of course) without touching existing ones?
3. I'm about to write an app which communicates with my server via socket. To open the socket, root privileges are required. The question is: having SuperUser in place on my phone, will I be asked for root privileges or will it go to "Permission denied"? Should some steps be undertaken?
I searched this forum, but for the above I found no answers.
Thanks in advance.
1) No way, but if you don't flash the bootloader there will be no problem.
2) Yes, if they're compiled for armv[5-6].
3) No idea, I did not try yet.
Thanks very much

[Q] what is this Exploit.Linux.Lotoor.g

This site tried to put this on my PC when I joined here.
I also just got this alert when clicking to download an attachment added to a post here: SuperOneClick.
Could it be a false positive of some sort? The download hadn't begun, so I doubt it was the actual attachment that was infected.
"The requested URL cannot be provided
The requested object at the URL:
http://forum.xda-developers.com/attachment.php?attachmentid=437039&d=1289271263
Threat detected:
object is infected by Exploit.Linux.Lotoor.g"
I am seeing it too
I am getting an alert from Kaspersky that the file rageagainstthecage file in the SuperOneClickv1.5.5-ShortFuse.zip is infected with Exploit.Linux.Lotoor.g
Kaspersky report:
detected: Trojan program Exploit.Linux.Lotoor.g file: C:\Documents and Settings\user\Desktop\SuperOneClickv1.5.5-ShortFuse\rageagainstthecage
I expect this is a false positive due to the nature of the application, but I'd like someone brighter than me to confirm.
Thanks!
I'm going to have to agree with the false positive considering it says it's a linux exploit in the name. RaTC is an exploit to get root on android which is a form of linux. I've also used SuperOneClick so I know it's not malicious.
Well, maybe it is malicious if we take into consideration this:
...
Troj/DroidD-A
Aliases
* Exploit.Linux.Lotoor.k
* Exploit.Linux.Lotoor.g
* Trojan-Downloader.AndroidOS.Rooter.a
* Android.Rootcager
* Backdoor.AndroidOS.Rooter.a
* Trojan-Downloader.AndroidOS.Rooter.b
* Exploit.Linux.Lotoor.l
...
Troj/DroidD-A is malware for Google Android phones. It purports to be a legitimate application and had been on Google Market before it was taken down.
...
All the packages contain a repackaged legitimate application with a trojan package in com.android.root, which is specified to start its action prior to the normal application.
* It can access TelephonyManager and steal the IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) codes, and various other data.
* It then adds this information into an XML file
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<Request>
<Protocol>1.0</Protocol>
<Command>0</Command>
<ClientInfo>
<Partner>%s</Partner>
<ProductId>%s</ProductId>
<IMEI>%s</IMEI>
<IMSI>%s</IMSI>
<Modle>%s</Modle>
</ClientInfo>
</Request>
* using a simple XOR byte encryption with a key predefined in the class adbRoot. The decrypted byte buffer contains the IP address and the URL of the server which is used to post data about the infected phone in an XML format using an HTTP POST request
The package runs a set of privilege escalation exploits. These exploits are detected by Sophos as PUA HackTool "Android Local Root Exploit".
After obtaining root privilege, it tries to install another DownloadProviderManager.apk (as package com\android\providers\downloadsmanager) which is the payload (also detected as Troj/DroidD-A).
This payload runs as a background service "DownloadManageService" and starts whenever the phone is booted up.
* It will try to access even more information and report back, including trying to enumerate packages installed on the phone and then report back to the same control center.
* It has a function to install additional packages from remote download.
...
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdroidda.html
That is so confusing lol. Tbh though, I doubt they'd be malicious or else they'd be taken down off of XDA. If they were, I'm sure they'd be taken down straight away as that would be MOST DEFINITELY against the rules. Wait to see what a mod or something says though.
Has anyone got a live link to an example of this?
Seen this in a previous post, don't know if it'll help but here: http://forum.xda-developers.com/attachment.php?attachmentid=437039&d=1289271263
Btw, I could swear you're stalking me. jk.
pulser_g2 said:
Has anyone got a live link to an example of this?
Here is another link (xda-dev as host): http://forum.xda-developers.com/attachment.php?attachmentid=591335&d=1304969547
Hope it can be solved.
Thx from Germany
Has anyone confirmed or denied that this is a trojan? Kaspersky detected this file on my computer (backup of my sdcard). That file was used when I rooted my phone, so I am concerned. By the way, the two links posted above do not work.
Gaining root privileges seems to be reasonable (especially if it's part of rooting your droid); however, its legitimacy depends on the reason.
In plain English, I'm trying to say that the question about lotoor should be answered per attachment (tool) and not on a global basis.
BTW: lotoor is also detected (VirusTotal 14/42) for the zr file which is part of MTKdroidTools. I'm not qualified enough to answer whether this is legit.
I got this when I downloaded the ace hack kit, but disregard it.
Of COURSE it's a malicious exploit!
If you have specifically rageagainstthecage or zergrush, congratulations, your virus software has successfully discovered your ROOTING software for what it is - a malicious linux-based exploit used to root android devices!
Remember when the phone manufacturers locked the door to root? Remember we decided to break in and root 'em anyway? These Linux exploits are what break the lock: (Super) One Click Root, root.jar files, root.exe files, etc. All executables with these 'viruses' that root your phone. That isn't to say you guys don't have something that may well be dangerous to Linux machines, but if you still have rooting software on your Windows PC, then this is most likely what it is, and it's a-okay.
Hope you guys are sighing with relief
The4thDoctor said:
Has anyone confirmed or denied that this is a trojan? Kaspersky detected this file on my computer (backup of my sdcard). That file was used when I rooted my phone, so I am concerned. By the way, the two links posted above do not work.
voshell said:
This site tried to put this on my PC when I joined here.
Have you downloaded or installed "Exynos Abuse" to root Samsung/Exynos powered device ??
Because that's what I have, and I get it all the time on my antivirus Kaspersky
Exynos Abuse main development page http://forum.xda-developers.com/showthread.php?t=2050297
Wait a minute... but my Kaspersky detected it in a file named "root me" on the computer. I did root my Samsung mini2 with it, yet it's STILL fully functional after KS quarantined it!!
Is it something else?

[Q&A] [GT-P31xx] CF-Auto-Root

Q&A for [GT-P31xx] CF-Auto-Root
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [GT-P31xx] CF-Auto-Root. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!
Hi,
I've tried to root my GT-P3100 with auto-root but with no success.
I have stock 4.2.2; I first wiped all data and did a factory reset, then started rooting. After reboot an icon of SuperSU appears, but after running it says "there is no SU binary installed". I notice that this version is 2.13 with date 2014/10/10. I downloaded it from the link in the third post, which is described as containing version 1.30 of SuperSU inside.
I tried reflashing auto-root many times but the binary is still missing.
Maybe the SuperSU version mismatch is the problem? How can I resolve an issue with a missing binary?
Thanks for help, &Y
First post : Need personalized root info for GT-P3113
My first post and not sure what I'm doing or if it's the right place, please have patience?
I have a 2012 Galaxy Tab 2 P3113 wifi-only model. It auto-updated from the stock Android 4.0 to Android 4.2.2. I'm unhappy with this and Samsung tells me it's irreversible. That makes me even more unhappy as, better or worse, it's not the same 'user experience' for which I chose the device. Therefore I'm interested in 'rooting' it. My objective is to tweak the interface, disable some of the auto-updating and some of the auto-starting Samsung software and services (also some phone apps and services) which I will never use, and manage auto-starting of user-installed apps. I would also like the ability to make complete 'single click' backups which include screen/'desktop' arrangements and app settings (such as one would make with a Windows system). I am NOT interested in loading custom ROMs or other modified system ware.
1. Is 'rooting' my solution?
2. Is it reversible?
3. Will it do anything more than unlock the existing system? What modifications will the rooting process make?
4. Will 'unrooting' reverse my settings alterations, or can I disable the Samsung ware and relock the system for safety/security? Will changes such as power or memory settings made by 'root only' apps remain in place after unrooting?
5. Is a 'temporary root' a better solution for me?
6. Has the aforementioned Samsung update made the root process any more difficult or hazardous?
7. Will just rooting leave a permanent detectable trace?
8. Can someone give me the simplest step-by-step procedure and reversal procedure? I realize this is covered in many places throughout these forums, but this will be my first attempt at raiding an Android device and I would be more confident with a personalized procedure that I can ask questions about and get direct device-specific answers to.
I've been having trouble finding straight info about performing a ROOT ONLY. To reiterate I only want enhanced control over the EXISTING system, primarily to prevent autostarts, to positively terminate running apps and to make full image backups - I do NOT want to install modded systems or irreversibly or significantly alter the existing system.
I appreciate any clear info or advice I can get. Thank you.
Rooting Help
Hi I have a Samsung Galaxy Tab 2 7.0 GT-P3113 Jellybean 4.2.2. I have tried the CF Auto Root Method 6 times and it doesn't work. Odin says that it passes and that it worked but when the tab reboots, I try to open SuperSU but it says "There is no SU binary installed! and SuperSU cannot install it. This is a Problem!" Help me please! I know I am doing it right aren't I?
Help. Samsung Galaxy tab
I don't have much experience with rooting; I have only rooted 2 phones and it worked, plus this tablet.
So I have a Samsung Galaxy Tab 2 7.0 GT-P3113 (IR blaster/wifi) at 4.2.2 JB.
I tried rooting it with the ChainFire auto-root tar.md5 file which is for GT-P3113 on Odin 3.07, and Odin detected my tablet, but showed it as blue.
Seeing it different from Odin 1.87, it worked and PASSED by Odin, so I flashed it in download mode, on PDA; everything was looking normal.
After the loading in download mode it went to where the red pirate guy was shown and after that it rebooted.
I had the SuperSU application when I opened my tab, which I didn't have before rooting, so I downloaded a couple of root checkers from the Play Store.
Here comes the problem:
when I click SuperSU it says "There is no SU binary installed and SuperSU cannot install it. This is a problem!"
and when I check it with a root checker it says no Root Access, so I think somehow I failed rooting.
but when i check the Build info via root checkers:
Device: espressowifi
Hardware: espresso
Product: expressowifiue
and it says on SU (info i saw on root checkers):
su found
[/system/xbin/]
I want to try to flash the tar.md5 auto-root file again with Odin. Can I do it again? Will it somehow stack the root or, I don't know, be a risk for my tablet? Or is there a fix for this?
Thank you.

Motorola Droid 2 Global OTA files

Hey guys,
I've been using XDA for quite a while, but so far the community as a whole has been so helpful and thorough that I have never needed to make an account and post, so if any part of this post is wrong or in the wrong section please feel free to move or close this thread.
Now down to business: recently, some old Moto Droid 2 Globals resurfaced at my house, and as they are very old and outdated I figured I would re-purpose them into a few projects I'm working on, as they probably won't be extremely useful in any other ways. Here is my problem though: in order to use them how I would like, they must be rooted. Rooting is not my problem: I have rooted one of them many times when I was still using it (I might or might not have bricked it one or seven times while trying to install custom ROMs, so flashing, rooting, and every other aspect of un-bricking is familiar to me). HOWEVER, ALL THE FILES NEEDED TO DOWNGRADE, ROOT, REFLASH AND RESTORE DO NOT EXIST ANYMORE! This is one of those times where things on the internet actually disappear, as quite a few of the mirrors to the files I need were hosted on the gem of the internet back in the early 2010s, MegaUpload. The rest of the files were linked to personal servers, smaller and now nonexistent file hosting companies, or were straight up removed from their links. So what I'm asking is: if you ever had to root a Motorola Droid 2 Global running GingerBread 2.3.4, System Version 4.5.629.A956.Verizon.en.US, and for some reason you still have the files required to root it, could you upload them and post a link in the comments? I will list the necessary files below in case you would like to scour the internet as I have, or if you want to check that the files you might have are the ones needed. I will also post links to a few guides so if you want to refresh yourself or see how the process is done you can do so without extra searches.
And seriously guys, thanks in advance. Even if no one has the files, this community has helped me out so much over the years that a thank you was way overdue.
https://forum.xda-developers.com/showthread.php?t=1592154
(not entirely sure what this one below is; it looks like it's the correct file but it's got a huge red "DO NOT INSTALL" all over the page, so take it how you will)
http://rootzwiki.com/topic/21934-4.5.629.zip-please-do-not-install,-only-for-developers
Files I'm (mostly) Certain I Need:
Verizon OTA Version 4.5.608 (but it looks like this is a modified and repacked version)
Verizon OTA Version 4.5.629
Wrong section, buddy; post this thread in your device's forum.

How To Get Magisk To See Motorola Edge Stock ROM Image

I rooted my Motorola Edge (regular not +) and I'm trying to do this so I can do the Motorola software updates without wiping out my Android installation and starting from scratch. I need to know how the stock ROM image(which I have) needs to be named and where to put it so Magisk can see it. I asked for help in the Motorola + section here in this thread, but it was a ghost town. The one response I did get was very helpful as it's where I got the first link in this post from.
I found a little help here on another site. While that thread is regarding Magisk, it's using it with another phone, so I don't know how relevant it is for using Magisk with my phone. It says to put the file in /data/data on the root partition. Is that right? They also mentioned putting the file's SHA1 hash in a Magisk config file, which I did, but it didn't help. It also said to rename the file and GZIP it, ending up with a file with an img.gz extension, which I didn't do.
Maybe not exactly what you are looking for, but I've posted some general instructions for updating Moto devices and keeping root here:
[Guide] Update Rooted (Magisk) Motorola Device
