6

Situation:

  • User installed an Android app from the Google Play Store.
  • User's device is rooted, but that app does not have root privileges.
  • XPrivacy reveals that the app is trying to make IPC (inter-process communication) calls that do not seem appropriate for the app. Specifically, it is trying to access iContentProvider:CALL, and the app has nothing to do with making calls.

Question:

  • Besides uninstalling the app, are there other actions that the user should take?

If additional actions should be taken, please explain why. IOW, please don't just write "run an antivirus scanner" without providing references explaining how an app without root privileges can break out of the Android sandbox.

Note that this particular case was for Android KitKat, so information for that version of Android is the most relevant. But if the response varies for different versions of Android, please feel free to contribute answers for those versions as well (please specify the relevant Android version in your answer).

  • 1
    Older versions of Android OS and some of the newer exploits, a hammer. And after that only buy devices that the manufacturers take an interest in keeping up to date. – Fiasco Labs Feb 22 '16 at 04:48
  • What do you mean by "questionable"? Malware? Or just some apps without verified certificates? For malware, I think the actions you should take depend on the malware's behavior: which processes it is running, which connections it initiates... There is nothing you could do without fully knowing what the malware does on your phone. – Yang Yu Feb 23 '16 at 00:38
  • @YangYu Good question. I've updated the third bullet point to describe the specific behavior. – RockPaperLz- Mask it or Casket Feb 23 '16 at 21:16
  • 2
    I feel like I should point out that iContentProvider:CALL has very little (if anything in most cases) to do with making phone calls from the device. It is for calling content methods from other processes, which can certainly be used maliciously, but also has many innocuous uses. If this is your only clue that the app is malicious, your premise is suspect. – Jeff Meden Feb 23 '16 at 21:27
  • @JeffMeden That's great information, thank you. The app was a standalone app that should not need to interact with other processes. Since the app was not essential, it was uninstalled. Not sure if any other clean-up work is recommended. – RockPaperLz- Mask it or Casket Feb 24 '16 at 00:01

1 Answer

2

Having a rooted device and running an outdated ROM both greatly increase the odds of a malicious app gaining root privileges without user authorization.

How did the user manage to get root? That's just one method that the malicious app could use to get root.

With root, one thing that the malicious app can do is install another app that won't show up in your list of installed apps. You deleted the first app, but not the second, so you aren't actually any better off now.

A factory reset might not get rid of your problem, but correctly flashing a new ROM should.

andDevW
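An added example, not part of the answer above and not the answerer's method: one way to look for a leftover package is to compare the output of `adb shell pm list packages -f` with a list of packages you expect to be present. It assumes the leftover app is still registered with the package manager; the sample output, the baseline and all package names below are constructed.

```shell
#!/bin/sh
# Input format is that of `adb shell pm list packages -f`:
#   package:<apk path>=<package name>

# Constructed sample output (not from a real device).
sample_pm_output() {
cat <<'EOF'
package:/system/app/Calculator.apk=com.android.calculator2
package:/system/priv-app/Settings.apk=com.android.settings
package:/system/app/SysUpdateSvc.apk=com.example.sysupdate
package:/data/app/org.example.notes-1.apk=org.example.notes
package:/data/app/com.example.helper-2.apk=com.example.helper
EOF
}

# Constructed baseline: packages the user expects (stock ROM list plus
# the apps they installed themselves), one package name per line.
sample_baseline() {
cat <<'EOF'
com.android.calculator2
com.android.settings
org.example.notes
EOF
}

# audit_packages PM_OUTPUT_FILE BASELINE_FILE
# Prints "<location> <package> <apk path>" for each package not in the baseline.
audit_packages() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')   # adb output may use CRLF
        case "$line" in package:*=*) ;; *) continue ;; esac
        rest=${line#package:}
        pkg=${rest##*=}      # text after the last '='
        path=${rest%=*}      # text before the last '=' (paths may contain '=')
        grep -qxF -- "$pkg" "$2" && continue
        case "$path" in
            /system/*) loc=SYSTEM ;;   # APK lives on the system partition
            *)         loc=USER ;;
        esac
        printf '%s %s %s\n' "$loc" "$pkg" "$path"
    done < "$1"
}

# Demo run on the constructed data.
tmp=$(mktemp -d)
sample_pm_output > "$tmp/pm.txt"; sample_baseline > "$tmp/baseline.txt"
audit_packages "$tmp/pm.txt" "$tmp/baseline.txt"
rm -rf "$tmp"
```

An unexpected SYSTEM entry sits on the partition that a factory reset does not wipe, which fits the answer's preference for flashing a new ROM. An empty result does not prove the device is clean, since software running as root is not limited to registered packages.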