5

On resetting a smartphone, the default factory image replaces the OS completely and restores it to known good settings.

Is there any known way by which this default image can be compromised? On Android, by getting root access, can't some malware just outright flash the ROM itself? And how viable is such an attack on a Windows Phone (which doesn't have such superuser accounts)?

Mayank Singh

2 Answers

6

The factory reset on any phone/computer shouldn't be trusted, as it can be modified by the system and thus becomes a haven for malware that wishes to persist. This also applies to the Windows 8 "refresh my PC" feature, the "recovery partition" nonsense OEMs put up to avoid supplying $0.01 recovery DVDs (which are write-once media and can't be compromised) and any similar feature.

To properly "nuke and reinstall" a phone, you should use a known good machine to download a clean ROM image (either an official one or a third-party one you trust), reboot the device in bootloader/DFU mode (for iPhones) and then install the image (in the Android and Windows Phone worlds, a nice bonus is that you have the chance to install a non carrier-branded ROM and say goodbye to their bloatware and lack of updates).

Theoretically the bootloader itself could be compromised and evil, and at this point there isn't much to do besides physically unsoldering the memory chips from the phone and writing a new firmware & bootloader to them from a clean machine. The only reason these attacks aren't more widespread is the same as for malicious BIOSes for PCs - the fact that this kind of malware isn't portable and targets only a single make/model of machine and the difficulty needed to develop such malware (a lot more complicated than your average malware running in userland).

André Borie
  • Also, you shouldn't be buying any phone that either doesn't provide official firmware images on their site (with hashes or signatures) or lets carriers fiddle with their firmware. Wasting lots of time searching non-official forums to find a clean firmware image just to reinstall a compromised phone shouldn't be considered normal. – André Borie Aug 23 '15 at 08:25
  • So, the only correct solution is to reflash the ROM by downloading a clean image and flashing it? – Mayank Singh Aug 23 '15 at 12:39
  • @MayankSingh exactly, from a known good (not compromised) computer. Make sure to verify the authenticity of the image downloaded by comparing its hashes with the ones published by the ROM developer. – André Borie Aug 23 '15 at 13:21
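The reinstall procedure this answer describes (download on a known-good machine, compare the image's hash with the one the ROM developer published, then flash from bootloader mode), as an added shell example that is not part of the original answer. It assumes the developer publishes a `sha256sum`-style list (lines of `<hex digest>  <filename>`) next to the image and that the device is flashed with `fastboot`; the image, list and partition names used are placeholders. The script refuses to flash when the digest does not match or when no published digest exists for the file.

```shell
#!/bin/sh
# Verify a downloaded ROM image against the developer's published SHA-256
# list before flashing it from a known-good machine (added example; file
# names, list format and partition name are assumptions, not from the page).

set -u

# Print the SHA-256 digest of file $1 using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# published_digest IMAGE SUMS_FILE: the digest listed for basename(IMAGE),
# accepting both "digest  name" and the binary-mode "digest *name" form.
published_digest() {
    name=$(basename "$1")
    awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$2"
}

# verify_image IMAGE SUMS_FILE: 0 when the digests match, 1 otherwise.
# A missing entry is a failure too: an unlisted file is an unverified file.
verify_image() {
    image=$1; sums=$2
    [ -f "$image" ] || { echo "no such image: $image" >&2; return 1; }
    want=$(published_digest "$image" "$sums")
    [ -n "$want" ] || { echo "no published digest for $(basename "$image")" >&2; return 1; }
    got=$(sha256_of "$image")
    if [ "$got" = "$want" ]; then
        echo "OK   $(basename "$image") $got"
        return 0
    fi
    echo "FAIL $(basename "$image"): got $got, published $want" >&2
    return 1
}

# flash_image IMAGE SUMS_FILE PARTITION: flash only after verification passes.
# The device must already be in bootloader (fastboot) mode.
flash_image() {
    verify_image "$1" "$2" || { echo "refusing to flash unverified image" >&2; return 1; }
    command -v fastboot >/dev/null 2>&1 || { echo "fastboot not installed" >&2; return 2; }
    fastboot flash "$3" "$1"
}

# Usage: ./reflash.sh rom.img SHA256SUMS system
if [ "$#" -eq 3 ]; then
    flash_image "$1" "$2" "$3"
fi
```

A hash list served from the same place as the image only proves the download was not corrupted in transit; if the server or the download path is compromised, both can be replaced together. Where the developer offers a detached signature, verify it with a key obtained through a separate channel (for example a key fingerprint printed in documentation you already have) before trusting the list.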
-2

It is possible; I personally haven't seen or heard of any malware that flashes the ROM. It would need to be very sophisticated malware with root privileges to flash the ROM in the first place; in addition, flashing the ROM would be a very visible process.

Factory resetting the phone will, as the name suggests, reset the phone and wipe everything, including malware. If the malware is part of an infected service, app, backed-up file or remote storage system that is restored after the factory reset, the malware may be deployed and installed on the device again.

This is based solely on my own experience, hope it helps.

TheJulyPlot
  • -1. Writing to the recovery partition wouldn't be visible at all; we're not talking about installing another ROM, merely adding a malicious setuid-root binary into the existing ROM. If done correctly this wouldn't be detectable at all. – André Borie Aug 23 '15 at 19:56
  • Thanks for that. I did say flashing the ROM would be visible, which it would. I also pointed out that an attack of that nature would need to be very sophisticated and would require root privileges. Can you give an example of malware that can make setuid changes to the ROM without giving any visible indication and be persistent even after a factory reset? I'm not saying there isn't any, only that I do not know of any and would genuinely like to have a look at such malware and its workings. – TheJulyPlot Aug 24 '15 at 08:49
  • When you see what a disaster the Android ecosystem is in regards to updates, getting root privileges isn't that hard on most phones. An example of malware? Any malware written by a professional should be capable of this. We're just lucky that most malware out there is written by idiots who want quick money and don't care about the long term (persistent and sneaky malware would make them a lot more money if done right). – André Borie Aug 24 '15 at 12:06
  • How do we know there isn't lots of persistent sneaky malware? : ) – Erik Reppen Mar 05 '16 at 19:11
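The comments above disagree on whether a setuid-root binary slipped into the existing ROM or recovery partition could be spotted. One check a practitioner would run, added here as an example and not part of either answer, is to audit the image offline: extract (or mount read-only) the suspect system image on a known-good machine and compare its setuid/setgid files with a manifest taken from the clean vendor image. The directory layout and manifest format are assumptions. Doing this from the phone itself is not meaningful, since a rooted device can lie to tools running on it; the comparison only has value when both the manifest and the audit come from a trusted host.

```shell
#!/bin/sh
# Offline audit of setuid/setgid files in an extracted or read-only mounted
# system image against a baseline manifest from the clean image (added
# example; directory layout and manifest format are assumptions).

set -u

# list_setuid DIR: relative paths of setuid/setgid regular files under DIR,
# one per line, sorted so the output can serve directly as a manifest.
list_setuid() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) ) | sort
}

# audit_setuid DIR BASELINE: report setuid/setgid files under DIR that are
# absent from BASELINE (the manifest produced by list_setuid on the clean
# image). Returns 1 when any are found, 0 otherwise.
audit_setuid() {
    dir=$1; baseline=$2
    sorted=$(mktemp)
    sort "$baseline" > "$sorted"
    # comm -13: lines only in the second input (the suspect image).
    extra=$(list_setuid "$dir" | comm -13 "$sorted" -)
    rm -f "$sorted"
    if [ -n "$extra" ]; then
        printf 'unexpected setuid/setgid file(s) in %s:\n%s\n' "$dir" "$extra" >&2
        return 1
    fi
    echo "no setuid/setgid files outside baseline in $dir"
    return 0
}

# Usage: ./audit.sh /mnt/suspect_system clean.manifest
#   (build clean.manifest with: ./audit.sh list /mnt/clean_system > clean.manifest)
if [ "$#" -eq 2 ] && [ "$1" = "list" ]; then
    list_setuid "$2"
elif [ "$#" -eq 2 ]; then
    audit_setuid "$1" "$2"
fi
```

This catches the simple case of an added privileged binary. It does not catch a modified binary that kept its original name and mode, so the same manifest approach should also record a digest per file (the hash-list form used when verifying the download) and compare those, and neither check helps if the bootloader itself is the thing that was tampered with.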