Malware designed to exploit a flaw which granted extra permissions to applications on devices with custom Android ROMs has been identified by Lookout Mobile Security. A CyanogenMod developer confirmed that the vulnerability was closed in version 7.0.3 of CyanogenMod in May, when the popular ROM was updated for a mystery "important security fix".

The problem is that if applications are signed with the same private key as the operating system, Android grants them permission to install and uninstall applications without user intervention. Normally, this would not be a problem as the private key would be secret, but many custom ROMs are built from the Android Open Source Project (AOSP) source code which includes publicly available private keys.

Lookout found malware, which it dubbed jSMSHider, in several applications in alternative Chinese app markets. jSMSHider is signed with the "private key" from AOSP and uses the permissions flaw to install a secondary payload onto the system which could read, send and process SMS messages, download and install more applications, communicate with a C&C remote server and open URLs silently.

CyanogenMod developers modified their ROM to ensure that applications signed with the platform's private key were not allowed to be installed into user-controlled storage.

(djwm)