Kanging in the development world is generally understood to mean stealing code without giving credit, asking for permission, and claiming you’re the developer when you’re not.
In an open source environment, where you’re expected to provide access to modifications of others’ code in order to comply with the GPL, stealing credit and the benefits that come with it is pretty darn easy.
In a development environment where you can watch another ROM or feature be developed before your eyes and cherry pick code as originators push commits to repositories, it’s downright advantageous financially for some people to grab Developer X’s code, release it as their own, and beg for donations for all the hours they’ve put in sacrificing time with their loved ones, mourning over the grave of their dearly departed Chihuahua, the strain on their body from all the Monster Energy Drinks, etc.
It pays a kanger to steal. Financially there’s a gain when that PayPal donate button goes up, and the ego gets stroked, since when people come in claiming Developer Z is a kanger, the average user doesn’t know how to look and see that Dev X released the code that Dev Z stole.
They just know that Z’s product gave them their toy and don’t care that it might have been stolen from X. A kanger can get friends and supporters by playing the “woe is me, I built this toy for you, this person coming in is lying,” card.
I’ve watched these dramas play out for years, from S-OFF teams soliciting donations, to application developers claiming the real author of an application was a thief, to ROM developers showing time and again that this or that group aren’t developers but thieves, etc.
For the most part developers have hunkered down, gotten ticked off, fought on the internet, and it’s been a negligible gain if they win in the court of public opinion.
A couple of weeks ago I saw someone release a fake commit. It was complete garbage and designed to only be picked up by a group that was stealing the developer’s work. The description of the update couldn’t even be read with a straight face.
Within a couple of days that commit had been baked into the ROM and their repos with no changes. It had not gotten even a cursory inspection, even though the description was obviously fake.
Then it happened again this weekend in a different context with different people.
In both cases the developers who claimed to cherry pick the best parts of other development had included code they didn’t inspect, from a group they knew to be against their product, with a description that no one would install if they bothered to read it.
Now, the payload wasn’t malicious. The groups that integrated the fake commits without ever looking at them spun it to seem like the developers who released them were asses (may have been, I’m not judging here; as far as I know it’s the first credit they ever gave them), and life moved on.
But one wonders what if. If it takes a ticked-off developer next to no time to get non-malicious code into another ROM whose developers knew there were grudges held over their stealing code, what happens when someone releases a time bomb that triggers at a future date on ROM X or Application Y?
On a non-rooted Android device running an app with kanged components, the end result is probably just all your information being stolen and perhaps 60 billion texts sent to a number that charges you $10 per text. On a rooted device you could do some very nasty things, as recoveries like TWRP allow you to script actions. Anything you could flash could be done at 3:50am on a random Sunday while you’re sleeping.
Think bricked phone, ransomware, code spying on your every move. It’s really not out of the realm of possibilities.
So yeah, if your developers are stealing without giving credit, chances are that they are doing this because they don’t know how to code, read code, read commit logs, or bother to examine the code that’s being put into the product they’re selling you. All it takes is someone at ROM Y to put code in their publicly cherry-pickable ROM that executes after a certain date if the ROM name is “Beautiful Donkey Explosion Team ROM”.
The target might end up being you.
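As an added example (not code from this post or from any ROM project it mentions), here is the kind of pre-merge audit a maintainer could run over `git log` output before integrating cherry-picked commits: it flags commits from authors outside a trusted domain, commits carrying a `(cherry picked from commit …)` trailer whose upstream still needs review, and commit messages that read like the bait described above. The log sample, hashes, author names, addresses and domains are all constructed for the example.

```python
import re

# Constructed sample of `git log --format='%H%x1f%an%x1f%ae%x1f%s%x1f%b%x1e'`
# output: fields separated by 0x1f, records by 0x1e. Everything here is made up.
SAMPLE_LOG = (
    "a1b2c3d4\x1fAlice Dev\x1falice@example-rom.org\x1fAudio: fix headset detection\x1f"
    "Tested on device.\n\x1e"
    "e5f6a7b8\x1fRival Dev\x1frival@other-rom.net\x1fMisc: totally legit update\x1f"
    "lol enjoy, kangers\n(cherry picked from commit 0123456789abcdef)\n\x1e"
    "c9d0e1f2\x1fBob Dev\x1fbob@example-rom.org\x1fKernel: bump config\x1f"
    "(cherry picked from commit fedcba9876543210)\n\x1e"
)

TRUSTED_DOMAINS = {"example-rom.org"}          # assumption: the team's own mail domain
SUSPICIOUS_WORDS = {"kang", "lol", "enjoy", "totally legit"}
CHERRY_RE = re.compile(r"\(cherry picked from commit ([0-9a-f]+)\)")


def parse_log(text):
    """Split the record/field-separated log into dicts, one per commit."""
    records = []
    for raw in text.split("\x1e"):
        raw = raw.strip()
        if not raw:
            continue
        sha, name, email, subject, body = raw.split("\x1f", 4)
        records.append({"sha": sha, "name": name, "email": email,
                        "subject": subject, "body": body})
    return records


def audit(text, trusted_domains=TRUSTED_DOMAINS):
    """Return [(sha, [reasons])] for every commit that needs a human look."""
    findings = []
    for c in parse_log(text):
        reasons = []
        domain = c["email"].rsplit("@", 1)[-1].lower()
        if domain not in trusted_domains:
            reasons.append(f"author outside trusted domains: {c['email']}")
        m = CHERRY_RE.search(c["body"])
        if m:  # a cherry-pick trailer means the real author is upstream, so check there
            reasons.append(f"cherry-picked from {m.group(1)}: confirm upstream was reviewed")
        msg = (c["subject"] + " " + c["body"]).lower()
        hits = sorted(w for w in SUSPICIOUS_WORDS if w in msg)
        if hits:
            reasons.append("commit message contains: " + ", ".join(hits))
        if reasons:
            findings.append((c["sha"], reasons))
    return findings
```

Anything returned by `audit` should block the merge until someone has actually read the diff, which is the step the post says was skipped.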