Yesterday (08/17/2011), we saw the rapid evolution of DroidKungFu over the last two months. Today, my research team, in collaboration with NQ Mobile, identified a new high-risk malware, GingerMaster, the first Android malware that uses a root exploit against Android 2.3 (i.e., Gingerbread). Unlike earlier malware with root exploits (e.g., DroidKungFu), which compromise phones running Android 2.2 or below, GingerMaster takes advantage of the most recent root exploit against Android 2.3, disclosed in April 2011 [1]. As this is the first time such malware has been identified, it is not surprising that, in our experiments, it evaded detection by all of the tested (leading) mobile anti-virus products.
The GingerMaster malware is repackaged into legitimate apps, presumably popular ones chosen to attract user downloads and installation. (The screenshot of one such app, featuring photographs of models, is shown below.) Within the repackaged app, GingerMaster registers a receiver so that it is notified when the system finishes booting. Inside the receiver, it silently launches a service in the background. That background service collects various information, including the device id, the phone number and other data (e.g., by reading /proc/cpuinfo), and uploads it to a remote server.
After obtaining root privilege through the Gingerbread root exploit, GingerMaster connects to the remote C&C server and waits for instructions. According to our investigation, GingerMaster carries a payload to silently download and install apps without the user's awareness. More specifically, it can download an apk file from the remote server and then install it by executing the "pm install" command in a root shell.
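As an added example (not code from the original post, and not taken from the GingerMaster sample), the following Python script performs the static triage a practitioner might run over a decoded APK for the behaviour described in the two paragraphs above: a receiver registered for BOOT_COMPLETED, the permissions needed to read the device id and phone number and to reach the network, and indicator strings for the collection and install payload (/proc/cpuinfo, the standard TelephonyManager getters for device id and phone number, and "pm install" issued through a root shell). The manifest and the decompiled-source snippet are constructed for illustration; the package, class and file names in them are hypothetical, and the TelephonyManager method names are the platform API, not something confirmed from the sample.

```python
"""Static triage for the GingerMaster-style pattern described in the post.

Added example, not the original post's code. It (1) parses a decoded
AndroidManifest.xml for BOOT_COMPLETED receivers and the permissions the
described behaviour needs, and (2) scans decoded source/strings output for
indicator strings of the collection and install payload. All sample input
below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"

# Permissions the behaviour in the post requires. A photo/wallpaper app
# rarely needs all three at once, so their co-occurrence is a useful signal.
SUSPICIOUS_PERMS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INTERNET",
}

# Indicator strings for the collection and install payload. The telephony
# getters are the platform API for device id / phone number (assumption:
# the sample would use them; not confirmed from the original post).
INDICATORS = {
    "cpuinfo": re.compile(r"/proc/cpuinfo"),
    "device_id": re.compile(r"\bgetDeviceId\b"),
    "phone_number": re.compile(r"\bgetLine1Number\b"),
    "pm_install": re.compile(r"\bpm\s+install\b"),
    "root_shell": re.compile(r'"su"|/system/bin/sh'),
}


def boot_receivers(manifest_xml):
    """Return names of <receiver>s whose intent-filter matches BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        if any(a.get(NAME_ATTR) == BOOT_ACTION for a in receiver.iter("action")):
            found.append(receiver.get(NAME_ATTR))
    return found


def requested_suspicious_perms(manifest_xml):
    """Return the sorted subset of SUSPICIOUS_PERMS the manifest requests."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    return sorted(perms & SUSPICIOUS_PERMS)


def indicator_hits(text):
    """Map indicator name -> match count, for indicators present in text."""
    return {k: len(rx.findall(text)) for k, rx in INDICATORS.items() if rx.search(text)}


def triage(manifest_xml, code_text):
    """Flag only when persistence, permissions and install payload co-occur."""
    receivers = boot_receivers(manifest_xml)
    perms = requested_suspicious_perms(manifest_xml)
    hits = indicator_hits(code_text)
    flagged = bool(receivers) and len(perms) == len(SUSPICIOUS_PERMS) and "pm_install" in hits
    return {"boot_receivers": receivers, "permissions": perms,
            "indicators": hits, "flagged": flagged}


# Constructed manifest mimicking the described repackaged app (hypothetical names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.models">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectService"/>
  </application>
</manifest>
"""

# Constructed benign manifest: network access only, no boot receiver.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.gallery">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>
"""

# Constructed stand-in for decompiled source of the collection/install payload.
SAMPLE_CODE = """
String id = tm.getDeviceId();
String num = tm.getLine1Number();
BufferedReader r = new BufferedReader(new FileReader("/proc/cpuinfo"));
Process p = Runtime.getRuntime().exec("su");
out.write("pm install /data/data/com.example.models/files/update.apk\\n");
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_CODE).items():
        print(f"{key}: {value}")
```

The combined condition in triage() is deliberate: a BOOT_COMPLETED receiver alone is common in legitimate apps, and READ_PHONE_STATE alone is over-requested everywhere, so flagging on any single signal would drown the result in false positives. Real use would point the script at the apktool output for the manifest and at jadx/strings output for the code text.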
Last modified: August 18th, 2011