GingerMaster

GingerMaster: First Android Malware Utilizing a Root Exploit on Android 2.3 (Gingerbread)

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Yesterday (08/17/2011), we have just seen the rapid evolution of DroidKungFu in the last two months. Today, my research team, in collaboration with NQ Mobile, identified a new high-risk malware -- GingerMaster, which is the first Android malware that utilizes a root exploit against Android 2.3 (i.e., Gingerbread). Unlike previous ones with root exploits (e.g., DroidKungFu) to compromise phones running Android 2.2 or below, GingerMaster takes advantage of the most recent root exploit against Android platform 2.3 (which was discovered in April 2011 [1]). As this is the first time such malware has been identified, it is not surprising when our experiments show that it can successfully evade the detection of all tested (leading) mobile anti-virus software.

Phoning Home

The GingerMaster malware is repackaged into legitimate apps. These legitimate apps are supposedly popular to attract user downloads and installation. (The screenshot of one app featuring photographs of models is shown below.) Within the repackaged apps, it will register a receiver so that it will be notified when the system finishs booting. Insider the receiver, it will silently launch a service in the background. The background service will accordingly collect various information including the device id, phone number and others (e.g., by reading /proc/cpuinfo) and then upload them to a remote server.

Launching the exploits

As mentioned earlier, the GingerMaster malware contains the GingerBreak root exploit. The actual exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name gbfm seems to be the acronym of "Ginger Break For Me" while the png suffix seems to be the atttempt of making it less suspicious. This exploit once launched on Android 2.3.3 (and 2.2 according to the anecdotal feedback in [1]) will elevate it to the root priviledge. (NOTE: more than 90% of Android device runs on Android 2.3.3 or below [2]). After that, GingerMaster will attempt to install a root shell (with file mode 4755) into system partition for later use.

Dropping more malware

After getting root privilege, GingerMaster malware will connect to the remote C&C server and wait for instructions. According to our investigation, the GingerMaster malware has the payload to silently download and install the app without users' awareness. More specifically, it can download the apk file from remote server and then install this app by executing "pm install" command in root shell.

Mitigation:

Due to the fact that GingerMaster contains the most recent root exploit, we consider it poses one of the most serious threats to mobile users. For mitigation, please follow common-sense guidelines for smartphone security. For example,

download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading;
check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
be alert for unusual behavior on the part of mobile phones and make sure you have up-to-date security software installed on your phone.

Follow-ups:

8/18/2011: We detected the first GingerMaster malware.