Beware the Android Gingermaster

Posted by Trent Nouveau

Researchers from NC State University and NetQin have positively identified an Android malware variant that successfully utilizes a Gingerbread (2.3) root exploit.



As assistant professor Xuxian Jiang notes, the stealth Gingermaster - repackaged into legitimate apps - is capable of evading a number of leading mobile anti-virus platforms.

"Within the repackaged apps, it registers a receiver so it will be notified when the system finishes booting. Insider the receiver, it silently launches a service in the background," explained Jiang.



"The background service will accordingly collect various information including the device id, phone number and others (e.g., by reading /proc/cpuinfo) and then upload them to a remote server."

According to Sophos security expert Vanja Svajcer, Gingermaster is "perfectly capable of spreading globally," despite its Chinese origin. 

Svajcer also confirmed that Gingermaster steals information from Android 2.3 devices - sending out data to a remote website in an HTTP POST request.

"The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time. The server responds with the various configuration parameters including the update frequency and the update URL. The responses are just simple JSON objects.

"If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality. One these utilities, installsoft.png, contains code to install Android packages using the command line version of the package manager."

Although Gingermaster will be detected by Sophos products such as Andr/Gmaster-A, Svajcer recommended that Android users follow basic security protocols, such as avoiding alternative Android marketplaces (unless they are trustworthy) and not running strange, permission hungry apps.

For example, in one current iteration, Gingermaster claims to be an application which downloads "beauty of the day" pictures of celebrities from a website."

So why would it need permissions such as WRITE_USER_DATA and MOUNT_UNMOUNT_FILESYSTEMS?

"This is [certainly] an interesting technique which I have not seen before. [It] nicely bypasses the Android permissions system by removing the requirement for declaring the ‘uses-permission’ INSTALL_PACKAGES in the Android manifest file.  



"[Of course], once a malicious process gets root, its powers are potentially unlimited," Svajcer added.