The evolution of mobile malware seems to be accelerating, especially as it applies to Android malware. The newest example of this rapid change is the appearance of GingerMaster, a variant of the DroidKungFu malware that now sports a root exploit for Android 2.3 and gives the attacker complete control of the infected device.
The new piece of malware, discovered by researchers at North Carolina State University, uses a jailbreak exploit for Android 2.3, also known as Gingerbread, that is packaged in an infected app as a seemingly legitimate file. Once that exploit runs, it gives the malware root privileges on the phone and also begins collecting data about the device for transmission to a remote server.
“The GingerMaster malware exists in infected apps by registering a receiver so that it will be
notified when the system finishes booting. Insider the receiver, it will silently launch a service
in the background. The background service will accordingly collect various information including
the device id, phone number and others (e.g., by reading /proc/cpuinfo) and then upload them
to a remote server,” Xuxian Jiang, an assistant professor at NC State, whose team found the GingerMaster malware, wrote in a blog post.
“The actual
exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name
gbfm seems to be the acronym of “Ginger Break For Me” while the png suffix seems to be the
attempt of making it less suspicious. This exploit once launched on Android 2.3.3 will elevate it to the root privilege. After that,
GingerMaster will attempt to install a root shell (with file mode 4755) into system
partition for later use.”
Jiang said that the exploit may also works on Android 2.2 and lower with some adjustments. Android Gingerbread version 1 was released in December and the operating system has gone through a few revisions since then. Many Android handsets have yet to get the Gingerbread update, but many others already have it.
Once the GingerMaster malware is installed and has root privileges, it then reaches out to a remote command-and-control server and asks for instructions. It then has the ability to download and install apps on its own, without the user’s permission, Jiang found. GingerMaster is an evolution of the existing DroidKungFu malware, which had some of the same functionality. Earlier this week, Jiang’s team also found other variants of DroidKungFu in several dozen infected apps in alternate Android app stores. That version included a couple of root exploits as well, but for earlier versions of Android.
“Similar to the earlier variants, this new version also carries with two root exploits.
To avoid being detected, these root exploits are encrypted. Our analysis shows that one
of them is the well-known “RageAgainstTheCage” root exploit and the other exploits
the adb resource exhaustion bug, which affects Android 2.2 or below (NOTE: more than
85% of Android device runs on Android 2.2 and Android 2.1). If successful, the malware
can elevate its privilege to root. Recent Android versions (2.3+) have patched these bugs
and these two exploits will not be successful. In this case, the malware will attempt
to detect whether the phone has been already rooted and if so further request for the
root privilege. In either way, the malware will still phone home with collected phone
information (e.g., IMEI and phone model etc),” Jiang said in a blog post.
There’s no indication that GingerMaster is in any apps in the official Android Market.