First malware using Android Gingerbreak root exploit

Filed Under: Android, Featured, Google, Malware, Mobile, SophosLabs

Not long after I learned of the discovery of Gingermaster, the first Android malware to use the Gingerbreak exploit, I acquired a sample that was still available from a Chinese alternative Android Marketplace.

The package I downloaded uses the following permissions:

android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES

I was quite interested to find out how and why the Gingerbreak privilege escalation exploit, also known as CVE-2011-1823, is used.

Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator.

Gingermaster installed and the home activity

The malware purports to be an application which displays "Beauty of the day" pictures. The content is downloaded from a website, not packaged with the application.

(When I carried out my tests, the list of beauties also included photos of Lady Gaga - some celebrities seem to be truly global.)

Celebrities

Apart from displaying the photos, Gingermaster creates a service that steals information from your device, sending it out to a remote website in an HTTP POST request. The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time.

The server responds with the various configuration parameters including the update frequency and the update URL. The responses are just simple JSON objects.

In the assets folder of the APK file, Gingermaster includes three ELF executables and one shell script, all with the file name extension .png, presumably to make the exploit code slightly less obvious. The file names are gbfm.png, install.png, installsoft.png and runme.png. The malware also creates a file called gbfm.sh. This contains the actual Gingerbreak exploit code, which is launched in a separate thread.
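A renamed extension is cheap for the author and cheap for an analyst to see through, because the leading bytes of a file do not change with its name. The script below is an added example, not code from the post or from SophosLabs: it walks the assets/ directory of an APK (an APK is an ordinary zip archive), reads the first bytes of each entry and reports every file whose content is an ELF binary or a shell script but whose extension claims otherwise. The archive it inspects is constructed inline with dummy payload bytes so the example runs offline; the file names mirror those the post lists.

```python
import io
import zipfile

# Magic bytes keyed by the type they identify. ELF and shell scripts are the
# two types Gingermaster hid behind a .png extension; PNG is included so a
# genuine picture is recognised as such.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "elf": b"\x7fELF",
    "sh": b"#!",
}


def sniff_type(head: bytes) -> str:
    """Classify a file from its leading bytes, ignoring the file name."""
    for kind, magic in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def find_disguised_assets(apk_bytes: bytes, prefix: str = "assets/"):
    """Return (name, claimed_extension, actual_type) for each entry under
    `prefix` whose content does not match what its extension claims."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            with zf.open(info) as fh:
                head = fh.read(8)
            actual = sniff_type(head)
            # Executable content under a non-executable extension is the
            # pattern described in the post; a .png that is not a PNG is the
            # same finding seen from the other side.
            if actual in ("elf", "sh") and ext != actual:
                findings.append((info.filename, ext, actual))
            elif ext == "png" and actual != "png":
                findings.append((info.filename, ext, actual))
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip containing one real PNG header,
    one ELF header and one shell-script header, the last two renamed to .png.
    The bodies are filler bytes, not any real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/real_picture.png", MAGIC["png"] + b"\x00" * 16)
        zf.writestr("assets/gbfm.png", MAGIC["elf"] + b"\x01\x01\x01\x00" + b"\x00" * 8)
        zf.writestr("assets/runme.png", b"#!/system/bin/sh\n# filler\n")
        zf.writestr("res/drawable/icon.png", MAGIC["png"] + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, ext, actual in find_disguised_assets(build_sample_apk()):
        print(f"{name}: extension .{ext} but content looks like {actual}")
```

Only the first eight bytes of each entry are read, so the check is cheap enough to run across a whole feed of samples; extend MAGIC with further types (DEX, zip, JAR) if you want the same mismatch test for other disguises.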

Gingermaster also writes a record of what it has done so far to the Android system log (logcat):

Gingermaster logcat output

If the root exploit is successful, the system partition is remounted as writable and various additional utilities are installed, supposedly to make removal more difficult and to allow for additional functionality.

One of these utilities, installsoft.png, contains code to install Android packages using the command line version of the package manager.

This is an interesting technique which I have not seen before, and it neatly bypasses the Android permissions system by removing the need to declare INSTALL_PACKAGES as a "uses-permission" in the Android manifest file.

Of course, once a malicious process gets root, its powers are potentially unlimited.

Gingermaster will be detected by Sophos products as Andr/Gmaster-A.

The Android malware writing scene is heating up as the season of summer holidays is coming to its end. Last week, we received a record number of samples which are now waiting to be analysed in detail.

Hopefully, I will have enough time to document the more interesting ones and share them with you on NakedSecurity.

If you are an Android user, here are some security hints:

* Avoid alternative Android Marketplaces unless you have strong evidence they are trustworthy.

* Avoid applications which request more permissions than they need.

(Gingermaster claims to be an application which downloads "beauty of the day" pictures of celebrities from a website. Why would it need permissions such as WRITE_USER_DATA and MOUNT_UNMOUNT_FILESYSTEMS?)

* Email your vendor to urge them to update the OS on your device if they have not yet done so.
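The second hint, and the permission list at the top of the post, suggest a simple triage step an analyst can automate: compare the permissions an APK requests against what its claimed purpose needs, and single out the ones that matter. The script below is an added example, not code from the post or from SophosLabs. It assumes the manifest has already been decoded from the APK's binary XML to plain XML (for example with apktool), and the baseline set of permissions a picture-viewer app plausibly needs, the high-risk table and the package name are assumptions chosen for the example. The sample manifest is constructed to contain exactly the permission list quoted in the post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline: what an app that fetches and shows pictures from a
# website needs. Everything outside this set is reported as excess.
EXPECTED_FOR_PICTURE_VIEWER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions that deserve a second look on their own, with the reason.
HIGH_RISK = {
    "android.permission.READ_PHONE_STATE": "exposes IMEI, IMSI and phone number",
    "android.permission.READ_LOGS": "reads other apps' log output",
    "android.permission.WRITE_SECURE_SETTINGS": "changes protected system settings",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": "can mount and unmount filesystems",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts automatically after boot",
    "android.permission.RESTART_PACKAGES": "can kill other apps' processes",
    "android.permission.INSTALL_PACKAGES": "installs packages without user interaction",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> in document order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get("{%s}name" % ANDROID_NS)
        if name:
            names.append(name)
    return names


def triage(manifest_xml: str, expected: set) -> dict:
    """Summarise requested permissions against an expected baseline."""
    requested = requested_permissions(manifest_xml)
    excess = [p for p in requested if p not in expected]
    return {
        "requested": len(requested),
        "excess": excess,
        "high_risk": {p: HIGH_RISK[p] for p in excess if p in HIGH_RISK},
    }


# Constructed manifest; the package name is a placeholder, the permission
# list is the one quoted in the post.
PERMISSIONS_FROM_POST = [
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_LOGS",
    "android.permission.DELETE_CACHE_FILES",
    "android.permission.ACCESS_CACHE_FILESYSTEM",
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.READ_OWNER_DATA",
    "android.permission.WRITE_OWNER_DATA",
    "android.permission.WRITE_SETTINGS",
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "com.android.launcher.permission.UNINSTALL_SHORTCUT",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.RESTART_PACKAGES",
]

SAMPLE_MANIFEST = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<manifest xmlns:android="%s" package="com.example.placeholder">\n' % ANDROID_NS
    + "".join('  <uses-permission android:name="%s"/>\n' % p for p in PERMISSIONS_FROM_POST)
    + "</manifest>\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, EXPECTED_FOR_PICTURE_VIEWER)
    print("requested:", report["requested"], "excess:", len(report["excess"]))
    for perm, why in report["high_risk"].items():
        print("  %s: %s" % (perm, why))
```

The baseline is the part to tune: a flat "too many permissions" count is noisy, while a per-purpose expected set plus a short high-risk table gives a reviewer a list short enough to read for each sample.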


3 Responses to First malware using Android Gingerbreak root exploit

  1. Craig · 1065 days ago

    Scary,

    Considering Lady Gaga comes up as a beauty of the day.

  2. AdderV · 1065 days ago

    @Vanja,
    Did you find it by just observing its behaviour or was it caught by any anti-malware software?

    • Vanja Svajcer · 1065 days ago

      It was not too difficult to find. I read the article by Xuxian Jiang and tried to guess the name of the package. Once I was fairly certain I had the right name I managed to Google it. I downloaded and analysed the package to make sure it really was a sample using Gingerbreak exploit. The exploit seems to be a recompile but it was clearly created from the original, publicly available Gingerbreak source.


About the author

Vanja is a Principal Virus Researcher in SophosLabs. He has been working for Sophos since 1998. His major interests include automated analysis systems, honeypots and malware for mobile devices. Vanja is always ready for a good discussion on various security topics.