According to Symantec, the malware interfaces with a botnet that it's dubbed "Android.Bmaster." That botnet appears to have active connections with about 11,000 Android devices, and is likely generating daily revenue between $1,600 and $9,000 for its controller, or botmaster.
RootSmart is designed to escape detection by being named "com.google.android.smart," which is the same name as a settings app included by default with Android operating systems. The malware can gain root access to phones running versions of Android Gingerbread before 2.3.4, or Android 3.0, as well as "phone home" to a command-and-control (C&C) server for instructions. More than half of all Android smartphones are now running some version of Gingerbread.
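The two traits just described, a package name borrowed from a stock settings app and an OS build in the GingerBreak-affected range, are both things a fleet administrator can check for from an inventory. The script below is an added example, not code from the article or from the researchers it quotes: it treats a package name as a label rather than an identity and compares the package's signing-certificate fingerprint against the one expected for that name, and it flags devices whose Android version is Gingerbread before 2.3.4 or 3.0. The inventory, the fingerprint values and the device ids are constructed for illustration.

```python
"""Added example: triage a constructed Android device inventory for the two
RootSmart traits the article describes (lookalike package name, OS version in
the GingerBreak-affected range). Not part of the original article."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Package name the article says RootSmart borrows from a stock settings app.
MIMICKED_PACKAGE = "com.google.android.smart"

# Expected signing-certificate fingerprint for that package name. The value is
# a constructed placeholder; a real inventory would carry the fingerprint taken
# from a known-good build of the device firmware.
EXPECTED_SIGNERS: Dict[str, str] = {
    MIMICKED_PACKAGE: "PLACEHOLDER_SHA256_OF_PLATFORM_CERT",
}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.3' or '2.3.4' into a (major, minor, patch) triple."""
    parts = [int(p) for p in version.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def vulnerable_to_gingerbreak(version: str) -> bool:
    """Gingerbread (2.3.x) before 2.3.4, or Android 3.0.x, as the article states."""
    major, minor, patch = parse_version(version)
    if major == 2 and minor == 3:
        return patch < 4
    return major == 3 and minor == 0


@dataclass
class InstalledPackage:
    name: str
    signer_sha256: str  # fingerprint of the certificate that signed the APK


@dataclass
class Device:
    device_id: str
    android_version: str
    packages: List[InstalledPackage] = field(default_factory=list)


def lookalike_packages(dev: Device) -> List[str]:
    """Packages whose name matches a protected name but whose signer differs.
    A package name can be copied; the signing certificate cannot."""
    return [
        p.name
        for p in dev.packages
        if p.name in EXPECTED_SIGNERS and p.signer_sha256 != EXPECTED_SIGNERS[p.name]
    ]


def triage(devices: List[Device]) -> Dict[str, List[str]]:
    """Map device id -> list of reasons it needs attention (empty lists omitted)."""
    findings: Dict[str, List[str]] = {}
    for dev in devices:
        reasons: List[str] = []
        if vulnerable_to_gingerbreak(dev.android_version):
            reasons.append("unpatched-gingerbreak-range")
        reasons += [f"lookalike-signer:{name}" for name in lookalike_packages(dev)]
        if reasons:
            findings[dev.device_id] = reasons
    return findings


def sample_inventory() -> List[Device]:
    """Constructed inventory, not real telemetry."""
    genuine = InstalledPackage(MIMICKED_PACKAGE, EXPECTED_SIGNERS[MIMICKED_PACKAGE])
    impostor = InstalledPackage(MIMICKED_PACKAGE, "sha256:constructed-impostor-cert")
    return [
        Device("dev-a", "2.3.3", [genuine]),   # old OS, genuine settings app
        Device("dev-b", "2.3.6", [impostor]),  # patched OS, lookalike present
        Device("dev-c", "3.0.1", []),          # 3.0 is in the affected range
        Device("dev-d", "4.0.3", [genuine]),   # nothing to report
    ]


if __name__ == "__main__":
    for device_id, reasons in triage(sample_inventory()).items():
        print(device_id, ", ".join(reasons))
```

The version check only tells you a device is in the range the article names; whether the carrier actually shipped the May 2011 fix is what matters, so the finding is a prompt to confirm the patch level, not proof of exposure. The signer comparison is the part that generalises: it catches any package that reuses a trusted name, not just this one.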
A Google spokesman, however, emphasized via email that the malware hadn’t been discovered in the official Android Market, but rather only on third-party app markets. Google recently revealed that it’s been keeping a much closer eye on Android Market apps with its Bouncer malware scanning service to help block rogue apps with just these types of exploits.
Should RootSmart get installed, however, it first lies dormant, waiting for some type of trigger, such as an outgoing phone call. Once triggered, "RootSmart will connect to its C&C server with various information collected from the phone," said Xuxian Jiang, a computer science professor at North Carolina State University, in a blog post. "Our analysis shows that the collected information includes the Android OS version number, the device IMEI number, as well as the package name." To make it more difficult for security vendors to block the software, it also obfuscates the URL of the C&C server that it contacts.
After RootSmart phones home, it then downloads exploit code known as GingerBreak from the server, and uses it "to obtain root privilege on infected phones," said Jiang. Next, RootSmart attempts to download additional malicious applications--including malware known as DroidLive--which it installs in the device's system partition. "It's worth mentioning that if RootSmart fails to obtain the root privilege, it will still attempt to install the downloaded apps," said Jiang. "However, in this case, it cannot install the apps silently. Instead, a pop-up window will be shown for [the] user's approval."
"Due to the fact that RootSmart utilizes the GingerBreak root exploit and can be remotely controlled, we believe it poses serious threats to mobile users," said Jiang. Google, however, said that since May 2011, all Android device updates have included a patch against GingerBreak. Then again, not all mobile carriers push Android updates to their subscribers in a timely manner.
What's RootSmart's purpose? Like so many types of malware, it's designed to earn money for its botmaster. According to Symantec, it pursues that goal by primarily targeting users of two Chinese mobile phone carriers. "For example, an infected device can be configured to send messages to a particular premium SMS number at a specific rate (three a day, for instance) for a certain number of days," said Cathal Mullaney, a security response engineer at Symantec, in a blog post. "Devices connecting to premium video or telephony services can also be configured for how long they should connect to a premium phone number or pay-per-view website." The malware can be set to block incoming emails containing specified keywords, which attackers could use to try to prevent mobile subscribers from receiving "unusual activity" alerts from their carrier.
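The billing pattern Mullaney describes, a fixed number of messages a day to one premium number over several days, is regular enough to stand out in an outbox or a carrier's message detail record. The following is an added example, not code from Symantec or the article: it groups outgoing SMS by destination and day, and flags short codes that receive at least a threshold number of messages on at least a threshold number of distinct days. The message log, the short code "88888" and the ordinary number are constructed; the thresholds default to the "three a day" rate quoted above.

```python
"""Added example: flag the steady premium-SMS cadence the article describes
in a constructed outgoing-message log. Not part of the original article."""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple


class OutgoingSms(NamedTuple):
    sent_at: datetime
    destination: str


def is_short_code(number: str) -> bool:
    """Premium services are typically reached through short numeric codes;
    treat anything of six digits or fewer (no country code) as one."""
    digits = number.lstrip("+")
    return digits.isdigit() and len(digits) <= 6


def daily_counts(log: List[OutgoingSms]) -> Dict[str, Dict[str, int]]:
    """destination -> ISO date -> number of messages sent that day."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for msg in log:
        counts[msg.destination][msg.sent_at.date().isoformat()] += 1
    return counts


def find_premium_sms_pattern(
    log: List[OutgoingSms], min_per_day: int = 3, min_days: int = 3
) -> Dict[str, List[str]]:
    """Short-code destinations that received at least min_per_day messages on
    at least min_days distinct days, with the days on which that happened."""
    flagged: Dict[str, List[str]] = {}
    for dest, per_day in daily_counts(log).items():
        if not is_short_code(dest):
            continue
        busy_days = sorted(day for day, n in per_day.items() if n >= min_per_day)
        if len(busy_days) >= min_days:
            flagged[dest] = busy_days
    return flagged


def sample_log() -> List[OutgoingSms]:
    """Constructed outbox, not captured data: three messages a day to a short
    code for three days, a fourth day below the rate, and normal traffic to an
    ordinary number."""
    log: List[OutgoingSms] = []
    for day in (6, 7, 8):
        for hour in (9, 13, 21):
            log.append(OutgoingSms(datetime(2012, 2, day, hour, 0), "88888"))
    for hour in (10, 18):
        log.append(OutgoingSms(datetime(2012, 2, 9, hour, 0), "88888"))
    for day, hour in ((6, 8), (6, 19), (7, 12), (8, 22)):
        log.append(OutgoingSms(datetime(2012, 2, day, hour, 30), "+15550100123"))
    return log


if __name__ == "__main__":
    for dest, days in find_premium_sms_pattern(sample_log()).items():
        print(f"{dest}: {len(days)} days at or above rate ({', '.join(days)})")
```

Because the malware can also suppress the carrier's own alerts on the handset, a check like this is most useful on the carrier or MDM side, where the message records do not pass through the infected device. The thresholds are parameters precisely because the article notes the rate and duration are attacker-configurable.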
How might RootSmart end up on an Android device? The software comes bundled "with a legitimate application for configuring phone settings," said Mullaney. "Trojanized applications are a well known infection vector for Android malware, as they allow malware to be distributed while retaining the appearance of a legitimate application."
Thankfully, however, the N.C. State researchers found the malware not in the official Android Market, but rather on third-party download sites. Accordingly, Jiang recommended avoiding such download sites whenever possible. But in some countries, including China, access to the official Google Android Market is blocked. Thus it's no surprise that, according to Symantec's study of RootSmart, "the vast majority of infected devices belonged to Chinese customers."
In terms of mitigation strategies, Jiang also recommended keeping a close eye on the permissions being requested by apps, as well as any unusual device behavior, and finally, running mobile security tools to keep devices safe.
Ed. note: Story updated Feb. 10 with comments from Google.