Mobile
News
8/24/2011
12:44 PM
Connect Directly
RSS
E-Mail
50%
50%

Android Hackers Craft GingerMaster Rootkit

GingerMaster malware exploits Android, providing attackers with root-level access to the devices.

Lookout Mobile Security Protects Android Smartphones
Slideshow: Lookout Mobile Security Protects Android Smartphones
(click image for larger view and for slideshow)
Security researchers have discovered new malware, known as GingerMaster, that can exploit Android version 2.3.3 (Gingerbread), providing attackers with root-level access to devices.

While malware that targets Android has been found previously, this is the first exploit that directly targets Gingerbread and may not be spotted by current smartphone security software.

"As this is the first time such malware has been identified, it is not surprising when our experiments show that it can successfully evade the detection of all tested (leading) mobile anti-virus software," said Xuxian Jiang, a computer science assistant professor at N.C. State University, in a blog post. Anecdotal evidence suggests that the malware also exploits Android version 2.2 (Froyo).

The malware is currently packaged as part of what appear to be legitimate applications available for download on Chinese application markets. One infected application, for example, promises "beauty of the day" pictures of women, such as Lady Gaga. When GingerMaster-infected applications first launch, they collect various pieces of device information, including the phone number, SIM card number, and IMEI and IMSI numbers, then share them with a remote command-and-control server.

"If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality," said Vanja Svajcer, a principal virus researcher in SophosLabs, in a blog post. The malware also contains some innovative techniques for bypassing Android's application permission system, he said.

The malware is named for the Gingerbreak exploit, and is the first malware to utilize it. Gingerbreak was developed to provide root-level access to Android devices. In the words of its developer, "free your phone."

According to Jiang, "the GingerMaster malware contains the GingerBreak root exploit. The actual exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name gbfm seems to be the acronym of 'Ginger Break For Me' while the png suffix seems to be the attempt of making it less suspicious."

The malware has to potential to be built into any Android application. "Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator," said Svajcer at SophosLabs.

GingerMaster, of course, is only the latest in a long line of malware that targets Android, and in terms of quantity, the malicious code just keeps coming. "The Android malware writing scene is heating up as the season of summer holidays is coming to its end," said Svajcer. "Last week, we received a record number of samples which are now waiting to be analyzed in detail."

What can Android users on version 2.3.3 and earlier do to avoid GingerMaster exploits? For starters, whenever possible, avoid third-party application stores. As the official Android Market doesn't work in China, however, Chinese users who want to download apps arguably face some hurdles.

In any case, "download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading," said Jiang. Likewise, Android users should keep an eye on the permissions requested by any given application, and "be alert for unusual behavior on the part of mobile phones," he said. Finally, smartphone security software can help too.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
The weekly wrap-up of the top stories from InformationWeek.com this week.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.