Android Hackers Craft GingerMaster Rootkit

GingerMaster malware exploits Android, providing attackers with root-level access to the devices.

Mathew J. Schwartz, Contributor

August 24, 2011

3 Min Read

Lookout Mobile Security Protects Android Smartphones

Lookout Mobile Security Protects Android Smartphones

Slideshow: Lookout Mobile Security Protects Android Smartphones (click image for larger view and for slideshow)

Security researchers have discovered new malware, known as GingerMaster, that can exploit Android version 2.3.3 (Gingerbread), providing attackers with root-level access to devices.

While malware that targets Android has been found previously, this is the first exploit that directly targets Gingerbread and may not be spotted by current smartphone security software.

"As this is the first time such malware has been identified, it is not surprising when our experiments show that it can successfully evade the detection of all tested (leading) mobile anti-virus software," said Xuxian Jiang, a computer science assistant professor at N.C. State University, in a blog post. Anecdotal evidence suggests that the malware also exploits Android version 2.2 (Froyo).

The malware is currently packaged as part of what appear to be legitimate applications available for download on Chinese application markets. One infected application, for example, promises "beauty of the day" pictures of women, such as Lady Gaga. When GingerMaster-infected applications first launch, they collect various pieces of device information, including the phone number, SIM card number, and IMEI and IMSI numbers, then share them with a remote command-and-control server.

"If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality," said Vanja Svajcer, a principal virus researcher in SophosLabs, in a blog post. The malware also contains some innovative techniques for bypassing Android's application permission system, he said.

The malware is named for the Gingerbreak exploit, and is the first malware to utilize it. Gingerbreak was developed to provide root-level access to Android devices. In the words of its developer, "free your phone."

According to Jiang, "the GingerMaster malware contains the GingerBreak root exploit. The actual exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name gbfm seems to be the acronym of 'Ginger Break For Me' while the png suffix seems to be the attempt of making it less suspicious."

The malware has to potential to be built into any Android application. "Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator," said Svajcer at SophosLabs.

GingerMaster, of course, is only the latest in a long line of malware that targets Android, and in terms of quantity, the malicious code just keeps coming. "The Android malware writing scene is heating up as the season of summer holidays is coming to its end," said Svajcer. "Last week, we received a record number of samples which are now waiting to be analyzed in detail."

What can Android users on version 2.3.3 and earlier do to avoid GingerMaster exploits? For starters, whenever possible, avoid third-party application stores. As the official Android Market doesn't work in China, however, Chinese users who want to download apps arguably face some hurdles.

In any case, "download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading," said Jiang. Likewise, Android users should keep an eye on the permissions requested by any given application, and "be alert for unusual behavior on the part of mobile phones," he said. Finally, smartphone security software can help too.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights