Android Hackers Craft GingerMaster Rootkit - InformationWeek
12:44 PM

Android Hackers Craft GingerMaster Rootkit

GingerMaster malware exploits Android, providing attackers with root-level access to the devices.

Lookout Mobile Security Protects Android Smartphones
Slideshow: Lookout Mobile Security Protects Android Smartphones
(click image for larger view and for slideshow)
Security researchers have discovered new malware, known as GingerMaster, that can exploit Android version 2.3.3 (Gingerbread), providing attackers with root-level access to devices.

While malware that targets Android has been found previously, this is the first exploit that directly targets Gingerbread and may not be spotted by current smartphone security software.

"As this is the first time such malware has been identified, it is not surprising when our experiments show that it can successfully evade the detection of all tested (leading) mobile anti-virus software," said Xuxian Jiang, a computer science assistant professor at N.C. State University, in a blog post. Anecdotal evidence suggests that the malware also exploits Android version 2.2 (Froyo).

The malware is currently packaged as part of what appear to be legitimate applications available for download on Chinese application markets. One infected application, for example, promises "beauty of the day" pictures of women, such as Lady Gaga. When GingerMaster-infected applications first launch, they collect various pieces of device information, including the phone number, SIM card number, and IMEI and IMSI numbers, then share them with a remote command-and-control server.

"If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality," said Vanja Svajcer, a principal virus researcher in SophosLabs, in a blog post. The malware also contains some innovative techniques for bypassing Android's application permission system, he said.

The malware is named for the Gingerbreak exploit, and is the first malware to utilize it. Gingerbreak was developed to provide root-level access to Android devices. In the words of its developer, "free your phone."

According to Jiang, "the GingerMaster malware contains the GingerBreak root exploit. The actual exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name gbfm seems to be the acronym of 'Ginger Break For Me' while the png suffix seems to be the attempt of making it less suspicious."

The malware has to potential to be built into any Android application. "Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator," said Svajcer at SophosLabs.

GingerMaster, of course, is only the latest in a long line of malware that targets Android, and in terms of quantity, the malicious code just keeps coming. "The Android malware writing scene is heating up as the season of summer holidays is coming to its end," said Svajcer. "Last week, we received a record number of samples which are now waiting to be analyzed in detail."

What can Android users on version 2.3.3 and earlier do to avoid GingerMaster exploits? For starters, whenever possible, avoid third-party application stores. As the official Android Market doesn't work in China, however, Chinese users who want to download apps arguably face some hurdles.

In any case, "download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading," said Jiang. Likewise, Android users should keep an eye on the permissions requested by any given application, and "be alert for unusual behavior on the part of mobile phones," he said. Finally, smartphone security software can help too.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll