Android Hackers Craft GingerMaster Rootkit - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Android Hackers Craft GingerMaster Rootkit

GingerMaster malware exploits Android, providing attackers with root-level access to the devices.

Lookout Mobile Security Protects Android Smartphones
Slideshow: Lookout Mobile Security Protects Android Smartphones
(click image for larger view and for slideshow)
Security researchers have discovered new malware, known as GingerMaster, that can exploit Android version 2.3.3 (Gingerbread), providing attackers with root-level access to devices.

While malware that targets Android has been found previously, this is the first exploit that directly targets Gingerbread and may not be spotted by current smartphone security software.

"As this is the first time such malware has been identified, it is not surprising when our experiments show that it can successfully evade the detection of all tested (leading) mobile anti-virus software," said Xuxian Jiang, a computer science assistant professor at N.C. State University, in a blog post. Anecdotal evidence suggests that the malware also exploits Android version 2.2 (Froyo).

The malware is currently packaged as part of what appear to be legitimate applications available for download on Chinese application markets. One infected application, for example, promises "beauty of the day" pictures of women, such as Lady Gaga. When GingerMaster-infected applications first launch, they collect various pieces of device information, including the phone number, SIM card number, and IMEI and IMSI numbers, then share them with a remote command-and-control server.

"If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality," said Vanja Svajcer, a principal virus researcher in SophosLabs, in a blog post. The malware also contains some innovative techniques for bypassing Android's application permission system, he said.

The malware is named for the Gingerbreak exploit, and is the first malware to utilize it. Gingerbreak was developed to provide root-level access to Android devices. In the words of its developer, "free your phone."

According to Jiang, "the GingerMaster malware contains the GingerBreak root exploit. The actual exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name gbfm seems to be the acronym of 'Ginger Break For Me' while the png suffix seems to be the attempt of making it less suspicious."

The malware has to potential to be built into any Android application. "Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator," said Svajcer at SophosLabs.

GingerMaster, of course, is only the latest in a long line of malware that targets Android, and in terms of quantity, the malicious code just keeps coming. "The Android malware writing scene is heating up as the season of summer holidays is coming to its end," said Svajcer. "Last week, we received a record number of samples which are now waiting to be analyzed in detail."

What can Android users on version 2.3.3 and earlier do to avoid GingerMaster exploits? For starters, whenever possible, avoid third-party application stores. As the official Android Market doesn't work in China, however, Chinese users who want to download apps arguably face some hurdles.

In any case, "download apps from reputable app stores that you trust; and always check reviews, ratings as well as developer information before downloading," said Jiang. Likewise, Android users should keep an eye on the permissions requested by any given application, and "be alert for unusual behavior on the part of mobile phones," he said. Finally, smartphone security software can help too.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2021 Outlook: Tackling Cloud Transformation Choices
Joao-Pierre S. Ruth, Senior Writer,  1/4/2021
Enterprise IT Leaders Face Two Paths to AI
Jessica Davis, Senior Editor, Enterprise Apps,  12/23/2020
10 IT Trends to Watch for in 2021
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/22/2020
White Papers
Register for InformationWeek Newsletters
The State of Cloud Computing - Fall 2020
The State of Cloud Computing - Fall 2020
Download this report to compare how cloud usage and spending patterns have changed in 2020, and how respondents think they'll evolve over the next two years.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you.
Flash Poll