First malware using Android Gingerbreak root exploit

It did not take too long after I found out about the discovery of Gingermaster, the first Android malware to use the Gingerbreak exploit, to acquire a sample which was still available from a Chinese alternative Android Marketplace.

The package I downloaded uses the following permissions:

android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES

I was quite interested to find out how and why the Gingerbreak privilege escalation exploit, also known as CVE-2011-1823 is used.

Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on my test rig and in the Android emulator.

Gingermaster installed and the home activity

The malware purports to be an application which displays “Beauty of the day” pictures. The content is downloaded from a website, not packaged with the application.

(When I carried out my tests, the list of beauties also included photos of Lady Gaga – some celebrities seem to be truly global.)

Celebrities

Apart from displaying the photos, Gingermaster creates a service that steals information from your device, sending it out to a remote website in an HTTP POST request. The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time.

The server responds with the various configuration parameters including the update frequency and the update URL. The responses are just simple JSON objects.

In the assets folder of the APK file, Gingermaster includes three ELF executables and one shell script, all with the file name extension .png, presumably to make the exploit code slightly less obvious. The file names are gbfm.png, install.png, installsoft.png and runme.png. The malware also creates a file called gbfm.sh. This contains the the actual Gingerbreak exploit code, launched in a separate thread.

Gingermaster also generates an output log, called logcat, which contains information about what the malware has done so far:

Gingermaster logcat output

If the root exploit is successful, the system partition is remounted as writable and various additional utilities installed, supposedly to make removal more difficult and allow for additional functionality.

One these utilities, installsoft.png, contains code to install Android packages using the command line version of the package manager.

This is an interesting technique which I have not seen before and nicely bypasses the Android permissions system by removing the requirement for declaring the “uses-permission” INSTALL_PACKAGES in the Android manifest file.

Of course, once a malicious process gets root, its powers are potentially unlimited.

Gingermaster will be detected by Sophos products as Andr/Gmaster-A.

The Android malware writing scene is heating up as the season of summer holidays is coming to its end. Last week, we received a record number of samples which are now waiting to be analysed in detail.

Hopefully, I will have enough time to document the more interesting ones and share them with you on NakedSecurity.

If you are an Android user, here are some security hints:

* Avoid alternative Android Marketplaces unless you have strong evidence they are trustworthy.

* Avoid applications which request more permissions than they need.

(Gingermaster claims to be an application which downloads “beauty of the day” pictures of celebrities from a website. Why would it need permissions such as WRITE_USER_DATA and MOUNT_UNMOUNT_FILESYSTEMS?)

* Email your vendor to urge them to update the OS on your device if they have not yet done so.