Android/GingerMaster.A!tr
Analysis
Android/GingerMaster.A!tr is malware that targets Android mobile phones.
It is packaged as an application that shows pictures of beautiful girls.
Figure 1. Android/GingerMaster.A!tr installed on a device
Figure 2. Typical beauties the malware shows
The malware roots the phone with the GingerBreak exploit it carries (see Technical Details). Once rooted, it uses its root privilege to install further applications without the user's consent.
Additionally, the malware sends several details about the infected phone to a remote server, such as the IMEI, IMSI, phone number, SIM serial number and screen resolution.
Technical Details
The malware starts a malicious service, GameService, when the application is launched or when the phone reboots.
When the phone reboots, a receiver, GameBootReceiver, is notified and starts GameService:
    if (paramIntent.getAction().equals("android.intent.action.BOOT_COMPLETED")) {
        Intent localIntent1 = new Intent(paramContext, GameService.class);
        // 268435456 == 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK
        Intent localIntent2 = localIntent1.setFlags(268435456);
        ComponentName localComponentName = paramContext.startService(localIntent1);
    }
Figure 3. GameService running on infected device
GameService first retrieves some information: IMEI, IMSI, SIM serial number, phone number of the infected phone, network type, CPU information (reading Unix file /proc/cpuinfo), and screen resolution.
Then, it posts this information to a remote web server, http://[REMOVED]obile.com/report/first_run.do, providing several parameters:
- uid
- imei: IMEI the malware collected above
- imsi: IMSI
- simNum: SIM serial number
- telNum: victim's phone number
- network_type
- cversion: assumed to be client version. Set to 1003
- channel
- width: screen width
- height
- time: current date and time
The application also bundles the following files, which it uses later:
- gbfm.sh: this is the GingerBreak exploit
- install.sh: a script
- installsoft.sh: a script
- runme.sh: a shell
It retrieves the Unix UID of the current process and stores it.
Then, it launches the exploit (gbfm.sh) and waits for the exploit to run.
Note the exploit requires an SD card to be inserted in the phone.
If the exploit succeeded and the phone is rooted, the malware then runs the install.sh script, which copies the system shell /system/bin/sh to a directory the malware creates and has access to (/system/xbin/appmaster).
Thus, the malware can launch a root shell whenever it wishes.
At some point, the malware will also run the installsoft.sh script. This script simply installs the package provided as a parameter. As the infected phone is rooted, the script manages to install a new package without the user's consent.
The malware communicates with the remote web server at several points. In particular, it checks whether or not it should update itself. If a new update is found, it is downloaded to the SD card:
    # ls -l
    ----rwxr-x system   sdcard_rw   217586 2011-08-23 09:59 image_1015_1004.apk
    # pwd
    /mnt/sdcard/download
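As an added example (not part of the original analysis or Fortinet's signatures), the script below triages an APK for the artifacts described above: the bundled script names (gbfm.sh, install.sh, installsoft.sh, runme.sh), the GameService/GameBootReceiver component names, the /system/xbin/appmaster path and the /report/first_run.do report path. The sample APK it builds is constructed for the demonstration and contains only placeholder text, and the host example.invalid is a placeholder.

```python
import io
import zipfile

# Indicators taken from the analysis above; file names are matched on the basename only.
SUSPICIOUS_ASSETS = {"gbfm.sh", "install.sh", "installsoft.sh", "runme.sh"}
SUSPICIOUS_STRINGS = [
    b"/report/first_run.do",
    b"/system/xbin/appmaster",
    b"GameService",
    b"GameBootReceiver",
]
MAX_ENTRY_BYTES = 5 * 1024 * 1024  # skip large resources such as images


def scan_apk(apk_bytes: bytes) -> dict:
    """Return which GingerMaster-style indicators appear in an APK given as bytes.

    An APK is a zip archive, so zipfile is enough to list its entries and
    read the small ones (scripts, classes.dex) for the indicator strings.
    """
    found_assets, found_strings = set(), set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in SUSPICIOUS_ASSETS:
                found_assets.add(base)
            if info.file_size > MAX_ENTRY_BYTES:
                continue
            content = apk.read(info.filename)
            for marker in SUSPICIOUS_STRINGS:
                if marker in content:
                    found_strings.add(marker.decode())
    return {
        "assets": sorted(found_assets),
        "strings": sorted(found_strings),
        "score": len(found_assets) + len(found_strings),
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for an infected APK (placeholder contents only, no real scripts)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/gbfm.sh", "# constructed placeholder\n")
        z.writestr("assets/install.sh", "# constructed placeholder\n")
        z.writestr("classes.dex", b"GameBootReceiver GameService /system/xbin/appmaster "
                                  b"http://example.invalid/report/first_run.do")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```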
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |