Mobile Virus

Android/GingerMaster.A!tr

Analysis

Android/GingerMaster.A!tr is malware that targets Android mobile phones. It is packaged as an application that shows pictures of beautiful girls.


Figure 1. Android/GingerMaster.A!tr installed on a device

Figure 2. Typical beauties the malware shows
In the background, the malware roots the device using the "Gingerbreak/Honeybomb" exploit (CVE-2011-1823). This exploit compromises Android versions up to 2.3.
Once the device is rooted, the malware uses its root privilege to install further applications without the user's consent.
Additionally, the malware sends several details about the infected phone to a remote server, such as the IMEI, IMSI, phone number, SIM serial number, and screen resolution.

Technical Details


The malware starts a malicious service, GameService, when the application is launched or when the phone reboots.
When the phone reboots, a receiver, GameBootReceiver, is notified and starts GameService:
// Decompiled receiver code: runs when the boot-completed broadcast arrives
if (paramIntent.getAction().equals(
    "android.intent.action.BOOT_COMPLETED")) {
    Intent localIntent1 = new Intent(paramContext, GameService.class);
    // 268435456 == 0x10000000 == Intent.FLAG_ACTIVITY_NEW_TASK
    Intent localIntent2 = localIntent1.setFlags(268435456);
    ComponentName localComponentName = paramContext.startService(localIntent1);
}

Figure 3. GameService running on infected device
GameService first retrieves some information: IMEI, IMSI, SIM serial number, phone number of the infected phone, network type, CPU information (reading Unix file /proc/cpuinfo), and screen resolution.
Then, it posts this information to a remote web server:
http://[REMOVED]obile.com/report/first_run.do
providing several parameters:
  • uid
  • imei: IMEI the malware collected above
  • imsi: IMSI
  • simNum: SIM serial number
  • telNum: victim's phone number
  • network_type
  • cversion: assumed to be client version. Set to 1003
  • channel
  • width: screen width
  • height
  • time: current date and time
Then, the malware attempts to root the device. To do so, it copies several scripts and executables from its assets to the device (/data/data/PACKAGENAME/files). In the asset directory, the files have a .png extension to fool the end-user; they are not images but ARM executables or Unix scripts.
  • gbfm.sh: this is the GingerBreak exploit
  • install.sh: a script
  • installsoft.sh: a script
  • runme.sh: a shell
It sets appropriate permissions (chmod 775) on those files, then runs runme.sh to get a shell.
It retrieves the Unix UID of the current process and stores it.
Then, it launches the exploit (gbfm.sh) and waits for the exploit to run.
Note that the exploit requires an SD card to be inserted in the phone.
If the exploit succeeds and the phone is rooted, the malware then runs the install.sh script, which copies sh (/system/bin/sh) to a specific directory the malware creates and has access to (/system/xbin/appmaster).
Thus, the malware can launch a shell whenever it wishes.
At some point, the malware will also run the installsoft.sh script. This script simply installs a package provided as a parameter. As the infected phone is rooted, the script manages to install a new package without the user's consent.
The malware communicates with the remote web server several times. In particular, it checks whether or not it should update the malware. If a new update is found, it is downloaded to the SD card:
# ls -l
----rwxr-x system   sdcard_rw   217586 2011-08-23 09:59 image_1015_1004.apk
# pwd
/mnt/sdcard/download
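
The disguised assets described above (files named .png that are really ARM executables or Unix scripts) can be flagged statically by comparing each asset's extension with its leading bytes. The following is an added example, not code from the original analysis or from the malware; the function names and the sample archive contents are constructed for illustration, and the check is generalized to a few other image extensions beyond .png.

```python
import io
import zipfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def classify(head: bytes) -> str:
    """Classify a file by its first bytes, ignoring its name."""
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def disguised_assets(apk) -> dict:
    """Map image-named entries under assets/ to their real type when the
    content is an ELF binary or a shebang script."""
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith("assets/") or not name.lower().endswith(IMAGE_EXTS):
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(8))
            if kind in ("elf", "script"):
                findings[name] = kind
    return findings


def build_sample_apk() -> io.BytesIO:
    """Constructed sample archive: inert placeholder bytes, hypothetical names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/photo.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("assets/tool.png", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)
        zf.writestr("assets/setup.png", b"#!/system/bin/sh\n# placeholder\n")
        zf.writestr("res/drawable/icon.png", PNG_MAGIC + b"\x00" * 16)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for path, kind in sorted(disguised_assets(build_sample_apk()).items()):
        print(f"{path}: named as image, content is {kind}")
```

An APK is a ZIP archive, so disguised_assets() also accepts a path to an .apk file on disk.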

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.