Thursday, August 25, 2011

First malware using Android Gingerbreak root exploit


It did not take long, after learning of the discovery of Gingermaster, the first Android malware to use the Gingerbreak exploit, to acquire a sample, which was still available from a Chinese alternative Android Marketplace.
The package downloaded uses the following permissions:
android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES
It was quite interesting to find out how and why the Gingerbreak privilege escalation exploit, also known as CVE-2011-1823, is used.
Despite its Chinese origin, the Gingermaster malware is perfectly capable of spreading globally: I had no trouble installing it on a test rig and in the Android emulator.
Gingermaster installed and the home activity
The malware purports to be an application which displays “Beauty of the day” pictures. The content is downloaded from a website, not packaged with the application.
(When I carried out my tests, the list of beauties also included photos of Lady Gaga – some celebrities seem to be truly global.)
Celebrities
Apart from displaying the photos, Gingermaster creates a service that steals information from your device, sending it out to a remote website in an HTTP POST request. The information grabbed includes: user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time.
The server responds with various configuration parameters, including the update frequency and the update URL. The responses are simple JSON objects.
In the assets folder of the APK file, Gingermaster includes three ELF executables and one shell script, all with the file name extension .png, presumably to make the exploit code slightly less obvious. The file names are gbfm.png, install.png, installsoft.png and runme.png. The malware also creates a file called gbfm.sh. This contains the actual Gingerbreak exploit code, launched in a separate thread.
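As an added example that is not part of this post or of the malware itself: a small Python check that scans the assets folder of an APK (a zip file) for entries named .png whose leading bytes identify an ELF binary or a shell script rather than an image, which is exactly the disguise described above. The sample APK is constructed in memory and its file names simply mirror those in the post.

```python
import io
import zipfile

# Magic bytes that betray a non-image file hiding under a .png name
ELF_MAGIC = b"\x7fELF"
SHEBANG = b"#!"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def classify(head: bytes) -> str:
    """Return a coarse type label based on the first few bytes of a file."""
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(SHEBANG):
        return "script"
    if head.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def find_disguised_assets(apk_bytes: bytes) -> dict:
    """Map each assets/*.png entry whose content is not a PNG to its real type."""
    suspicious = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not (name.startswith("assets/") and name.lower().endswith(".png")):
                continue
            with apk.open(name) as entry:
                kind = classify(entry.read(8))
            if kind != "png":
                suspicious[name] = kind
    return suspicious


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: one real PNG header and three fakes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("assets/real.png", PNG_MAGIC + b"\x00" * 16)
        z.writestr("assets/gbfm.png", ELF_MAGIC + b"\x01\x01\x01\x00" + b"\x00" * 16)
        z.writestr("assets/installsoft.png", ELF_MAGIC + b"\x01\x01\x01\x00")
        z.writestr("assets/runme.png", b"#!/system/bin/sh\necho constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, kind in find_disguised_assets(build_sample_apk()).items():
        print(f"{name}: {kind}")
```

Running the same function over a real APK only requires passing its bytes; the check reads eight bytes per entry, so it is cheap enough to run over every package pulled from a marketplace.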
Gingermaster also generates an output log, called logcat, which contains information about what the malware has done so far:
Gingermaster logcat output
If the root exploit is successful, the system partition is remounted as writable and various additional utilities are installed, presumably to make removal more difficult and to allow for additional functionality.
One of these utilities, installsoft.png, contains code to install Android packages using the command-line version of the package manager.
This is an interesting technique which we have not seen before; it neatly bypasses the Android permission system by removing the need to declare the INSTALL_PACKAGES “uses-permission” in the Android manifest file.
Of course, once a malicious process gets root, its powers are potentially unlimited.
The Android malware writing scene is heating up as the season of summer holidays is coming to its end.
Hopefully, we will have enough time to document the more interesting ones and share them with you on our Blog.
If you are an Android user, here are some security hints:
Avoid alternative Android Marketplaces unless you have strong evidence they are trustworthy.
Avoid applications which request more permissions than they need.
(Gingermaster claims to be an application which downloads “beauty of the day” pictures of celebrities from a website. Why would it need permissions such as WRITE_USER_DATA and MOUNT_UNMOUNT_FILESYSTEMS?)
Email your vendor to urge them to update the OS on your device if they have not yet done so.
