The latest malware targeting Android devices takes advantage of a jailbreak exploit to gain root-level access and executes instructions from a remote server.
Researchers have uncovered the first malware using the "Gingerbreak" root exploit for Android 2.3, code-named "Gingerbread."
GingerMaster, a variant of the DroidKungFu malware that appeared earlier this year, has a root exploit that gives the attacker control of the infected device, Xuxian Jiang, associate professor at North Carolina State University's department of computer science, wrote in a blog post Aug. 18. NC State researchers worked with mobile security vendor NetQin and discovered that GingerMaster wrapped malicious code around a jailbreak exploit for Android 2.3 devices.
Once the malicious application is downloaded and installed onto the device, it gains root privileges on the device and transmits data stored on it to a remote server, the researchers said. The information stolen includes the user identifier, SIM card number, telephone number, IMEI number, IMSI number, screen resolution and local time, according to Svajcer, a principal virus researcher in SophosLabs.
"The GingerMaster malware is repackaged into legitimate apps," said Jiang. The applications masquerade as popular applications to encourage users to download them. The researchers also found that several mobile antivirus tools failed to detect the applications as
Svajcer analyzed the application, which claims to display "Beauty of the Day" pictures. Available from a Chinese alternative Android Market, the application requested 16 different permissions from the user upon installation, including the ones to read logs, access the Internet, write to the SD card, access the file system and access
Once installed, GingerMaster will also attempt to install a root shell into the system partition for later use. The malware also installs various utilities onto the partition, "supposedly to make removal more difficult" and for additional functionality, Svajcer said. Once a malicious process gets root, "its powers are potentially unlimited," he said.
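A root shell dropped into the system partition is something a defender can look for. The scan below is an added example, not code from the article or from the NC State or Sophos researchers; it assumes (as a working hypothesis, not a fact stated on the page) that such a shell is a setuid or setgid executable left in a directory like `bin/` or `xbin/`. It walks a directory tree and lists every regular file carrying those bits, so a new entry compared with a known-good baseline is a lead worth investigating. The `demo_scan` helper builds a constructed mini "system partition" in a temporary directory so the check runs offline.

```python
import os
import stat
import tempfile


def find_setuid_executables(root_dir):
    """Return sorted relative paths of regular files under root_dir that
    carry the setuid or setgid bit. On a stock image this list should be
    short and stable; anything new is worth a closer look."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and other non-regular files
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(os.path.relpath(path, root_dir))
    return sorted(hits)


def demo_scan():
    """Constructed fixture (not a real device image): two ordinary binaries
    plus one setuid 'sh' dropped into xbin, then scan the tree."""
    root = tempfile.mkdtemp(prefix="fake_system_")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "xbin"))
    for rel, mode in [("bin/ls", 0o755), ("bin/cat", 0o755), ("xbin/sh", 0o4755)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return find_setuid_executables(root)


if __name__ == "__main__":
    # Expected on the constructed tree: ['xbin/sh']
    print(demo_scan())
```

Against a real device the same function would be pointed at a copy of the system partition pulled off the phone; comparing its output with the list from a known-clean firmware image of the same version is what turns the raw listing into a finding.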
With control over the mobile device, GingerMaster contacts the remote command-and-control server for follow-up instructions. It can download and install applications on its own without the user's permission, Jiang found.
difficult" to gauge the impact of Android malware distributed outside the official Android market, Tim Armstrong, a malware researcher at Kaspersky Lab, . "Due to the fact that new variants keep arriving, we can assume there is money being made, and users being infected, or the malware authors would likely move onto other platforms," Armstrong said.
Users should avoid alternative Android Marketplaces unless they have "strong evidence" the applications are trustworthy, Svajcer recommended. Kaspersky's Armstrong pointed out that the term "alternative markets" also includes independent Websites, forums, peer-to-peer sharing sites and even email, as users can install applications from all these sources.
More importantly, users should look at the permissions list and avoid installing applications that request more than what seems reasonably necessary. GingerMaster is an application that downloads pictures from a Website, Svajcer said, adding, "Why would it need permissions such as WRITE_USER_DATA and
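Svajcer's advice, comparing what an app asks for against what its stated purpose needs, can be mechanised. The script below is an added example, not code from the article or from Sophos: it parses the `uses-permission` entries of an Android manifest and reports which requests fall outside a baseline for the app's stated purpose, and which of them sit on a high-risk list. The sample manifest is constructed for this example (it is not the real GingerMaster sample), the baseline for a picture-viewer app and the high-risk list are the author's own assumptions rather than any official Android classification, and the permission names are standard ones apart from `WRITE_USER_DATA`, which is taken from the quote above.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a "picture of the day" app that asks for far
# more than showing pictures requires. Not the real malware's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.beautyoftheday">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.WRITE_USER_DATA"/>
</manifest>
"""

# Assumption: a picture viewer that fetches images plausibly needs only
# network access and somewhere to cache the files.
EXPECTED_FOR_IMAGE_VIEWER = {
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Assumption: hand-picked permissions that enable data theft or silent
# installs regardless of what the app claims to do.
HIGH_RISK = {
    "android.permission.READ_LOGS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.INSTALL_PACKAGES",
}


def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml, expected):
    """Return (unexpected, high_risk): permissions outside the baseline for
    the app's stated purpose, and those on the high-risk list."""
    requested = set(requested_permissions(manifest_xml))
    unexpected = sorted(requested - expected)
    high_risk = sorted(requested & HIGH_RISK)
    return unexpected, high_risk


if __name__ == "__main__":
    unexpected, risky = review_permissions(SAMPLE_MANIFEST, EXPECTED_FOR_IMAGE_VIEWER)
    print("Beyond what a picture viewer needs:", unexpected)
    print("High-risk:", risky)
```

Run against the constructed manifest, four of the six requests fall outside the picture-viewer baseline and three of those are on the high-risk list, which is exactly the pattern the article's researchers describe: an app whose permission set does not match its cover story.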
Android malware attacks have jumped by 76 percent over the past three months, making Android the most heavily attacked mobile platform, McAfee found in its latest quarterly threat report, released Aug. 22.
writing scene is heating up as the season of summer holidays is coming to its end. Last week, we received a record number of samples which are now waiting to be analyzed in detail," said Svajcer.
GingerMaster may compromise Android 2.2 and earlier devices with some adjustments, Jiang said. Even though Google has updated Gingerbread several times since it was released in December, many carriers have not yet updated their devices to the latest version of 2.3.3 or to 2.3.4. Jiang's team also found other DroidKungFu variants in alternate Android application stores that used similar root exploits for earlier versions