Threat Description

Trojan:Android/GinMaster.A

Details

Aliases: Trojan:Android/GinMaster.A, GinMaster, GinMaster.A
Category: Malware
Type: Trojan
Platform: Android

Summary

Trojan:Android/GinMaster.A steals confidential information from the device and sends it to a remote website.

Removal
Automatic

F-Secure's Mobile Security product blocks installation of this program with default settings.

Manual Removal

Trojan:Android/GinMaster.A can be uninstalled by following the steps below:

  • Go to Settings
  • Go to Applications
  • Go to Manage Applications
  • Select the application
  • Press "Clear data"
  • Press "Uninstall"
  • Select "OK" when asked for confirmation and wait

Technical Details

Trojan:Android/GinMaster.A is a trojanized application which was first seen in the Android Market for (mainland) China by researchers from North Carolina State University. The exploit source code has been publicly available since April 2011.

It is the first malicious software to utilize a rooting exploit that targets Android 2.3.3 (Gingerbread) devices to escalate privileges on the system. Based on the author's own description of the exploit and examination of its binary, it may also work on Android 2.2 (Froyo) and 3.0 (Honeycomb) devices.

Trojan:Android/GinMaster.A's own description.

However, in the particular sample analyzed, the trojan will only run the exploit if the device version is not greater than 2.3.3 (up to Gingerbread version only).

Trojan:Android/GinMaster.A's use of the exploit may allow it to install additional applications to the device without the user's consent.

Installation

The malicious application asks for the following permissions during installation:

Permissions requested by Trojan:Android/GinMaster.A

If the user agrees to the permission requests and proceeds with installation, the application starts a malicious service in the background. The service is designed so that, as long as the main process is running, the operating system will not terminate it in the event of a device memory shortage.

This is how it looks on the device in the list of running services.

Trojan:Android/GinMaster.A starts a service in the background.

Activity

The malicious service (in effect, the trojan's payload) is triggered when one of the following conditions is met:

  • When the trojanized application is running
  • When the device finishes booting
  • When a new package is installed on the device
  • When a package is removed from the device

All these malicious activities occur invisibly in the background and are performed without notifying the user or seeking consent.

Downloads

While the trojanized application is running, to the user it appears to be a list of links leading to pretty images:

Some images from the trojanized application

After a few seconds, a popup message appears asking for the user's confirmation to apply an update. If the user confirms, a new application update downloaded from the internet will be applied.

Popup dialogue.

The user can choose not to confirm the update and simply press the phone's back button. The trojan, however, still proceeds to silently download the application package and save it to the device's SD card, all without the user's consent.

http://www.f-secure.com/virus-info/v-pics/autodownload_update_2.png

http://www.f-secure.com/virus-info/v-pics/ginmaster_automatically_downloaded_update.png

Trojan:Android/GinMaster.A automatically downloads the 'update' regardless of user action (click for larger view).

Data harvesting

If any of the trigger conditions for the malicious service is met, it immediately downloads application configuration and harvests the following confidential information from the device:

  • Current system time
  • International Mobile Equipment Identity (IMEI)
  • User Identifier (UID - same as IMEI)
  • International Mobile Subscriber Identity (IMSI)
  • SIM number
  • Telephone number
  • Network type
  • Current version of app (versionCode)
  • Serial number

The stolen information is sent to a remote site.

The trojan also collects package information of packages installed in the system (except those with "Android" or "Google" in the package name) and stores them in its local database.

http://www.f-secure.com/virus-info/v-pics/ginmaster_collected_package_info_db.png

Package information of installed programs harvested and saved (click for larger view).

The trojan also collects package information for apps newly installed on or removed from the device. For this sample, a test install of Skype was used.

http://www.f-secure.com/virus-info/v-pics/triggered_package_added_events.png

Package information of newly-installed program saved (click for larger view).

The collected package information is also sent to the remote site together with the above-mentioned confidential information.

Exploits

The malicious service then proceeds to the rooting process by first preparing the files it needs, then executing them.

The original files are given a .png extension (presumably to mislead the user), but they are in fact ELF32 ARM binaries and shell utility scripts.
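The extension-versus-content mismatch described above is something a triage script can check directly. The following is an added example, not code from F-Secure or from the malware sample: it walks an extracted APK directory, reads the magic bytes of every file named *.png, and reports those that are really ELF binaries (decoding the ELF class and ARM machine type from the header) or shell scripts. The directory layout and file names in the sample tree are constructed for the demonstration.

```python
import struct
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"
EM_ARM = 40  # e_machine value for ARM in the ELF specification


def classify_bytes(data: bytes) -> str:
    """Identify a file by its leading bytes rather than its extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ELF_MAGIC) and len(data) >= 20:
        elf_class = {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF?")
        endian = "<" if data[5] == 1 else ">"          # e_ident[EI_DATA]
        (machine,) = struct.unpack(endian + "H", data[18:20])  # e_machine
        arch = "ARM" if machine == EM_ARM else f"machine={machine}"
        return f"{elf_class} {arch}"
    if data.startswith(b"#!"):
        return "shell script"
    return "unknown"


def find_disguised_files(root):
    """Return (relative path, real type) for every *.png under root that is not a PNG."""
    hits = []
    for path in sorted(Path(root).rglob("*.png")):
        with open(path, "rb") as f:
            kind = classify_bytes(f.read(64))
        if kind != "png":
            hits.append((path.relative_to(root).as_posix(), kind))
    return hits


def build_sample_tree():
    """Constructed sample tree: one real PNG, one fake PNG carrying an ELF32 ARM header,
    one fake PNG carrying a shell script. File names are invented for this example."""
    root = tempfile.mkdtemp(prefix="apk_triage_demo_")
    assets = Path(root) / "assets"
    assets.mkdir()
    (assets / "logo.png").write_bytes(PNG_MAGIC + b"\x00" * 16)
    # Minimal ELF header: magic, class=1 (32-bit), data=1 (little-endian), version=1,
    # padding to the 16-byte e_ident, then e_type=2 (EXEC) and e_machine=40 (ARM)
    elf = ELF_MAGIC + bytes([1, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 2, EM_ARM)
    (assets / "exploit.png").write_bytes(elf + b"\x00" * 32)
    (assets / "script.png").write_bytes(b"#!/system/bin/sh\nexit 0\n")
    return root
```

Running `find_disguised_files(build_sample_tree())` flags the two fake images and ignores the genuine one; pointing it at a real unpacked APK applies the same check to its assets.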

Other variants

  • Trojan:Android/Ginmaster.B
  • Trojan:Android/Ginmaster.C
