Trojan:Android/GinMaster.A steals confidential information from the device and sends it to a remote website.
Disinfection & Removal
F-Secure's Mobile Security product blocks installation of this program with default settings.
Monitoring-Tool:Android/GinMaster.A can be uninstalled by following the steps below:
- Go to Settings
- Go to Applications
- Go to Manage Applications
- Select the application
- Press "Clear data"
- Press "Uninstall"
- Select "OK" when asked for confirmation and wait
Trojan:Android/GinMaster.A is a trojanized application which was first seen in the Android Market for (mainland) China by researchers from North Carolina State University. The exploit source code has been publicly available since April 2011.
It is the first malicious software to utilize a rooting exploit that targets Android 2.3.3 (Gingerbread) devices to escalate privileges on the system. Based on the author's own description of the exploit and examination of its binary, it may also work on Android 2.2 (Froyo) and 3.0 (Honeycomb) devices.
Trojan:Android/GinMaster.A's own description.
However, in the particular sample analyzed, the trojan will only run the exploit if the device version is not greater than 2.3.3 (up to Gingerbread version only).
Trojan:Android/GinMaster.A's use of the exploit may allow it to install additional applications to the device without the user's consent.
The malicious application asks for the following permissions during installation:
Permissions requested by Trojan:Android/GinMaster.A
If the user agrees with the permission requests and proceeds with installation, the application will start up a malicious service in the background. The malicious service is designed in such a way that as long as the main process is running, it will not be terminated by the operating system in the event of a device memory resources shortage.
This is how it looks like on the device in the list of running services.
Trojan:Android/GinMaster.A starts a service in the background.
The malicious service (in effect, the trojan's payload) is triggered when one of the following conditions is met:
- When the trojanized application is running
- When the device finishes a boot
- When a new package is installed on the device.
- When a new package is removed from the device.
All these malicious activities occur invisibily in the background and are performed without notifying the user or seeking consent.
While the trojanized application is running, to the user it appears to be a list of links leading to pretty images:
Some images from the trojanized application
After a few seconds, a popup message will appear that asks the user's confirmation to apply an update. If the user confirms, a new application update downloaded from the internet will be applied.
The user can choose not to confirm the update and just press the phone's back button. The trojan however still proceeds to silently download the application package and save it in the device's SD card, all without the user's consent.
Trojan:Android/GinMaster.A automatically downloads the 'update' regardless of user action (click for larger view).
If any of the trigger conditions for the malicious service is met, it immediately downloads application configuration and harvests the following confidential information from the device:
- Current system time
- International Mobile Equipment Identity (IMEI)
- User Identifier (UID - same as IMEI)
- International Mobile Subscriber Identity (IMSI)
- SIM number
- Telephone number
- Network type
- Current version of app (versionCode)
- Serial number
The stolen information is sent to a remote site.
The trojan also collects package information of packages installed in the system (except those with "Android" or "Google" in the package name) and stores them in its local database.
Package information of installed programs harvested and saved (click for larger view).
The trojan also collects package information for apps newly installed on or removed from the device. For this sample, a test install of Skype was used.
Package information of newly-installed program saved (click for larger view).
The collected package information is also sent to the remote site together with the abovementioned confidential information.
The malicious service then proceeds to the rooting process by first preparing the files it needs, then executing them.
The original files are suffixed with png extensions (presumably in order to mislead the user) but in fact they are ELF32 for ARM binaries and shell utility scripts.