Android Malware Utilizes the GingerBreak Root Exploit »www.csc.ncsu.edu/faculty/jiang/RootSmart/
By Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University
Last August, we reported the first Android malware, GingerMaster, which makes use of the GingerBreak root exploit (affecting Android devices with versions less than 2.3.3 and 3.0). Today, my research team, in collaboration with NQ Mobile, has identified a new malware called RootSmart that follows in GingerMaster's footsteps and becomes the second to utilize the GingerBreak exploit.
Different from GingerMaster, this new malware does not directly embed the root exploit inside the app. Instead, it dynamically fetches the GingerBreak root exploit from a remote server and then executes it to escalate its privilege. Such an attack is reminiscent of an earlier proof-of-concept app called RootStrap that was written by Jon Oberheide to demonstrate such capability. But RootSmart seriously substantiates this threat as the first such malware in the wild. It is also reminiscent of the earlier Plankton spyware. But Plankton does not contain any root exploit.
After obtaining root privilege, RootSmart will further silently download and install other malware from a remote server without the user's knowledge. During our analysis, we successfully captured a DroidLive malware that was downloaded from the remote C&C server.
This is one of the compelling reasons to use a Cyanogenmod ROM instead of the stock ROM.
There are MANY MANY local root exploits in the Linux kernel; the latest one is just out, affects kernel 2.6.39 & up, and there is an Android version.
My modded kernel is the latest 2.6.32.56; the stock one is still stuck at 2.6.32.9... come on!!!
So when your carrier gives you an OTA update to 2.3.7 or 4.0.3, it ONLY updates the Android OS (of course, they Don't update the buggy OpenSSL components...), not the buggy Linux kernel. A malware just runs a couple of lines of C code and it is ROOT, ready to steal all your corporate passwords & emails & your LIFE...
If your mobile kernel is 2.6.39 or up & it is not up-to-date... (kernel.org has already dropped 2.6.39 support...) this is a clear and present danger from mempodroid:
»github.com/saurik/mempodroid
told ya, Google doesn't update the Android WebKit browser code, now we have 0-days for our 'smart'phone
from Full Disclosure "Android Multiple Vulnerabilities"
»seclists.org/fulldisclosure/2012/Feb/111
Full details of "RootSmart"
»resources.infosecinstitute.com/r···malware/
Summary
Android's increasing popularity, combined with the possibility to create alternative markets, makes this platform a fertile ground for malware authors. While most of these applications just exploit the inexperience of the average user who is looking for free software, others are pretty smart and use more sophisticated techniques to take, and keep, control of the infected devices.
Lately it came to my attention that a new malware was taking advantage of the famous GingerBreak exploit to gain root privileges on infected phones. RootSmart, the name given to the malware by the people who identified it first, is the second application found in the wild making use of an exploit (the first one was GingerMaster, detected back in August 2011).
RootSmart is actually, well, smart, kind of. The exploit is not embedded in the package, probably in an attempt to appear less suspicious to AV systems, but is downloaded from a remote webserver alongside other malicious packages. Additionally, a bit of cryptography is used to deter the analyst from reverse engineering the application.
Let's dig in.
Application Information
The sample I was able to retrieve has the following parameters:
File: com.google.android.smart.apk
File size: 314.445 bytes
MD5: F70664BB0D45665E79BA9113C5E4D0F4
SHA1: 67CF01EE7FF0E65CB7EC78CDBD274077153ADD4E
At the time of writing, the detection rate on VirusTotal is 8/43 (identified as Android.RootSmart or Android.BMaster).
Manifest Analysis
Android needs to gather some essential information from every application before the underlying OS is able to run it. This information is stored in the manifest file, and that's where we'll start our journey.
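A small triage helper for the sample described in the two quoted write-ups above (Jiang's summary and the infosecinstitute analysis), added here as an example and not taken from either article or from the thread: it hashes an APK against the MD5/SHA1 quoted for the RootSmart sample and lists any zip entries that are native ELF binaries, the embedded-exploit pattern GingerMaster used and RootSmart avoids by fetching its exploit at runtime. The build_sample_apk function and everything it writes are constructed test data, not the real sample.

```python
import hashlib
import io
import zipfile

# Hashes quoted in the thread for the RootSmart sample com.google.android.smart.apk
ROOTSMART_IOCS = {
    "md5": "f70664bb0d45665e79ba9113c5e4d0f4",
    "sha1": "67cf01ee7ff0e65cb7ec78cdbd274077153add4e",
}
ELF_MAGIC = b"\x7fELF"


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA1 of the raw APK bytes, lower-case hex."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def matches_ioc(data: bytes, iocs=ROOTSMART_IOCS) -> bool:
    """True if either hash equals the quoted RootSmart indicator."""
    h = file_hashes(data)
    return h["md5"] == iocs["md5"] or h["sha1"] == iocs["sha1"]


def embedded_elf_entries(apk_bytes: bytes) -> list:
    """Zip entries starting with ELF magic (native binaries such as an embedded
    root exploit). RootSmart downloads its exploit later, so an empty list
    here does not clear a sample; the hash check above still applies."""
    found = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as f:
                if f.read(4) == ELF_MAGIC:
                    found.append(info.filename)
    return found


def triage_apk(apk_bytes: bytes) -> dict:
    return {
        "hashes": file_hashes(apk_bytes),
        "known_rootsmart": matches_ioc(apk_bytes),
        "elf_entries": embedded_elf_entries(apk_bytes),
    }


def build_sample_apk(with_elf: bool) -> bytes:
    # Constructed stand-in for an APK: a zip with a fake manifest and dex file,
    # optionally carrying a fake ELF payload under assets/.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        if with_elf:
            z.writestr("assets/exploit", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16)
    return buf.getvalue()
```

Run triage_apk on the bytes of any APK; a hash hit or a native payload in an app that has no business shipping one is what an analyst would pull for closer inspection.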
offtopic: MSE seems to be quite good at catching malware for Android OS, compared to its own
An overview of things Android Market and exploits thereof are summarised quite well here