[Warning] Identified malicious application using Gingerbread vulnerability

1. Introduction

These days, several malwares to try root have been found, however, those only work lower than Android SDK 2.2 version.
Since new malicious application using vulnerability of Gingerbread(Android SDK 2.3 version) has been found, user who has Ginderbread's device needs to be careful on using.
This malicious application is designed to target Chinese user so far, however, there are a lot of possibilities emerging variants. We also found 10 more variants.


  
2. Spreading path and symptoms of infection

This repackaged malicious application can spread via various black markets and 3rd party markets and can require various permissions as following.

Permission explanation

- android:name="android.permission.READ_PHONE_STATE"
- android:name="android.permission.READ_LOGS"
- android:name="android.permission.DELETE_CACHE_FILES"
- android:name="android.permission.ACCESS_CACHE_FILESYSTEM"
- android:name="android.permission.WRITE_SECURE_SETTINGS"
- android:name="android.permission.ACCESS_NETWORK_STATE"
- android:name="android.permission.INTERNET"
- android:name="android.permission.WRITE_EXTERNAL_STORAGE"
- android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"
- android:name="android.permission.READ_OWNER_DATA"
- android:name="android.permission.WRITE_OWNER_DATA"
- android:name="android.permission.WRITE_SETTINGS"
- android:name="com.android.launcher.permission.INSTALL_SHORTCUT"
- android:name="com.android.launcher.permission.UNINSTALL_SHORTCUT"
- android:name="android.permission.RECEIVE_BOOT_COMPLETED"
- android:name="android.permission.RESTART_PACKAGES"

Upon installed, this will create execution icon as following, clicking icon will show you various entertainers.


  
* Run icon (Variants has different icon.)
 

* Run screen (It shows famous entertainers.)

* Detailed analysis

* Infected symptoms

1. Collects IMEI/IMSI, numbers in contacts, processes through /proc/cpuinfo, CPU type, manufacturer
2. Sends collected information to certain external site
3. Gets SDK version information for rooting
4. Gets root permission
5. Downloads and installs additional apk files

  
* Code for collecting information

After the installation, various Activities are registered including one receiver(GameBootReceiver), following code will help to leak various information to external site.



* Get root permission with using Gingerbread vulnerability

This malicious application can acquire root permission through Gingerbreak rooting technique using Gingerbread vulnerability with following code.



This malicious application uses "gbfm.png" file, one of packaged file in its inside, to acquire root permission.
Actually this file is "ELF" file, but just masqueraded as a PNG file. This disguised file can acquire root permission with shell command.

Additionally, gbmf of "gbmf.png" is known as abridged word of "GingerBreak For Me".

* Try additional apk file download

This malicious application can download certain apk file with the connection of external C&C server and tries to install additional package with acquired root permission mentioned above.

* File download URL for additional apk file
- http://apk.(~)/apk/(yymmdd)/19225910801.apk

3. How to prevent

With the disclosure of Gingerbread vulnerability, appearance of various malicious applications can be prevalent.
To use smartphone safely from security threats of these malicious applications, we recommend following tips "Smartphone security management tips" for general users.

Smartphone security management tips

1. Use anti-virus SW from believable security company and keep updating the latest engine and using real time detecting function
2. Download the proven application by multiple users at all times.
3. Use mobile anti-virus SW to check downloaded application before using it.
4. Do not visit suspicious or unknown site via smartphone.
5. Try not to see MMS, text, e-mail from uncertain user.
6. Set strong password on smartphone always.
7. Turn the wireless interfaces like Bluetooth only be used.
8. Do not save important information on phone.
9. Do not try illegal customizing like rooting or jailbreak.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis/treatment function with nProtect Mobile for Android for mobile such as malicious file stated above and runs responding system against various security threats.

■ Diagnosis name

- Trojan-Spy/Android.GingerMaster.A
- Trojan-Spy/Android.GingerMaster.B
- Trojan-Spy/Android.GingerMaster.C
- Trojan-Spy/Android.GingerMaster.D
- Trojan-Spy/Android.GingerMaster.E
- Trojan-Spy/Android.GingerMaster.F
- Trojan-Spy/Android.GingerMaster.G
- Trojan-Spy/Android.GingerMaster.H
- Trojan-Spy/Android.GingerMaster.I
- Trojan-Spy/Android.GingerMaster.J
- Trojan-Spy/Android.GingerMaster.K