
Trojan:AndroidOS/GingerMaster.A


First posted on 26 October 2011.
Source: SecurityHome

Aliases:

Trojan:AndroidOS/GingerMaster.A is also known as Android.Gingersploit.2 (Dr.Web), Backdoor.AndroidOS.GinMaster.a (Kaspersky), Linux/Exploit-Lotoor (McAfee), Andr/Gmaster-A (Sophos).

Explanation:

TrojanSpy:AndroidOS/GingerMaster.A is a malicious program that affects mobile devices running the Android operating system; it may be bundled with clean applications, and is capable of allowing a remote attacker to gain access to the mobile device.





Installation

Trojan:AndroidOS/GingerMaster.A may be downloaded from the Internet from third-party Android markets.

Upon installation, it displays the following information on the device, outlining its capabilities:





Payload

Steals information

TrojanSpy:AndroidOS/GingerMaster.A is capable of doing the following:

  • Accessing the Internet
  • Accessing the device's SD card (including modifying and deleting the card contents)
  • Modifying the device's settings and system files
  • Gaining the highest privilege level on the device's operating system
  • Downloading other potentially arbitrary, possibly malicious files onto the device


Trojan:AndroidOS/GingerMaster.A contains exploit code masquerading as an image file named 'gbfm.png', which is detected as Exploit:Unix/GingerMaster, and may allow a remote attacker to gain administrator privilege on the underlying operating system of the mobile device.

The malware can steal the following information stored on the device and save it to a file named 'game_service_package.db' before sending the information to the remote address 'client.mustmobile.com' via HTTP POST:

  • Device ID (IMEI)
  • Subscriber ID (IMSI)
  • Model
  • Manufacturer
  • SIM Serial number
  • Line number
  • CPU
  • Network Type
  • UserId


It is also capable of downloading and installing other potentially malicious files onto the compromised device; in the wild, we have observed it downloading a file named '19225910801.apk' from the above-mentioned remote server.
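As an added example (not part of this advisory or its author's analysis), the following script shows how a defender could scan an APK for the indicators described above: an 'gbfm.png' asset that does not carry a PNG header (and in particular starts with ELF magic), plus the host name, database file name and payload file name quoted in the text. The APK fed to it is a small constructed stand-in built in memory, not a real sample.

```python
import io
import zipfile

# Indicators taken from the advisory text above.
SUSPICIOUS_ASSET = "gbfm.png"
INDICATOR_STRINGS = [b"client.mustmobile.com",
                     b"game_service_package.db",
                     b"19225910801.apk"]
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ELF_MAGIC = b"\x7fELF"


def scan_apk_bytes(apk_bytes):
    """Return sorted findings for an APK (a zip archive) given as bytes.

    'masqueraded-png:<member>'  gbfm.png member lacking a PNG header
    'elf-in-image:<member>'     that member actually starts with ELF magic
    'indicator:<string>'        one of the advisory's strings in any member
    """
    findings = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1]
            if base == SUSPICIOUS_ASSET:
                if not data.startswith(PNG_MAGIC):
                    findings.add(f"masqueraded-png:{info.filename}")
                if data.startswith(ELF_MAGIC):
                    findings.add(f"elf-in-image:{info.filename}")
            for ind in INDICATOR_STRINGS:
                if ind in data:
                    findings.add(f"indicator:{ind.decode()}")
    return sorted(findings)


def build_sample_apk(masqueraded=True):
    """Constructed in-memory stand-in for an APK (not a real malware file),
    so the scanner can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        # Either an ELF-headed blob posing as an image, or a genuine PNG header.
        payload = (ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 16) if masqueraded \
            else (PNG_MAGIC + b"\x00" * 16)
        zf.writestr("assets/gbfm.png", payload)
        # A fake classes.dex carrying the advisory's network and file-name strings.
        zf.writestr("classes.dex", b"dex\n035\x00https://client.mustmobile.com/"
                                   b" game_service_package.db")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_apk_bytes(build_sample_apk()):
        print(finding)
```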



Analysis by Marianne Mallen

Last update 26 October 2011

 
