By Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University
Last August, we reported the first Android malware, GingerMaster, which makes use of the GingerBreak root exploit (affecting Android devices with versions less than 2.3.3 and 3.0). Today, my research team, in collaboration with NQ Mobile, has identified a new malware called RootSmart that follows in GingerMaster's footsteps and becomes the second to utilize the GingerBreak exploit.
Different from GingerMaster, this new malware does not directly embed the root exploit inside the app. Instead, it dynamically fetches the GingerBreak root exploit from a remote server and then executes it to escalate its privilege. Such an attack is reminiscent of an earlier proof-of-concept app called RootStrap that was written by Jon Oberheide to demonstrate this capability. But RootSmart seriously substantiates this threat as the first such malware in the wild. It is also reminiscent of the earlier Plankton spyware, but Plankton does not contain any root exploit.
After obtaining root privilege, RootSmart will further silently download and install other malware from a remote server without the user's knowledge. During our analysis, we successfully captured a sample of the DroidLive malware that was downloaded from the remote C&C server.
Android OS Security Alert
- a4nic8er
- 1500+ Posts
- Posts: 1527
- Joined: Fri Dec 31, 2004 1:24 am
Security Alert: New RootSmart Android Malware Utilizes the GingerBreak Root Exploit
- satransisuu
- 1000+ Posts
- Posts: 1087
- Joined: Wed Oct 06, 2004 4:48 pm
Re: Android OS Security Alert
This particular malware was found in alternative Android Markets, not in the official Android Market. For mitigation, please follow common-sense guidelines for smartphone security. For example:
- download apps from reputable app stores that you trust, and always check reviews, ratings and developer information before downloading;
- check the permissions on apps before you actually install them and make sure you are comfortable with the data they will be accessing;
- be alert for unusual behavior on the part of your mobile phone and make sure you have up-to-date security software installed on your phone.