Security Alert: New RootSmart Android Malware Utilizes the GingerBreak Root Exploit

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Last August, we reported the first Android malware, GingerMaster, that makes use of the GingerBreak root exploit (affecting Android devices running versions below 2.3.3 as well as 3.0). Today, my research team, in collaboration with NQ Mobile, has identified a new malware called RootSmart that follows in GingerMaster's footsteps and becomes the second to utilize the GingerBreak exploit.

Unlike GingerMaster, this new malware does not embed the root exploit inside the app. Instead, it dynamically fetches the GingerBreak root exploit from a remote server and then executes it to escalate its privilege. Because the exploit is not present in the APK, a static scan of the package alone will not find it. This attack is reminiscent of an earlier proof-of-concept app called RootStrap, written by Jon Oberheide to demonstrate exactly this capability; RootSmart substantiates the threat as the first such malware seen in the wild. It is also reminiscent of the earlier Plankton spyware, which likewise downloads and loads code at runtime but does not contain any root exploit.

After obtaining root privilege, RootSmart silently downloads and installs other malware from its remote server without the user's knowledge. During our analysis, we successfully captured a DroidLive sample being downloaded from the remote C&C server.

How it works

Specifically, when started, RootSmart connects to its C&C server and reports information collected from the phone. Our analysis shows that the collected information includes the Android OS version number, the device IMEI number, and the package name. To impede reverse engineering, the malware does not include the C&C server URL in plaintext. Instead, it stores the URL encrypted inside a raw resource file, and the key used to decrypt that resource is generated by feeding a fixed seed number (stored in the manifest file) to the Java random number generator. Since the generator is deterministic and the seed ships with the app, anyone holding the APK can regenerate the key and recover the URL; the obfuscation only slows analysis rather than preventing it. The following screenshot shows the encrypted C&C server in the raw resource file.

[Screenshot: the encrypted C&C server URL stored in the app's raw resource file]

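The key derivation described above, reproduced as an added example for analysts (this is not code from the original post and not RootSmart's own code). The post does not disclose the cipher, the seed value, the manifest entry holding the seed, or the C&C address, so all of those are assumptions here: the seed is read from a hypothetical meta-data entry named app_seed, a 16-byte key is taken from java.util.Random via nextBytes(), the resource is assumed to be repeating-key XOR, and the sample manifest, seed (42) and URL are constructed. The java.util.Random re-implementation is bit-exact, which is the point: a fixed seed makes the "key" a constant.

```python
# Added example (not from the original post or from RootSmart): regenerating a key that
# was derived from java.util.Random with a fixed seed, then using it to recover the
# obfuscated C&C URL from a raw resource. Assumed details are marked below.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MASK48 = (1 << 48) - 1
MULTIPLIER = 0x5DEECE66D  # constants from java.util.Random's 48-bit LCG
ADDEND = 0xB


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random(long seed)."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ MULTIPLIER) & MASK48  # Random's initialScramble()

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * MULTIPLIER + ADDEND) & MASK48
        value = self.seed >> (48 - bits)
        # Java's next() returns a signed 32-bit int.
        return value - (1 << 32) if value >= (1 << 31) else value

    def next_int(self) -> int:
        return self._next(32)

    def next_bytes(self, count: int) -> bytes:
        """Mirrors Random.nextBytes(): each nextInt() yields up to four bytes, low byte first."""
        out = bytearray()
        while len(out) < count:
            rnd = self.next_int()
            for _ in range(min(4, count - len(out))):
                out.append(rnd & 0xFF)
                rnd >>= 8
        return bytes(out)


def seed_from_manifest(manifest_xml: str, meta_name: str) -> int:
    """Read the seed from a <meta-data> element (the element name is an assumption)."""
    root = ET.fromstring(manifest_xml)
    for meta in root.iter("meta-data"):
        if meta.get(f"{{{ANDROID_NS}}}name") == meta_name:
            return int(meta.get(f"{{{ANDROID_NS}}}value"))
    raise ValueError(f"no meta-data named {meta_name!r}")


def derive_key(seed: int, key_len: int = 16) -> bytes:
    """Same seed in, same key out: this is what makes the scheme recoverable."""
    return JavaRandom(seed).next_bytes(key_len)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed cipher; the post does not name the real one)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_cc_url(manifest_xml: str, resource_bytes: bytes, meta_name: str = "app_seed") -> str:
    key = derive_key(seed_from_manifest(manifest_xml, meta_name))
    return xor_with_key(resource_bytes, key).decode("utf-8")


# Constructed sample input: not RootSmart's real manifest, seed, or C&C address.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <meta-data android:name="app_seed" android:value="42" />
  </application>
</manifest>"""
SAMPLE_URL = "http://c2.example.invalid/report"
# Stand-in for the bytes an analyst would pull out of res/raw/, produced here with the
# same derivation because the post does not reproduce the real encrypted resource.
SAMPLE_RESOURCE = xor_with_key(SAMPLE_URL.encode("utf-8"), derive_key(42))

if __name__ == "__main__":
    print("Random(42).nextInt() ->", JavaRandom(42).next_int())  # -1170105035, as in Java
    print("key:", derive_key(42).hex())
    print("recovered C&C URL:", recover_cc_url(SAMPLE_MANIFEST, SAMPLE_RESOURCE))
```

In practice the seed and the cipher would be read out of the decompiled code rather than assumed; the value of the script is that once the seed is known, no dynamic analysis or network capture is needed to get the URL. The JavaRandom class can be checked against a real JVM: new Random(42).nextInt() returns -1170105035.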
After that, RootSmart downloads the GingerBreak root exploit from the remote server and launches it to obtain root privilege on the infected phone. The downloaded root exploit arrives in a zip file named shells.zip, which contains the GingerBreak exploit binary and two helper scripts. The first script installs a root shell into the system partition, and the second installs additional apps, also into the system partition, which means the dropped apps survive a factory reset of the data partition and cannot be uninstalled by the user in the normal way. The following figure shows the second script.

[Figure: the second helper script from shells.zip, which installs additional apps into the system partition]

Dropping more malware

Mitigation:

download apps only from reputable app stores that you trust, and always check reviews, ratings and developer information before downloading;

check the permissions an app requests before you install it and make sure you are comfortable with the data it will be able to access;

be alert for unusual behavior on your phone, and keep up-to-date security software installed on it.

Follow-ups:

2/3/2012: This article goes public.

Last modified: Feb 3rd, 2012