Security Alert: New RootSmart Android Malware Utilizes the GingerBreak Root Exploit

By Xuxian Jiang, Associate Professor, Department of Computer Science, NC State University

Last August, we reported GingerMaster, the first Android malware to make use of the GingerBreak root exploit (which affects Android devices running versions below 2.3.3, as well as 3.0). Today, my research team, in collaboration with NQ Mobile, has identified a new malware family called RootSmart that follows in GingerMaster's footsteps and becomes the second to utilize the GingerBreak exploit.

Unlike GingerMaster, this new malware does not embed the root exploit inside the app. Instead, it dynamically fetches the GingerBreak root exploit from a remote server and then executes it to escalate its privileges. Such an attack is reminiscent of RootStrap, an earlier proof-of-concept app written by Jon Oberheide to demonstrate exactly this capability; RootSmart substantiates that threat as the first such malware found in the wild. It also recalls the earlier Plankton spyware, which likewise downloads and loads code at run time, although Plankton does not contain any root exploit.

After obtaining root privilege, RootSmart silently downloads and installs further malware from a remote server without the user's knowledge. During our analysis, we captured a sample of the DroidLive malware being downloaded from the remote C&C server.

How it works

The RootSmart malware hides in an Android app named com.google.android.smart, which uses the same icon as the default Android system Settings app (see the following screenshot). Once installed, it registers several system-wide broadcast receivers that wait for various events (e.g., a new outgoing call). When one of these system events occurs, the malicious payload runs automatically in the background.

Specifically, when started, RootSmart connects to its C&C server and uploads various information collected from the phone. Our analysis shows that this includes the Android OS version number, the device IMEI, and the malware's own package name. To impede reverse engineering, the malware does not include the C&C server URL in plaintext. Instead, it stores the URL encrypted inside a raw resource file, and the key used to decrypt that resource is generated by feeding a fixed seed number (stored in the manifest file) to the Java random number generator. Because the seed is constant, the key is effectively a constant as well: anyone who reads the seed out of the manifest can regenerate it without running the app. The following screenshot shows the encrypted C&C server in the raw resource file.
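To make the weakness of that scheme concrete, here is an added example (not code from the RootSmart sample or from the original post) that re-implements java.util.Random bit for bit and uses it to regenerate a key from a manifest seed. The page does not say which cipher RootSmart applies or how many key bytes it draws, so the XOR keystream, the 16-byte key length, the seed value and the placeholder URL below are all assumptions made for the example:

```python
# Added example: why a key derived from a fixed-seed java.util.Random
# protects nothing. The PRNG is a 48-bit LCG whose algorithm is published in
# the JDK documentation, so an analyst who reads the seed from
# AndroidManifest.xml can regenerate the key offline. The cipher (XOR
# keystream), key length, seed and URL are assumptions, not RootSmart details.

MASK48 = (1 << 48) - 1
MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB


class JavaRandom:
    """Bit-exact re-implementation of java.util.Random, so outputs match
    what the malware's own call to new Random(seed) would produce."""

    def __init__(self, seed: int) -> None:
        # Random(long seed) scrambles the seed with the multiplier first.
        self.seed = (seed ^ MULTIPLIER) & MASK48

    def _next(self, bits: int) -> int:
        self.seed = (self.seed * MULTIPLIER + ADDEND) & MASK48
        value = self.seed >> (48 - bits)
        # Java hands back a signed 32-bit int; mirror the wrap-around.
        if value >= 1 << 31:
            value -= 1 << 32
        return value

    def next_int(self) -> int:
        return self._next(32)

    def next_bytes(self, count: int) -> bytes:
        # Same byte order as Random.nextBytes(): low byte of each nextInt() first.
        out = bytearray()
        while len(out) < count:
            rnd = self.next_int()
            for _ in range(min(4, count - len(out))):
                out.append(rnd & 0xFF)
                rnd >>= 8
        return bytes(out)


def derive_key(manifest_seed: int, length: int = 16) -> bytes:
    """Key derivation as the page describes it: a fixed seed fed to the Java
    RNG. Deterministic, hence recoverable by anyone holding the APK."""
    return JavaRandom(manifest_seed).next_bytes(length)


def xor_with_key(data: bytes, key: bytes) -> bytes:
    # Assumed cipher for this example; XOR is its own inverse.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_resource(raw_resource: bytes, manifest_seed: int) -> str:
    """The analyst's step: regenerate the key from the seed found in the
    manifest and decrypt the raw resource to recover the C&C URL."""
    return xor_with_key(raw_resource, derive_key(manifest_seed)).decode("utf-8")


def encrypt_resource(url: str, manifest_seed: int) -> bytes:
    """Build-time counterpart, used here only to construct a sample resource."""
    return xor_with_key(url.encode("utf-8"), derive_key(manifest_seed))


if __name__ == "__main__":
    # Constructed values: a hypothetical seed and a placeholder URL.
    SEED_FROM_MANIFEST = 1337
    resource = encrypt_resource("http://c2.example.invalid/report", SEED_FROM_MANIFEST)
    print("raw resource bytes:", resource.hex())
    print("recovered C&C URL:", decrypt_resource(resource, SEED_FROM_MANIFEST))
```

The lesson for both analysts and developers is the same: when every input to the key derivation ships inside the APK, the resource is obfuscated, not encrypted, and a reimplementation of the PRNG is all that is needed to read it. The same holds for hardcoded keys, which this construction merely disguises.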

After that, RootSmart downloads the GingerBreak root exploit from the remote server and launches it to obtain root privilege on the infected phone. The exploit arrives in a zip file named shells.zip, which contains the GingerBreak binary itself and two helper scripts: the first installs a root shell into the system partition, and the second installs additional apps into the system partition as well. The following figure shows the second script.

Dropping more malware

After obtaining root privilege, RootSmart downloads additional (malicious) apps from its C&C server and installs them into the system partition without the user's knowledge. It is worth mentioning that if RootSmart fails to obtain root privilege, it still attempts to install the downloaded apps. In that case, however, it cannot install them silently: a pop-up window is shown asking for the user's approval. During our analysis, we captured another sample downloaded from the C&C server, which turns out to be the DroidLive malware.
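The two helper scripts and the dropped apps leave exactly two kinds of artifact in the system partition: a setuid root shell and APKs that were never part of the firmware. The following added example (not code from the original post or from the malware) is a triage check for those artifacts. It walks a directory tree, normally the mounted /system or a directory extracted from a system image, rather than assuming a live device; the sample tree, the file names (bin/rootsh, com.example.dropped.apk) and the baseline it is compared against are constructed for the example:

```python
# Added example: post-compromise triage for the artifacts the page describes
# (a setuid root shell and extra APKs in the system partition). Point it at a
# mounted /system or an extracted image. The sample tree built by
# build_sample_tree() and its file names are constructed for illustration.

import os
import stat
import tempfile


def scan_system_partition(root: str, expected_apps: set) -> dict:
    """Return every setuid/setgid regular file under root, plus APKs in
    <root>/app that are not in the known-good baseline."""
    suid_binaries = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Skip symlinks: lstat() describes the link, not its target.
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                suid_binaries.append(os.path.relpath(path, root))

    app_dir = os.path.join(root, "app")
    present = set()
    if os.path.isdir(app_dir):
        present = {f for f in os.listdir(app_dir) if f.endswith(".apk")}

    return {
        "suid_binaries": sorted(suid_binaries),
        "unexpected_apps": sorted(present - expected_apps),
    }


def build_sample_tree(root: str) -> None:
    """Constructed sample: a stock-looking tree plus the two things the page
    says RootSmart's scripts add, a setuid shell and an extra app."""
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "app"))
    for rel in ("bin/toolbox", "bin/rootsh", "app/Settings.apk",
                "app/com.example.dropped.apk"):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"placeholder")
    # Hypothetical name for the dropped root shell; the bit is what matters.
    os.chmod(os.path.join(root, "bin", "rootsh"), 0o4755)


def demo_scan() -> dict:
    """Build the constructed tree in a temp dir and scan it against a
    baseline that knows only about Settings.apk."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_system_partition(root, expected_apps={"Settings.apk"})


if __name__ == "__main__":
    for key, value in demo_scan().items():
        print(f"{key}: {value}")
```

In practice the baseline should come from a clean copy of the same firmware build, since legitimate system images differ in which APKs they ship, and any setuid file that does not appear in that clean copy deserves a closer look.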

Mitigation:

Because RootSmart utilizes the GingerBreak root exploit and can be remotely controlled, we believe it poses a serious threat to mobile users. This particular malware was found in alternative Android markets, not in the official Android Market. For mitigation, please follow common-sense guidelines for smartphone security. For example,

Follow-ups:

Last modified: Feb 3rd, 2012