Last August, we reported the first Android malware, GingerMaster, which makes use of the GingerBreak root exploit (affecting Android devices running versions below 2.3.3 and 3.0). Today, my research team, in collaboration with NQ Mobile, has identified a new malware called RootSmart that follows in GingerMaster's footsteps and becomes the second to utilize the GingerBreak exploit.
Different from GingerMaster, this new malware does not directly embed the root exploit inside the app. Instead, it dynamically fetches the GingerBreak root exploit from a remote server and then executes it to escalate its privilege. Such an attack is reminiscent of an earlier proof-of-concept app called RootStrap, written by Jon Oberheide to demonstrate exactly this capability. RootSmart substantiates this threat in earnest as the first such malware in the wild. It is also reminiscent of the earlier Plankton spyware, although Plankton does not contain any root exploit.
After obtaining root privilege, RootSmart will further silently download and install other malware from a remote server without the user's knowledge. During our analysis, we successfully captured a DroidLive malware sample that was downloaded from the remote C&C server.
Specifically, when started, RootSmart connects to its C&C server and sends various information collected from the phone. Our analysis shows that the collected information includes the Android OS version number, the device IMEI number, and the package name. To impede reverse engineering, the malware does not include the C&C server URL in plaintext. Instead, it stores the C&C URL encrypted inside a raw resource file, and the key used to decrypt this resource file is generated by feeding a fixed seed number (stored in the manifest file) to the Java random number generator. The following screenshot shows the encrypted C&C server in the raw resource file.
After that, RootSmart downloads the GingerBreak root exploit from the remote server and launches it to obtain root privilege on infected phones. The downloaded root exploit is delivered in a zip file named shells.zip, which contains the actual GingerBreak root exploit and two additional helper scripts. The first script is used to install a root shell into the system partition, and the second script is used to install additional apps, also into the system partition. The following figure shows the second script.
Last modified: Feb 3rd, 2012