A new malware affecting the latest version of Google Inc.'s Android operating system, Gingerbread, is now out in the wild and masquerading as an app featuring the "Beauty of the Day" photos.
Computer security firm Sophos said Gingermaster, which threatens to root the Android device, is available from a Chinese alternative Android Marketplace.
"The malware purports to be a web view app which supposed to display 'Beauty of the day' pictures, though the content is downloaded from a website and not embedded as a part of the application resources," Sophos sophos said in a blog post.
A package downloaded by Sophos' Vanja Svajcer uses the following permissions:
android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES
But Svajcer said that while it displays the photos, Gingermaster creates a service that sends information using the standard HTTP POST method.
"The information submitted to the remote server includes the user identifier, number of the SIM card, telephone number, IMEI number, IMSI number, screen resultion and local time," he said.
He said the server responds with configuration parameters including the update frequency and the update URL, adding the responses are just simple JSON objects.
Gingermaster also generates an output log "logcat," which contains detailed information about what the malware has done so far.
Root exploit
If the root exploit is successful, the system partition is remounted as writable, and the malware installs added utilities to make removal difficult.
One these utilities, installsoft.png, contains code to install Android packages using the command line version of the package manager.
"This is an interesting technique which I have not seen before and nicely bypasses the Android permissions system by removing the requirement for declaring the 'uses-permission' INSTALL_PACKAGES in the Android manifest file," Svajcer said.
More malware detected as summer ending
SOURCE: http://adf.ly/2NyeV
Computer security firm Sophos said Gingermaster, which threatens to root the Android device, is available from a Chinese alternative Android Marketplace.
"The malware purports to be a web view app which supposed to display 'Beauty of the day' pictures, though the content is downloaded from a website and not embedded as a part of the application resources," Sophos sophos said in a blog post.
A package downloaded by Sophos' Vanja Svajcer uses the following permissions:
android.permission.READ_PHONE_STATE
android.permission.READ_LOGS
android.permission.DELETE_CACHE_FILES
android.permission.ACCESS_CACHE_FILESYSTEM
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_NETWORK_STATE
android.permission.INTERNET
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.MOUNT_UNMOUNT_FILESYSTEMS
android.permission.READ_OWNER_DATA
android.permission.WRITE_OWNER_DATA
android.permission.WRITE_SETTINGS
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.RESTART_PACKAGES
But Svajcer said that while it displays the photos, Gingermaster creates a service that sends information using the standard HTTP POST method.
"The information submitted to the remote server includes the user identifier, number of the SIM card, telephone number, IMEI number, IMSI number, screen resultion and local time," he said.
He said the server responds with configuration parameters including the update frequency and the update URL, adding the responses are just simple JSON objects.
Gingermaster also generates an output log "logcat," which contains detailed information about what the malware has done so far.
Root exploit
If the root exploit is successful, the system partition is remounted as writable, and the malware installs added utilities to make removal difficult.
One these utilities, installsoft.png, contains code to install Android packages using the command line version of the package manager.
"This is an interesting technique which I have not seen before and nicely bypasses the Android permissions system by removing the requirement for declaring the 'uses-permission' INSTALL_PACKAGES in the Android manifest file," Svajcer said.
More malware detected as summer ending
SOURCE: http://adf.ly/2NyeV
SOURCE: http://adf.ly/2R3SD
No comments:
Post a Comment