Android GinMaster

The document summarizes the evolution of the Android malware known as GinMaster across three generations. It began as a trojan that exploited a rooting vulnerability in early Android versions. The second generation used obfuscation techniques to hide URLs, commands, and other strings. The third generation employs complex obfuscation including overloaded method and variable names to make analysis very difficult. It encrypts most strings using a sophisticated decryption method. Overall, each generation shows increased sophistication in evading detection.

Uploaded by

Vivek Agrawal

Project Assignment

IV Semester Student Project Paradigms of Programming II

Android Project

Android GinMaster

Prepared by: 12IT97 12IT11 12IT08 12IT53 12IT91


March/April-2014

Department of Information Technology

National Institute of Technology, Karnataka

Table of Contents

1 What is GinMaster
2 Emergence of GinMaster
3 The Evolution of GinMaster Generations
4 Third Generation of GinMaster
5 Business Model of GinMaster
6 Conclusion

ABSTRACT
Android GinMaster is a trojanized application family targeting Android mobile devices. GinMaster has gone through three significant generations since it was first discovered by researchers from North Carolina State University on 17 August 2011. Primarily discovered inside China, there are now over 13,000 recognized variants. Our case study is based on the newest variants of GinMaster, which can successfully circumvent detection by mobile anti-virus software by employing polymorphic techniques to obscure malicious code, obfuscating class names for every infected object, and randomizing package names. We will start with the emergence of GinMaster and then move on to its successive evolution. Next we will describe the business model of GinMaster and its ecosystem. Finally we will contrast the evolution of malware on the PC and on Android. Although no foolproof solution to this problem has been found, we will cover the current efforts by anti-virus companies to address it.

1. What is GinMaster
Android GinMaster is a Trojanized and re-packaged application family distributed in Chinese third-party stores and targeting Android mobile devices. Trojan:Android/GinMaster was first seen in the Android Market for China by researchers from North Carolina State University. The exploit source code has been publicly available since April 2011. It is the first malicious software to take advantage of a rooting exploit that targets Android 2.3.3 (Gingerbread) devices to escalate privileges on the system. Based on the author's own description of the exploit and examination of its binary, it may also target Android 2.2 (Froyo) and 3.0 (Honeycomb) devices. GinMaster has gone through three significant generations since it was first found by researchers from North Carolina State University on 17 August 2011. During the last 26 months, over 13,000 samples spanning three significantly evolved generations have been found. The trojan contains a malicious service with the ability to root specific devices to escalate privileges. It also has the ability to modify and delete data on the device's SD card, steal confidential information and send it to a remote website, execute command-and-control services from the remote website, and download and install applications without any user interaction.

2. THE EMERGENCE OF GINMASTER

The first generation of GinMaster was released more than two and a half years ago. It was first exposed by researchers from North Carolina State University. It was the first Android malware to use a root exploit (GingerBreak) against Android 2.3 (code name: Gingerbread) devices. Therefore, the university research team called this new high-risk malware GingerMaster. Later, many anti-virus vendors noticed it and used the shortened name GinMaster. GingerBreak exploits a vulnerability in vold, the volume manager daemon, on Android 3.0 and 2.x before 2.3.4. Based on the author's description, it acquires root privileges via a negative index that bypasses a maximum-only signed integer check on the mPartMinors[] array, which triggers memory corruption. The malware is able to use GingerBreak to hide itself inside the Android system partition and avoid being deleted.

2.1 Phoning Home
The GinMaster malware is repackaged into legitimate apps. These legitimate apps are supposedly popular, to attract user downloads and installation. Within the repackaged apps, it registers a receiver so that it is notified when the system finishes booting. Inside the receiver, it silently launches a service in the background. The background service then collects various data, including the device ID, phone number and others, and uploads them to a remote server.

2.2 Launching the exploits

As specified earlier, the GinMaster malware carries the GingerBreak root exploit. The actual exploit is packaged into the infected app in the form of a regular file named gbfm.png. The name gbfm seems to be the acronym of "Ginger Break For Me", while the png suffix seems to be an attempt to make it look less suspicious. Once launched on Android 2.3.3 (and 2.2 according to anecdotal feedback), this exploit elevates the malware to root privilege. (NOTE: more than 90% of Android devices run Android 2.3.3 or below.) After that, GingerMaster attempts to install a root shell (with file mode 4755) into the system partition for later use.

2.3 Dropping more malware


After getting root privilege, GingerMaster malware will connect to the remote C&C server and wait for instructions. According to our investigation, the GingerMaster malware has the payload to silently download and install the app without users' awareness. More specifically, it can download the apk file from remote server and then install this app by executing "pm install" command in root shell.

3. THE EVOLUTION OF GINMASTER'S GENERATIONS

3.1 Close to polymorphism


At the start of 2012, a significant evolution of GinMaster was discovered by SophosLabs. The research revealed that the new variant was on the verge of being polymorphic mobile malware. The new variant has been injected into over 600 legitimate applications and has been distributed in Chinese third-party markets. We categorize this variant as the second generation of GinMaster. In order to evade detection by anti-virus software, this generation obfuscates class names and encrypts URLs as well as C&C commands (see Figure). It is impossible to catch this variant by matching on the class name or the URLs. The following code is the decryption module:

    public static String b(String paramString) {
        // d.b() is the Base64 decoder; every decoded byte is then XORed with the fixed key 0x78
        byte[] arrayOfByte = d.b(paramString).getBytes();
        for (int i1 = 0; i1 < arrayOfByte.length; i1++)
            arrayOfByte[i1] = (byte)(0x78 ^ arrayOfByte[i1]);
        return new String(arrayOfByte);
    }

The decryption module is quite straightforward and static. It XORs with the key 0x78 after decoding from Base64. The table displays a summary of encrypted strings and their corresponding outputs. As shown in the table, this variant uses a few new URLs as remote command-and-control servers. Moreover, the C&C commands are somewhat different from those in the first generation, but the malware has the ability to report package information about packages installed/uninstalled on the system, search for and list package information from remote websites, and download additional applications to the device without the user's consent. The second GinMaster generation is like the first in that it uses an SQLite database to store data including downloaded files, installed and uninstalled packages, and so on. Furthermore, it is interesting that the samples still use plain-text SQL statements rather than the encrypted strings used for URLs and C&C instructions. Keywords such as device ID, phone number, network type and others are also in plain text. It is also worth noting that GinMaster stops using the rooting exploit to escalate privileges on the system, and it uses an Intent to install application packages instead of the shell used in the previous generation.
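The Base64-then-XOR-0x78 scheme above is fixed, so an analyst can recover the hidden URLs and C&C commands of a second-generation sample by applying the inverse to every string constant pulled from its classes.dex. The following Python is an added example (not code from the paper or from the malware): decrypt_gen2 mirrors the Java b() routine, and find_decryptable_strings runs it over a list of candidate strings and keeps only those that decode to plausible plain text. The sample strings are constructed here from placeholder values, not real GinMaster indicators.

```python
import base64
import binascii
import string

# Second-generation GinMaster string scheme: Base64 decode, then XOR 0x78.
XOR_KEY = 0x78
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decrypt_gen2(enc: str) -> str:
    """Mirror of the Java b() routine: Base64 decode, then XOR each byte with 0x78."""
    raw = base64.b64decode(enc, validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def encrypt_gen2(plain: str) -> str:
    """Inverse of decrypt_gen2 (XOR is symmetric); used only to build the fixtures below."""
    xored = bytes(b ^ XOR_KEY for b in plain.encode("latin-1"))
    return base64.b64encode(xored).decode("ascii")


def looks_like_plaintext(s: str) -> bool:
    """Heuristic: printable ASCII only, at least 4 chars, and at least one letter."""
    return len(s) >= 4 and all(c in PRINTABLE for c in s) and any(c.isalpha() for c in s)


def find_decryptable_strings(candidates):
    """Try the gen-2 scheme on every string constant from a sample
    (e.g. the output of `strings` on classes.dex) and return the hits."""
    hits = {}
    for cand in candidates:
        try:
            plain = decrypt_gen2(cand)
        except (binascii.Error, ValueError):
            continue  # not valid Base64, so it cannot be one of the encrypted strings
        if looks_like_plaintext(plain):
            hits[cand] = plain
    return hits


# Constructed fixtures (placeholder values, not real GinMaster IoCs), mixed with
# ordinary Dalvik string constants that must not be reported as decrypted hits.
SAMPLE_PLAINTEXTS = ["http://c2.example.invalid/report", "pm install", "getDeviceId"]
SAMPLE_STRINGS = [encrypt_gen2(p) for p in SAMPLE_PLAINTEXTS] + [
    "MainActivity", "onCreate$1", "abc", "Landroid/app/Activity;"]

if __name__ == "__main__":
    for enc, plain in find_decryptable_strings(SAMPLE_STRINGS).items():
        print(f"{enc} -> {plain}")
```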

Figure: SQL statements in the 2nd generation

4. Third generation of GinMaster


About six months after the second generation was discovered (a year after the first generation), SophosLabs discovered something interesting in the latest GinMaster variants. The obfuscation and encryption of this generation are far more complex than in its two predecessors. Figure 4 illustrates the deep obfuscation and encryption of the package name, classes and strings of the third generation. The third generation takes advantage of an existing renaming technique, Overload Induction, to obfuscate classes, methods and variables. The renaming scheme assigns as many methods, classes or variables as possible to the same simple name. The code below demonstrates the use of Overload Induction: the class name is A, it has two private variables, TextView a and Button b, and it also has two methods with the same names, a and b. This technique makes the malware extremely hard to reverse engineer and detect. Moreover, it has another useful side effect, a reduction in file size.

    import android.app.Activity;
    import android.widget.Button;
    import android.widget.TextView;

    // Overload Induction: the class, its fields and its methods all reuse the same
    // one-letter names; only the types and descriptors tell them apart.
    public class A extends Activity {
        private TextView a;
        private Button b;
        private Button c;
        private String d;
        private String e;
        private String f;
        private int g;

        // Static accessor also named "a": returns the String field e
        static String a(A paramA) {
            String str = paramA.e;
            return str;
        }

        // Static accessor also named "b": returns the int field g
        static int b(A paramA) {
            int i = paramA.g;
            return i;
        }
    }

The decryption module is more comprehensive and convoluted than the one in the second generation. Firstly, nearly every keyword, URL, C&C instruction and SQL statement is encrypted. Secondly, instead of a simple XOR cipher, the decryption module is extremely complex. The table displays a few encrypted strings along with their corresponding plain text. The decryption method is detailed in Appendix A at the end of the paper. Thirdly, the third generation is starting to use polymorphic techniques to change the cipher codes for every decrypting method in order to evade detection.

5. THE BUSINESS MODEL OF GINMASTER

5.1 Growth of variants over time and generations breakdown
The figure displays the GinMaster trend line in a quarterly view from August 2011 to April 2013. As shown in the trend line, GinMaster has a constant and stable growth in volume. Starting from February 2012, there was an increase of between 500 and 1,500 new samples compared to the previous quarter. Over the last quarter, from February 2013 to April 2013, SophosLabs recorded over 4,700 new samples, and we anticipate around 6,000 to be collected in the next three months.

Apart from the rise in the total number of GinMaster samples, we also found that the highly obfuscated malware samples of the second and third generations make up nearly 95% of all GinMaster samples, as shown in the figure. It also shows that the second and third generations split these obfuscated malware samples almost in half.

5.2 Business Strategies of GinMaster


In order to maximize profit, the malware author has to keep the malicious applications on users' devices for as long as possible. The malware author uses the following three strategies to accomplish this objective.

Strategy 1
Pick the most suitable category to attract users.

Strategy 2
Re-packaging interesting and exciting applications for downloading.

Strategy 3
Frequently change the certificate and encryption algorithm to avoid detection.

6. CONCLUSION
The GinMaster ecosystem is a representative model of Chinese Android malware. It also reaches other developing countries such as Thailand and Vietnam. It makes use of the huge number of Android third-party stores and the lack of protection of privacy and copyright to distribute as many repackaged malicious applications as possible.

The infected devices are used to set up a mobile botnet via malicious code hidden in the modified app. However, instead of directly taking control of these zombie devices to make a profit from end users, the malware controller uses the botnet to generate millions of installations and huge volumes of advertising traffic for legitimate developers and advertising services respectively. As a consequence, they gain indirect income from third parties. Moreover, the malware author is able to increase the infection rate by using the detailed private data collected from every modified device. Advanced obfuscation and encryption techniques, along with the addition of randomized self-signed certificates, are used to evade detection by anti-virus products. In summary, the fight between good and evil in the Android ecosystem is just starting. The scale is far larger and the level is far higher than we expected, and there is no end to the fight in sight.
