RootSmart Android malware
| RootSmart Android malware | |
|---|---|
| Botnet | |
| Malware | RootSmart |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 (10 February 2012) |
| Editor/Conference | InfoSec Institute |
| Link | http://resources.infosecinstitute.com/rootsmart-android-malware/ |
| Author | Quequero |
| Type | Publication |
Abstract
“Android’s increasing popularity, combined with the possibility to create alternative markets, makes this platform a fertile ground for malware authors. While most of these applications just exploit the inexperience of the average user that is looking for free software, others are pretty smart and use more sophisticated techniques to take, and keep, control of the infected devices.
Lately it came to my attention that a new malware was taking advantage of the famous GingerBreak exploit to gain root privileges on infected phones. RootSmart, the name given to the malware by the people who identified it first, is the second application found in the wild making use of an exploit (the first one was GingerMaster, detected back in August 2011).
RootSmart is actually, well… smart, kind of. The exploit is not embedded into the package, probably in an attempt to appear less suspicious to the AV systems, but is downloaded from a remote webserver alongside other malicious packages. Additionally, a bit of cryptography is used to deter the analyst from reverse engineering the application.”
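The abstract describes a dropper pattern rather than an embedded exploit: the root exploit and further packages are fetched from a remote server at runtime, and crypto is used to hide the details from an analyst. The following triage script is an added example, not code from the InfoSec Institute article or from the RootSmart sample. It scores an app's extracted string table (for instance the output of `strings classes.dex`) for that combination of traits: remote fetch, runtime execution or class loading, and crypto API use. The indicator patterns and the two sample string tables are constructed assumptions for illustration, not strings recovered from the real malware.

```python
"""Heuristic triage for Android apps that download and run code at runtime.

Added example; the indicator lists and sample inputs are constructed for
illustration and are not indicators taken from the RootSmart sample.
"""
import re
from typing import Dict, Iterable, List

# Indicator patterns grouped by the behaviour they suggest (assumed, generic).
INDICATORS: Dict[str, List[str]] = {
    # Pulling payloads from a remote server instead of shipping them in the APK.
    "remote_fetch": [
        r"Ljava/net/URL;", r"Ljava/net/HttpURLConnection;",
        r"Lorg/apache/http/client/HttpClient;", r"https?://[\w./-]+",
    ],
    # Writing a fetched file and executing it, or loading it as code.
    "runtime_exec": [
        r"Ljava/lang/Runtime;->exec", r"Ljava/lang/ProcessBuilder;",
        r"Ldalvik/system/DexClassLoader;", r"\bchmod\b",
    ],
    # Crypto that can hide URLs, config or downloaded payloads from an analyst.
    "crypto": [
        r"Ljavax/crypto/Cipher;", r"Ljavax/crypto/spec/SecretKeySpec;",
        r"Ljavax/crypto/spec/DESKeySpec;",
    ],
}

COMPILED = {name: [re.compile(p) for p in pats] for name, pats in INDICATORS.items()}


def scan_strings(strings: Iterable[str]) -> Dict[str, List[str]]:
    """Return, per indicator group, the distinct strings that matched."""
    hits: Dict[str, List[str]] = {name: [] for name in COMPILED}
    for s in strings:
        for name, pats in COMPILED.items():
            if any(p.search(s) for p in pats) and s not in hits[name]:
                hits[name].append(s)
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """Combine group hits into a triage label.

    Network access or crypto alone is normal for legitimate apps, so neither
    raises the label by itself. The combination that matters is fetch + exec
    (code that is downloaded and then run); crypto on top of that is the
    pattern the abstract describes and gets the strongest label.
    """
    fetch = bool(hits["remote_fetch"])
    run = bool(hits["runtime_exec"])
    crypt = bool(hits["crypto"])
    if fetch and run and crypt:
        return "review: downloads, runs and encrypts payloads"
    if fetch and run:
        return "review: downloads and runs code"
    return "no dropper pattern"


# Constructed string tables standing in for `strings classes.dex` output.
BENIGN_SYNC_APP = [
    "Ljava/net/HttpURLConnection;", "https://sync.example.invalid/api",
    "Ljavax/crypto/Cipher;", "Ljavax/crypto/spec/SecretKeySpec;",
    "Landroid/widget/TextView;",
]
SUSPECT_APP = [
    "Ljava/net/URL;", "http://update.example.invalid/pkg",
    "Ljava/lang/Runtime;->exec", "chmod 755",
    "Ldalvik/system/DexClassLoader;", "Ljavax/crypto/Cipher;",
    "Ljavax/crypto/spec/DESKeySpec;",
]

if __name__ == "__main__":
    for label, table in (("benign", BENIGN_SYNC_APP), ("suspect", SUSPECT_APP)):
        hits = scan_strings(table)
        print(label, "->", verdict(hits))
        for group, matched in hits.items():
            if matched:
                print("   ", group, matched)
```

This is a triage aid, not a detection rule: updaters, plugin frameworks and anything using `DexClassLoader` legitimately will also score, so a "review" label should route the sample to manual analysis rather than to a verdict.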
Bibtex
@misc{2012BFR866,
  editor = {InfoSec Institute},
  author = {Quequero},
  title = {RootSmart Android malware},
  date = {2012-02-10},
  month = feb,
  year = {2012},
  howpublished = {\url{http://resources.infosecinstitute.com/rootsmart-android-malware/}},
}