Microsoft security software detects and removes this threat.
This malicious program affects mobile devices running the Android operating system. It can give a remote hacker access to your mobile device.
This threat might be bundled with clean applications.

What to do now

Install security software on your device
This malware affects Android devices. 

Threat behavior


Trojan:AndroidOS/GingerMaster.A may be downloaded from the Internet from third-party Android markets.

Upon installation, it displays the following information on the device, outlining its capabilities:


Steals information

TrojanSpy:AndroidOS/GingerMaster.A is capable of doing the following:

  • Accessing the Internet
  • Accessing your device's SD card (including modifying and deleting the card contents) 
  • Modifying your device's settings and system files 
  • Gaining highest privilege on your device's operating system 
  • Downloading other potentially arbitrary, possibly malicious files onto the device

Trojan:AndroidOS/GingerMaster.A contains an exploit code masquerading as an image file named 'gbfm.png', which is detected as Exploit:AndroidOS/CVE-2011-1823, and may allow a remote attacker to gain administrator privilege to the underlying operating system of the mobile device. 

The malware can steal the following information stored on the device, and save it to a file named 'game_service_package.db', before sending the information to the remote address '' via HTTPPOST:

  • Device ID (IMEI)
  • Subscriber ID (IMSI)
  • Model
  • Manufacturer
  • SIM Serial number
  • Line number
  • CPU
  • Network Type
  • UserId

It is also capable of downloading and installing other potentially malicious files onto the compromised device; in the wild, we have observed it downloading a file named '19225910801.apk' from the above mentioned remote server.

Analysis by Marianne Mallen


System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:



Alert level: Severe
First detected by definition: 1.111.839.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Aug 26, 2011
This entry was first published on: Aug 26, 2011
This entry was updated on: Oct 11, 2013

This threat is also detected as:
  • Android.Gingersploit.2 (Dr.Web)
  • Backdoor.AndroidOS.GinMaster.a (Kaspersky)
  • Linux/Exploit-Lotoor (McAfee)
  • Andr/Gmaster-A (Sophos)