Installation
Trojan:AndroidOS/GingerMaster.A may be downloaded from third-party Android markets on the Internet.
Upon installation, it displays the following information on the device, outlining its capabilities:

Payload
Steals information
TrojanSpy:AndroidOS/GingerMaster.A is capable of doing the following:
- Accessing the Internet
- Accessing your device's SD card (including modifying and deleting the card contents)
- Modifying your device's settings and system files
- Gaining highest privilege on your device's operating system
- Downloading other potentially arbitrary, possibly malicious files onto the device
Trojan:AndroidOS/GingerMaster.A contains exploit code masquerading as an image file named 'gbfm.png', which is detected as Exploit:AndroidOS/CVE-2011-1823, and may allow a remote attacker to gain administrator privilege to the underlying operating system of the mobile device.
The malware can steal the following information stored on the device, and save it to a file named 'game_service_package.db', before sending the information to the remote address 'client.mustmobile.com' via HTTP POST:
- Device ID (IMEI)
- Subscriber ID (IMSI)
- Model
- Manufacturer
- SIM Serial number
- Line number
- CPU
- Network Type
- UserId
It is also capable of downloading and installing other potentially malicious files onto the compromised device; in the wild, we have observed it downloading a file named '19225910801.apk' from the above-mentioned remote server.
Analysis by Marianne Mallen