Rowland Yu Sophos
download slides (PDF)
Android GinMaster is a trojanized application family targeting Android mobile devices. GinMaster has gone through three significant generations since it was first found by researchers from North Carolina State University on 17 August 2011. Originally discovered in mainland China, there now over 6,000 known variants. Our investigation reveals that new variants of GinMaster can successfully avoid detection by mobile anti-virus software by using polymorphic techniques to hide malicious code, obfuscating class names for each infected object, and randomizing package names and self-signed certificates for applications.
Android GinMaster is distributed in third-party app markets in China. Our research indicates that attackers inject GinMaster code into thousands of legitimate game, ringtone and sexy picture applications. These applications have more chance to lure mobile users into installing the malware. The application also contains a malicious service with the ability to root devices to escalate privileges, steal confidential information and send to a remote website, as well as install applications without user interaction.
This paper will give an overview of three generations of the GinMaster family, examine their core malicious functionality, track their evolution from source code, and present notable techniques utilized by specific variants.
Finally, the paper will attempt to answer the following questions from a technical perspective:
VB2013 takes place 2-4 October 2013 in Berlin, Germany.
The full programme for VB2013, including abstracts for each paper, can be viewed here.
