GinMaster: a case study in Android malware

Rowland Yu, Sophos


Android GinMaster is a trojanized application family targeting Android mobile devices. GinMaster has gone through three significant generations since it was first found by researchers from North Carolina State University on 17 August 2011. It was originally discovered in mainland China, and there are now over 6,000 known variants. Our investigation reveals that new variants of GinMaster can successfully avoid detection by mobile anti-virus software by using polymorphic techniques to hide malicious code, obfuscating class names for each infected object, and randomizing package names and self-signed certificates for applications.

Android GinMaster is distributed in third-party app markets in China. Our research indicates that attackers inject GinMaster code into thousands of legitimate game, ringtone and sexy picture applications. These applications are more likely to lure mobile users into installing the malware. The application also contains a malicious service with the ability to root devices to escalate privileges, steal confidential information and send it to a remote website, and install applications without user interaction.

This paper will give an overview of three generations of the GinMaster family, examine their core malicious functionality, track their evolution from source code, and present notable techniques utilized by specific variants.

Finally, the paper will attempt to answer the following questions from a technical perspective:

  • What techniques link the three generations of the GinMaster family together?
  • What makes them grow in volume and complexity?
  • Who is behind them?
  • What business model drives their profits?

The paper will also compare the development of PC malware and Android malware.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
