Advertisment

Are you installing Nintendo Entertainment System (NES) emulator games? Your wallet is at risk

Gunpoder is a new Android malware that evades antivirus detection by using popular ad libraries

author-image
Sonal Desai
New Update
Malware

MUMBAI, INDIA: Geeks beware. A new malware is on the prowl.

Advertisment

Palo Alto Networks has discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal Web service.

While researching samples, Unit 42, the threat intelligence team of the company noted that they contained many characteristics of adware, embedded as a popular adware library within it.

Some of these characteristics include:
• Collecting sensitive information from users
• Propagating itself via SMS message
• Potentially push fraudulent advertisements
• Ability to execute additional payloads

Advertisment

The targets:
Gunpoder targets Android users in at least 13 different countries, including Iraq, Thailand, India, Indonesia, South Africa, Russia, France, Mexico, Brazil, Saudi Arabia, Italy, United States, and Spain.

One interesting observation from the reverse engineering of Gunpoder is that this new Android family only propagates among users outside of China, Palo Alto said.

Gunpoder targets users not residing in China. Samples observed support online payments, including PayPal, Skrill, Xsolla and CYPay.

Advertisment

How it works:
By examining the reverse-engineered samples, the malware author applied the following unique techniques to evade antivirus detection:

Legit ad libraries: The Gunpoder malware includes legitimate advertisement libraries within the samples.

The malware samples successfully use these advertisement libraries to hide malicious behaviors from detection by antivirus engines.

Advertisment

While antivirus engines may flag Gunpoder as being adware, by not flagging it as being overtly malicious, most engines will not prevent Gunpoder from executing.

Nintendo: Gunpoder samples embed malicious code within popular Nintendo Entertainment System (NES) emulator games, which are based on an open source game framework, by re-packaging open source Android applications with malicious code. Gonpoder makes use of this technique, which makes it difficult to distinguish malicious code during static analysis.

For instance, Gunpoder samples pretend to be NES games. After installation, the malware will present a declaring statement when opened for the first time. This statement explicitly tells users that this app is ad-supported and allows the advertising library to collect information from the device.

Advertisment

The modus operandi:
Once launched, the app will actively pop up a dialog to ask users to pay for a lifelong license of this game. If the user clicks the Great! Certainly! button, a payment dialog will pop up, including PayPal, Skrill, Xsolla (the transaction link is no longer active) and CYPay.

The hackers than inject the Gunpoder virus by sending SMS to selected contacts with links to download Gunpoder. Due to the size of SMS messages, the download links are Google short URLs: http://goo.gl/KVhRwC (active in June 2015), http://goo.gl/OpnVHv (not active in June 2015).

The propagation SMSs are sent out in two scenarios. One, when the main activity is paused by the user; this makes it difficult for most dynamic analysis antivirus engines to trigger the sending behaviors.

Advertisment

Two, when the user refuses to make a payment to activate the cheating mode (ie clicking the Next Time button). In this case, Gunpoder will ask the user to share a fun game, which is actually a variant of the malware.

Potential fraudulent advertisements:
The Gunpoder malware was discovered to aggressively push fraudulent advertisements to victims via the legitimate advertisement library.

The fraudulent advertisement page attempts to mimic a Facebook page. It requests that victims finish a number of surveys and asks them to install various applications in order to receive a gift.

Advertisment

The captured Gunpoder logs include information about these logs as well. The malware collects and uploads very detailed user/device information from the victim, including the victim’s device id, device model and current location.

The impact:
It was discovered that Gunpoder steals victims’ browser history and bookmark information. Additionally, it collects information about all installed packages on the victim’s device. It also provides capabilities for executing payloads. The dynamic code for loading and executing the payload after decrypting reside in com.fcp.a and com.fx.a components.

Thus far, Palo Alto Networks has traced 49 unique samples of the Gunpoder family.

Specifically, variants of group 1 (12 samples) can propagate via SMS and entice users to make a payments. Variants of group 2 (16 samples) can only entice users to make a payment, and variants of group 3 (21 samples) do not contain SMS propagation or entice users to make payments. Group 3 was discovered to be the newest of the Gunpoder malware variants.

Furthermore, the same certificate signed the first and second variants, while a different certificate signed the third variant. While the certificate varies between these groupings of variants, Palo Alto suspects that the same malware author wrote all of these samples.

The security vendor warns that users will have to foot a large bill, if they are tricked. The fake payment costs users only about $0.49 or $0.29, but the bill caused by sending SMS is much more than this. The total amount of the SMS bill depends on how many contacts reside in users’ devices.

palo-alto-networks tech-news must-read