
Doctor Web security researchers examined a new representative of adware for Android


New adware for Android attacked firmware and apps by well-known companies. In March, Doctor Web security researchers examined a new representative of this type of malware after it had been spotted in firmware of about 40 popular low-end smartphones and in several applications developed by well-known companies.

Trojans for Android are mainly designed to display advertisements and install unwanted software on mobile devices, “sponsoring” the authors of the malicious application. Thus, it is no wonder that adware Trojans are so popular among attackers.

This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (an SDK platform) of the kind usually used either by mobile device manufacturers or by software developers to expand the functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments. Although one may assume that Android.Gmobi.1 does not pose any threat, it, in fact, performs typical adware functions—thus, all applications infected by this malware are detected by Dr.Web for Android as malicious. Doctor Web specialists found that this SDK has already arrived on almost 40 mobile devices. In addition, the Trojan also compromised such Google Play apps as Trend Micro Dr.Safety, Dr.Booster, and Asus WebStorage. All the affected companies have already been informed about this incident, and they are currently considering possible solutions to this problem. Meanwhile, TrendMicro Dr.Safety and TrendMicro Dr.Booster have been updated and no longer pose a danger to Android users.

Trojan Android.Gmobi.1

The main purpose of Android.Gmobi.1 and its several modifications is to collect confidential information and send it to a remote server. For example, the Trojan’s versions embedded into TrendMicro Dr.Safety and TrendMicro Dr.Booster perform only the above-mentioned functions. However, in this article, we are going to focus on a more sophisticated modification that was designed to compromise the firmware of mobile devices.

Every time the device is connected to the Internet, or its home screen becomes active (after the screen has been off for more than one minute), Android.Gmobi.1 collects the following information and sends it to the server:

  • User emails
  • Roaming availability
  • GPS or mobile network coordinates
  • Information on the device
  • Geolocation of the user
  • Presence of a Google Play application on the device

The server replies with an encrypted JSON (JavaScript Object Notation) object that can contain the following commands:

  • Update the database with information about the advertisement to display.
  • Create an advertising shortcut on the home screen.
  • Display an advertising notification.
  • Display a notification that, when tapped, launches an installed application.
  • Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.

Depending on a received command, the Trojan starts displaying advertisements and performing other money-making actions. In particular, the Trojan is able to:

  • Display advertisements in the status bar.
  • Display advertisements in dialogs.
  • Display advertisements in interactive dialogs—tapping “Ok” leads to a text message being sent (only if the application in which the SDK is incorporated has the necessary privileges).
  • Display advertisements on top of running applications and the GUI of the operating system.
  • Open advertising webpages in the browser or in a Google Play application.

Besides, Android.Gmobi.1 can automatically run programs installed on the device by the user and download applications via specified links, thereby boosting the rating of this software.

Dr.Web for Android successfully detects all the known modifications of Android.Gmobi.1 only if they are not located in the system directories. If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims of Android.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.




Android.Gmobi.1

Added to Dr.Web virus database: 2016-03-12
Virus description was added: 2016-03-17

SHA1:

  • 90f044607f37ccc795af8a8d87eef2fae071104f
  • 45273fc93befb963015bbb99ae67bcf596412cc1 (dex)
  • 9fef8711a2cce4b2e46f93f29bc4b3153d719af1 (RockClient.odex , detected as Android.Gmobi.3)

A Trojan SDK (Software Development Kit) incorporated into Android applications. It is designed to display advertisements, download and install software, and collect confidential information. The malware was detected in such applications as com.rock.gota (system software for Micromax AQ5001 firmware update), Trend Micro Dr.Safety, Dr.Booster, and Asus WebStorage.
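The description names the package bundling the SDK in the Micromax firmware (com.rock.gota) and lists SHA1 hashes of the known samples. The following is an added triage script, not Doctor Web's code: it reads the output of `pm list packages -f` (as obtained over `adb shell`), matches the package names this page associates with the SDK, and separates system-partition hits, which require a firmware update from the manufacturer, from user-installed ones, which can simply be removed. The listing, the APK paths and the file bytes below are constructed; the package name com.trendmicro.dr.booster is taken from the server reply shown later on this page.

```python
import hashlib
import re

# Package names this page associates with the malicious SDK.
KNOWN_PACKAGES = {"com.rock.gota", "com.trendmicro.dr.booster"}

# SHA1 indicators listed in the description (copied from the page).
KNOWN_SHA1 = {
    "90f044607f37ccc795af8a8d87eef2fae071104f",
    "45273fc93befb963015bbb99ae67bcf596412cc1",
    "9fef8711a2cce4b2e46f93f29bc4b3153d719af1",
}

FIRMWARE_UPDATE = "system partition: ask the manufacturer for a firmware update"
UNINSTALL = "user partition: remove with the anti-virus or uninstall"

# One line of `pm list packages -f` looks like: package:/system/app/X.apk=com.x
LINE_RE = re.compile(r"^package:(?P<path>\S+)=(?P<pkg>[\w.]+)$")

# Constructed listing; the paths are placeholders, not real sample locations.
SAMPLE_LISTING = """\
package:/system/app/Gota/Gota.apk=com.rock.gota
package:/data/app/com.trendmicro.dr.booster-1/base.apk=com.trendmicro.dr.booster
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""


def parse_listing(text):
    """Return (package, apk_path) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("pkg"), m.group("path")))
    return entries


def triage(text, known=KNOWN_PACKAGES):
    """Flag known packages and say where they live, since that decides the remediation.

    A package-name match only says the app is one the SDK has been bundled in;
    the cleaned Trend Micro builds keep their names, so confirm with the hash.
    """
    hits = []
    for pkg, path in parse_listing(text):
        if pkg not in known:
            continue
        on_system = path.startswith("/system/")
        hits.append({
            "package": pkg,
            "path": path,
            "system": on_system,
            "remediation": FIRMWARE_UPDATE if on_system else UNINSTALL,
        })
    return hits


def is_known_sample(data):
    """True when the SHA1 of the given APK/dex bytes matches a listed indicator."""
    return hashlib.sha1(data).hexdigest() in KNOWN_SHA1


if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print(hit["package"], "->", hit["remediation"])
    print(is_known_sample(b"constructed bytes, not a real sample"))
```

On a real device the listing comes from `adb shell pm list packages -f`, and the APK at the reported path can be pulled with `adb pull` and hashed to compare against the indicators.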

Every time the infected device is turned on (android.intent.action.BOOT_COMPLETED) or new applications are installed on the device (android.intent.action.PACKAGE_ADDED), Android.Gmobi.1 uses the ActionMonitor system event receiver (BroadcastReceiver) to launch ActionService.

Then ActionService checks whether other components of the malware are active and, if necessary, executes them. ActionService starts the AlarmManager system service that sends messages to ActionMonitor every 60 seconds—thus, ActionService works continuously.
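The boot-time persistence described above shows up in static analysis as a BroadcastReceiver declared for BOOT_COMPLETED and PACKAGE_ADDED, together with the RECEIVE_BOOT_COMPLETED permission that the first of those broadcasts requires. The following is an added example, not Doctor Web's tooling: it scans a decoded AndroidManifest.xml (as produced by apktool, for instance) for that receiver pattern and lists the declared services. The manifest is constructed; the package prefix com.example.bundled is a placeholder, and only the class names ActionMonitor, ActionService and LocationService come from this description.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # android:name attribute in namespaced form

# Broadcasts this description ties to ActionMonitor's relaunch of ActionService.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.PACKAGE_ADDED",
}
# Without this permission a BOOT_COMPLETED filter never fires.
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed manifest modelled on the component names in the description.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.bundled">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Bundled app">
    <receiver android:name="com.example.bundled.sdk.ActionMonitor">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.bundled.ui.WidgetProvider">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
    <service android:name="com.example.bundled.sdk.ActionService"/>
    <service android:name="com.example.bundled.sdk.LocationService"/>
  </application>
</manifest>
"""


def receiver_actions(manifest_xml):
    """Map each declared <receiver> class to the set of actions it filters on."""
    root = ET.fromstring(manifest_xml)
    return {
        r.get(NAME, ""): {a.get(NAME, "") for a in r.iter("action")}
        for r in root.iter("receiver")
    }


def declared_services(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return sorted(s.get(NAME, "") for s in root.iter("service"))


def has_permission(manifest_xml, perm):
    root = ET.fromstring(manifest_xml)
    return any(p.get(NAME) == perm for p in root.iter("uses-permission"))


def persistence_report(manifest_xml):
    """Receivers wired to boot / package-install broadcasts, plus supporting facts."""
    receivers = {
        name: sorted(actions & PERSISTENCE_ACTIONS)
        for name, actions in receiver_actions(manifest_xml).items()
        if actions & PERSISTENCE_ACTIONS
    }
    return {
        "receivers": receivers,
        "boot_permission": has_permission(manifest_xml, BOOT_PERMISSION),
        "services": declared_services(manifest_xml),
    }


if __name__ == "__main__":
    report = persistence_report(SAMPLE_MANIFEST)
    for name, actions in report["receivers"].items():
        print(name, "listens for", ", ".join(actions))
    print("RECEIVE_BOOT_COMPLETED declared:", report["boot_permission"])
    print("services:", report["services"])
```

A boot receiver on its own is common in legitimate apps; what makes this pattern worth a closer look is the combination with a package-install trigger, a long-running service that an alarm keeps restarting, and the network behaviour described in the rest of this page.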

ActionActivity

One of the receivers (BroadcastReceiver) registered in ActionMonitor monitors the status of the device’s screen. Once it detects that the screen is on (android.intent.action.SCREEN_ON), the receiver checks its local databases for advertisements to display. If it finds any, ActionActivity is launched. ActionActivity performs the following advertising actions:

  • Displays advertisements in the status bar
  • Displays advertisements in dialogs
  • Displays advertisements in interactive dialogs—tapping “Ok” leads to a text message being sent (if the application in which the SDK is incorporated has the necessary privileges)
  • Displays advertisements on top of running applications and the GUI of the operating system
  • Opens advertising webpages in the browser or in a Google Play application
  • Automatically runs applications already installed on the device by the user
  • Downloads applications using the DownloadManager system service via initially prepared links, which are covertly added to the user’s download queue

PushThread

PushThread is launched once an Internet connection is established or the home screen becomes active. It terminates 60 seconds after the home screen is turned off, or when there is no Internet connection. It then updates the database with a list of applications installed on the device.

It collects the following information:

  • User emails
  • Roaming availability
  • GPS or mobile network coordinates
  • Information on the device, such as the device’s manufacturer, IMEI and IMSI identifiers, MAC address of a Bluetooth and a Wi-Fi adapter, screen size, information about an application with the malicious SDK, the SDK version, and other data
  • Geolocation of the user found by GPS coordinates (if GPS is not available, information obtained from NetworkCountryIso, the SIM card, or Locale is used)
  • Presence of a Google Play application on the device

This data is then encrypted and sent to the http: / / api.fotapro.com/api/push/connect server. The data sent by the Trojan may look as follows:

{
  "device": {
    "sdk_b": "2015.03.18.1",
    "os_v": "4.1.2",
    "lang": "en",
    "id": "54be457a2c47a2981219219c",
    "gprs": false,
    "updated": false,
    "app_v": "01.03.03",
    "sdk": "go2sync",
    "roaming": false,
    "wmac": "9C:3A:AF:51:01:F6",
    "sw": 480,
    "bmac": "9C:3A:AF:51:01:F5",
    "os": "android",
    "app": "com.rock.gota",
    "sn": "4da348e981cfee7d",
    "imei": "356507059351894",
    "sd": true,
    "loc": {
      "lat": 59.9588551,
      "lng": 30.3187445
    },
    "emails": [
      "XXXXX@gmail.com"
    ],
    "sh": 800,
    "cid": "B40CF4E8F83EEA83CD65C119F2B1AAD7",
    "sdk_v": "2.0",
    "country": "ru",
    "wifi": true,
    "sa": false,
    "ua": "android;MANUFACTURER\/samsung;MODEL\/GT-I8190;BOARD\/DB8520H;BRAND\/samsung;DEVICE\/golden;HARDWARE\/samsunggolden;PRODUCT\/goldenxx",
    "brand": "Samsung",
    "imsi": "",
    "gp": true
  },
  "ac": "D603ECE5139479DD9D55A36FE8E10B73",
  "last": "6262634407211827200,2016031613,D603ECE5139479DD9D55A36FE8E10B73"
}

The server replies with an encrypted JSON (JavaScript Object Notation) object, which contains a configuration file with the TCP server address (tcp://) and the “mode” parameter. Depending on this parameter, PushThread can connect to the server in order to receive a similarly structured JSON object that contains the “messages” commands.

It can execute the following commands:

  • Update the database with information about the advertisement to display
  • Create an advertising shortcut on the home screen (tapping this shortcut leads to the launch of ActionActivity)
  • Display an advertising notification (tapping this notification leads to the launch of ActionActivity)
  • Display a notification that, when tapped, launches an installed application
  • Automatically download and install APK files using ReliableDownloadManager (the installation is not covert)
  • Covertly install APK files by means of ReliableDownloadManager (pm install is used)

The above-mentioned commands can contain the following filters:

  • By IMEI identifier
  • By the name of the application with the malicious SDK
  • By the user geolocation
  • By current mobile network
  • By the device’s manufacturer

The server may reply with:

{
  "server": "tcp://0.0.0.0",
  "chs": [
  ],
  "did": "56e2c66b31409b5725270a9d",
  "sid": "56e2c66b31409b5725270a9d-com.trendmicro.dr.booster",
  "brand": "Google",
  "ac": null,
  "messages": [
  ],
  "last": "6260771250398822400,2016031113,",
  "fileUrl": "http://cdn.fotapro.com/files/{id}",
  "enabled": true,
  "mode": 3,
  "fs": [
  ],
  "ri": 300,
  "log": false
}

The “ri” parameter received from the server specifies a number of seconds. When that time runs out, the information from the “Data” database is uploaded to http: / / api.fotapro.com/api/data/d.
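The beacon shown earlier and the server reply above together describe the whole control channel: which identifiers leave the device, which TCP server and file host the SDK is pointed at, and how often the “Data” database is uploaded. The following is an added triage script, not Doctor Web's code: it pulls the populated sensitive fields out of a captured beacon, summarises the configuration in a reply, and picks the requests to the two server paths named on this page out of a proxy log. The beacon, reply and log lines are constructed (with placeholder identifiers); only the host names, paths and field names come from the page.

```python
import json
from urllib.parse import urlsplit

# "device" fields that carry identifiers or personal data, per the description above.
SENSITIVE_DEVICE_FIELDS = {
    "imei": "IMEI",
    "imsi": "IMSI",
    "wmac": "Wi-Fi MAC address",
    "bmac": "Bluetooth MAC address",
    "sn": "device serial number",
    "emails": "account e-mail addresses",
    "loc": "GPS/mobile-network coordinates",
}

# Server paths this page names for the beacon and the "Data" database upload.
C2_HOSTS = {"api.fotapro.com"}
C2_PATHS = {"/api/push/connect", "/api/data/d"}

# Constructed beacon with placeholder values; "imsi" is left empty as in the capture.
SAMPLE_BEACON = json.dumps({
    "device": {
        "app": "com.rock.gota", "sdk": "go2sync",
        "imei": "000000000000000", "imsi": "",
        "wmac": "00:11:22:33:44:55", "bmac": "00:11:22:33:44:56",
        "sn": "constructedserial",
        "emails": ["user@example.com"],
        "loc": {"lat": 0.0, "lng": 0.0},
        "roaming": False, "gp": True,
    },
    "ac": "CONSTRUCTED", "last": "0,2016031613,CONSTRUCTED",
})

# Constructed reply; the command object inside "messages" is a placeholder shape.
SAMPLE_REPLY = json.dumps({
    "server": "tcp://0.0.0.0", "chs": [],
    "did": "constructed", "sid": "constructed-com.rock.gota",
    "messages": [{"t": "placeholder-command"}],
    "fileUrl": "http://cdn.fotapro.com/files/{id}",
    "enabled": True, "mode": 3, "ri": 300, "log": False,
})

# Constructed proxy log in a simple "METHOD URL" format.
SAMPLE_LOG = [
    "POST http://api.fotapro.com/api/push/connect",
    "GET http://example.com/index.html",
    "POST http://api.fotapro.com/api/data/d",
]


def exfiltrated_fields(beacon_json):
    """Return {field: description} for every sensitive field actually populated."""
    device = json.loads(beacon_json).get("device", {})
    return {k: label for k, label in SENSITIVE_DEVICE_FIELDS.items()
            if device.get(k) not in (None, "", [], {})}


def c2_summary(reply_json):
    """Summarise the control channel a server reply configures."""
    reply = json.loads(reply_json)
    return {
        "tcp_server": urlsplit(reply.get("server", "")).hostname,
        "payload_host": urlsplit(reply.get("fileUrl", "")).hostname,
        "mode": reply.get("mode"),
        "enabled": reply.get("enabled"),
        "upload_interval_s": reply.get("ri"),   # the "ri" timer, in seconds
        "pending_commands": len(reply.get("messages", [])),
    }


def matching_requests(log_lines):
    """Pick the log lines whose URL hits one of the named server endpoints."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        url = urlsplit(parts[1])
        if url.hostname in C2_HOSTS and url.path in C2_PATHS:
            hits.append(line)
    return hits


if __name__ == "__main__":
    print(exfiltrated_fields(SAMPLE_BEACON))
    print(c2_summary(SAMPLE_REPLY))
    print(matching_requests(SAMPLE_LOG))
```

The beacon fields are only readable like this after the transport-layer encryption the page mentions has been removed (for instance from an instrumented build of the app); in a proxy log the requests themselves are what remains visible, which is why the third function keys on host and path alone.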

Once PushThread has performed all its functions, it waits a few seconds before relaunching in an infinite loop. It keeps operating until there is no Internet connection, the home screen is turned off, or it receives the “push/disable” command from an application containing the malicious SDK.

The ReliableDownloadManager component

The component downloads APK files and covertly installs applications on the device. Once executed by ActionService, it uses android.net.conn.CONNECTIVITY_CHANGE to monitor whether an Internet connection is established. It places the received commands for APK file downloading into a Map. Once an Internet connection is detected, this component downloads the necessary files and tries to install them using a standard system dialog or getPackageManager().installPackage(…). If it fails to install the files with the help of installPackage(…), it executes the “su pm install” command.

This module is also used to install additional files—for example, advertising shortcuts or images.

LocationService

It starts operating after being executed by ActionService and registers receivers to monitor the status of the device’s home screen. It then calculates the overall time of screen activity. If the screen has been active for more than an hour, it uses GPS or mobile network coordinates to determine the device’s geolocation. Then, by means of http://maps.googleapis.com, it obtains the exact location of the device (road, county, state, state district, country, country_code, region, town, city) and its current coordinates.

This information is saved into SharedPreferences and the local database under the location_send_server_data key. As long as SharedPreferences contains information for location_send_server_data, new coordinates are not saved.

The device’s current coordinates are sent directly to an application containing the malicious SDK as the reply to the “GetSalesTrackInfo” command. In this case, the SDK can perform such commands as:

  • GetSalesTrackInfo
  • push/disable
  • push/enable
  • data/
  • GetSDKUsedTime

AppUsageMonitor

It is created and launched by the receivers registered in ActionService that monitor the status of the home screen. While the screen is active, it runs a TimerTask every 5 seconds. This task checks the list of running applications and adds information about them to the local database in the “application + status” format.

If one of the running applications is specified in SharedPreferences, the “Reward Action” function is performed. This function is presumably designed to generate a profit with every download and launch of advertised applications. Once the home screen is off, TimerTask is canceled.

