Palo Alto Networks’ Unit 42 team on Tuesday published a report on Gunpoder, a family of Android malware that can evade detection scans by pretending to be adware. Cong Zheng and Zhi Xu authored the report.
The team discovered the new Android malware last November. Its new report aims to spur cooperation within the security community to mount defenses against the threat.
The name “Gunpoder” comes from the main malicious component the researchers identified in the malware code. It bypasses antivirus software’s malware scans by pretending to be adware, most noticeably by including the Airpush advertisement library.
The Unit 42 team found 49 unique samples across three different variants. That finding highlights the fine line between adware, which is annoying but otherwise harmless, and malware, which can cause harm.
Gunpoder reflects a trend researchers first observed last April: Malware authors have been repackaging Android applications with malicious code, making it difficult for antivirus scanners that perform static analysis to spot it.
The captured samples exhibit characteristics typical of both adware and malware. Gunpoder tricks Android users into clicking on a fraudulent ad. It then collects sensitive information from their devices and spreads itself via SMS messages and Google short URLs. The malware potentially can execute additional payloads.
“Traditional antimalware vendors completely missed the boat on this one. The actual Gunpoder malware itself is not that complex or sophisticated,” said Scott Simkin, senior threat intelligence manager at Palo Alto Networks.
What It Does
Gunpoder displays a notification that includes the Airpush library. It may have been added intentionally in order to use the Airpush library as a scapegoat, the researchers suggested.
Gunpoder samples embed malicious code within popular Nintendo Entertainment System (NES) emulator games, which are based on an open source game framework.
After installation, the malware presents a statement telling users that this app is ad-supported, and it allows Airpush to collect information from the device. Once launched, the app pops up a dialog to ask users to pay for a “lifelong” license for the game.
If the user clicks the “Great! Certainly!” button, a payment dialog appears. Users need to pay via a PayPal or Skrill account.
The payment dialog also pops up when users click the “Cheats” option within the app. In fact, the malware author added this malicious payment function to the “Cheats” option, which is free in the original app.
The original project did not have the Cheats option. The researchers compared the code between Gunpoder and the open source project and determined that the malware author added the payment functionality.
If the user refuses to make a payment to activate the Cheats mode, the malware offers a “Next Time” button. In that case, Gunpoder asks the user to share a “fun game,” which is actually a variant of the malware family, according to the Palo Alto Networks report.
Either way, the damage is done. The user is tricked into clicking on a button to execute the malware.
Worst Fears Come True
Gunpoder is a nasty class of malware. It tricks users into spreading the virus to all their friends, and gains lots of personal information that exposes them to future unknown hostile payloads, observed Rob Enderle, principal analyst at the Enderle Group.
“One of the biggest concerns surrounding open source in general was the apparent ease in subverting the legitimate applications and games to weaponize them secretly, turning them into malware,” he told LinuxInsider.
This malware family clearly showcases those well-founded concerns and suggests Android device users must be particularly vigilant when it comes to installing anything, particularly if it is side-loaded and not out of the Android store, Enderle added.
“I wonder how many other games on Android that we haven’t analyzed do similar things,” he added.
What’s the Harm?
Gunpoder detects the country of the user. If the user is located outside China, the app automatically sends an SMS message to random selected friends in the background. The message contains a variant downloading link.
Users will have a large bill if they are tricked. The fake payment costs users only about 29 to 49 US cents, but the bill caused by sending so many SMS messages comes to much more. The total amount of the SMS bill depends on how many contacts reside in a user’s device.
Gunpoder steals victims’ browser history and bookmark information, the researchers also found. The malware collects from victims very detailed user and device information, such as device ID, device model, current location and more.
Gunpoder also collects information about all installed packages on the victim’s device, and it provides capabilities for executing payloads using embedded dynamic code.
More Devious Moves
Gunpoder also pops up advertisements to promote other applications. The captured samples included code targeting as many as 13 different countries. For each country, the author used specific URLs for downloading promoted applications.
Reverse-engineering revealed that Gunpoder only propagates among users outside of China. Gunpoder targets Android users in at least 13 different countries: Iraq, Thailand, India, Indonesia, South Africa, Russia, France, Mexico, Brazil, Saudi Arabia, Italy, the United States and Spain.
The Chinese name “Wang Chunlei” appeared in the debug code. That could be the name of the malware author, report authors Zheng and Xu said.
Part of the Ruse?
The fact that China is excluded as an attackable population implies that Gunpoder could be a state-sponsored product, according to Enderle.
However, making China appear to be guilty could be part of the real malware writer’s plan, cautioned Palo Alto Networks’ Simkin.
“We need caution when we talk about who is doing this. We did not call out specifically that this is a Chinese-associated hacker,” he explained. “Maybe the malware creator did not target users in China to set a false flag.”
The malware author applied several unique techniques to evade antivirus detection, Unit 42 researchers found. The samples revealed aggressive advertisement libraries, such as Airpush, within the samples.
These advertisement libraries are used to hide malicious behaviors from detection by antivirus engines, the samples indicate. Antivirus engines may flag Gunpoder as being adware, but scanner engines do not prevent adware from running.
Since Gunpoder is not flagged as being overtly malicious, most engines will not prevent it from executing. Those ad libraries are easily detected and also may include aggressive behaviors.
The user has to be proactive in defending against this new type of Android malware. Now that the report is circulating, the security community at large must take this information and build it into the defensive strategies, according to Simkin. [*Editor’s Note – July 9, 2015]
“You can’t rely on third-parties to do the security job for you. Users need to be aware of the risks in downloading apps and how to protect themselves,” Simkin said.
There is a bigger end game than just bilking somebody out of excessive in-app fees. The bigger threat comes from Gunpoder’s malware capabilities. The data the malware gets gives the cybercriminals a profile of each victim that can be used for future phishing attacks, compromising their identity, and stealing sensitive data on the device itself.
“Companies have to consider the mobile device as potentially a Trojan horse,” warned Simkin. “If you do not have mobile security policies and practices and solutions, you are leaving a business wide open to potential data thefts and much worse.”
*ECT News Network editor’s note – July 9, 2015: The extent to which the report actually has circulated is questionable. The link to the report on Palo Alto Networks led to a “page not found” as of mid-day Thursday. While searching the site for information on Gunpoder, this editor was approached by a sales rep wanting to chat. After being informed of the broken link, the sales rep transferred this editor to another sales rep, who kicked the problem to the support department. Three transfers later, support rep Zachary attempted to address the issue, but he did not know what Gunpoder was. He confirmed that the link was broken for him too. He eventually apologized and supplied this editor with two email contacts, but LinuxInsider declined to pursue the issue further, as we already had accessed the report and only wished to provide a live link for our readers’ benefit.