Researchers have discovered new information-stealing Android malware which remains undetected by all AV products on VirusTotal by pretending to be adware.
Palo Alto Networks found that three slightly different variants of the so-called ‘Gunpoder’ malware were targeting users in 13 countries including France, Italy, the US, Russia, India and Indonesia.
Interestingly, it has been designed not to infect users in China, although there are indications that its author could be ‘Wang Chunlei’ – a name found in the debug code of a specific Gunpoder sample.
Gunpoder uses several techniques to evade Android malware filters, according to Palo Alto’s Unit 42 researchers.
It’s disguised as a Nintendo Entertainment System (NES) emulator game, making it tricky to distinguish malicious code via static analysis. If a user decides to launch that fake app, they’ll be asked to pay for a lifelong license using PayPal, Skrill, Xsolla or other mechanisms, the researchers claimed.
It also pushes “aggressive” ads to victims via the Airpush library, tricking security scanners into flagging it as merely adware.
The report continued:
“After installation, the malware will present a declaring statement when opened for the first time. This statement explicitly tells users that this app is ad-supported and allows Airpush to collect information from the device. We strongly believe that the malware author intentionally added the Airpush library as the scapegoat so that it could inconspicuously attribute its malicious behaviors to the Airpush library.”
Gunpoder spreads via short Google URLs in SMS messages, said Unit 42:
“The propagation SMS messages will be sent out in two scenarios. The first is when the main activity is paused by the user. This makes it very difficult for most dynamic analysis antivirus engines to trigger the sending behaviors.
The second scenario occurs when the user refuses to make a payment to activate the cheating mode (i.e. clicking the “Next Time” button). In this case, Gunpoder will ask the user to share a ‘fun game,’ which is actually a variant of this malware family.”
If the user is not in China, the app will apparently automatically send an SMS loaded with the malware to a selection of contacts.
Gunpoder also pops up ads for other apps specific to the country the user is located in, but the real purpose behind it seems to be aggressively pushing out fraudulent ads designed to lift detailed user and device information, including browser history and bookmarked sites.
There are also capabilities to execute payloads, Palo Alto Networks concluded.