March 17, 2016

Trojans for Android are mainly designed to display advertisements and install unwanted software on mobile devices, “sponsoring” authors of a malware application. Thus, it is no wonder that adware Trojans are so much popular among attackers. In March, Doctor Web security researchers examined a new representative of this type of malware after it had been spotted in firmware of about 40 popular low-end smartphones and in several applications developed by well-known companies.

This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments. Although one may assume that Android.Gmobi.1 does not pose any threat, it, in fact, performs typical adware functions—thus, all applications infected by this malware are detected by Dr.Web for Android as malicious ones. Doctor Web specialists found that this SDK has already arrived on almost 40 mobile devices. In addition, the Trojan also compromised such Google Play apps as Trend Micro Dr.Safety, Dr.Booster, and Asus WebStorage. All the affected companies have been already informed about this incident, and they are currently considering possible solutions to this problem. Meanwhile, TrendMicro Dr.Safety and TrendMicro Dr.Booster are updated and are not dangerous for Android users anymore.

The main purpose of Android.Gmobi.1 and its several modifications is to collect confidential information and send it to the remote server. For example, the Trojan’s versions embedded into TrendMicro Dr.Safety and TrendMicro Dr.Booster perform only the above-mentioned functions. However, in this article, we are going to focus on a more sophisticated modification that was designed to compromise firmwares of mobile devices.

Every time the device is connected to the Internet, or its home screen is active (if previously the screen was off for more than one minute), Android.Gmobi.1 collects the following information for sending it to the server:

User emails

Roaming availability

GPS or mobile network coordinates

Information on the device

Geolocation of the user

Presence of a Google Play application on the device

The server replies with an encrypted JSON (Java Script Object Notification) object that can contain the following commands:

Update the database with information about the advertisement to display.

Create an advertising shortcut on the home screen.

Display an advertising notification.

Display a notification tapping which will result in launch of an installed application.

Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.

Depending on a received command, the Trojan starts displaying advertisements and performing other money-making actions. In particular, the Trojan is able to

Display advertisements in the status bar.

Display advertisements in dialogs.

Display advertisements in interactive dialogs—tapping “Ok” leads to sending of a text message (only if an application, in which the SDK is incorporated, has necessary privileges).

Display advertisements on top of running applications and the GUI of the operating system.

Open advertising webpages in the browser or in a Google Play application.

Besides, Android.Gmobi.1 can automatically run programs installed on the device by the user and download applications via specified links, picking up the rating of this software.

Dr.Web for Android successfully detects all the known modifications of Android.Gmobi.1 only if they are not located in the system directories. If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims of Android.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.