New Android Gmobi adware found in firmware and popular apps

Pierluigi Paganini March 18, 2016

Malware researchers at the Dr Web firm have found an Android malware named Gmobi specifically designed to spread as a software development kit (SDK).

Malware researchers at security firm Dr.Web have detected a new strain of malware that was specifically designed to spread as a software development kit (SDK) used by  software developers and mobile device manufacturers. The malware, named Android.Gmobi.1, has been found in several legitimate applications developed by well-known companies, as well as in firmware for nearly 40 mobile devices.

“This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.” states the analysis published by the company.

The malware acts as an information stealer, it collects user and device data and send them back to the C&C server. Gmobi collects user emails, device info, roaming availability status, GPS or mobile network coordinates, whether the Google Play app that installed on the device.

Gmobi collects the following information and sends it to the C&C server: user emails, device info, roaming availability status, device location and mobile network coordinates, whether the presence of a Google Play application on the device.

The malware belongs to the adware category, once the C&C server has received the data from the device it can instruct the Gmobi in showing ads in specific positions of the device. The bad news is that operators behind Gmobi can also instruct the malware to download and install malicious APK files using a standard system dialog.

android gmobi adware

The experts highlighted that the Gmobi adware can install the APK files in a covert way only if the malware has the necessary privileges.

The server replies with an encrypted JSON (Java Script Object Notification) object that can contain the following commands:

  • Update the database with information about the advertisement to display.
  • Create an advertising shortcut on the home screen.
  • Display an advertising notification.
  • Display a notification tapping which will result in launch of an installed application.
  • Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.

The researchers have detected Gmobi in Trend Micro’s Dr. Safety and Dr. Booster apps, and the ASUS WebStorage apps. The Gmobi variant that was discovered in the software of the Trend Micro firm only collected information from the Android devices and sent it to a remote server.

Dr.Web reported the issue to all the impacted companies, Trend Micro has promptly released a new version of the infected apps.

“If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims ofAndroid.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.” concludes Dr Web.

Pierluigi Paganini

(Security Affairs – Gmobi Adware, Android mobile)

you might also like

leave a comment