New Android Gmobi adware found in firmware and popular apps

Malware researchers at the Dr Web firm have found an Android malware named Gmobi specifically designed to spread as a software development kit (SDK).

Malware researchers at security firm Dr.Web have detected a new strain of malware that was specifically designed to spread as a software development kit (SDK) used by software developers and mobile device manufacturers. The malware, named Android.Gmobi.1, has been found in several legitimate applications developed by well-known companies, as well as in firmware for nearly 40 mobile devices.

“This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments.” states the analysis published by the company.

The malware acts as an information stealer, it collects user and device data and send them back to the C&C server. Gmobi collects user emails, device info, roaming availability status, GPS or mobile network coordinates, whether the Google Play app that installed on the device.

Gmobi collects the following information and sends it to the C&C server: user emails, device info, roaming availability status, device location and mobile network coordinates, whether the presence of a Google Play application on the device.

The malware belongs to the adware category, once the C&C server has received the data from the device it can instruct the Gmobi in showing ads in specific positions of the device. The bad news is that operators behind Gmobi can also instruct the malware to download and install malicious APK files using a standard system dialog.

The experts highlighted that the Gmobi adware can install the APK files in a covert way only if the malware has the necessary privileges.

The server replies with an encrypted JSON (Java Script Object Notification) object that can contain the following commands:

Update the database with information about the advertisement to display.
Create an advertising shortcut on the home screen.
Display an advertising notification.
Display a notification tapping which will result in launch of an installed application.
Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.

The researchers have detected Gmobi in Trend Micro’s Dr. Safety and Dr. Booster apps, and the ASUS WebStorage apps. The Gmobi variant that was discovered in the software of the Trend Micro firm only collected information from the Android devices and sent it to a remote server.

Dr.Web reported the issue to all the impacted companies, Trend Micro has promptly released a new version of the infected apps.

“If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims ofAndroid.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.” concludes Dr Web.

Pierluigi Paganini

(Security Affairs – Gmobi Adware, Android mobile)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.