Gunpoder Android Malware Hides Malicious Behaviors in Adware

The Gunpoder Android malware has co-opted a Nintendo NES game emulator and hides inside the Airpush ad library, researchers at Palo Alto Networks said.

A stream of new Android malware infections is sounding a harsh tone on two fronts: hackers are making free and open source applications their own; and legacy security software needs to step up detection of adware behaving maliciously.

The Gunpoder malware is spreading via third-party Android app stores hiding in a Nintendo Entertainment System (NES) video game emulator that is freely available online. The attackers are seeding the emulator with an aggressive ad library called Airpush, and hiding malicious behaviors such as the collection of device and user data and communication with an attacker’s server in the library knowing that security technologies will detect it as adware and mark it benign.

Researchers at Palo Alto Networks today said that three variants of Gunpoder are in circulation, and victims in 13 countries have been infected. The malware is crimeware, and the attackers’ objective is profit by running up premium SMS charges, as well as charging the victims for access to the app and its cheat feature.

The malware also spreads via SMS to contacts on the phone, propagating in a worm-like manner.

The use of mobile games to move malware is not new, with attackers relying on users’ familiarity with a name in order to trick them into downloading and executing something malicious instead.

“People spend a lot of time and energy making free and open source apps like these emulators, and they’re being co-opted to make money for attackers,” said Scott Simkin, senior threat intelligence manager at Palo Alto.

Once a user installs the game, Palo Alto said in a report published today, the malware presents a notification that the app is ad supported and by agreeing, the user allows Airpush to collect device information.

“We strongly believe that the malware author intentionally added the Airpush library as the scapegoat so that it could inconspicuously attribute its malicious behaviors to the Airpush library,” the report says.

Users are also presented with a payment dialog box, asking for 29- or 49-cent payments and an additional dialog charging more for cheats. If the user declines by clicking on “Next Time,” the app asks the user to share the game with a friend and the malware is sent via a Google short URL in an SMS message to contacts.

Gunpoder also has a feature that detects whether the user is in China, and if so, will not execute.

Logs obtained by Palo Alto show that the malware collects and uploads user and device information, including a device ID, model and location. It also steals browser history and bookmark information and information about installed packages on the device. Palo Alto said there are additional capabilities for executing other payloads.

The device information, could be part of a larger puzzle, where the attackers could be building a profile on the user.

“If someone is collecting data on users, they could be doing so to build profiles for phishing attacks in the future,” Simkin said. “This is something we could see an attacker doing, or perhaps dumping the information for others to use.”

The three variants, meanwhile, demonstrate how the attacks have evolved. The first set of samples propagate via SMS and entice users to make payments, Palo Alto said, while the second only seeks payments, and the third and latest version has neither capability. The same certificate, the researchers said, was used to sign the first two variants, while the third was signed with a different certificate.

“While the certificate varies between these groupings of variants, we highly suspect that the same malware author wrote all of these samples,” the report said.

Suggested articles