Gunpoder Android malware: A new family of Android malware is targeting users outside China and infecting their phones. Researchers have discovered a new Android malware family that evaded every antivirus engine on the VirusTotal web service. Palo Alto Networks named the family 'Gunpoder' after the name of its principal malicious component, and the company's Unit 42 threat intelligence team found 49 unique samples across three different variants.
This finding highlights the thin line between "adware", which antivirus products traditionally do not block, and malware that is able to cause real harm.
Gunpoder samples have been uploaded to VirusTotal since November 2014, and every antivirus engine reported them as "benign" or "adware". With those verdicts, existing controls would not have prevented the malware from being installed on Android devices.
During its investigation of the samples, Unit 42 noted that although the malware contains many adware characteristics, and in fact embeds a popular adware library, it also performs a number of openly malicious actions that the researchers believe characterize the family as malware: collecting sensitive user information, spreading via SMS messages, pushing potentially fraudulent advertisements, and executing additional payloads.
Gunpoder targets Android users in at least 13 different countries, including India. An interesting observation from reverse engineering Gunpoder is that this new Android family only spreads among users outside China.
Gunpoder samples include legitimate advertising libraries. These ad libraries are easily detected and may themselves exhibit aggressive behavior. The malware uses them to hide its own malicious behavior from antivirus: while antivirus software may flag Gunpoder as adware, it does not flag it as overtly malicious.
Users who run Gunpoder are shown a notice stating that the app includes an ad library and that the advertising is legitimate. "We believe that the notice was intentionally added in order to use the library as a legitimate scapegoat," the researchers said.
Gunpoder samples embed malicious code in popular Nintendo Entertainment System (NES) emulator games, which are built on an open source game framework.
Palo Alto Networks has seen a trend of malware authors repackaging open source Android applications with malicious code. Gunpoder uses this technique, which makes it difficult to distinguish the malicious code from the legitimate application during static analysis.
The samples were also observed to support online payments through PayPal, Moneybookers, Xsolla and CYPay, which the malware uses to solicit payments from victims. Gunpoder also steals the victim's browser history, bookmarks and other private information.
In addition, Gunpoder collects information about all the apps and Android packages installed on the victim's device, and it can execute additional payloads: the code that dynamically loads and executes a payload after decoding it resides in the components "com.fcp.a" and "com.fx.a".
So far, Palo Alto Networks has observed 49 unique samples in the Gunpoder family and identified three groups of variants within it. Group 1 variants (12 samples) can spread via SMS and lure users into making payments. Group 2 variants (16 samples) can only lure users into making payments, and group 3 variants (21 samples) neither spread via SMS nor solicit payments. Group 3 contains the newest Gunpoder variants.
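The behaviors listed above (the payload-loading components, SMS spreading, payment lures, package enumeration and browser data theft) can be turned into a quick static triage check. The following script is an added example, not Unit 42's tooling or anything from the Gunpoder samples: it opens an APK as a zip, scans the raw bytes of every classes.dex for indicator strings, and maps the hits onto the three variant groups described above. The component names com.fcp.a / com.fx.a and the payment brands come from the article; the Android/Dalvik API descriptors, the regular expressions, and the group mapping are assumptions made for illustration, and the sample APKs it scans are constructed in memory rather than real malware.

```python
"""Static triage of an APK for Gunpoder-style indicators.

Added example, not Unit 42's code. Indicator strings other than the component
names and payment brands named in the article are assumptions.
"""
import io
import re
import zipfile

# Indicators matched against the raw bytes of classes.dex. A dex file keeps
# class descriptors ("Lcom/fcp/a;") and method names ("sendTextMessage") in a
# plain string table, so a byte scan finds them without a full dex parser
# (assumption: the strings are not encrypted or otherwise obfuscated).
INDICATORS = {
    "payload_loader_component": rb"Lcom/f(?:cp|x)/a;",          # from the article
    "dynamic_code_loading": rb"Ldalvik/system/DexClassLoader;",  # assumed API
    "sms_send": rb"sendTextMessage",                             # assumed API
    "installed_app_enum": rb"getInstalledPackages",              # assumed API
    "browser_history": rb"Landroid/provider/Browser;",           # assumed API
    "payment_lure": rb"(?i)paypal|moneybookers|xsolla|cypay",    # from the article
}


def scan_dex(dex_bytes: bytes) -> set:
    """Return the names of all indicators whose pattern appears in the dex."""
    return {name for name, pat in INDICATORS.items() if re.search(pat, dex_bytes)}


def classify(hits: set) -> str:
    """Approximate the three variant groups from the article using indicators.

    Assumption: real group membership came from Unit 42's analysis, not from
    string matching; this only mirrors the described behaviours.
    """
    if "payload_loader_component" not in hits:
        return "no Gunpoder component"
    sms, pay = "sms_send" in hits, "payment_lure" in hits
    if sms and pay:
        return "group 1-like: SMS spreading and payment lure"
    if pay:
        return "group 2-like: payment lure only"
    if not sms:
        return "group 3-like: neither SMS spreading nor payment lure"
    return "unclassified: SMS spreading without payment lure"


def scan_apk(apk_bytes: bytes) -> dict:
    """Scan every classes*.dex inside an APK (a zip) and classify the result."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if re.fullmatch(r"classes\d*\.dex", name):
                hits |= scan_dex(zf.read(name))
    return {"indicators": sorted(hits), "verdict": classify(hits)}


def make_sample_apk(dex_strings) -> bytes:
    """Build a constructed, minimal APK whose classes.dex is just the given
    strings joined by NUL bytes. It is not a valid dex file; it only imitates
    the string-table layout the scanner relies on. Test data, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"")  # placeholder, never parsed here
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0".join(dex_strings))
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = make_sample_apk([b"Lcom/fcp/a;", b"Ldalvik/system/DexClassLoader;",
                                  b"sendTextMessage", b"com.paypal.android"])
    benign = make_sample_apk([b"Lcom/example/nes/Emulator;", b"onCreate"])
    for label, apk in (("suspicious", suspicious), ("benign", benign)):
        print(label, scan_apk(apk))
```

The scanner is deliberately a byte-level string match, which is enough to reproduce the triage the article implies (which behaviours a sample carries) but will miss samples that encrypt or obfuscate their string tables; a real pipeline would decode the dex string table and resolve the class loader call sites before trusting a "no component" verdict.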