Gunpoder: A new Android malware targets users not residing in China

FP Staff • July 13, 2015, 12:25:59 IST

The malware samples successfully use these advertisement libraries to hide malicious behaviors from detection by antivirus engines.


Researchers have discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. Palo Alto Networks named this malware family ‘Gunpoder’ based on the main malicious component name, and Palo Alto Networks’ threat intelligence team Unit 42 observed 49 unique samples across three different variants. This finding highlights the fine line between “adware,” which isn’t traditionally prevented by antivirus products, and malware, with its ability to cause harm.

Samples of Gunpoder have been uploaded to VirusTotal since November 2014, with all antivirus engines reporting either “benign” or “adware” verdicts, meaning legacy controls would not prevent installation of this malware. While researching the sample, the Unit 42 team observed that it contained many characteristics of adware, and indeed embeds a popular adware library. The researchers also discovered a number of overtly malicious activities, which they believe characterise this family as malware: collecting sensitive information from users; propagating itself via SMS message; potentially pushing fraudulent advertisements; and the ability to execute additional payloads.

![gunpoder-5-500x833](https://images.firstpost.com/wp-content/uploads/2015/07/gunpoder-5-500x833.png)
Palo Alto

Gunpoder targets Android users in at least 13 different countries, including India. One interesting observation from the reverse engineering of Gunpoder is that this new Android family only propagates among users outside of China.

The Gunpoder malware includes legitimate advertisement libraries within the samples. Those ad libraries are easily detected and may also include aggressive behaviors. The malware samples successfully use these advertisement libraries to hide malicious behaviors from detection by antivirus engines. While antivirus engines may flag Gunpoder as adware, most engines do not flag it as overtly malicious and so will not prevent it from executing. Users who have executed Gunpoder are shown a notification that includes the legitimate advertising library. “We believe the notification was intentionally added in order to use the legitimate library as a scapegoat,” the researchers said.

Gunpoder samples embed malicious code within popular Nintendo Entertainment System (NES) emulator games, which are based on an open source game framework (http://sourceforge.net/p/nesoid/code/ci/master/tree/). Palo Alto Networks has witnessed a trend of malware authors re-packaging open source Android applications with malicious code. Gunpoder makes use of this technique, which makes it difficult to distinguish malicious code when performing static analysis.

Samples observed support online payments, including PayPal, Skrill, Xsolla and CYPay. It was discovered that Gunpoder steals victims’ browser history and bookmark information. Additionally, Gunpoder collects information about all installed packages on the victim’s device. It also provides capabilities for executing payloads. The dynamic code for loading and executing the payload after decrypting resides in the “com.fcp.a” and “com.fx.a” components.

Thus far, Palo Alto Networks has observed 49 unique samples of the Gunpoder family and found three different groups of variants within this family. Specifically, variants of group 1 (12 samples) can propagate via SMS and entice users to make a payment. Variants of group 2 (16 samples) can only entice users to make a payment, and variants of group 3 (21 samples) do not contain SMS propagation or entice users to make payments. Group 3 was discovered to be the newest of the Gunpoder malware variants.
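Because repackaging hides the added code among the emulator's own classes, one triage step is to read the string table of each classes*.dex file in an APK and list type descriptors that fall under the two component names reported above. The following is an added example, not code from Palo Alto Networks or the original article; it assumes the components appear as classes or packages named “com.fcp.a” and “com.fx.a”, and `build_sample_apk` produces a constructed sample, not a real APK.

```python
import io
import re
import struct
import zipfile

# Component names from the article as dex type descriptors (assumption: they
# appear as a class, its inner classes, or a package under these names).
SUSPECT = re.compile(r"L(?:com/fcp/a|com/fx/a)(?:;|[/$].*;)")


def dex_strings(dex):
    """Yield each entry of a dex string table; stop on malformed data."""
    if dex[:4] != b"dex\n" or len(dex) < 0x70:
        return
    # string_ids_size and string_ids_off sit at 0x38 and 0x3C in the header.
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    try:
        for i in range(count):
            (pos,) = struct.unpack_from("<I", dex, table_off + 4 * i)
            while dex[pos] & 0x80:  # skip the ULEB128 length prefix
                pos += 1
            end = dex.index(b"\x00", pos + 1)  # string data is NUL-terminated
            yield dex[pos + 1:end].decode("utf-8", "replace")
    except (struct.error, IndexError, ValueError):
        return


def suspect_classes(apk_bytes):
    """Return sorted matching descriptors from every classes*.dex in the APK."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                hits.update(s for s in dex_strings(apk.read(name)) if SUSPECT.fullmatch(s))
    return sorted(hits)


def build_sample_apk(strings):
    """Constructed sample: a zip whose classes.dex holds only a string table."""
    header = bytearray(0x70)
    header[:8] = b"dex\n035\x00"
    struct.pack_into("<II", header, 0x38, len(strings), 0x70)
    ids, data, base = b"", b"", 0x70 + 4 * len(strings)
    for s in strings:
        ids += struct.pack("<I", base + len(data))
        data += bytes([len(s)]) + s.encode() + b"\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", bytes(header) + ids + data)
    return buf.getvalue()
```

A match is a lead for manual review of the loading and decryption code, not a verdict on the app.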
