March 17, 2016
This Trojan, which was named Android.Gmobi.1, is designed as a specialized program package (the SDK platform) usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments. Although one may assume that Android.Gmobi.1 does not pose any threat, it, in fact, performs typical adware functions—thus, all applications infected by this malware are detected by Dr.Web for Android as malicious ones. Doctor Web specialists found that this SDK has already arrived on almost 40 mobile devices. In addition, the Trojan also compromised such Google Play apps as Trend Micro Dr.Safety, Dr.Booster, and Asus WebStorage. All the affected companies have been already informed about this incident, and they are currently considering possible solutions to this problem. Meanwhile, TrendMicro Dr.Safety and TrendMicro Dr.Booster are updated and are not dangerous for Android users anymore.
The main purpose of Android.Gmobi.1 and its several modifications is to collect confidential information and send it to the remote server. For example, the Trojan’s versions embedded into TrendMicro Dr.Safety and TrendMicro Dr.Booster perform only the above-mentioned functions. However, in this article, we are going to focus on a more sophisticated modification that was designed to compromise firmwares of mobile devices.
Every time the device is connected to the Internet, or its home screen is active (if previously the screen was off for more than one minute), Android.Gmobi.1 collects the following information for sending it to the server:
- User emails
- Roaming availability
- GPS or mobile network coordinates
- Information on the device
- Geolocation of the user
- Presence of a Google Play application on the device
The server replies with an encrypted JSON (Java Script Object Notification) object that can contain the following commands:
- Update the database with information about the advertisement to display.
- Create an advertising shortcut on the home screen.
- Display an advertising notification.
- Display a notification tapping which will result in launch of an installed application.
- Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.
Depending on a received command, the Trojan starts displaying advertisements and performing other money-making actions. In particular, the Trojan is able to
- Display advertisements in the status bar.
- Display advertisements in dialogs.
- Display advertisements in interactive dialogs—tapping “Ok” leads to sending of a text message (only if an application, in which the SDK is incorporated, has necessary privileges).
- Display advertisements on top of running applications and the GUI of the operating system.
- Open advertising webpages in the browser or in a Google Play application.
Besides, Android.Gmobi.1 can automatically run programs installed on the device by the user and download applications via specified links, picking up the rating of this software.
Dr.Web for Android successfully detects all the known modifications of Android.Gmobi.1 only if they are not located in the system directories.
If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges. However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims of Android.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.