Security Alert: New GappII Trojan Found in Alternative Android Markets

By Xuxian Jiang, Assistant Professor, Department of Computer Science, NC State University

This week, my research team, in collaboration with NQ Mobile, discovered a new Android malware, GappII, in popular third-party Android markets. It masquerades as an "Android Patch" app to attract user downloads. The downloaded app actually contains a bot-like payload that fetches and installs additional apps. Based on our investigation, this malware itself does not carry any known root exploits. Instead, it requests root privilege (on rooted phones). If granted, the malware then installs additional apps in the background without the user's consent. If the phone is not rooted, it shows a "System Update" notification to prompt the user to install them.

How it works

On infected phones, GappII does not show any icon on the home screen. Instead, it registers for the system-wide event -- "android.intent.action.BOOT_COMPLETED" -- to automatically bootstrap a built-in service. The service runs behind the scenes and monitors the status of the phone screen. If the screen is turned on, GappII invokes its payload to fetch and install additional apps in the background.
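A defender-side triage check for the manifest pattern described above, as an added example that is not code from the original alert or from the GappII sample: it flags a decoded AndroidManifest.xml (for instance, as produced by apktool) that declares a BOOT_COMPLETED receiver and a service but no launcher activity. The sample manifests and the names in them (com.example.app, .BootReceiver, .FetchService, .Main) are constructed for illustration, and legitimate background apps can match the same pattern, so a hit is a prompt for review rather than a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for the android:name attribute
BOOT = "android.intent.action.BOOT_COMPLETED"
MAIN = "android.intent.action.MAIN"
LAUNCHER = "android.intent.category.LAUNCHER"


def _has_launcher_icon(app):
    """True if any activity has MAIN + LAUNCHER in the same intent filter."""
    for comp in app.findall("activity") + app.findall("activity-alias"):
        for flt in comp.findall("intent-filter"):
            actions = {a.get(NAME) for a in flt.findall("action")}
            categories = {c.get(NAME) for c in flt.findall("category")}
            if MAIN in actions and LAUNCHER in categories:
                return True
    return False


def triage_manifest(manifest_xml):
    """Report the traits from the write-up that a decoded manifest exhibits."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:  # no components declared, so nothing can be flagged
        app = ET.Element("application")
    boot_receivers = [r.get(NAME) for r in app.findall("receiver")
                      if any(a.get(NAME) == BOOT for a in r.iter("action"))]
    services = [s.get(NAME) for s in app.findall("service")]
    icon = _has_launcher_icon(app)
    # Flag: starts at boot, runs a service, and has no home-screen icon.
    return {"boot_receivers": boot_receivers, "services": services, "has_launcher_icon": icon,
            "suspicious": bool(boot_receivers and services and not icon)}


def _sample(activity_xml):  # constructed manifest, hypothetical names, not from the sample
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">'
            f'<application>{activity_xml}<receiver android:name=".BootReceiver">'
            f'<intent-filter><action android:name="{BOOT}"/></intent-filter>'
            '</receiver><service android:name=".FetchService"/>'
            '</application></manifest>')


HIDDEN_SAMPLE = _sample("")
VISIBLE_SAMPLE = _sample(
    f'<activity android:name=".Main"><intent-filter><action android:name="{MAIN}"/>'
    f'<category android:name="{LAUNCHER}"/></intent-filter></activity>')

if __name__ == "__main__":
    print(triage_manifest(HIDDEN_SAMPLE), triage_manifest(VISIBLE_SAMPLE), sep="\n")
```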

To install apps in the background, GappII attempts to request root privilege, which is shown in the following code snippet screenshot.

To fetch apps in the background, GappII has a few pre-configured command and control (C&C) servers. In the sample we analyzed, it encrypts the server URLs within a resource file (shown below). This resource file is decrypted at runtime, and the decrypted URLs are contacted at a frequency based on the current network connection. Specifically, if a Wi-Fi connection is available, the C&C server is contacted immediately. Otherwise, the "phone home" behavior happens once every 5 hours.

The downloaded apps are saved on the SD card (/mnt/sdcard/download). On rooted phones, if the malware has already been granted root privilege, these apps are silently installed -- as shown in the following figure. Otherwise, the malware tries to show the downloaded app as a "System Update" (in the notification bar) to prompt users to install it.


We found this malware in unofficial Chinese Android markets. To the best of our knowledge, we have not found the infection in the official Android Market. For mitigation, please follow common-sense guidelines for smartphone security. For example,

Last modified: April 27th, 2012