In this week, my research team, in collaboration with NQ Mobile, has discovered a new Android malware GappII in popular third-party Android markets. It masks as an "Android Patch" app to attract user downloads. Once downloaded, it actually contains a bot-like payload to fetch and install additional apps. Based on our investigation, this malware itself does not carry any known root exploits. Instead, it will request for root privilege (for rooted phones). If granted, the malware will then install additional apps on the background without the user's consent. If the phones are not rooted, it will show as "System Update" notification to trigger users for installation.
For infected phones, GappII will not show any icon on the home screen. Instead, it registers for the system-wide event -- "android.intent.action.BOOT_COMPLETED" -- to automatically boostrap a built-in service. The service runs behind the scene and monitors the status of current phone screen. If the screen is turned on, GappII invokes its payload to fetch and install additional apps on the background.
To install apps on the background, GappII attempts to request root privilege, which is shown
in the following code snippet screenshot.
To fetch apps on the background, GappII has a few pre-configured control and control (C&C) servers. In the sample we analyzed, it encrypts server URLs within a resource file (shown below). This resource file will be decrypted at runtime and the decrypted URLs will be contacted in a frequency based on the current network connection. Specifically, if the Wifi connection is available, the C&C server will be immediately contacted. Otherwise, the "phone home" behavior will happen once every 5 hours.
Last modified: April 27th, 2012