Dubbed Gmobi by Dr. Web researchers, the malware comes in the form of a software development kit (SDK), and has been found in several legitimate applications by well-known companies, as well as in firmware for nearly 40 mobile devices.
“This Trojan (…) is designed as a specialized program package usually used either by mobile device manufacturers or by software developers to expand functionality of Android applications. In particular, this module is able to remotely update the operating system, collect information, display notifications (including advertising ones), and make mobile payments,” the researchers explained.
Gmobi collects the following information and sends it to the C&C server: user emails, device info, roaming availability status, GPS or mobile network coordinates, whether the Google Play app is installed on the device.
The operator of the server can send back commands which are mostly about which ads to show and where (in the status bar, in dialogs, on top of running apps, in webpages), but he or she can also instruct the malware to automatically download and install APK files using a standard system dialog.
This download and installation is executed covertly if the Trojan has the necessary privileges to allow this. It does so by using the DownloadManager system service – prepared links are added to the user’s download queue.
The malware can also launch an app that has been previously installed by the user.
Gmobi has been found in Trend Micro’s Dr. Safety and Dr. Booster apps, the ASUS WebStorage apps, and in the system software for Micromax AQ5001 firmware update.
The researchers notified all of those companies about their discovery, and Trend Micro has already pushed out new versions of the aforementioned apps without the adware. In their case, the Trojan “only” collected information from the device and sent it to a remote server – it didn’t show ads or compromise firmware.
“If your device’s firmware is infected by this Trojan, the malware cannot be removed by the anti-virus without root privileges,” the researchers noted.
“However, even if root privileges are gained, there is a high risk of making the device non-operational because the Trojan can be incorporated into some critical system application. Therefore, the safest solution for victims of Android.Gmobi.1 is to contact the manufacturer of the device and ask them to release a firmware update without the Trojan.”