FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
Support services
Scanners
Dr.Web vxCube
Trial
VCI investigations
Virus library
Knowledge base

Technologies

Terminology

Training and education

Myths

News

Android.Gmobi.1

Added to the Dr.Web virus database: 2016-03-12

Virus description added:

SHA1:

  • 90f044607f37ccc795af8a8d87eef2fae071104f
  • 45273fc93befb963015bbb99ae67bcf596412cc1 (dex)
  • 9fef8711a2cce4b2e46f93f29bc4b3153d719af1 (RockClient.odex , detected as Android.Gmobi.3)

A Trojan SDK (Software Development Kit) incorporated into Android applications. It is designed to display advertisements, download and install software, and collect confidential information. The malware was detected in such applications as com.rock.gota (system software for Micromax AQ5001 firmware update), Trend Micro Dr.Safety, Dr.Booster, and Asus WebStorage.

Every time the infected device is turned on (android.intent.action.BOOT_COMPLETED) or new applications are installed on the device (android.intent.action.PACKAGE_ADDED), Android.Gmobi.1 uses the ActionMonitor system event receiver (BroadcastReceiver) to launch ActionService.

Then ActionService checks whether other components of the malware are active and, if necessary, executes them. ActionService starts the AlarmManager system service that sends messages to ActionMonitor every 60 seconds—thus, ActionService works continiously.

ActionActivity

One of receivers (BroadcastReceiver) registered in ActionMonitor monitors the status of the device's screen. Once it detects that the screen is on (android.intent.action.SCREEN_ON), the receiver checks its local databases for advertisements to display. If it finds any, ActionActivity is launched. ActionActivity performs the following advertising actions:

  • Displays advertisements in the status bar
  • Displays advertisements in dialogs
  • Displays advertisements in interactive dialogs—tapping “Ok” leads to sending of a text message (if an application, in which the SDK is incorporated, has necessary privileges)
  • Displays advertisements on top of running applications and the GUI of the operating system
  • Opens advertising webpages in the browser or in a Google Play application
  • Automatically runs applications already installed on the device by the user
  • Downloads applications using the DownloadManager system service via initially prepared links, which are covertly added to the user’s download queue

PushThread

PushThread is launched once Internet connection is established, or the home screen is active. It terminates its operation in 60 seconds after the home screen is off, or if there is no Internet connection. Then it updates the database with a list of applications installed on the device.

It collects the following information:

  • User emails
  • Roaming availability
  • GPS or mobile network coordinates
  • Information on the device, such as the device’s manufacturer, IMEI and IMSI identifiers, MAC address of a Bluetooth and a Wi-Fi adapter, screen size, information about an application with the malicious SDK, the SDK version, and other data
  • Geolocation of the user found by GPS coordinates (if GPS is not available, information obtained from NetworkCountryIso, the SIM card, or Locale is used)
  • Presence of a Google Play application on the device

Then this data is encrypted and sent to the http://api.fotapro.com/api/push/connect server. The sent information generated by the Trojan may look as follows:

{
"device":{
"sdk_b":"2015.03.18.1",
"os_v":"4.1.2",
"lang":"en",
"id":"54be457a2c47a2981219219c",
"gprs":false,
"updated":false,
"app_v":"01.03.03",
"sdk":"go2sync",
"roaming":false,
"wmac":"9C:3A:AF:51:01:F6",
"sw":480,
"bmac":"9C:3A:AF:51:01:F5",
"os":"android",
"app":"com.rock.gota",
"sn":"4da348e981cfee7d",
"imei":"356507059351894",
"sd":true,
"loc":{
"lat":59.9588551,
"lng":30.3187445
},
"emails":[
"XXXXX@gmail.com"
],
"sh":800,
"cid":"B40CF4E8F83EEA83CD65C119F2B1AAD7",
"sdk_v":"2.0",
"country":"ru",
"wifi":true,
"sa":false,
"ua":"android;MANUFACTURER\/samsung;MODEL\/GT-I8190;BOARD\/DB8520H;BRAND\/samsung;DEVICE\/golden;
HARDWARE\/samsunggolden;PRODUCT\/goldenxx",
"brand":"Samsung",
"imsi":"",
"gp":true
},
"ac":"D603ECE5139479DD9D55A36FE8E10B73",
"last":"6262634407211827200,2016031613,D603ECE5139479DD9D55A36FE8E10B73"
}

The server replies with an encrypted JSON (Java Script Object Notification) object, which contains a configuration file with the TCP server address (tcp://) and the “mode” parameter. Depending on this parameter, PushThread can connect to the server in order to receive a similar generated JSON object that contains the “messages” commands.

It can execute the following commands:

  • Update the database with information about the advertisement to display
  • Create an advertising shortcut on the home screen (tapping this shortcut leads to the launch of ActionActivity)
  • Display an advertising notification (tapping this notification leads to the launch of ActionActivity)
  • Display a notification tapping which will result in launch of an installed application
  • Automatically download and install APK files using ReliableDownloadManager (the installation is not covert)
  • To covertly install APK files by means of ReliableDownloadManager (pm install is used)

The above-mentioned commands can contain the following filters:

  • By IMEI identifier
  • By the name of the application with the malicious SDK
  • By the user geolocation
  • By current mobile network
  • By the device’s manufacturer

The server may reply with:

{
"server":"tcp://0.0.0.0",
"chs":[
],
"did":"56e2c66b31409b5725270a9d",
"sid":"56e2c66b31409b5725270a9d-com.trendmicro.dr.booster",
"brand":"Google",
"ac":null,
"messages":[
],
"last":"6260771250398822400,2016031113,",
"fileUrl":"http://cdn.fotapro.com/files/{id}",
"enabled":true,
"mode":3,
"fs":[
],
"ri":300,
"log":false
}

The “ri” parameter received from the server specifies seconds. When the time runs out, the information from the “Data” database is uploaded to http://api.fotapro.com/api/data/d.

Once PushThread performs all its functions, it waits some seconds before being relaunched in infinite loop. It keeps operating until there is no Internet connection, the home screen is turned off, or until it gets the “push/disable” command from an application containing the malicious SDK.

The ReliableDownloadManager component

The component downloads APK files and covertly installs applications on the device. Once executed by ActionService, it uses android.net.conn.CONNECTIVITY_CHANGE to monitor whether Internet connection is established. It places the received commands for APK file downloading into Map. Once Internet connection is detected, this component downloads necessary files and tries to install them using a standard system dialog or getPackageManager().installPackage(...). If it fails to install the files with the help of installPackage(...), it executes the “su pm install” command.

This module is also used to install additional files—for example, advertising shortcuts or images.

LocationService

It starts operating after being executed by ActionService and registers receivers to monitor the status of the device’s home screen. Then it calculates overall time of the screen activity. In case the screen has been active for more than an hour, it uses GPS or mobile network coordinates to determine the device’s geolocation. Then, by means of http://maps.googleapis.com, it obtains the exact location of the device (road, county, state, state district, country, country_code, region, town, city), and its current coordinates.

This information is saved into SharedPreferences and the local database under the location_send_server_data key. As long as SharedPreferences contains information for location_send_server_data, new coordinates are not saved.

The device’s current coordinates are sent directly to an application containing the malicious SDK, which is the reply to the “GetSalesTrackInfo” command. In this case, SDK can perform such commands as

  • GetSalesTrackInfo
  • push/disable
  • push/enable
  • data/
  • GetSDKUsedTime

AppUsageMonitor

It is created and launched by the receivers registered in ActionService that monitor the status of the home screen. Every time the screen is active, it performs TimerTask every 5 seconds. This task checks a list of running applications and adds information about them to the local database in the “application + status” format.

If one of the running applications is specified in SharedPreferences, the “Reward Action” function is performed. This function is presumably designed to generate a profit with every download and launch of advertised applications. Once the home screen is off, TimerTask is canceled.

Curing recommendations

Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Free trial

14 days

Download now
Get it on Google Play