Unit 42, the Palo Alto Networks threat intelligence team, has discovered a new family of Android malware that had previously successfully evaded all antivirus products on the VirusTotal web service.
Palo Alto Networks has dubbed this malware family “Gunpoder” based on the main malicious component name, and the Unit 42 team has already observed 49 unique samples across three different variants. This finding highlights the fine line between adware, which isn’t traditionally prevented by antivirus products, and malware, with its ability to cause harm.
Samples of Gunpoder have been uploaded to VirusTotal since November 2014, with all antivirus engines reporting either “benign” or “adware” verdicts, meaning legacy controls would not prevent installation of this malware. While researching the samples, the Unit 42 team observed that although they contain many characteristics of adware, and indeed embed a popular adware library, they also carry a number of overtly malicious behaviours, which the researchers believe characterise this family as malware:
· Collecting sensitive information from users
· Propagating itself via SMS messages
· Potentially pushing fraudulent advertisements
· Ability to execute additional payloads
Gunpoder targets Android users in at least 13 different countries, including Iraq, Thailand, India, Indonesia, and Saudi Arabia. One interesting observation from the reverse engineering of Gunpoder is that this new Android family only propagates among users outside of China.
Unit 42 investigated Gunpoder using the Palo Alto Networks AutoFocus service, and released protections for users of its WildFire, Threat Prevention and Mobile Security Manager products for all currently known Gunpoder variants. Due to Palo Alto Networks' prevention capabilities, future members of the Gunpoder malware family could also potentially be blocked.
Interested?
Read the blog post at http://researchcenter.paloaltonetworks.com/2015/07/new-android-malware-family-evades-antivirus-detection-by-using-popular-ad-libraries/