A sophisticated new Android malware strain named Gorilla has recently surfaced, posing a significant threat to mobile security by intercepting SMS messages, particularly those containing one-time passwords (OTPs). This malware operates covertly, exploiting Android’s permission system to access sensitive information on infected devices.
Targeted Exploitation of SMS Messages
Gorilla primarily focuses on intercepting SMS messages that contain OTPs, which are crucial for two-factor authentication processes. By gaining access to these messages, attackers can bypass security measures designed to protect user accounts, leading to unauthorized access and potential financial loss.
Technical Mechanisms and Permissions
Upon installation, Gorilla requests critical Android permissions, including READ_PHONE_STATE and READ_PHONE_NUMBERS. These permissions allow the malware to access SIM card information and retrieve phone numbers from the infected device. Such access is instrumental in the malware’s ability to monitor and intercept SMS communications effectively.
Persistent Command and Control Communication
Gorilla establishes a continuous connection with its command and control (C2) servers over the WebSocket protocol. This persistent channel lets the malware receive commands and exfiltrate sensitive data in real time. The connection URL follows a fixed format, ws://$URL/ws/devices/?device_id=$android_id&platform=android, where the device's Android ID identifies the infected handset to the attackers' infrastructure.
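Because the C2 URL format is fixed, it makes a usable network indicator. The following added detection script (not code from the original report or from the malware) matches outbound WebSocket URLs against that pattern and extracts the reported device ID; the proxy log format and the sample lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path component of the C2 pattern described above:
# ws://$URL/ws/devices/?device_id=$android_id&platform=android
C2_PATH_RE = re.compile(r"^/ws/devices/?$")


def match_gorilla_c2(url: str):
    """Return indicator fields if `url` matches the Gorilla C2 pattern, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("ws", "wss"):
        return None
    if not C2_PATH_RE.match(parts.path):
        return None
    qs = parse_qs(parts.query)
    if qs.get("platform") != ["android"] or "device_id" not in qs:
        return None
    device_id = qs["device_id"][0]
    # Settings.Secure.ANDROID_ID is normally a 16-character hex string; a
    # device_id that does not look like one is still reported, as weaker evidence.
    strong = re.fullmatch(r"[0-9a-fA-F]{16}", device_id) is not None
    return {"host": parts.netloc, "device_id": device_id, "strong": strong}


def scan_log(lines):
    """Scan constructed proxy log lines of the form '<timestamp> <client> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line, skip
        ts, client, url = fields[0], fields[1], fields[2]
        m = match_gorilla_c2(url)
        if m:
            hits.append({"ts": ts, "client": client, **m})
    return hits


# Constructed sample log: one strong hit, one benign WebSocket, one weak hit.
SAMPLE_LOG = [
    "2025-01-10T09:12:01Z 10.0.0.12 ws://203.0.113.5/ws/devices/?device_id=9774d56d682e549c&platform=android",
    "2025-01-10T09:12:05Z 10.0.0.13 wss://example.com/ws/chat/?room=1",
    "2025-01-10T09:13:10Z 10.0.0.14 ws://cdn.example.net/ws/devices?device_id=abc&platform=android",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```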
Evasion Techniques to Avoid Detection
To evade detection, Gorilla employs unconventional methods by avoiding the use of standard APIs like getInstalledPackages or getInstalledApplications, which would require the REQUEST_INSTALLED_PACKAGES permission and could raise suspicion. Instead, the malware queries launcher intents to gather information about installed applications, including package names, application names, and versions. This approach allows Gorilla to collect necessary data while maintaining a lower profile.
Categorization of Stolen Data
Analysis of the malware’s C2 panel reveals a systematic organization of intercepted SMS messages under tags such as Banks and Yandex. This categorization indicates a targeted approach toward financial information and popular services, enabling attackers to quickly identify and exploit valuable authentication codes and sensitive information contained within the intercepted messages.
Background Services Ensuring Persistence
Gorilla operates through a series of background services, ensuring its persistent operation even when the user is not actively engaging with the device. To comply with Android requirements, these services utilize the startForeground API along with the FOREGROUND_SERVICE permission to display a notification, effectively masking its malicious activity as legitimate system processes.
Command Structure and Capabilities
The malware’s command structure reveals three primary action types, each serving specific functions in the attack chain:
– device_info: Extracts and transmits detailed information about the infected device to the attackers.
– update_settings: Currently appears dormant, logging receipt without further action, but likely enables remote configuration of the malware’s behavior.
– send_sms: Allows attackers to send SMS messages from the infected device to specified recipients with custom message text.
While actively exploiting SMS interception capabilities, Gorilla includes components that suggest planned expansion of its functionality. The presence of an unused WebViewActivity class is particularly concerning, as this component typically renders HTML content and is commonly leveraged in banking trojans to display phishing pages. This indicates potential future developments in the malware’s capabilities, posing an even greater risk to users.
Implications and Preventative Measures
The emergence of Gorilla underscores the evolving nature of mobile threats and the importance of robust security measures. Users are advised to exercise caution when installing applications, especially those requesting extensive permissions. Regularly updating devices and employing reputable security software can provide additional layers of protection against such sophisticated malware.