The new malware is said to target Android users in at least 13 different countries including India, Iraq, Thailand, Indonesia, South Africa, Russia, France, Mexico, Brazil, Saudi Arabia, Italy, the United States, and Spain. The researchers pointed out one interesting observation of "Gunpoder" that this malware only propagated among users outside of China.
Further, the researchers stressed that the findings highlighted the fine line between adware, which is usually skipped by antivirus software, and malware, which is hostile software with malicious tendency.
The report notes that the samples of "Gunpoder" were uploaded to VirusTotal in November last year, and was marked as either benign or adware by all antivirus engines.
"While researching the sample, we observed that while it contained many characteristics of adware, and indeed embeds a popular adware library within it, a number of overtly malicious activities were also discovered, which we believe characterizes this family as being malware," notes Palo Alto Networks report.
According to researchers, the "Gunpoder" malware family can collect sensitive information from users; propagate itself through SMS message; potentially push fraudulent advertisements, and has ability to execute additional payloads.
Highlighting how the malware packaged itself into an emulator, the report adds, "Gunpoder samples embed malicious code within popular Nintendo Entertainment System (NES) emulator games, which are based on an open source game framework. Palo Alto Networks has witnessed a trend of malware authors re-packaging open source Android applications with malicious code. Gunpoder makes use of this technique, which makes it difficult to distinguish malicious code when performing static analysis."
Detailing how the malware worked, the report added that soon after installation, the malware presented a declaring statement (when opened for the first time) explicitly notifying users that the app has ad-support and can allow the advertising library to collect information from the device. Once the app is launched, it will ask users to pay for a lifelong license of the game via a pop up dialog.
"If the user clicks the 'Great! Certainly!' button, a payment dialog will pop up, including PayPal, Skrill, Xsolla (the transaction link is no longer active) and CYPay. Users need to register a new PayPal or Skrill account or log in in to their existing account to pay $0.29 or $0.49. The CYPay supports offline gift voucher redeeming. Additionally, this payment dialog will pop up when users click the "Cheats" option within this app. In fact, the malware author added this malicious payment function into this 'Cheats' option, which is free in the original app," explains the report.
Even if users skip the payment dialog, the malware can propagate messages that will be sent out - if users pause the main activity of the malware, and second, if payment is declined then it will share a "fun game" link which will be a variant of this malware family.
"Interestingly enough, the Gunpoder sample will detect the country of the user. If the user is not located in China, this app will automatically send an SMS message, which contains a variant downloading link, to random selected friends in the background," adds report.