Android malware mimics Nintendo games, bypasses AV to steal from users

A new Android malware family called 'Gunpoder' has been infecting and stealing from users worldwide by mimicking a Nintendo Entertainment System (NES) video game emulator, which lets gamers play classic Nintendo games from the 1980s and 1990s.

Android malware mimics Nintendo games, bypasses AV to steal from users
Android malware mimics Nintendo games, bypasses AV to steal from users

Palo Alto Networks' threat intelligence team, Unit 42, discovered the malware family (which contains three variants), and says that it is embedded in open-source versions of the NES video game simulator, which can be downloaded from third-party app stores.

Cleverly, malware authors packaged the app with aggressive adware libraries, including Airpush, so that the malware evades anti-virus solutions. AV solutions typically detect these libraries as “benign” or “adware” – but still allow the code to execute on the victim's machine.

However, Gunpoder is more deadly than adware. Once installed, it will look to steal information from users, including browser histories and bookmarks, whilst also sending itself to the user's contacts over SMS. In addition, Palo Alto says that it shows fraudulent ads and can execute other code on the infected device.

So, how does Gunpoder finds its way onto an Android phone? Well, after reverse engineering the malicious code, Palo Alto found that the legitimate emulator was repackaged with a variety of new functions, including a payment option, advertising software and a text which is sent out by SMS to promote NES games.

This ‘promotion' is done via an SMS message to the phone user's contacts, who receive a message containing a shortened Google URL link, taking them to the game (and the malware). Interestingly however, the malware searches for the user's location and will not propagate if the said user is based in China (it appears as though the malware creator may be Chinese).

After installation, the malware would tell users that the game is ad-supported and that it allows Airpush to collect information from device, with Palo Alto researchers believing this for evading the anti-virus and for pushing the data loss blame onto the advertisers.

Once opened, the game asks for users to pay for ‘lifelong' licence (US$ 0.29 or US$ 0.49), with PayPal, Skrill and Xsolla as the payment options. There is also an option to pay for game cheats.

SMS messages would be sent out to contacts when the game was paused, or when the payment dialogue was opened for cheats. On this occasion, gamers would be invited to share another game – not knowing that they were simply passing on a malware-laden game to friends and family.

Gunpoder has been seen targeting Android users in at least 13 different countries, including Iraq, Thailand, India, Indonesia, South Africa, Russia, France, Mexico, Brazil, Saudi Arabia, Italy, the United States, and Spain.

“Overall, the Gunpoder malware family contains a number of activities associated with adware. However, as we've previously discussed, a number of malicious functionalities exist as well,” said researchers in their summary.

“Examples of this include the ability to collect very sensitive information from victims, propagation via SMS messages, and the ability to execute other payloads.

“The inclusion of the Airpush advertisement library causes many antivirus programs to simply label Gunpoder samples as adware, which is often not blocked by default. This allows some of the more malicious activity present in Gunpoder to continue unnoticed.”

David Kennerley, senior manager of the threat research team at Webroot, told SCMagazineUK.com that the use of adware advertising libraries was a clever component.

“As Android malware goes, ‘Gunpoder' isn't more technically sophisticated than any other; it's using the same scamming techniques that the security industry observes daily for fraudulent revenue capabilities, while also grooming the victim for possible future attacks by profiling and reconnaissance,” he said.

“The possible inclusion of the known adware advertising libraries as a way to distract anti-virus companies and intended victims away from the real malicious activities of the app is particularly clever.  Anti-virus companies are building advanced automated classification systems, but as this malware has shown, it can still be incorrectly classified. Another level of screening needs to be added as detection is simple once the malware is known and understood."

He added that Android malware was "undoubtedly" on the rise, with thousands of new unique Android files being created daily.

“If possible, users should keep away from third party app stores and repositories as these are a main vector for infection.  Google Play, while not perfect is definitely a safer choice.  Take note of the permissions an app is requesting – does a simple game need to send SMS messages or read your contacts list?”

In related news, G Data Software says there were nearly 5,000 new Android malware files created on a daily basis during Q1 of 2015.