Malware descriptions

Tic Tac Toe with a twist

UPDATE / OCT, 15.

Further to this blog post, describing malicious functions of a mobile Trojan camouflaged as the TicTacToe game app, Lacoon Mobile Security company stated that TicTacToe was developed by them as a proof-of-concept.

Kaspersky Lab would like to reiterate, that as a security company, we detect all forms of malicious program, regardless of their origin or purpose. We recieved the samples through malware exchange with other antivirus companies and it was not marked as a proof-of-concept at this time. We saw several potentially malicious functions in this app – and a thorough analysis of TicTacToe revealed that the game code accounted for less than 30% of the executable file’s size. The rest is functionality appeared for monitoring user and obtaining personal data. It is for this reason that we began the investigation and reported the incident to the public.

We respect and support other security companies who aspire to the development of mobile technologies, but we also believe that proof-of-concept programs should be marked clearly and shouldn’t demonstrate fully-operational functions, to avoid situations where malicious users replicate the techniques.

Attempts by cybercriminals to disguise malware as useful applications are common to the point of being commonplace. However, the developers of Gomal, a new mobile Trojan, not only achieved a new level of camouflage by adding Tic Tac Toe game to their malicious program, but also implemented interesting techniques which are new to this kind of malware.

It all started with a Tic Tac Toe game being sent to us for analysis. At first glance, the app looked quite harmless:

Tic Tac Toe with a twist

However, the list of permissions requested by the game made us wonder. Why would it need to access the Internet, the user’s contacts and the SMS archive or to be able to process calls and record sound? We analyzed the ‘game’ and it turned out to be a piece of multi-purpose spyware. The malicious app is now detected by Kaspersky Lab products as Trojan-Spy.AndroidOS.Gomal.a.

A thorough analysis of the malicious program showed that the game code accounts for less than 30% of the executable file’s size. The rest is functionality for spying on the user and stealing personal data.

Game code is marked in  green, malicious functionality – in red

Game code is marked in green, malicious functionality – in red

What does this functionality include? First and foremost, the malware has sound recording functions, which are now standard for mobile spyware:

Tic Tac Toe with a twist

It also has SMS-stealing functionality:

Tic Tac Toe with a twist

In addition, the Trojan collects information about the device and sends all the data collected to its masters’ server. But Trojan-Spy.AndroidOS.Gomal.a has something really curious up its sleeve – a package of interesting libraries distributed with it.

Tic Tac Toe with a twist

The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.

After obtaining root access, the Trojan gets down to work. For example, it steals emails from Good for Enterprise, if the app is installed on the smartphone. The application is positioned as a secure email client for corporate use, so the theft of data from it can mean serious problems for the company where the owner of the device works. In order to attack Good for Enterprise, the Trojan uses the console to get the ID of the relevant process (ps command) and reads virtual file /proc//maps. The file contains information about memory blocks allocated to the application.

Tic Tac Toe with a twist

After getting the list of memory blocks, the malware finds the block [heap] containing the application’s string data and creates its dump using one more library from its package. Next, the dump file created is searched for signatures characteristic of emails and the messages found are sent to the cybercriminals’ server.

Gomal also steals data from logcat – the logging service built into Android that is used for application debugging. Developers very often have their applications outputting critically important data to Logcat even after the apps have been released. This enables the Trojan to steal even more confidential data from other programs.

As a result, the seemingly harmless game of Tic Tac Toe gives cybercriminals access to an enormous amount of the user’s personal data and corporate data belonging to his employer. The techniques used by Gomal were originally implemented in Windows Trojans, but now, as we can see, they have moved on to Android malware. And, most dangerously, the principles upon which this technique is based can be used to steal data from applications other than Good for Enterprise – it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programs will appear in the near future.

To reduce the risk of infection by mobile malware we recommend that users:

  • Do not activate the “Install applications from third-party sources” option
  • Only install applications from official channels (Google Play, Amazon Store, etc.)
  • When installing new apps, carefully study which rights they request
  • If the requested rights do not correspond with the app’s intended functions, do not install the app
  • Use protection software

Update:

Trojan-Spy.AndroidOS.Gomal.a uses an old version of the exploit, which is effective on Samsung devices running Android 4.0.4 or earlier. This particular version of the malware could not successfully attack a corporate email client on devices with newer firmware.
So far, we have not seen any attempts to infect our users with the Gomal Trojan. However, even though this sample is not currently active in-the-wild, we detect it so we will be able to block any future attacks by mobile malicious programs based on this proof-of-concept malware.

Tic Tac Toe with a twist

Your email address will not be published. Required fields are marked *

 

  1. Jim

    In your research have you found that the device needs to be ‘rooted’ before the malware can initiate its advanced functions (e.g. dumping of logcat)? Or does this malware effectively root the device as part of its attack?

    Cheers,

    Jim

    1. Snout

      I’m guessing this is answered by the paragraph about halfway through the article….

      …”The package includes an exploit used to obtain root privileges on the Android device. The extended privileges give the app access to various services provided by Linux (the operating system on which Android is based), including the ability to read process memory and /maps.”

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox