Android malware uses ad framework to hide in Nintendo gaming app
Wed 8 Jul 2015
A new strain of Android virus attacks through Nintendo games, stealing personal data from the user and making them pay for the application, according to cybersecurity experts Palo Alto Networks.
The malware family, which the firm has dubbed Gunpoder, includes three variants which disguise themselves as an open source Nintendo Entertainment System emulator app used to play classic Nintendo games from the 80s and early 90s on mobile devices. The ‘app’ is available across third-party app stores.
Chong Zheng and Zhi Xu of Palo Alto’s Unit 42 research department explained that anti-malware systems were struggling to identify Gunpoder’s malicious code as it is packaged with adware library Airpush.
“The malware samples successfully use these advertisement libraries to hide malicious behaviours from detection by antivirus engines,” they said. “While antivirus engines may flag Gunpoder as being adware, by not flagging it as being overtly malicious, most engines will not prevent Gunpoder from executing,” they added.
Gunpoder can carry out a number of malicious actions, such as gathering browser bookmarks and history, spreading itself by sending SMS messages to other devices, displaying fake adverts and executing other malicious code on the infected Android device.
“They’re trying to build a profile of people so they can target them for spear phishing or other malicious activity in the future,” said Palo Alto senior threat intelligence manager Scott Simkin.
When users launch a Gunpoder app they are presented with a fraudulent emulator licence costing between $0.20 and $0.49 (£0.13 – £0.32) payable via PayPal or online payment platform Skrill.
Gunpoder’s targets currently seem to reside in Brazil, Mexico, the U.S., Thailand, India, Indonesia, Iraq, Russia, France, Saudi Arabia, South Africa, Italy and Spain, according to Palo Alto.
The researchers added that the virus was programmed not to send itself to a saved contact if the user is based in China.