Palo Alto Networks’ threat intelligence team, Unit 42, has just uncovered “Gunpoder” – a new family of Android malware that evades all antivirus products on the VirusTotal web service.
Until recently, antivirus engines classified Gunpoder as “benign” or “adware”, which shows how fine the line between adware and malware can be.
Unit 42 named the family “Gunpoder” after its main malicious component, and observed 49 unique samples across three different variants. The finding highlights the distinction between “adware,” which antivirus products traditionally do not block, and malware, which can cause real harm.
Samples of Gunpoder have been uploaded to VirusTotal since November 2014, and every antivirus engine has reported either a “benign” or an “adware” verdict, so legacy controls would not have prevented installation. While researching the sample, we found that although it has many characteristics of adware, and indeed embeds a popular adware library, it also performs a number of overtly malicious activities that we believe make it malware rather than adware, including:
- Collecting sensitive information from users
- Propagating itself via SMS message
- Potentially pushing fraudulent advertisements
- Ability to execute additional payloads
Gunpoder targets Android users in at least 13 different countries, including Iraq, Thailand, India, Indonesia, South Africa, Russia, France, Mexico, Brazil, Saudi Arabia, Italy, the United States, and Spain. One interesting observation from the reverse engineering of Gunpoder is that this new Android family only propagates among users outside of China.
The full research findings are available from Unit 42.