An Evolution of Android Malware “When stealing data isn’t enough meet…GoManag …“ (Part 2)


In our continuing series on how Android malware authors keep adding functionality to their work, we take a look at GoManag. First seen last year, targeting Chinese speakers, GoManag is a Trojan that installs as a service so it can run in the background, collects device information and downloads payloads. Its odd name comes from part of a URL it attempts to contact.

Malicious GoManag app running in the background as the name “Google Search (Enhanced)”

The first variant contained the following permissions:

ACCESS_NETWORK_STATE

INTERNET

WAKE_LOCK

READ_SMS

WRITE_EXTERNAL_STORAGE

READ_PHONE_STATE

It has functionality to do the following things in the background:

- Read text messages

- Uninstall security app 360Safe

- Get phone information

- Download and install APKs

The newer variant contains the same permissions as the first, but with these added permissions:

ACCESS_WIFI_STATE

CHANGE_WIFI_STATE

RECEIVE_SMS

SEND_SMS

WRITE_APN_SETTINGS

WRITE_SMS

The new variant adds to the existing functionality of the previous version:

- Send SMS

- Collects sent SMS Addresses

- Blacklist Numbers

- Delete Addresses

- Uninstall APKs
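
One way a defender can surface this kind of capability growth between two versions of an app is to diff the permissions declared in their decoded manifests. The Python below is an added example, not code from the original post; the manifests are constructed from the permission lists above, and the package name and review groups are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permission lists as given in the post for the two variants.
V1_PERMS = ["ACCESS_NETWORK_STATE", "INTERNET", "WAKE_LOCK", "READ_SMS",
            "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE"]
V2_PERMS = V1_PERMS + ["ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE", "RECEIVE_SMS",
                       "SEND_SMS", "WRITE_APN_SETTINGS", "WRITE_SMS"]

# Assumption: groups a reviewer might want called out; not from the post.
REVIEW_GROUPS = {
    "sms": {"READ_SMS", "RECEIVE_SMS", "SEND_SMS", "WRITE_SMS"},
    "network-config": {"CHANGE_WIFI_STATE", "WRITE_APN_SETTINGS"},
}


def build_manifest(perms):
    """Constructed sample input: a decoded AndroidManifest.xml (placeholder package)."""
    rows = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.placeholder">{rows}</manifest>')


def permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    names = set()
    for el in ET.fromstring(manifest_xml).iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        # Strip the platform prefix; keep custom (vendor) permissions in full.
        names.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    names.discard("")  # ignore malformed entries with no android:name
    return names


def diff_update(old_xml, new_xml):
    """Report permissions gained or lost between two versions of an app."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    flagged = {g: sorted(added & m) for g, m in REVIEW_GROUPS.items() if added & m}
    return {"added": sorted(added), "removed": sorted(old - new), "flagged": flagged}


if __name__ == "__main__":
    report = diff_update(build_manifest(V1_PERMS), build_manifest(V2_PERMS))
    for key, value in report.items():
        print(f"{key}: {value}")
```
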

In just a couple of months the capabilities of this spyware have grown quite a bit. Something like this is hard to spot running on your Android device. Would you think something called “Google Search (Enhanced)” would be malicious? This is where it’s important to have Webroot SecureAnywhere installed on your Android device to be able to detect this well-hidden spyware and other malicious apps like it.

If you’re attending the RSA conference this week in San Francisco and want to know more about the process behind Android malware, stop by room 104 at 10:40 a.m. on day 4 of the conference (Thursday, March 1st) to see Senior Threat Research Analyst Armando Orozco and Webroot’s Manager of Threat Research, Grayson Milbourne, present “Cracking Open the Phone: An Android Malware Automated Analysis Primer”. Hope to see you there!





About the Author

Name: Nathan Collier
Role: Threat Team Member


Nathan is a Senior Threat Research Analyst for Webroot, having been with the company since October 2009. He started his career working on PC malware, but now spends most of his time in the mobile landscape researching malware on Android devices. Because of his early adaptation to mobile security, Nathan has seen the exponential growth of mobile malware and is highly experienced in protecting Webroot customers from mobile threats. He also enjoys frequently traveling with his flight attendant wife, Megan, and is a competitive endurance mountain bike racer in Colorado.

