{"id":6205,"date":"2012-02-29T17:36:30","date_gmt":"2012-03-01T00:36:30","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=6205"},"modified":"2018-01-30T10:40:26","modified_gmt":"2018-01-30T17:40:26","slug":"an-evolution-of-android-malware-when-stealing-data-isnt-enough-meet-gomanag-part-2","status":"publish","type":"post","link":"https://www.webroot.com/blog/2012\/02\/29\/an-evolution-of-android-malware-when-stealing-data-isnt-enough-meet-gomanag-part-2\/","title":{"rendered":"An Evolution of Android Malware \u201cWhen stealing data isn\u2019t enough meet…GoManag …\u201c (Part 2)"},"content":{"rendered":"

In our continued series of how Android malware authors continue adding functionality to their work we take a look at GoManag. First seen last year, targeting Chinese speakers, GoManag is a Trojan that installs as a service so it can run in the background, collects device information and downloads payloads.\u00a0 Its odd name comes from part of a URL it attempts to contact to.<\/p>\n

Malicious GoManag app running in the background as the name \u201cGoogle Search (Enhanced)\u201d<\/p>\n

\"\"<\/a><\/p>\n

The first variant contained the following permissions:<\/p>\n

ACCESS_NETWORK_STATE<\/p>\n

INTERNET<\/p>\n

WAKE_LOCK<\/p>\n

READ_SMS<\/p>\n

WRITE_EXTERNAL_STORAGE<\/p>\n

READ_PHONE_STATE<\/p>\n

It has functionality to do the following things in the background:<\/p>\n

-read text messages<\/p>\n

\"\"<\/a><\/p>\n

– Uninstall security app 360Safe<\/p>\n

\"\"<\/a><\/p>\n

-Get phone information<\/p>\n

\"\"<\/a><\/p>\n

– Download and install APKs<\/p>\n

\"\"<\/a><\/p>\n

The newer variant contains the same permissions as the first, but with these added permissions:<\/p>\n

ACCESS_WIFI_STATE<\/p>\n

CHANGE_WIFI_STATE<\/p>\n

RECEIVE_SMS<\/p>\n

SEND_SMS<\/p>\n

WRITE_APN_SETTINGS<\/p>\n

WRITE_SMS<\/p>\n

The new variant does adds to the existing functionality of the previous version:<\/p>\n

– Send SMS<\/p>\n

\"\"<\/a><\/p>\n

– Collects sent SMS Addresses<\/p>\n

\"\"<\/a><\/p>\n

– Blacklist Numbers<\/p>\n

\"\"<\/a><\/p>\n

– Delete Addresses<\/p>\n

\"\"<\/a><\/p>\n

– Uninstall APKs<\/p>\n

\"\"<\/a><\/p>\n

In just a couple of months the capabilities of this spyware has grown quite a bit.\u00a0 Something like this is hard to spot running on your Android device.\u00a0 Would you think something called \u201cGoogle Search (Enhanced)\u201d would be malicious?\u00a0 This is where it’s important to have Webroot SecureAnywhere installed on your Android device to be able detect this well hidden spyware and other malicious apps like it.<\/p>\n

If you’re attending the RSA conference this week in San Francisco and want to know more about the process behind Andorid malware stop by room 104 at\u00a010:40 a.m. on day 4 of the conference (Thursday, March 1st) to see\u00a0Senior Threat Research Analyst Armando Orozco and Webroot’s Manager of Threat Research, Grayson Milbourne present\u00a0“Cracking Open the Phone: An Android Malware Automated Analysis Primer”. Hope to see you there!<\/p>\n","protected":false},"excerpt":{"rendered":"

In our continued series of how Android malware authors continue adding functionality to their work we take a look at GoManag. First seen last year, targeting Chinese speakers, GoManag is a Trojan that installs as a service so it can run in the background, collects device information and downloads payloads.\u00a0 Its odd name comes from […]<\/p>\n","protected":false},"author":65,"featured_media":17051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4037,8631,8629,9119,10249,10251,3615,10247,10245,4359,10241,3557,4065,3477,5247,10001,10243,4061,3471,5439],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6205"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=6205"}],"version-history":[{"count":3,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6205\/revisions"}],"predecessor-version":[{"id":13657,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/6205\/revisions\/13657"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17051"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=6205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=6205"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=6205"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=6205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}