June 20, 2011

UPDATE: Security Alert: Android Trojan GGTracker Charges Premium Rate SMS Messages

UPDATE: You can now download the full GGTracker Teardown by Lookout Mobile Security.

The Threat

Lookout has identified a new Android Trojan, GGTracker, which is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan is able to sign up a victim to a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill.

All Lookout Free and Premium users are protected against the GGTracker Trojan. Lookout Safe Browsing (part of Lookout Premium) also detects and blocks access to the URLs involved in serving and operating these malicious applications.

Who is affected?

The Trojan targets users in the United States by interacting with a number of premium SMS subscription services without consent. We believe that Android users are directed to install this Trojan after clicking on a malicious in-app advertisement. If the Trojan is installed, it may subscribe the user to one or several premium rate SMS subscription services. To our knowledge, the malicious application is not found in the Android Market.

How it works

We believe Android users are shown an advertisement that directs them to a malicious website that resembles the Android Market installation screen.

The website entices a user to click through to download and install an application (in one case, a fake battery optimizer packaged as t4t.pwower.management, and in another a porn app packaged as com.space.sexypic). If the user clicks the install button, the malicious app begins to download and a dialog appears directing the user to install it via the download notification.

Once activated, GGTracker registers the victim for premium subscription services that would normally require the user to reply or enter a PIN on a webpage. The Trojan does this by contacting another server in the background. The malicious behavior is driven primarily by the back-end server; the device is used to intercept the crucial confirmation data needed to charge users without their consent. For example, in one of the services a user must typically answer 10 questions, enter a device’s phone number and type a PIN code received via SMS in order to sign up for the premium service. The back-end server component of GGTracker will do all of this in the background without the user’s knowledge, and without the victim being able to see what is happening. Charges may be up to $9.99.

How to Stay Safe

Lookout Free and Premium users are already protected from this Trojan. In addition, with Safe Browsing, a Lookout Premium feature, users will also be warned against visiting the malicious websites. As the frequency of these threats increases, there are a few things you can do to stay safe:

  • After clicking on an advertisement, pay close attention to the page and URL to make sure it matches the website it claimed to have sent you to.
  • Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings. If they claim to have sent you to the Android Market, check to make sure you are actually in the Market before downloading anything.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS messages, strange charges on your phone bill or unusual network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan. For extra protection, make sure your security app can also protect against malicious websites.

You can now download the full GGTracker Teardown by Lookout Mobile Security. If you have questions about this or other malware, feel free to contact us at security-at-lookout.com.

44 comments
  1. Marguerite says:

    Hi Tim, would you please give me the malware sample? And I use it for signature generation purposes for Kingsoft Anti-virus software.

  2. [...] My Lookout alerts us to the new threat, which may have been created by the same group of hackers that was behind [...]

  3. Eric the Grey says:

    This malware has also been seen in combination with apps using an advertisement plug-in (?) in their legitimate free apps. The plug-in is called AirPush. I’ve had to go and remove the apps that were causing this.

    The indication that you have AirPush is a red star with a white dot appearing in your notification area. If you open it, you get directed to these pages and prompted to install.

    There is an “AirPush Detector” in the real droid marketplace that can tell you what applications are using this.

    EtG

  4. [...] | Lookout Blog Related articles: 34 infected apps on the Android Market: here is the full list. Coming soon: the [...]

  5. [...] We’ve already talked about phishing at length on the blog, but let me explain drive-by downloads. Last August, we wrote about an SMS Trojan, in which an innocent-seeming movie player app infected a phone with malware that caused the phone to send expensive text messages without the user’s knowledge.  This type of malware can also infect a phone or compromise user data when the user visits a web page that triggers a download with or without his consent. For example, earlier this week we identified a malicious website that resembles the Android Market installation screen and tricks people into installing an Android Trojan. [...]

  6. Just to be safe, don’t download software you don’t plan to use or mobile applications you are not sure of. With the advent of smarter mobile phones, some of us are enticed to install whatever it is we find cool or attractive, even if we don’t know how to use it or even if it will only clutter our phones.

    Also, some reputable mobile apps repositories or trusted sources can have malicious programs. They’re not 100% malware-free. So just be careful.

  7. [...] to the Lookout blog, GGTracker is a Trojan (a malicious program concealed within otherwise harmless software). Its [...]

  8. [...] Researchers from Lookout Mobile Security are warning users of Android-based mobile devices about a new malicious application that bypasses [...]

  9. [...] this Android Trojan is automatically downloaded to a user’s phone after he or she visits a malicious Web page that imitates the Android Market. According to Lookout, the Trojan is able to sign up victims for a number of premium SMS [...]

  10. [...] be wary of what you click (or tap) while browsing the Web. In late June, mobile security company Lookout discovered malicious advertisements aimed at smartphone users and designed to trick them into installing infected apps. Some types of [...]

  11. [...] browsing the Web. In late June, mobile security company Lookout discovered malicious advertisements aimed at smartphone users and designed to trick [...]

  12. [...] ads that direct users to a malicious website that triggers malware to download automatically. GGTracker was the first mobile malware we’ve encountered to use this tactic. In an Update Attack, an [...]

  13. Kedar says:

    One of the best security suites around for Android. Lookout, keep up the awesome work!

  14. [...] the user after the latter visits a malicious web page imitating the Android Market. According to Lookout, this Trojan is able to subscribe [...]

  15. [...] while browsing the Web. in late June, mobile security company Lookout discovered malicious advertisements aimed at smartphone users and designed to trick them [...]

  16. [...] ATT (T) network, but its still-dominant presence is attracting malware attacks from every side. An Android Trojan called GGTracker has been uncovered, with a new trick up its sleeve. It’s one of the first known instances of a malicious website [...]

  17. [...] Kevin Mahaffey, Lookout’s cofounder, says that battery ads on the game Angry Birds pointed to an app in Google’s Android Market that, when installed, tried to charge users $10 a month by surreptitiously sending out premium text messages via the customer’…. [...]

  31. John says:

    This is a serious issue for anyone having an Android-enabled mobile. You need to make sure that you don’t open such links. I would recommend installing some good antivirus software.

  32. [...] looking for ways to profit from the growing mobile market.  In June, Lookout uncovered and blocked GG Tracker, sophisticated Android malware designed to steal money through premium text messages. This week, [...]

  33. [...] here: The Official Lookout Blog | UPDATE: Security Alert: Android Trojan … Tweet This [...]

  34. [...] more: The Official Lookout Blog | UPDATE: Security Alert: Android Trojan … automatically-downloadedmalicious-webpagetrojan Leave a Reply ? i-Gallery Already the last [...]

  35. [...] used, that malware writer can charge you money. Some instances saw charges of up to $9.99 with the GGTracker Android infection, an attack which focused on US users. More recently, the RuFraud scam was [...]

  36. Enormously educational bless you, I reckon your trusty visitors might probably want a whole lot more well written articles along these lines keep up the excellent effort.

  37. Gabriel Cole says:

    Extremely helpful appreciate it, It looks like your followers could very well want far more blog posts of this nature carry on the good effort.

  38. Billybob says:

    A really good answer, full of ratoiniatly!

  39. na telefon says:

    Nice post. I used to be checking constantly this blog and I am impressed! Very useful info specially the last phase :) I handle such information a lot. I was looking for this certain info for a very lengthy time. Thanks and best of luck.

  40. Just wish to say your article is as amazing. The clearness in your put up is just nice and that i can think you are knowledgeable on this subject. Fine with your permission let me to grasp your feed to stay up to date with imminent post. Thanks one million and please carry on the gratifying work.

  41. [...] example, in the spring of 2011, Lookout identified a Trojan app called GGTracker that was distributed via malicious websites that mirrored the Android Market. Once downloaded it [...]

  42. You should get engaged in a competitors for top-of-the-line blogs on the web. I’ll suggest this site!
