June 20, 2011

UPDATE: Security Alert: Android Trojan GGTracker Charges Premium Rate SMS Messages

UPDATE: You can now download the full GGTracker Teardown by Lookout Mobile Security.

The Threat

Lookout has identified a new Android Trojan, GGTracker, which is automatically downloaded to a user’s phone after the user visits a malicious webpage that imitates the Android Market. The Trojan is able to sign up a victim for a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill.

All Lookout Free and Premium users are protected against the GGTracker Trojan. Lookout Safe Browsing (part of Lookout Premium) also detects and blocks access to the URLs involved in serving and operating these malicious applications.

Who is affected?

The Trojan targets users in the United States by interacting with a number of premium SMS subscription services without consent. We believe that Android users are directed to install this Trojan after clicking on a malicious in-app advertisement. If the Trojan is installed, it may subscribe the user to one or several premium rate SMS subscription services. To our knowledge, the malicious application is not found in the Android Market.

How it works

We believe Android users are shown an advertisement that directs them to a malicious website that resembles the Android Market installation screen.

The website entices a user to click through to download and install an application (in one case, a fake battery optimizer packaged as t4t.pwower.management, and in another a porn app packaged as com.space.sexypic). If the user clicks the install button, the malicious app begins to download and a dialog appears directing the user to install it via the download notification.

Once activated, GGTracker registers the victim for premium subscription services that would normally require the user to reply or enter a PIN on a webpage. The Trojan does this by contacting another server in the background. The malicious behavior is driven primarily by the back-end server; the device is used to intercept the confirmation data needed to charge users without their consent. For example, to sign up for one of the services a user must typically answer 10 questions, enter the device’s phone number and type a PIN code received via SMS. The back-end server component of GGTracker does all of this in the background, without the user’s knowledge and without the victim being able to see what is happening. Charges may be up to $9.99.
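As an added example (not code from Lookout or from the teardown), the following triage sketch flags the two package names given above and any app installed from outside the Market that can both read incoming SMS and reach the network. The inventory format, the sample entries and the permission pairing are assumptions made for illustration; the article does not list the permissions GGTracker requests.

```python
# Added example: triage an app inventory for GGTracker-style indicators.
# The "package|installer|permissions" format and all entries are constructed.

# Package names reported in the article above.
KNOWN_BAD_PACKAGES = {"t4t.pwower.management", "com.space.sexypic"}
# Installer id recorded for apps installed through the official Market client.
MARKET_INSTALLER = "com.android.vending"
# Assumption (not stated in the article): intercepting a confirmation SMS
# needs RECEIVE_SMS, and contacting a back-end server needs INTERNET.
RISKY_COMBO = {"android.permission.RECEIVE_SMS", "android.permission.INTERNET"}

SAMPLE_INVENTORY = """\
com.example.notes|com.android.vending|android.permission.INTERNET
t4t.pwower.management|null|android.permission.INTERNET,android.permission.RECEIVE_SMS
com.example.flashlight|null|android.permission.CAMERA
com.example.freegame|null|android.permission.INTERNET,android.permission.RECEIVE_SMS
com.example.messenger|com.android.vending|android.permission.INTERNET,android.permission.RECEIVE_SMS
"""

def parse_inventory(text):
    """Parse 'package|installer|perm,perm' lines into dicts."""
    apps = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        pkg, installer, perms = parts
        apps.append({
            "package": pkg,
            "installer": None if installer in ("", "null") else installer,
            "permissions": {p for p in perms.split(",") if p},
        })
    return apps

def triage(apps):
    """Return {package: [reasons]} for apps that deserve a closer look."""
    findings = {}
    for app in apps:
        reasons = []
        if app["package"] in KNOWN_BAD_PACKAGES:
            reasons.append("known GGTracker package name")
        sideloaded = app["installer"] != MARKET_INSTALLER
        if sideloaded and RISKY_COMBO <= app["permissions"]:
            reasons.append("sideloaded app can read incoming SMS and reach the network")
        if reasons:
            findings[app["package"]] = reasons
    return findings

if __name__ == "__main__":
    for pkg, reasons in triage(parse_inventory(SAMPLE_INVENTORY)).items():
        print(pkg, "->", "; ".join(reasons))
```

The permission heuristic only marks candidates for review; legitimate sideloaded apps can hold the same permissions.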

How to Stay Safe

Lookout Free and Premium users are already protected from this Trojan. In addition, with Safe Browsing, a Lookout Premium feature, users will also be warned against visiting the malicious websites. As the frequency of these threats increases, there are a few things you can do to stay safe:

  • After clicking on an advertisement, pay close attention to the page and URL to make sure it matches the website it claimed to have sent you to.
  • Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings. If they claim to have sent you to the Android Market, check to make sure you are actually in the Market before downloading anything.
  • Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS messages, strange charges on your phone bill or unusual network activity.
  • Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan. For extra protection, make sure your security app can also protect against malicious websites.

You can now download the full GGTracker Teardown by Lookout Mobile Security. If you have questions about this or other malware, feel free to contact us at security-at-lookout.com.

  1. Marguerite says:

    Hi Tim, would you please give me the malware sample? And I use it for signature generation purposes for Kingsoft Anti-virus software.

  2. Eric the Grey says:

    This malware has also been seen in combination with apps using an advertisement plug-in (?) in their legitimate free apps. The plug-in is called AirPush. I’ve had to go and remove the apps that were causing this.

    The indication that you have AirPush is a red star with a white dot appearing in your notification area. If you open it, you get directed to these pages and prompted to install.

    There is an “AirPush Detector” in the real droid marketplace that can tell you what applications are using this.


  3. Just to be safe, don’t download software you don’t plan to use or mobile applications you are not sure of. With the advent of smarter mobile phones, some of us are enticed to install whatever it is we find cool or attractive, even if we don’t know how to use it or even if it will only clutter our phones.

    Also, some reputable mobile apps repositories or trusted sources can have malicious programs. They’re not 100% malware-free. So just be careful.

  4. […] ads that direct users to a malicious website that triggers malware to download automatically. GGTracker was the first mobile malware we’ve encountered to use this tactic. In an Update Attack, an […]

  5. Kedar says:

    One of the best security suites around for Android. Lookout, keep up the awesome work!

  6. Vayne says:

    The person and company behind this is Lucas Brown and Lee Brown from HasOffers.com. They’ve been scamming Mobile for a very long time and now they’re doing it with their new company HasOffers.com which is another scam.

  7. […] Kevin Mahaffey, Lookout’s cofounder, says that battery ads on the game Angry Birds pointed to an app in Google’s Android Market that, when installed, tried to charge users $10 a month by surreptitiously sending out premium text messages via the customer’…. […]

  9. John says:

    This is a serious issue for anyone having android enabled mobile. You need to make sure that you don’t open such links. I would recommend installing some good antivirus softwares.

  10. Enormously educational bless you, I reckon your trusty visitors might probably want a whole lot more well written articles along these lines keep up the excellent effort.

  11. Gabriel Cole says:

    Extremely helpful appreciate it, It looks like your followers could very well want far more blog posts of this nature carry on the good effort.

  12. Billybob says:

    A really good answer, full of ratoiniatly!

  13. na telefon says:

    Nice post. I used to be checking constantly this blog and I am impressed! Very useful info specially the last phase 🙂 I handle such information a lot. I was looking for this certain info for a very lengthy time. Thanks and best of luck.

  14. Just wish to say your article is as amazing. The clearness in your put up is just nice and that i can think you are knowledgeable on this subject. Fine with your permission let me to grasp your feed to stay up to date with imminent post. Thanks one million and please carry on the gratifying work.

  15. You should get engaged in a competitors for top-of-the-line blogs on the web. I’ll suggest this site!