Security Alert: Gamex Trojan Hides in Root-Required Apps - Tricking Users into Downloads

In the past week Lookout has identified Gamex, a new Android Trojan concealed in repackaged versions of legitimate applications that require root access to the phone. Gamex functionality is split across three components that cooperate to infect the device, communicate with its host, and silently install applications on the device. The Trojan was first discovered on alternative markets via Lookout's Mobile Threat Network and so far the overall user impact is currently estimated as low. The threat has been detected and blocked—all Lookout users are protected.

‍How it works

‍Gamex piggybacks on repackaged versions of applications that require root access, such as file managers, ad blockers, and device performance boosters. When a user grants root access to the application, Gamex abuses this privilege to install another application to the device's /system partition to act as a privileged installation service. A third component communicates with a remote server, downloads apps, and triggeres their installation.  Gamex also reports the installation of these applications, along with the IMEI and IMSI, to a remote server. We believe that this information is used to operate and/or report installations to a malicious affiliate app promotion network.If you're interested in the more technical details of how Gamex works, continue reading beyond our tips.Here are some tips to keep your phone secure, against constellation malware such as Gamex

       
• Only download apps from trusted sources, such as reputable app stores and download sites. Read through the permissions, and remember to look at the developer name, reviews and star ratings.
       
• Be alert for unusual behaviors on your phone, which could indicate that your phone is infected. These behaviors may include unusual text messages, strange charges to your phone bill, and suddenly decreased battery life.
       
• Download a mobile security app for your phone that scans every app you download. For extra protection, make sure your security app can also warn you when navigating to unsafe websites.
       
• Make sure to download firmware updates as soon as they are available for your device.

Gamex Technical Summary

‍App Dropper In each sample we've analyzed to-date, the dropper application has been a re-packaged version of a legitimate application that requires root access - including file managers, ad blockers, and performance boosters. When this dropper app is launched, the injected code requests root access and, if granted, copies an embedded package - com.android.setting - to /system/app/ComAndroidSetting.apk. This package is embedded in the repackaged app as assets/logos.png and trivially obfuscated.com.android.settingThis payload contains a broadcast receiver for a custom action intent. The intent is used to activate the payload and to interact with it as a privileged installation service. When starting, this payload reports IMEI, IMSI and what we interpret as a "campaign id" to its C&C as:

<url>/inputex/index.php?s=/Interface/keinter/a1/<IMEI>/a2/<IMSI>/a3/<CMP_PID>.

If not already installed, it installs a third payload - com.android.update – embedded as assets/icon.png and, again, encoded by trivial xor.com.android.update This payload interacts with the C&C service and processes app installation requests, delegating installation to com.android.setting. Its functionality is triggered by a combination of timers and observation of screen state changes.

‍Screen State Broadcast Receiver

‍com.android.update receives SCREEN_ON and SCREEN_OFF broadcasts. When the device screen is turned off, all installed apps are started and communicate with <url>/inputex/index.php?s=/Interface/neiinter/a1/<IMEI>/nam/<app>. If any apps  are started during this process, the device's home screen is launched when SCREEN_ON occurs.Subsequent App Installs

       
• Handler 1 - Every 10 minutes, a call is made to a URL specified in com.android.update's assets/logo.png. This call fetches a page of roughly 10 apps and if they are not currently installed inserts them into a database to be downloaded.
       
• Handler 2 - A separate handler will download an app that hasn't yet been downloaded, but this is conditional on device network state – occurring every 60 seconds on WiFi or 30 minutes otherwise.
       
• Handler 3 – A third handler checks for downloaded apps every 60 seconds. If an application is installed, this handler will sleep for 4 hours before installing a subsequent app.  Installation is delegated to com.android.setting by a broadcast intent.