Kaspersky Lab has detected a new mobile Trojan that targets Android devices while camouflaged as an innocent game of Tic-Tac-Toe (noughts and crosses).
The Gomal Trojan collects info about the devices it infects and sends all that data to its master server. But this malicious programme also has new functions that are rarely seen in this type of malware.
Gomal has all the usual spyware functionality. It can record sounds, process calls and steal SMS. In addition it possesses mechanisms that provide access to various Linux services, attacking the operating system on which Android is based. In particular, the Trojan can read the process memory, jeopardising many communication applications. For example, it can steal emails from Good for Enterprise. That application is positioned as a secure email client for corporate use, so data theft here could mean serious problems for the company where the device owner works.
“This seemingly harmless game of TicTacToe gives cybercriminals access to an enormous amount of the user’s personal data and corporate data belonging to his employer,” says Anton Kivva, antivirus analyst at Kaspersky Lab. “The techniques used by Gomal were originally implemented in Windows Trojans, but now we can see they have moved on to Android malware.
“What’s more alarming is that this technique can be adapted to steal data from other applications as well as Good for Enterprise – it is likely that a range of mobile malware designed to attack popular email clients, messengers and other programmes will appear in the near future.”
To reduce the risk of infection by mobile malware, Kaspersky offers the following advice for users:
* Do not activate the “Install applications from third-party sources” option;
* Only install applications from official channels (Google Play, Amazon Store, etc);
* When installing new apps, carefully study which rights they request;
* If the requested rights do not correspond with the app’s intended functions, do not install the app; and
* Use protection software.
* The following communication has been received from Karen Reynolds, vice-president: corporate communications at Good Technology, in response to the above article:
On Friday, a blog from Kaspersky Lab was posted, warning of a ‘new’ Android Malware from Gomal developers, called TicTacToe. This TicTacToe app is, in fact, not a new app at all but was a proof-of-concept app that Lacoon Mobile Security originally presented at BlackHat 2013, without the cooperation of Good Technology.
Friday’s blog inaccurately stated that the proof-of-concept app was introduced onto an Android device and affected only Good for Enterprise. What the post neglected to mention was that Lacoon’s original demo was only effective in one of two cases:
* In the face of the Samsung Exynos memory access bug (CVE-2012-6422), which was patched by Samsung more than a year and a half ago; and
* If the app was granted universal permission to read all physical memory, meaning that the device needed to be already ‘rooted’.
The rooting of the device and granting of the necessary privileges can be detected by Good’s root detection technology. The default settings in Good Technology solutions have root detection enabled, and Good strongly recommends using this capability in its documentation. This attack is therefore ineffective in recommended deployments of Good’s products. The post also failed to mention that this attack would apply to any mobile application, not just Good for Enterprise.
The blog post that the SC Magazine article is based on is misleading, both because this is not real malware and because this proof-of-concept attack is impotent in normal deployments. Furthermore, this supposed malware is also not publicly available or ‘in the wild’ for hackers to use but has only been deployed in test environments.
Lacoon and Good Technology have worked closely together since the original 2013 presentation was presented, as both companies understand the importance of making the mobile world a safer place for the enterprise.
