December 11, 2011
Security Alert: Android Trojan GGTracker Charges Premium Rate SMS Messages
The threat
Lookout has identified a new Android Trojan, GGTracker, which is automatically downloaded to a user’s phone after visiting a malicious webpage that imitates the Android Market. The Trojan is able to sign-up a victim to a number of premium SMS subscription services without the user’s consent. This can lead to unapproved charges to a victim’s phone bill.All Lookout Free and Premium users are protected against the GGTracker Trojan. Lookout Safe Browsing (part of Lookout Premium) also detects and blocks access to the URLs involved in serving and operating these malicious applications.
Who is affected?
The Trojan targets users in the United States by interacting with a number of premium SMS subscription services without consent. We believe that Android users are directed to install this Trojan after clicking on a malicious in-app advertisement. If the Trojan is installed, it may subscribe the user to one or several premium rate SMS subscription services. To our knowledge, the malicious application is not found in the Android Market.
How it works
We believe Android users are shown an advertisement that directs them to a malicious website that resembles the Android Market installation screen.The website entices a user to click-through to download and install an application (in one case, a fake battery optimizer packaged as t4t.pwower.management, and in another a porn app packaged as com.space.sexypic). If the user clicks the install button, the malicious app will begin to download and dialogue appears to direct the user to install via the download notification.Once activated, GGTracker registers the victim for premium subscription services that would normally require the user to reply or enter a pin on a webpage. The Trojan does this by contacting another server in the background. Malicious behavior is primarily driven on the back-end server with the device used to intercept crucial confirmation data in order to charge users without their consent. For example, in one of the services a user must typically answer 10 questions, enter a device's phone number and type a PIN code received via SMS in order to sign up for the premium service. The back-end server component of GGTracker will do all of this in the background without the user’s knowledge, or even the ability for the victim to see what’s happening. Charges may be up to $9.99.
Lookout Free and Premium users are already protected from this Trojan. In addition, with Safe Browsing, a Lookout Premium feature, users will also be warned against visiting the malicious websites. As the frequency of these threats increase, there are a few things you can do to stay safe:
- After clicking on an advertisement, pay close attention to the page and URL to make sure it matches the website it claimed to have sent you to.
- Only download apps from trusted sources, such as reputable app stores and download sites. Remember to look at the developer name, reviews, and star ratings. If they claim to have sent you to the Android Market, check to make sure you are actually in the Market before downloading anything.
- Be alert for unusual behavior on your phone. This behavior could be a sign that your phone is infected. These behaviors may include unusual SMS messages, strange charges on your phone bill or unusual network activity.
- Download a mobile security app for your phone that scans every app you download to ensure it’s safe. Lookout users automatically receive protection against this Trojan. For extra protection, make sure your security app can also protect against malicious websites.
You can now download the full GGTracker Teardown by Lookout Mobile Security. If you have questions about this or other malware, feel free to contact us at security-at-lookout.com.