The new Gorilla Android malware variant steals OTPs via SMS

May 30, 2025

The latest threat to Android users is a newly discovered variant of the Gorilla Android malware. Based on reports, its primary function is to compromise financial and personal information through SMS interception.

Developed in Kotlin, the new malware seems to be in its early stages but already displays advanced capabilities for evasion, establishing persistence, and data extraction.

Researchers noted that the malware’s code is unprotected, featuring excessive logging and unnecessary classes that indicate ongoing development. Despite these rough edges, the malware deliberately requests permissions such as READ_PHONE_STATE and READ_PHONE_NUMBERS.

These permissions allow it to access SIM card details and the device’s phone number, showing its developers’ strategic grasp of Android’s security model.

Moreover, it can bypass battery optimisations and sustain long-term access through Android services, allowing ongoing monitoring without immediate detection.


The new Gorilla Android malware is capable of SMS interception and command-and-control.


One primary function of the new Gorilla Android malware is SMS interception. After setting itself as the default SMS handler, it organises intercepted messages into categories like “Banks” and “Yandex.”

This information is sent back to an attacker-controlled C2 server via WebSockets at the URL ws[:]//$URL/ws/devices/?device_id=$android_id&platform=android.

This communication transmits the collected data and permits the server to issue commands such as sending SMS, changing settings, or collecting device information.

In addition, the malware uses multiple tactics to avoid detection and remain functional. It runs as a foreground service to ensure continued operation, which requires the FOREGROUND_SERVICE permission (T1541 – Foreground Persistence).

Gorilla slows its heartbeat service on devices from brands like Huawei or Honor to evade aggressive battery-saving measures on specific Android devices.

It also prompts users to disregard battery optimisations to guarantee its ongoing function.
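The permission profile described in the article (READ_PHONE_STATE and READ_PHONE_NUMBERS, foreground-service persistence, the prompt to ignore battery optimisations) combined with the default-SMS-handler registration described earlier is something an analyst can check statically in an APK's decoded manifest. The script below is an added example, not the article's or the malware's code: it parses a constructed AndroidManifest.xml, lists which of those permissions are requested, and checks whether the app declares the three intent actions Android requires of a default SMS handler (SMS_DELIVER, WAP_PUSH_DELIVER and RESPOND_VIA_MESSAGE, all real platform constants). It assumes that the battery-optimisation prompt is backed by the standard REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission, which the article does not name explicitly, and the sample manifest and package name are constructed.

```python
"""Static triage of a decoded AndroidManifest.xml for the Gorilla permission profile.

Added example (not the article's or the malware's code). The manifest below is
constructed; run the function against the output of a real decoder such as
apktool to triage a sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions named in the article, plus the standard permission behind the
# "ignore battery optimisations" prompt (assumption: the sample requests it
# explicitly) and the SMS permissions an interceptor needs.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE": "SIM/device identity",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.FOREGROUND_SERVICE": "foreground persistence (T1541)",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery-optimisation bypass",
    "android.permission.RECEIVE_SMS": "SMS reception",
    "android.permission.READ_SMS": "SMS reading",
    "android.permission.SEND_SMS": "SMS sending (C2 command)",
}

# An app is only eligible to become the default SMS handler if it declares
# handlers for all of these actions (platform constants, not constructed).
SMS_HANDLER_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

# Constructed manifest resembling the profile described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".RespondService" android:exported="true"
             android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison: a simple networked app.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Report suspicious permissions and default-SMS-handler eligibility."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    hits = {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in requested}
    actions = {a.get(NAME_ATTR) for a in root.iter("action")}
    sms_handler = SMS_HANDLER_ACTIONS.issubset(actions)
    # Heuristic score: one point per flagged permission, three for SMS-handler
    # eligibility, which is rare outside genuine messaging apps.
    score = len(hits) + (3 if sms_handler else 0)
    return {"permissions": hits, "default_sms_handler": sms_handler, "score": score}


if __name__ == "__main__":
    for label, manifest in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        report = triage_manifest(manifest)
        print(f"{label}: score={report['score']} sms_handler={report['default_sms_handler']}")
        for perm, why in report["permissions"].items():
            print(f"  {perm}: {why}")
```

The score is a triage aid, not a verdict: a legitimate messaging app will also be SMS-handler eligible and request SMS permissions, so the combination that matters is SMS-handler eligibility together with phone-identity and persistence permissions in an app whose stated purpose does not call for them.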

Furthermore, tags such as “State Authority” and “Important” in its C2 panel imply that Gorilla may aim for more than financial theft, as it might also engage in espionage or surveillance activities.

Researchers noted that an unused WebViewActivity class in its code suggests potential plans for phishing attacks, in which a WebView would display fraudulent banking login pages to harvest user credentials.

Although Gorilla is still in its developmental stage, its future development could present serious threats if more sophisticated features are added.

Security researchers need to watch its evolution closely, as upcoming versions may introduce capabilities for capturing one-time passwords (OTP) or executing phishing attacks using advanced techniques.
