An Android trojan specialized in showing unwanted ads has managed to infect the firmware of 40 low-end Android smartphones, and even a few popular applications, some of them created by cyber-security vendors.
The trojan, named Android.Gmobi.1, or just Gmobi, was discovered this month by Dr.Web security researchers, who pinpointed its origin to a software development kit (SDK) that the developers of the affected firmware images and Android apps used to automate some features inside their products.
Dr.Web didn't provide the name of the SDK but said it helped developers automate the task of showing notifications on an Android smartphone.
Gmobi is specialized in showing ads
The way the trojan operates is simple. Once the device is connected to the Internet or wakes up after being asleep for more than a minute, it will start collecting information on the device and send it to a C&C server.
This includes details such as the user's emails, roaming availability, GPS coordinates, mobile network data, device technical details, and whether the user has Google Play installed on the device.
Once these details reach the server, it replies with commands to update the local ads database, add shortcuts for various advertisements on the home screen, display an ad via a notification box, show a notification that when tapped starts an app, or install another app covertly, if the app/firmware through which the trojan operates has the necessary privileges.
Gmobi can show ads in the status bar, via dialogs, interactive dialogs, on top of other apps, on top of the screen (if no app is running), or launch a local browser or Google Play to a specified page.
Removing the trojan is impossible in some cases
Unfortunately, because the trojan is directly embedded in the firmware, removing this threat via an antivirus or by uninstalling the firmware might alter normal OS behavior. For these cases, users have to wait for OEMs to issue new versions of their firmware.
As for the apps where the SDK was used, Dr.Web says that they've informed the developers, and most of them have patched or are in the process of updating their code. The researchers did give out the name of one of the smartphones where Gmobi was detected, which is Micromax AQ5001.
Affected apps included two Trend Micro apps, Dr. Safety and Dr. Booster, and the ASUS WebStorage apps. Dr.Web says that Trend Micro has already patched their applications.
Saturday, March 19, 2016