Android malware disguises itself as adware

SINGAPORE - A new family of Android malware is evading detection by anti-virus products by pretending to be adware.

Palo Alto Networks said in a statement today (July 13) that this malware family, which it has dubbed "Gunpoder" based on the name of the main malicious component, targets Android users in at least 13 countries, including Thailand, India, Indonesia, Italy, the United States, and Spain.

Palo Alto said in a blog that an "interesting observation from the reverse engineering of Gunpoder is that this new Android family only propagates among users outside of China".

Anti-virus engines have been reporting Gunpoder samples uploaded to VirusTotal since November last year as "benign" or "adware", the researchers reported. VirusTotal is a free online service that analyses files and URLs to detect viruses, worms, trojans and other malware.

The researchers said that Gunpoder "contained many characteristics of adware" and "embeds a popular adware library within". However, they also discovered "overtly malicious activities" such as collecting sensitive information from users, propagating itself through SMS messages, potentially pushing fraudulent advertisements, and having the ability to "execute additional payloads".

Because the malware masquerades as adware, anti-virus engines will fail to stop the malicious code from running, said the researchers.

The researchers said in their blog that infected users could face large telephone bills, caused by the malware sending SMS messages.