Thursday, May 1, 2025
HomeCyber Security NewsGorilla Android Malware Intercepts SMS to Steal One-Time Passwords

Gorilla Android Malware Intercepts SMS to Steal One-Time Passwords

Published on

SIEM as a Service

Follow Us on Google News

In a concerning development within the Android ecosystem, a new malware variant known as “Gorilla” has been identified, primarily targeting financial and personal information through SMS interception.

Written in Kotlin, Gorilla appears to be in its developmental infancy, yet it already showcases sophisticated mechanisms for evasion, persistence, and data extraction.

Gorilla’s code lacks obfuscation and includes excessive logging and unused classes, hallmarks of a software still under active development.

- Advertisement - Google News

Despite these rudimentary aspects, the malware has demonstrated a strategic understanding of Android’s security model by requesting permissions like READ_PHONE_STATE and READ_PHONE_NUMBERS, enabling it to access SIM card details and phone numbers.

Its ability to bypass battery optimizations and maintain persistent access through Android services underscores its potential for long-term monitoring without raising immediate suspicion.

SMS Interception and Command & Control

One of the Gorilla’s core functionalities is its focus on SMS interception (T1582 – SMS Control).

After promoting itself to the default SMS handler, it categorizes collected messages into tags like “Banks” and “Yandex,” indicating its primary focus on financial transactions.

This data is then relayed back to a command and control (C2) server via WebSockets at the URL ws://$URL/ws/devices/?device_id=$android_id&platform=android.

Gorilla Android Malware
Command and Control panel of the Gorilla.

This communication not only sends back the harvested information but also allows the server to push commands like sending SMS, updating settings, or retrieving device information.

Stealth and Persistence

Gorilla employs various strategies to remain undetected and operational. It uses foreground services to maintain execution, which requires the FOREGROUND_SERVICE permission (T1541 – Foreground Persistence).

To circumvent aggressive battery-saving features prevalent in some Android devices, Gorilla delays its heartbeat service execution, particularly on devices from brands like Huawei or Honor.

Gorilla Android Malware
Apps section of victim device.

Moreover, it is cleverly asks users to ignore battery optimizations, ensuring it can keep running.

The presence of tags like “State Authority” and “Important” within its C2 panel suggests Gorilla might not just be after financial gain but could also serve espionage or surveillance purposes.

According to the Catalyst researchers, the inclusion of an unused WebViewActivity class hints at potential future uses for phishing attacks, exploiting WebView to display fraudulent banking login pages to harvest credentials.

While Gorilla is in its nascent stages, its evolution could pose significant threats if additional features are implemented.

Security researchers must continue monitoring its development closely, as future iterations might introduce methods to capture one-time passwords (OTP) or deploy phishing attacks through sophisticated means like USSD codes.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Managing Shadow IT Risks – CISO’s Practical Toolkit

Managing Shadow IT risks has become a critical challenge for Chief Information Security Officers...

Application Security in 2025 – CISO’s Priority Guide

Application security in 2025 has become a defining concern for every Chief Information Security...

Preparing for Quantum Cybersecurity Risks – CISO Insights

Quantum cybersecurity risks represent a paradigm shift in cybersecurity, demanding immediate attention from Chief...

Securing Digital Transformation – CISO’s Resource Hub

In today’s hyper-connected world, securing digital transformation is a technological upgrade and a fundamental...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Netgear EX6200 Flaw Enables Remote Access and Data Theft

Security researchers have disclosed three critical vulnerabilities in the Netgear EX6200 Wi-Fi range extender...

Tesla Model 3 VCSEC Vulnerability Lets Hackers Run Arbitrary Code

A high security flaw in Tesla’s Model 3 vehicles, disclosed at the 2025 Pwn2Own...

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...