Gorilla Android Malware Intercepts SMS to Steal One-Time Passwords

In a concerning development within the Android ecosystem, a new malware variant known as “Gorilla” has been identified, primarily targeting financial and personal information through SMS interception.

Written in Kotlin, Gorilla appears to be in its developmental infancy, yet it already showcases sophisticated mechanisms for evasion, persistence, and data extraction.

Gorilla’s code lacks obfuscation and includes excessive logging and unused classes, hallmarks of a software still under active development.

Despite these rudimentary aspects, the malware has demonstrated a strategic understanding of Android’s security model by requesting permissions like READ_PHONE_STATE and READ_PHONE_NUMBERS, enabling it to access SIM card details and phone numbers.

Its ability to bypass battery optimizations and maintain persistent access through Android services underscores its potential for long-term monitoring without raising immediate suspicion.

SMS Interception and Command & Control

One of the Gorilla’s core functionalities is its focus on SMS interception (T1582 – SMS Control).

After promoting itself to the default SMS handler, it categorizes collected messages into tags like “Banks” and “Yandex,” indicating its primary focus on financial transactions.

This data is then relayed back to a command and control (C2) server via WebSockets at the URL ws://$URL/ws/devices/?device_id=$android_id&platform=android.

This communication not only sends back the harvested information but also allows the server to push commands like sending SMS, updating settings, or retrieving device information.

Stealth and Persistence

Gorilla employs various strategies to remain undetected and operational. It uses foreground services to maintain execution, which requires the FOREGROUND_SERVICE permission (T1541 – Foreground Persistence).

To circumvent aggressive battery-saving features prevalent in some Android devices, Gorilla delays its heartbeat service execution, particularly on devices from brands like Huawei or Honor.

Moreover, it is cleverly asks users to ignore battery optimizations, ensuring it can keep running.

The presence of tags like “State Authority” and “Important” within its C2 panel suggests Gorilla might not just be after financial gain but could also serve espionage or surveillance purposes.

According to the Catalyst researchers, the inclusion of an unused WebViewActivity class hints at potential future uses for phishing attacks, exploiting WebView to display fraudulent banking login pages to harvest credentials.

While Gorilla is in its nascent stages, its evolution could pose significant threats if additional features are implemented.

Security researchers must continue monitoring its development closely, as future iterations might introduce methods to capture one-time passwords (OTP) or deploy phishing attacks through sophisticated means like USSD codes.

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!