Cyber Security News

Gorilla Android Malware Intercepts SMS to Steal One-Time Passwords

In a concerning development within the Android ecosystem, a new malware variant known as “Gorilla” has been identified, primarily targeting financial and personal information through SMS interception.

Written in Kotlin, Gorilla appears to be in its developmental infancy, yet it already showcases sophisticated mechanisms for evasion, persistence, and data extraction.

Gorilla’s code lacks obfuscation and includes excessive logging and unused classes, hallmarks of software still under active development.

Despite these rudimentary aspects, the malware has demonstrated a strategic understanding of Android’s security model by requesting permissions like READ_PHONE_STATE and READ_PHONE_NUMBERS, enabling it to access SIM card details and phone numbers.

Its ability to bypass battery optimizations and maintain persistent access through Android services underscores its potential for long-term monitoring without raising immediate suspicion.

SMS Interception and Command & Control

One of Gorilla’s core functionalities is its focus on SMS interception (T1582 – SMS Control).

After promoting itself to the default SMS handler, it categorizes collected messages into tags like “Banks” and “Yandex,” indicating its primary focus on financial transactions.

This data is then relayed back to a command and control (C2) server via WebSockets at the URL ws://$URL/ws/devices/?device_id=$android_id&platform=android.

Command and Control panel of the Gorilla.

This communication not only sends back the harvested information but also allows the server to push commands like sending SMS, updating settings, or retrieving device information.

Stealth and Persistence

Gorilla employs various strategies to remain undetected and operational. It uses foreground services to maintain execution, which requires the FOREGROUND_SERVICE permission (T1541 – Foreground Persistence).

To circumvent aggressive battery-saving features prevalent in some Android devices, Gorilla delays its heartbeat service execution, particularly on devices from brands like Huawei or Honor.

Apps section of victim device.

Moreover, it cleverly asks users to ignore battery optimizations for it, ensuring it can keep running.
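The traits described above (the requested permissions, the default SMS handler role, the foreground service and battery-optimization exemption, and the WebSocket C2 endpoint shape) can be turned into a simple triage check. The following is an added example written for this article, not code from the Catalyst researchers or from the malware; the BROADCAST_SMS receiver permission, the SMS_DELIVER action and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS are standard Android platform identifiers, and the sample manifest is constructed for offline testing.

```python
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML attribute namespace

# Permissions the article reports Gorilla requesting; REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
# is the platform permission behind the "ignore battery optimizations" prompt it shows.
GORILLA_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
}
# Shape of the WebSocket C2 endpoint quoted in the article (the host is a placeholder there).
C2_WS_RE = re.compile(r"^wss?://[^/]+/ws/devices/\?device_id=[^&]+&platform=android$")

def manifest_indicators(manifest_xml: str) -> dict:
    """Report which Gorilla-style traits an AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A default-SMS-handler candidate declares a receiver for SMS_DELIVER that is
    # guarded by BROADCAST_SMS (a platform requirement for the default SMS app).
    sms_handler = any(
        r.get(A + "permission") == "android.permission.BROADCAST_SMS"
        and any(a.get(A + "name") == "android.provider.Telephony.SMS_DELIVER"
                for a in r.iter("action"))
        for r in root.iter("receiver")
    )
    return {
        "matched_permissions": sorted(perms & GORILLA_PERMISSIONS),
        "default_sms_handler_candidate": sms_handler,
    }

def is_c2_websocket_url(url: str) -> bool:
    """True if a URL seen in proxy/network logs matches the Gorilla C2 endpoint shape."""
    return C2_WS_RE.match(url) is not None

# Constructed sample manifest for offline testing (not taken from the real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Any one of these traits is legitimate on its own (a real SMS app needs the same receiver), so the value is in the combination plus the C2 URL shape, not in any single hit.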

The presence of tags like “State Authority” and “Important” within its C2 panel suggests Gorilla might not just be after financial gain but could also serve espionage or surveillance purposes.

According to the Catalyst researchers, the inclusion of an unused WebViewActivity class hints at potential future uses for phishing attacks, exploiting WebView to display fraudulent banking login pages to harvest credentials.

While Gorilla is in its nascent stages, its evolution could pose significant threats if additional features are implemented.

Security researchers must continue monitoring its development closely, as future iterations might introduce methods to capture one-time passwords (OTP) or deploy phishing attacks through sophisticated means like USSD codes.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
