New Android Malware Family Evades Antivirus Detection by Using Popular Ad Libraries

posted on July 7, 2015 5:00 AM

filed in: Malware, Threat Prevention, Unit 42

NOTICE: We have updated this blog to clarify that Airpush is not responsible for Gunpoder. Airpush’s platform was abused by the malware author to hide malicious activity.

Executive Summary

Unit 42 discovered a new family of Android malware that successfully evaded all antivirus products on the VirusTotal web service. We named this malware family “Gunpoder” based on the main malicious component name, and the Unit 42 team observed 49 unique samples across three different variants. This finding highlights the fine line between “adware,” which isn’t traditionally prevented by antivirus products, and malware, with its ability to cause harm.

Samples of Gunpoder have been uploaded to VirusTotal since November 2014, with all antivirus engines reporting either “benign” or “adware” verdicts, meaning legacy controls would not prevent installation of this malware. While researching the samples, we observed that, although Gunpoder has many characteristics of adware and indeed embeds a popular adware library, it also performs a number of overtly malicious activities that we believe characterize this family as malware, such as:

  • Collecting sensitive information from users
  • Propagating itself via SMS message
  • Potentially pushing fraudulent advertisements
  • Ability to execute additional payloads

Gunpoder targets Android users in at least 13 different countries, including Iraq, Thailand, India, Indonesia, South Africa, Russia, France, Mexico, Brazil, Saudi Arabia, Italy, the United States, and Spain. One interesting observation from the reverse engineering of Gunpoder is that this new Android family only propagates among users outside of China.

Unit 42 investigated Gunpoder using the Palo Alto Networks AutoFocus service, and released protections for users of WildFire, Threat Prevention and Mobile Security Manager for all currently known Gunpoder variants. Thanks to Palo Alto Networks' unique prevention capabilities across the attack lifecycle, future members of the Gunpoder malware family could also potentially be blocked.

Evading Detection

By examining the reverse-engineered samples, we found the malware author applied several unique techniques to evade antivirus detection:

  • The Gunpoder malware includes legitimate advertisement libraries within the samples. Those ad libraries are easily detected and may also exhibit aggressive behaviors. The malware samples successfully use these advertisement libraries to hide malicious behaviors from detection by antivirus engines. While antivirus engines may flag Gunpoder as adware, by not flagging it as overtly malicious, most engines will not prevent Gunpoder from executing. Figure 1 shows the VirusTotal scan results on one sample.
  • Users who have executed Gunpoder are shown a notification that includes the legitimate advertising library. We believe the notification was intentionally added in order to use the legitimate library as a scapegoat.
  • Gunpoder samples embed malicious code within popular Nintendo Entertainment System (NES) emulator games, which are based on an open source game framework. Palo Alto Networks has witnessed a trend of malware authors re-packaging open source Android applications with malicious code. Gunpoder makes use of this technique, which makes it difficult to distinguish malicious code when performing static analysis.
  • Gunpoder targets users not residing in China. Samples observed support online payments, including PayPal, Skrill, Xsolla and CYPay.


Figure 1. Gunpoder sample pretends to be adware and successfully passes the antivirus scan
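The evasion described above works because an "adware" verdict is treated as a stopping point. The added example below (not code from the Unit 42 post or from Palo Alto Networks) shows a triage heuristic that keeps going: it records the ad library, but the verdict is driven by the capabilities the post attributes to Gunpoder (SMS propagation, country gating, dynamic payload loading, browser history theft). Feature names are hypothetical output of a manifest/disassembly extraction pass, and the sample records are constructed.

```python
# Added example, not from the original post: triage that does not stop at "adware".
from dataclasses import dataclass

# Package prefixes treated as known ad SDKs (hypothetical, for illustration only).
AD_LIBRARY_PREFIXES = ("com.example.adsdk.",)

# Capability rules: (name, required permissions, required API markers).
# Each mirrors a behaviour the post describes; an empty set means "no requirement".
CAPABILITY_RULES = [
    ("sms_propagation",
     {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"},
     {"android.telephony.SmsManager.sendTextMessage"}),
    ("country_gated_behaviour", set(),
     {"android.telephony.TelephonyManager.getNetworkCountryIso"}),
    ("dynamic_payload_loading", set(), {"dalvik.system.DexClassLoader"}),
    ("browser_history_theft",
     {"com.android.browser.permission.READ_HISTORY_BOOKMARKS"}, set()),
]

@dataclass
class ApkFeatures:
    permissions: set   # manifest <uses-permission> names
    packages: set      # package names present in the dex
    api_markers: set   # fully qualified API calls seen in disassembly

def triage(f: ApkFeatures) -> dict:
    """Return the ad-library flag, matched capabilities and a final verdict."""
    has_ad_lib = any(p.startswith(AD_LIBRARY_PREFIXES) for p in f.packages)
    matched = [name for name, perms, apis in CAPABILITY_RULES
               if perms <= f.permissions and apis <= f.api_markers]
    # An ad library never downgrades the verdict: capabilities decide first.
    verdict = "malware" if matched else ("adware" if has_ad_lib else "clean")
    return {"verdict": verdict, "ad_library": has_ad_lib, "capabilities": matched}

# Constructed records: one shaped like the Gunpoder description, one adware-only.
GUNPODER_LIKE = ApkFeatures(
    permissions={"android.permission.INTERNET", "android.permission.SEND_SMS",
                 "android.permission.READ_CONTACTS"},
    packages={"com.example.adsdk.sdk", "com.fcp.a", "com.fx.a"},
    api_markers={"android.telephony.SmsManager.sendTextMessage",
                 "android.telephony.TelephonyManager.getNetworkCountryIso",
                 "dalvik.system.DexClassLoader"})
ADWARE_ONLY = ApkFeatures(
    permissions={"android.permission.INTERNET"},
    packages={"com.example.adsdk.sdk"}, api_markers=set())

if __name__ == "__main__":
    for sample in (GUNPODER_LIKE, ADWARE_ONLY):
        print(triage(sample))
```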

Let the Gunpoder Begin

Gunpoder samples pretend to be NES games. After installation, the malware presents a declaration statement when opened for the first time (Fig 2). This statement explicitly tells users that the app is ad-supported and allows the advertising library to collect information from the device. We strongly believe that the malware author intentionally added the legitimate advertising library as a scapegoat so that the malicious behaviors could inconspicuously be attributed to the library.

Once launched, the app will actively pop up a dialog asking users to pay for a “lifelong” license of this game (Fig 2). If the user clicks the “Great! Certainly!” button, a payment dialog will pop up, offering PayPal, Skrill, Xsolla (the transaction link is no longer active) and CYPay. Users need to register a new PayPal or Skrill account or log in to their existing account to pay $0.29 or $0.49. CYPay supports redeeming offline gift vouchers. Additionally, this payment dialog will pop up when users click the “Cheats” option within this app. In fact, the malware author added this malicious payment function into the “Cheats” option, which is free in the original app.


Figure 2. Fake service subscription view

The malware samples are repackaged from an open source NES emulator framework. In April 2014, Palo Alto Networks observed the trend of generating mobile malware from free open source projects. It is likely that this trend will continue in the future.

By comparing the code between Gunpoder and the open source project, it was determined that the malware author added the payment functionality, as shown below (Fig 3). The payment dialog is shown in Fig 4.


Figure 3. Payment code added by the malware author into the open source framework


Figure 4. Dialog pop up for payment (the charge will be USD 0.29)

Propagation via SMS and Google Short URLs

This Gunpoder family propagates by sending SMS to selected contacts with links to download Gunpoder. Due to the size of SMS messages, the download links are Google short URLs: (active in June 2015), (not active in June 2015).

The propagation SMS messages will be sent out in two scenarios. The first is when the main activity is paused by the user. This makes it very difficult for most dynamic analysis antivirus engines to trigger the sending behaviors (Fig 5).

The second scenario occurs when the user refuses to make a payment to activate the cheating mode (i.e. clicking the “Next Time” button in Fig 2). In this case, Gunpoder will ask the user to share a “fun game,” which is actually a variant of this malware family (Fig 6).

Interestingly enough, the Gunpoder sample will detect the country of the user. If the user is not located in China, this app will automatically send an SMS message containing a download link for a variant to randomly selected contacts in the background (Fig 7).

Figure 5. Sending SMS when the main activity is paused


Figure 6. Sharing the malware variants with friends


Figure 7. Send a downloading link of variants to randomly selected contacts

Country-Based Application Promotions

The Gunpoder samples will also pop up advertisements to promote other applications. In the code, we see the malware sample targeting as many as 13 different countries. For each country, the author uses specific URLs for downloading promoted applications. However, these download links are not active at the time of writing this post. From the debug code identified within the same sample, the name “Wang Chunlei” (Chinese) was discovered. This name is quite possibly the name of the malware author (Fig 8).


Figure 8. Malware targets 13 different countries

Potential Fraudulent Advertisements

The Gunpoder malware family was discovered to aggressively push fraudulent advertisements to victims via the legitimate advertisement library (Fig. 9). A fraudulent advertisement is one that attempts to trick a victim into clicking on it using subversive techniques. The fraudulent advertisement page attempts to mimic a Facebook page. It requests that victims finish a number of surveys and asks them to install various applications in order to receive a gift.

The captured Gunpoder logs were also found to include information about these advertisements. The malware collects and uploads very detailed user/device information from the victim, including the victim’s device ID, device model and current location.


Figure 9. Fraudulent advertisements pushed by Gunpoder through the legitimate library

Private Information Stealer

It was discovered that Gunpoder steals victims’ browser history and bookmark information (Fig. 10).

Figure 10. Steal browser history and bookmarks

Additionally, Gunpoder will collect information about all installed packages on the victim’s device. It also provides capabilities for executing payloads. The dynamic code for loading and executing the payload after decrypting it resides in the “com.fcp.a” and “com.fx.a” components.


Thus far, Palo Alto Networks has observed 49 unique samples of the Gunpoder family. We have found three different groups of variants within this family. By comparing samples of the various Gunpoder variants, we were able to make many observations about the evolution of Gunpoder.

Specifically, variants of group 1 (12 samples) can propagate via SMS and entice users to make a payment. Variants of group 2 (16 samples) can only entice users to make a payment, and variants of group 3 (21 samples) neither propagate via SMS nor entice users to make payments. Group 3 was discovered to be the newest of the Gunpoder malware variants.

Furthermore, the same certificate signed the first and second variants, while a different certificate signed the third variant. While the certificate varies between these groupings of variants, we highly suspect that the same malware author wrote all of these samples. A number of constant variables remain consistent between all three variants, such as the following that was identified in “”

SHARE_CONTENT = “a fun game\uff0c^_^”

For a list of hashes of the three Gunpoder variants, please refer to the Appendix.

We observed that several samples mentioned above could be downloaded from two third-party app stores: and

Users who are tricked will face a large bill. The fake payment costs users only about $0.49 or $0.29, but the bill caused by sending SMS messages is much larger. The total SMS bill depends on how many contacts reside on the user’s device.


Overall, the Gunpoder malware family contains a number of activities associated with adware. However, as we’ve previously discussed, a number of malicious functionalities exist as well. Examples of this include the ability to collect very sensitive information from victims, propagation via SMS messages, and the ability to execute other payloads.

The inclusion of a legitimate advertisement library causes many antivirus programs to simply label Gunpoder samples as adware, which is often not blocked by default. This allows some of the more malicious activity present in Gunpoder to continue unnoticed.


Palo Alto Networks released protections for users of WildFire, Threat Prevention and Mobile Security Manager for all currently known Gunpoder variants. Due to Palo Alto Networks' unique prevention capabilities across the attack lifecycle, future members of the Gunpoder malware family could also potentially be blocked.

