Threat Descriptions

Trojan:Android/GGTracker.A

Classification

Category :

Malware

Type :

Trojan

Platform :

Android

Aliases :

Trojan:Android/GGTracker.A, Trojan:Android/GGTracker.A, GGTracker GGTracker.A

Summary

Trojan:Android/GGTracker.A sends SMS messages to premium-rate numbers without the user's knowledge or consent; it also steals information from the infected device.

Removal

Once the scan is complete, the F-Secure security product will ask if you want to uninstall the file, move it to the quarantine or keep it installed on your device.

Trojan:Android/GGTracker.A can be uninstalled by following the steps below:

  • Go to Settings
  • Go to Applications
  • Go to Manage Applications
  • Select the application
  • Press "Clear data"
  • Press "Uninstall"
  • Select "OK" when asked for confirmation and wait

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Distribution

Trojan:Android/GGTracker.A is distributed via a malicious website, where it is promoted as (fake) applications, using the following APK names:

  • t4t.power.management
  • com.space.sexypic

Permissions requested by 'com.space.sexypic' and 't4t.power.management', respectively

Social engineering tricks are used to convince the user to download and install the applications.

At the time of writing, the malicious distribution website and all remote sites contacted by the trojan are either offline or are blocked by our Browsing Protection.

Activity

On execution, the trojan performs the following activities:

  • Sends an SMS message to premium-rate phone numbers that subscribe the device to receive SMS-based services

  • Sends the infected device's phone number to the following URL in order to track the trojan's installations

    • hxxp://ggtrack.org/SM1c?device_id=[PHONE_NUMBER]&adv_sub=[PHONE_NUMBER]
  • Blocks SMS messages from the following numbers
    • 99735
    • 46621
    • 96512
    • 33335
    • 36397
    • 55991
    • 55999
    • 56255
    • 00033335
    • 00036397
  • Collects the following information and forwards it to a remote website:
    • Phone number
    • Carrier
    • SMS message content
    • SMS message sender
    • Application version
    • SDK version