virus logo Virus

Riskware/GoneSixty!Android

description-logoAnalysis

Riskware/GoneSixty!Android targets Android mobile phones. It advertises as being capable to upload personal data found on the phone (contacts, SMS, calls etc) onto a remote web site in less than 60 seconds.

Figure 1. The remote web site where information is uploaded.
This application is risky when installed on a phone without the owner's consent.
To install on a phone, a spy must have physical access to the phone. The spy might also install GoneSixty using an already installed backdoor running on the phone, or using some social engineering to convince the victim he/she must install the application. Those are generic possibilities to install any spying tool, but there hasn't been any report of malicious installation using such techniques.


Technical Details


When the application is launched, it uploads all information to a remote website: 
http://[REMOVED]s.com/upload.php
The information is POSTed using HTTP, where the POST data consists of the following value pairs:
  • code: generated value of the code to retrieve information on the remote website
  • data: private information is Base64 encoded:
    • contacts: display name and phone number
    • sms: address, type, date and body
    • call: number, type, data and duration
    • url: visited url
To read the uploaded data on the remote web site, one must enter a 5-digit code (a sort of PIN). This code is randomly generated as follows:
  • generate a random integer
  • perform a MD5 hash of the integer
  • take the 5 first digits of the hash


Figure 2. Application is uploading data. Displays code to retrieve data
The spy may they view the stolen data:

Figure 3. Uploaded data visible on the remote website
Finally, the application automatically tries to uninstall:

Figure 4. The application automatically triggers uninstallation. Physical access to the phone is however required to accept uninstallation or not

recommended-action-logoRecommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

ID 3189246
Released Sep 30, 2011
Description
Updated		 Oct 25, 2011
Aliases Android.Spyware.GoneSixty.A (BitDefender), Android.Spyware.GoneSixty.A (F-Secure), Android.Spyware.GoneSixty.A (G-Data), not-a-virus:Monitor.AndroidOS.Gonca.a (KAV)
Platform Profile Android platform