A Tic-tac-toe game is actually a new mobile trojan – detected as Trojan-Spy,AndroidOS.Gomal.a, or Gomal – targeting Android devices.
Gomal is capable of recording audio from the microphone, stealing incoming SMS messages, stealing device information such as cell phone number, obtaining root privileges, dumping memory regions of some processes in order to obtain sensitive data, and stealing data from the device log, Victor Chebyshev, a Kaspersky Lab expert, told SCMagazine.com in a Friday email correspondence.
“We suppose that the trojan is being spread via unofficial application stores, forums or via SMS spam – [the] exact attack vector is still unknown,” Chebyshev said, going on to add, “There is still no information from our users and we don't see any attack attempts. We suppose that it's an APT attack against some individual person.”
Upon obtaining root access, the trojan will pilfer emails from Good for Enterprise if the application is installed, according to a Friday post, which adds that the Tic-tac-toe game code only accounts for less than 30 percent of the file's size, with the remainder being used for the data theft and spying.
Packaging trojans in mobile games is common – there are multiple cases of attackers doing so using the popular Angry Birds, Chebyshev said, explaining that people should install a security solution to remove the Gomal threat and remain protected.
Gomal uses many techniques initially incorporated into Windows trojans, the post indicates.
UPDATE: In a statement sent to SCMagazine.com on Sunday, Good for Enterprise developer Good Technology said that the Tic-tac-toe app is a proof-of-concept app that Lacoon Mobile Security presented at Black Hat 2013, without the cooperation of Good Technology. Lacoon confirmed this in a Sunday email correspondence. Lacoon's demonstration was only effective in the face of Samsung Exynos memory access vulnerability CVE-2012-6422, which has since been patched, or if the device had been 'rooted,' the statement indicates. "The rooting of the device and granting of the necessary privileges can be detected by Good's root detection technology," according to the statement. "The default settings in Good Technology solutions have root detection enabled, and Good strongly recommends using this capability in its documentation. This attack is therefore ineffective in recommended deployments of Good's products." The statement indicates that the malware is not available in the wild and that the attack would apply to any mobile application.
110 Reykjavik, Iceland