Palo Alto Networks researchers Cong Zheng and Zhi Xu are warning of a new form of malware that is masquerading as a paid Nintendo emulator for Android devices.
The Gunpoder malware takes the form of an app packaged with the Airpush ad library, which makes it difficult for anti-virus engines to detect.
Zheng and Xu say the ads help cloak its data-stealing capabilities and attempts to spread itself over SMS.
"Gunpoder samples pretend to be NES games," the pair say.
Samples of Gunpoder have been uploaded to VirusTotal since November 2014, with all antivirus engines reporting either "benign" or "adware" verdicts, meaning legacy controls would not prevent installation of this malware.
"The malware samples successfully use these advertisement libraries to hide malicious behaviors from detection by antivirus engines."
The pair say Gunpoder repackages the popular Nintendo Entertainment System open source game framework with malcode, a feat which is becoming something of a trend in VXer circles. That makes spotting malicious code through static analysis more difficult.
They say Airpush is likely used as a scapegoat such that anti-virus engines will be happy to flag it as a more benign annoyance, rather than the malicious data-stealing, payload-dropping malware that it is.
The app will harvest web bookmarks and browsing histories, and can deliver various payloads.
VXers rub salt into user wounds, and possibly increase their app's superficial legitimacy, by asking users to purchase a lifetime license through services like PayPal.
The malware only sends SMS when users activate certain functions in the game, a trigger that dynamic antivirus analysis is unlikely to exercise. It will not send SMS when users are located in China, perhaps in an effort to avoid attracting the attention of local law enforcement. ®