Trojan:AndroidOS/GGSmart.A is a trojan that affects devices running Android OS, such as certain mobile phones. The trojan sends device data to a remote server and may download other malware. The trojan may be bundled in other apps that are downloaded from third-party Android markets.
Threat behavior
Installation
This trojan may be bundled in other apps that are downloaded from third-party Android markets. Upon installation, it displays the following information on the device, outlining its capabilities and requirements:
Trojan:AndroidOS/GGSmart.A is capable of performing the following actions:
Accessing the device's SD card (including modifying and deleting the card contents)
Modifying the device's settings and system files
Gaining highest privilege on the device's operating system via exploit
Downloading and installing other arbitrary and potentially malicious files onto the device
Sending phone information to a remote server
Payload
Downloads arbitrary files
The Trojan:AndroidOS/GGSmart.A installer contains encrypted files named "data_2" and "data_3". These files contain the C&C server address from which the trojan can download other possibly malicious applications. The downloaded files may be saved as "shells.zip" and can contain a GingerBreak exploit (CVE-2011-1823), which is executed by a script contained in the code. The exploit is capable of rooting the phone, which provides a vector to silently install other possibly malicious Android package (.APK) files without triggering user suspicion.
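As an added example (not code from the write-up or from Microsoft), the following Python check shows how a defender can triage a bundled APK for the indicators named above: asset entries called "data_2" or "data_3" whose byte distribution is near-uniform, as encrypted blobs are, and a packaged "shells.zip". The "assets/" path, the entropy threshold and the sample APK are assumptions constructed for the example.

```python
import io
import math
import zipfile

# File names the write-up attributes to GGSmart.A; their location is an assumption
SUSPECT_ASSETS = {"data_2", "data_3"}
SUSPECT_DOWNLOAD = "shells.zip"
ENTROPY_THRESHOLD = 7.0  # bits per byte; values near 8 suggest encrypted data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_apk(apk_bytes: bytes) -> dict:
    """Report APK (zip) entries that match the GGSmart.A indicators.

    Only a 'data_2'/'data_3' entry that is also high-entropy is reported, so a
    benign plaintext asset that happens to share the name is not flagged.
    """
    findings = {"encrypted_assets": [], "bundled_shells_zip": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base in SUSPECT_ASSETS:
                if shannon_entropy(z.read(info)) >= ENTROPY_THRESHOLD:
                    findings["encrypted_assets"].append(info.filename)
            elif base == SUSPECT_DOWNLOAD:
                findings["bundled_shells_zip"] = True
    return findings


def build_sample_apk(plaintext_data_3: bool = False) -> bytes:
    """Constructed stand-in for a repackaged APK (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", "<manifest/>")
        # Uniform byte distribution stands in for the encrypted C&C blob
        z.writestr("assets/data_2", bytes(range(256)) * 16)
        if plaintext_data_3:
            z.writestr("assets/data_3", "plain text asset " * 50)
        z.writestr("assets/readme.txt", "benign text " * 20)
    return buf.getvalue()
```

A hit on the name alone is weak evidence; the entropy check and the presence of a packaged shells.zip are what raise it to something worth escalating.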
Sends device data to a remote server
The malware may gather the following information stored on the device to send to a remote server via HTTP POST