Ddos 
A newly discovered Android malware dubbed Gorilla is quietly emerging as a serious threat, according to a technical analysis by Prodaft’s Threat Intelligence team. While Gorilla appears to be in its early stages of development, its evolving features, clever use of Android services, and hints of broader surveillance capabilities suggest it could mature into a powerful tool for both financial theft and espionage.
“Gorilla does not yet employ obfuscation techniques, indicating that it may still be under active development,” the report notes, “however, it already includes mechanisms to evade battery optimizations, maintain persistent access, and collect sensitive information from infected devices.”
Written in Kotlin, Gorilla requests to become the default SMS application, allowing it to intercept, read, and send text messages. Once granted, it collects incoming SMS messages and tags them based on their content—examples from the command-and-control (C2) panel include “Banks” and “Yandex,” revealing its interest in financial communications.
To extend surveillance capabilities, Gorilla requests READ_PHONE_STATE and READ_PHONE_NUMBERS permissions to access SIM data and phone numbers. It also continuously sends this data—along with device details like model, Android version, installed apps, and screen status—back to the attackers via a WebSocket connection.
“Collected SMS messages are categorized with tags like ‘Banks’ and ‘Yandex,’” the report states. “Gorilla waits for new commands while sending heartbeats to the C2 server every 10 seconds.”
Each infected device is labeled in the attacker’s C2 panel using one of three tags:
- State Authority
- Important
- Trash
This tagging system indicates a dual-use model: while initial behavior points to financially motivated theft, the “State Authority” tag hints at potential espionage operations, perhaps for nation-state or politically driven surveillance.
“The presence of these specific tags indicates the malware may also be used for broader surveillance or espionage purposes,” Prodaft warns.
To stay persistent, Gorilla uses a foreground service—a technique that requires Android’s FOREGROUND_SERVICE permission. To avoid termination by aggressive battery optimization settings (especially on Huawei and Honor devices), it prompts users to exempt it from battery-saving features, and adjusts its heartbeat intervals dynamically.
“If the manufacturer string contains ‘Honor’ or ‘Huawei,’ it introduces a longer delay between its heartbeat service executions,” the report adds.
Prodaft analysts highlight Gorilla’s excessive logging and multiple unused classes, which point to its evolving nature. Among these dormant features are:
- WebViewActivity: Likely intended for future phishing attacks by displaying fake banking pages to steal credentials.
- USSDReceiver: A unique class that listens for a dialed code (*#0000#) to trigger malware functions—a novel persistence or control mechanism that could be weaponized later.
“It is possible that future versions of Gorilla may utilize this class for such purposes,” the report speculates, referring to WebViewActivity.
While currently in an early stage of development, Gorilla demonstrates the capacity to evolve into a more sophisticated threat. Its focus on SMS interception, C2 communication, and evasion techniques poses a risk to Android users.
Related Posts:
- Massive Android SMS Stealer Campaign Uncovered: Over 100,000 Malicious Apps Targeting Global Users
- Facebook have been collecting call logs and SMS metadata for several years
- FIN7’s New Stealth Weapon: AnubisBackdoor Emerges in the Wild
About The Author
