At the end of last week, researchers at Kaspersky Lab announced to the media that they had identified a new trojan targeting Android smartphones, disguised as a Tic Tac Toe (also known as “Noughts and crosses”) game.
According to the Russian security firm, the Gomal Trojan hid behind the disguise of a seemingly harmless game to steal information from home and corporate users:
Gomal has all the usual spyware functionality. It can record sounds, process calls and steal SMS. In addition it possesses mechanisms that provide access to various Linux services, attacking the operating system on which Android is based. In particular, the Trojan can read the process memory, jeopardizing many communication applications. For example, it can steal emails from Good for Enterprise. That application is positioned as a secure email client for corporate use, so data theft here could mean serious problems for the company where the device owner works.
Sounds nasty, right?
Perhaps, like me, you would be interested in hearing who created this particular spyware game.
Well, hold onto your seats – because I can reveal that the creators are none other than… an anti-virus company!
Yes, mobile anti-malware firm Lacoon Mobile Security has issued a statement that not only claims authorship of the spying code, but also says that the “new mobile Trojan” uncovered by Kaspersky is in fact a proof-of-concept app that it originally presented at BlackHat 2013 and RSA 2014.
Indeed, I understand that the app’s code contains strings and URLs related to Lacoon Mobile Security, and examination of data sent by the app shows that it is passed to a domain belonging to the security firm.
Quite why Kaspersky’s research team didn’t spot that during their investigation that is unclear.
But perhaps most worrying is how did Kaspersky’s researchers get hold of the sample?
Lacoon claims that the spyware Tic Tac Toe game, which exploits a memory access vulnerability (CVE-2012-6422) patched by Samsung on its Exynos chips more than 18 months ago, has never been freely distributed:
This supposed malware is also not publicly available or ‘in the wild’ for hackers to use but has only been deployed in test environments.
But Kaspersky’s technical analysis says it was sent to its research team for analysis.
If someone malicious were to get their hands on Lacoon’s proof-of-concept spyware code, there is always the danger that it could be weaponised further and used for something more serious than a presentation at a security conference.
And maybe it would be smarter if firms building proof-of-concept spyware code for demonstrations in future ensured that there was a big fat message displayed at the beginning saying “This is PoC code, created by Lacoon Mobile Security. Contact us if you have any questions about it”.
I’m sure the presentation would still be effective, even if there was a message displayed explaining the code’s provenance.