A newly discovered Android malware dubbed Gorilla is quietly emerging as a serious threat, according to a technical analysis by Prodaft's Threat Intelligence team. While Gorilla appears to be in its early stages of development, its evolving features, clever use of Android services, and hints of broader surveillance capabilities suggest it could mature into a powerful tool for both financial theft and espionage.
"Gorilla does not yet employ obfuscation techniques, indicating that it may still be under active development," the report notes, "however, it already includes mechanisms to evade battery optimizations, maintain persistent access, and collect sensitive information from infected devices."
Written in Kotlin, Gorilla requests to become the default SMS application, allowing it to intercept, read, and send text messages. Once granted, it collects incoming SMS messages and tags them based on their content: examples from the command-and-control (C2) panel include "Banks" and "Yandex," revealing its interest in financial communications.
To extend surveillance capabilities, Gorilla requests the READ_PHONE_STATE and READ_PHONE_NUMBERS permissions to access SIM data and phone numbers. It also continuously sends this data (along with device details such as model, Android version, installed apps, and screen status) back to the attackers over a WebSocket connection.
"Collected SMS messages are categorized with tags like 'Banks' and 'Yandex'," the report states. "Gorilla waits for new commands while sending heartbeats to the C2 server every 10 seconds."
Each infected device is labeled in the attacker's C2 panel using one of three tags:
State Authority
Important
Trash
This tagging system indicates a dual-use model: while initial behavior points to financially motivated theft, the "State Authority" tag hints at potential espionage operations, perhaps for nation-state or politically driven surveillance.
"The presence of these specific tags indicates the malware may also be used for broader surveillance or espionage purposes," Prodaft warns.
To stay persistent, Gorilla uses a foreground service, a technique that requires Android's FOREGROUND_SERVICE permission. To avoid termination by aggressive battery optimization settings (especially on Huawei and Honor devices), it prompts users to exempt it from battery-saving features and adjusts its heartbeat intervals dynamically.
"If the manufacturer string contains 'Honor' or 'Huawei,' it introduces a longer delay between its heartbeat service executions," the report adds.
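The traits described above (a default-SMS candidate receiving SMS_DELIVER, the READ_PHONE_STATE/READ_PHONE_NUMBERS permissions, a foreground service, and a request for a battery-optimization exemption) are each ordinary on their own but unusual in combination, which makes them a useful static triage signal. The script below is an added example, not code from the Prodaft report; the REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree spelling of android:name

# Gorilla's SMS role: a default-SMS candidate must receive SMS_DELIVER.
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE",
                  "android.permission.READ_PHONE_NUMBERS"}
FG_SERVICE = "android.permission.FOREGROUND_SERVICE"
# Assumption: the permission an app declares to ask the user for a
# battery-optimization exemption (not named in the report).
BATTERY_EXEMPT = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"

def triage_manifest(xml_text: str) -> dict:
    """Report which Gorilla-like traits an AndroidManifest.xml declares."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    traits = {
        "sms_deliver_receiver": SMS_DELIVER in actions,
        "phone_identity": bool(perms & IDENTITY_PERMS),
        "foreground_service": FG_SERVICE in perms,
        "battery_exemption": BATTERY_EXEMPT in perms,
    }
    # Each trait alone is common in legitimate apps; the combination is the signal.
    traits["score"] = sum(traits.values())
    return traits

# Constructed sample manifest for illustration, not taken from the Gorilla sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_NUMBERS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A score of 3 or 4 on a manifest that is not a known messaging app is worth a closer look; run it over the decoded manifest produced by apktool or a similar unpacker.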
Prodaft analysts highlight Gorilla's excessive logging and multiple unused classes, which point to its evolving nature. Among these dormant features are:
WebViewActivity: likely intended for future phishing attacks by displaying fake banking pages to steal credentials.
USSDReceiver: a unique class that listens for a dialed code (*#0000#) to trigger malware functions, a novel persistence or control mechanism that could be weaponized later.
"It is possible that future versions of Gorilla may utilize this class for such purposes," the report speculates, referring to WebViewActivity.
While currently in an early stage of development, Gorilla demonstrates the capacity to evolve into a more sophisticated threat. Its focus on SMS interception, C2 communication, and evasion techniques poses a risk to Android users.