New Gorilla Android Malware Intercept SMS Messages to Steal OTPs

A sophisticated new Android malware strain called “Gorilla” has emerged in the cybersecurity landscape, specifically designed to intercept SMS messages containing one-time passwords (OTPs).
This malicious software operates stealthily in the background, exploiting Android’s permission system to gain access to sensitive information on infected devices.
Initial analysis suggests that Gorilla primarily targets banking customers and users of popular services like Yandex, categorizing stolen SMS messages for easier exploitation by the attackers.
The malware leverages critical Android permissions including READ_PHONE_STATE and READ_PHONE_NUMBERS to access SIM card information and retrieve phone numbers from infected devices.
Once installed, Gorilla establishes a persistent connection to its command and control (C2) infrastructure using WebSocket protocols, following the format “ws://$URL/ws/devices/?device_id=$android_id&platform=android” to maintain constant communication with its operators.
This connection allows the malware to receive commands and exfiltrate sensitive data in real-time.
Catalyst researchers identified that Gorilla employs an unusual technique to evade detection by avoiding the use of getInstalledPackages or getInstalledApplications APIs, which would require the REQUEST_INSTALLED_PACKAGES permission that might raise suspicion.
Instead, the malware queries launcher intents to determine package names, application names, and versions, allowing it to gather information about installed applications while maintaining a lower profile.
The malware’s C2 panel reveals a sophisticated operation, with stolen SMS messages methodically organized under tags such as “Banks” and “Yandex,” suggesting a targeted approach toward financial information and popular services.
This categorization enables attackers to quickly identify and exploit valuable authentication codes and sensitive information contained within intercepted messages.
At its core, Gorilla operates through a series of background services, ensuring persistent operation even when the user isn’t actively engaging with the device.
To comply with Android requirements, these services utilize the startForeground API along with the FOREGROUND_SERVICE permission to display a notification, effectively masking its malicious activity as legitimate system processes.
Technical Analysis: Command Structure and Capabilities
The malware’s command structure reveals three primary action types, each serving specific functions in the attack chain.
The “device_info” command extracts and transmits detailed information about the infected device to the attackers.
The “update_settings” command, while currently appearing dormant as it only logs receipt without further action, likely enables remote configuration of the malware’s behavior.
Most critically, the “send_sms” command allows attackers to send SMS messages from the infected device to specified recipients with custom message text.
// Command handling structure in Gorilla malware
// Three primary command types:
device_info // Transmits device information
update_settings // Currently inactive but logs receipt
send_sms // Allows remote SMS sending with specified text
While actively exploiting SMS interception capabilities, Gorilla includes components that suggest planned expansion of its functionality.
The presence of an unused WebViewActivity class is particularly concerning, as this component typically renders HTML content and is commonly leveraged in banking malware to display convincing phishing pages that harvest banking credentials or credit card information.
The malware also contains an intriguing but currently inactive persistence mechanism in the form of a USSDReceiver class.
This component is designed to listen for the dialed code “*#0000#” and launch the MainActivity when detected. While not currently registered or active, this mechanism could provide attackers with an additional method to ensure the malware remains operational even after attempts to remove it.
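As an added example (not code from the report or from Catalyst), the following Python triage script turns the indicators described above into checks: the SMS, phone-identity and FOREGROUND_SERVICE permission combination, the "/ws/devices/?device_id=" beacon path, the dormant "*#0000#" code and the three command names in a decoded APK's string table, plus a regex that pulls the WebSocket beacon URL out of egress logs. The permission and string lists, hostnames and log lines are constructed samples, and the 16-hex-character Android ID length is an assumption.

```python
import re

# Permission combination the report describes: SMS access, phone identity
# (READ_PHONE_STATE / READ_PHONE_NUMBERS) and the foreground-service notification.
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
IDENTITY_PERMS = {"android.permission.READ_PHONE_STATE",
                  "android.permission.READ_PHONE_NUMBERS"}
FOREGROUND_PERM = "android.permission.FOREGROUND_SERVICE"
# Beacon format: ws://$URL/ws/devices/?device_id=$android_id&platform=android
C2_PATH_FRAGMENT = "/ws/devices/?device_id="        # as it appears in a string table
C2_BEACON_RE = re.compile(                           # as seen in proxy/egress logs
    r"wss?://([^/\s]+)/ws/devices/\?device_id=([0-9a-f]{16})&platform=android")
USSD_SECRET_CODE = "*#0000#"                         # dormant USSDReceiver trigger
C2_COMMANDS = {"device_info", "update_settings", "send_sms"}

def triage_apk(permissions, strings):
    """Return the Gorilla-style indicators present in a decoded APK's manifest
    permissions and string table (both passed in as plain lists)."""
    perms, strs = set(permissions), set(strings)
    hits = []
    if perms & SMS_PERMS and perms & IDENTITY_PERMS:
        hits.append("sms_plus_phone_identity")
    if FOREGROUND_PERM in perms and perms & SMS_PERMS:
        hits.append("foreground_service_with_sms")
    if any(C2_PATH_FRAGMENT in s for s in strs):
        hits.append("websocket_device_beacon_path")
    if USSD_SECRET_CODE in strs:
        hits.append("ussd_secret_code")
    if C2_COMMANDS <= strs:
        hits.append("full_c2_command_set")
    return hits

def find_beacons(log_lines):
    """Extract (host, android_id) pairs for beacon URLs found in egress log lines."""
    return [m.group(1, 2) for m in map(C2_BEACON_RE.search, log_lines) if m]

# Constructed sample input; not real indicators from the report.
SAMPLE_PERMISSIONS = ["android.permission.RECEIVE_SMS",
                      "android.permission.READ_PHONE_STATE", FOREGROUND_PERM]
SAMPLE_STRINGS = ["/ws/devices/?device_id=", "*#0000#", "device_info",
                  "update_settings", "send_sms", "WebViewActivity"]
SAMPLE_LOGS = [
    "2025-04-01T10:00:01Z CONNECT ws://c2.example.invalid/ws/devices/?device_id=0123456789abcdef&platform=android",
    "2025-04-01T10:00:02Z GET https://www.example.invalid/index.html",
]

if __name__ == "__main__":
    print(triage_apk(SAMPLE_PERMISSIONS, SAMPLE_STRINGS), find_beacons(SAMPLE_LOGS))
```

Any single hit is only a heuristic; the permission combination alone also matches legitimate SMS apps, so treat the combined score as a triage signal rather than a verdict.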
The post New Gorilla Android Malware Intercept SMS Messages to Steal OTPs appeared first on Cyber Security News.