The adware, named Android/Gmobi.A by Avira, is used to send phone owners targeted advertisements. It is linked to a software development kit (SDK) that automates the display of advertisement images and notifications.
Gmobi has been found in the firmware of nearly 40 budget Android smartphones and in a few popular apps such as the Micromax AQ5001 and ASUS WebStorage. Users with the software built into their device firmware may be unable to remove it without endangering the stability of their devices.
The primary security risk in Gmobi lies in its ability – depending on the original permissions given by the device owner – to broadcast a range of private data about the device owner and install additional apps to the device.
“Aside from the advertisements, it is also a security risk,” said Mihai Grigorescu, Android analyst at Avira. “It could be considered a backdoor thanks to its ability to receive remote commands to install other packages.”
Gmobi goes to work collecting user data once the device gets connected to the internet. Some of the details sent to the remote Command & Control server include data on emails, roaming availability, GPS coordinates, mobile network data, device ID, and the installation of Google Play.
The server responds with directions on where and how to serve up advertisements: It updates the local ads database, places ad shortcuts on the home screen, puts ads in a notification box, charts user responses, and potentially starts or installs additional apps.