Guerilla is an Android malware that was distributed inside 15 apps that perform legitimate functions, available via the Google Play store. When a malicious app is installed, an executable begins to run that contains a hard-coded URL used to contact the C2 server. Once connected, the app downloads a backdoor from the C2 server that is capable of handling multiple commands. The backdoor reports infected device information such as phone manufacturer, type, brand, and MAC address, which is then used to initiate an aggressive ad-clicking function to generate income. Although the adware creates a huge amount of traffic, the user may never notice the behavior because of the covert nature of the malware. The backdoor initially installed on the infected device can be used to remotely install a malicious payload at any time.
- SophosLabs provides a technical analysis of Guerilla here.