Gunpoder is a piece of malware that hides inside of a paid Android app that emulates the Nintendo Entertainment System (NES). The malicious code is hidden within the Airpush adware library, causing the system to mark the code as adware instead of malware, allowing it to execute. Once on the device, the malware can send SMS messages to the victim’s contacts containing Google shortened URLs. SMS messages are sent by the malware in two cases, the first being when the main activity is paused by the user, and the second is when the user refuses to pay to activate “the cheating mode.” Gunpoder will display fraudulent ads to attempt to trick the user into clicking on it. It can also steal browser history, bookmark information, collect information about installed packages on the device, and execute payloads. Gunpoder has been found to affect victims from 13 countries, including the US. VilmaTech provides instructions on their website for how to remove the Gunpoder virus from infected devices.


Technical Details

  • Palo Alto Networks provides more technical details here.

One example of the Gunpoder mobile malware variant. Image Source: Palo Alto Networks