This application requires Javascript for optimal performance.

Riskware/GoneSixty!Android - Released Sep 30, 2011 - Last Updated Oct 25, 2011

Alias/es

Android.Spyware.GoneSixty.A (BitDefender), Android.Spyware.GoneSixty.A (F-Secure), Android.Spyware.GoneSixty.A (G-Data), not-a-virus:Monitor.AndroidOS.Gonca.a (KAV)

Detection Availability

Active DatabaseExtended Database
FortiGate
low
high
FortiClient
FortiMail N/A

Visible Symptoms

Detailed Analysis

Riskware/GoneSixty!Android targets Android mobile phones. It advertises as being capable to upload personal data found on the phone (contacts, SMS, calls etc) onto a remote web site in less than 60 seconds.

Figure 1. The remote web site where information is uploaded.
This application is risky when installed on a phone without the owner's consent.
To install on a phone, a spy must have physical access to the phone. The spy might also install GoneSixty using an already installed backdoor running on the phone, or using some social engineering to convince the victim he/she must install the application. Those are generic possibilities to install any spying tool, but there hasn't been any report of malicious installation using such techniques.



Technical Details


When the application is launched, it uploads all information to a remote website: 
http://[REMOVED]s.com/upload.php
The information is POSTed using HTTP, where the POST data consists of the following value pairs:
  • code: generated value of the code to retrieve information on the remote website
  • data: private information is Base64 encoded:
    • contacts: display name and phone number
    • sms: address, type, date and body
    • call: number, type, data and duration
    • url: visited url
To read the uploaded data on the remote web site, one must enter a 5-digit code (a sort of PIN). This code is randomly generated as follows:
  • generate a random integer
  • perform a MD5 hash of the integer
  • take the 5 first digits of the hash


Figure 2. Application is uploading data. Displays code to retrieve data

The spy may they view the stolen data:

Figure 3. Uploaded data visible on the remote website

Finally, the application automatically tries to uninstall:

Figure 4. The application automatically triggers uninstallation. Physical access to the phone is however required to accept uninstallation or not

Recommended Action

    FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

    FortiClient Systems

  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Reference: ID - 3189246