Generic Characteristics

Com.rock.gota is a powerful malware that wreaks havoc in developing countries. This type of malware comes pre-installed on low-end smartphones and incorporated into Android apps, and is primarily designed to download software, display adverts and collect confidential information.

Com.rock.gota has been identified under the following names in these devices:

  • Multilaser (Brazil) – Multilaser Update
  • Smart 12 (Myanmar) – Software Update
  • Sapphire H7S (Myanmar) – Software Update
  • Singtech P10 (Myanmar) – Mobile Care

The app com.rock.gota is used to send fraudulent transaction requests, both in Brazil and Myanmar.

This app cannot be found in Google’s App Store. Uninstalling is not a valid option, as it requires root access and therefore leads to warranty voidance. This threat affects multiple developing countries.

Threat Behavior

This threat acts from the moment a smartphone is powered on. When the phone was turned on for the very first time after purchase, it initiated numerous encrypted data transmissions. It communicates with a server located at this address: http://api.rock.fotapro.com/. We found that this site is connected to an unsecured server located in Singapore and operated by Gmobi.

While we monitored the device, and without the terms & conditions of the virus com.rock.gota having been accepted, the network traces showed huge spikes of background downloads of advertising materials. These materials were never shown to the user. One such request led to downloading the materials found at this link: http://cdn3.dd.fotapro.net/files/48649f226927c698a2074f127ea4e82a

[Image: example of code files]

This points to a creative from an Uber promotional campaign:

[Image: fake Uber ad]

This pre-installed app, or virus, com.rock.gota, identified by Secure-D experts, was attempting to purchase services in a fraudulent manner, without the consent of users. This app has already been documented by antivirus company Dr. Web as collecting precious information from users’ devices, such as address, phone, city, and phone unique identifiers.

Com.rock.gota cannot be uninstalled by users, unless they undergo an advanced rooting procedure which may void their warranty. Analysts from Secure-D have witnessed similar findings in devices purchased in Myanmar – Singtech P10, Smart 12 4G Super Star and Sapphire H7S.

Consequences on the Users

After numerous in-house tests, we came to the conclusion that millions of customers based in 8 emerging markets are at risk of fraudulent attempts, including but not limited to Brazil, Malaysia and Myanmar.

The consequences to the users are quite severe:

— Systematic collection & transfer of personal data without the consent of users

— Depletion of data allowance: this represents a huge issue in emerging markets. For example, in Brazil, 1 GB of prepaid internet subscription equals 6 hours of work on minimum wage

— Fraudulent transaction: this is probably the harshest consequence of them all. In emerging markets, people can only pay for digital services with prepaid airtime. For example, in Africa, over 94% of users have no account at a financial institution. Thus, they tend to recharge their prepaid plans with a lot of money, money that is at risk of disappearing.

Cure

In order to remedy the problem and to ensure the Com.rock.gota malware is out of a device, there are certain steps that need to be taken.

Here is what you need to do:

  1. Start from the Home Screen
  2. Open the Apps menu by tapping on the button
  3. Scroll through the Apps to locate “Settings”
  4. Scroll down and tap “Apps” to display a list of apps
  5. Ensure that you view all apps by selecting “Show System”
  6. Check if com.rock.gota is installed by scrolling down or searching for Software
  7. Uninstall the app
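
A scripted version of the check in step 6, combined with the two hosts named under Threat Behavior, as an added example (not from the original article or from Secure-D). It assumes the package list was captured on a workstation with `adb shell pm list packages -f`; the sample paths and log lines are constructed, and treating every subdomain of fotapro.com and fotapro.net as related is an assumption.

```python
import re

PACKAGE = "com.rock.gota"                    # package name from the article
DOMAINS = ("fotapro.com", "fotapro.net")     # assumption: parents of the article's two hosts
SYSTEM_ROOTS = ("/system/", "/vendor/", "/product/", "/oem/")
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")

def parse_pm_list(text):
    """Parse `pm list packages -f` output into {package: apk_path}."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            # The APK path may itself contain '=', so split on the last one.
            path, _, name = line[len("package:"):].rpartition("=")
            found[name] = path
    return found

def package_status(text, package=PACKAGE):
    """Return 'absent', 'present' (no path captured), 'preinstalled' or 'user-installed'."""
    path = parse_pm_list(text).get(package)
    if path is None:
        return "absent"
    if not path:
        return "present"
    # An APK on a read-only system partition cannot be removed without root.
    return "preinstalled" if path.startswith(SYSTEM_ROOTS) else "user-installed"

def flagged_hosts(log_lines, domains=DOMAINS):
    """Return sorted hostnames that equal a listed domain or sit under it."""
    hits = set()
    for line in log_lines:
        for host in HOST_RE.findall(line.lower()):
            # Match on a label boundary so look-alike names are not flagged.
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.add(host)
    return sorted(hits)

# Constructed sample captures (not taken from a real device).
SAMPLE_PM = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Rock/Rock.apk=com.rock.gota
package:/data/app/~~Zm9v==/org.example.notes-YmFy==/base.apk=org.example.notes
"""
SAMPLE_LOG = [
    "10:02:11 query A api.rock.fotapro.com",
    "10:02:12 GET http://cdn3.dd.fotapro.net/files/<id>",
    "10:02:13 query A notfotapro.com",
    "10:02:14 query A fotapro.com.example.org",
]
```

A result of `preinstalled` corresponds to the case the article describes, where the app ships on the device and step 7 is not available without root.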