We recently received a copy of a seemingly innocent and useful application called G-Archiver. On the surface it appears to be “your one click Gmail backup solution.”
Digging into the code a bit (and by a bit I mean a very little bit) it becomes quite clear that the author had another purpose for this application in mind. Because it is written in .NET, our disassembler produces a clean class hierarchy straight from the binary. I only had to open the file SM.dll to make it blatantly clear that this guy is harvesting email credentials.
Take a look at the following disassembly. In the first screenshot you can see the application composing an email to the author containing the victim’s Gmail login details.
The second screenshot shows the send routine where the author sends himself the victim login details.
I have taken the liberty of blurring out the author’s email address and password, which appeared in plain text. He made no attempt to encrypt or obfuscate them at all. It doesn’t really matter though, as it appears an informed, disgruntled user has already gone and changed the login credentials and security question.
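A quick static check for the pattern described above, as an added example that is not part of the original post and not code from G-Archiver: it pulls ASCII and UTF-16LE strings (the encoding .NET uses for user strings) out of a constructed byte blob and flags the combination of mail-sending API names, an SMTP host and a hard-coded mailbox with a plaintext value stored next to it. The blob, its separators and all addresses and passwords in it are invented.

```python
import re

# Constructed sample, not bytes from G-Archiver: ASCII metadata names (as in a .NET
# #Strings heap) followed by UTF-16LE user strings (as in the #US heap), with
# simplified null separators so the blob is easy to read.
SAMPLE_BLOB = (
    b"System.Net.Mail\x00SmtpClient\x00MailMessage\x00\x00"
    + "smtp.gmail.com".encode("utf-16-le") + b"\x00\x00"
    + "backup-author@example.com".encode("utf-16-le") + b"\x00\x00"
    + "Pa55word!".encode("utf-16-le") + b"\x00\x00"
    + "Your backup finished".encode("utf-16-le") + b"\x00\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # printable UTF-16LE runs
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAIL_APIS = {"System.Net.Mail", "SmtpClient", "MailMessage", "NetworkCredential"}


def extract_strings(blob):
    """Return printable ASCII and UTF-16LE strings (4+ chars) in file order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(blob)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(blob)]
    return [s for _, s in sorted(hits)]


def triage(blob):
    """Flag a binary whose strings show mail APIs plus a hard-coded mailbox and SMTP host."""
    strings = extract_strings(blob)
    mail_apis = sorted(s for s in strings if s in MAIL_APIS)
    emails = [s for s in strings if EMAIL_RE.fullmatch(s)]
    smtp_hosts = [s for s in strings if s.lower().startswith("smtp.")]
    # Heuristic: the user string stored right after a mailbox is often its password,
    # which is where a plaintext credential pair like the one in the post shows up.
    candidate_passwords = [strings[i + 1] for i, s in enumerate(strings)
                           if EMAIL_RE.fullmatch(s) and i + 1 < len(strings)]
    return {
        "mail_apis": mail_apis,
        "emails": emails,
        "smtp_hosts": smtp_hosts,
        "candidate_passwords": candidate_passwords,
        # all three together: the app can send mail, knows where, and knows to whom
        "suspicious": bool(mail_apis) and bool(emails) and bool(smtp_hosts),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

On a real assembly, run the same check over the raw file bytes and confirm any hit in a decompiler, since a legitimate mail client will also reference these APIs; the hard-coded mailbox plus neighbouring password is what separates the two.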