New Trojan for Android steals confidential information and delivers advertisements

 Android-Trojan in apps on Google Play

Malware for Android that makes money for attackers by delivering advertisements is continuously becoming more and more wide spread. This time, yet another Android-Trojan with spyware functions named Android.Spy.277.origin infected more than 100 apps on Google Play. More than 100 Google Play apps found to contain advertising spyware.

This Trojan for Android steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store.

The majority of applications that are used to distribute Android.Spy.277.origin are bogus versions of various popular software. Attackers borrowed names and appearances of legitimate programs in order to attract users and, thus, increase downloads of the Trojan.

Security specialists from Russian company Doctor Web found different utilities, photo editing and animated wallpaper apps, graphical shells, and other programs, among these fake apps. At that, most of them do not possess the ability to perform the mentioned task. In total, Doctor Web security researchers registered more than 100 applications infected by Android.Spy.277.origin, and the number of downloads exceeded 3,200,000. Doctor Web has already informed Google about this incident. Therefore, some of these malicious programs are not available on Google Play anymore.

Android.Spy.277.origin

Added to Dr.Web virus database: 2016-04-01
Virus description was added: 2016-04-01

SHA1: 89dee7086968dda688703304fd4b5163476b7f44

Once one of the above-mentioned malicious applications is launched, the Trojan transmits the following information on the device to the server:

  • Email address connected to a Google user account
  • IMEI identifier
  • OS version
  • SDK system version
  • Device model
  • Screen resolution
  • Google Cloud Messaging identifier (GCM id)
  • Cell phone number
  • User’s geolocation
  • CPU type
  • MAC address of the power adapter
  • the “user_agent” parameter generated using a special algorithm
  • Mobile network operator
  • Network connection type
  • Network subtype
  • Availability of root access
  • Whether an infected application has administrator privileges
  • Name of an infected application
  • Presence of a Google Play application on the device

At every launch of any installed application, the Trojan resends all the information mentioned before together with the name of the running application. In addition, it requests parameters necessary for advertising. Android.Spy.277.origin can execute the following commands:

“show_log”—enable or disable logging;
“install_plugin”—install a plug-in hidden inside the malicious application;
“banner”, “interstitial”, “video_ads”—display different types of advertisements (including, on top of the OS interface and other applications);
“notification”—display a notification with the received parameters;
“list_shortcut”—create shortcuts with received parameters on the home screen (tapping these shortcuts leads to opening of specified sections in Google Play);
“redirect_gp”—open a webpage with a specified address in Google Play;
“redirect_browse”—open a specified webpage in a preinstalled browser;
“redirect_chrome”—open a specified webpage in Chrome;
“redirect_fb”—open a Facebook webpage specified by the command.

As you can see below, the Trojan can intimidate the user, for example, by allegedly claiming that the device’s battery is damaged, and offering to download unwanted applications to fix it:

Trojan for Android 01Trojan for Android 02

The following examples demonstrate advertisements that are displayed in the notification bar and advertising shortcuts, tapping which leads to webpages of advertised applications published on Google Play:

Trojan for Android 03Trojan for Android 04Trojan for Android 05

It is noteworthy that a plug-in hidden in the Trojan’s program package possesses the same features as the Android.Spy.277.origin itself. Once the Trojan receives instructions from the server, it tries to install this plug-in, masquerading it as an important update. Therefore, the device, in fact, contains two copies of Android.Spy.277.origin—thus, even if the original version of the Trojan is deleted, there is still its counterpart, which continues to deliver advertisements.

The Trojan is currently known to compromise the following applications:

com.true.icaller
com.appstorenew.topappvn
com.easyandroid.free.ios6
com.entertainmentphotoedior.photoeffect
lockscreenios8.loveslockios.com.myapplication
com.livewallpaper.christmaswallpaper
com.entertainment.drumsetpro
com.entertainment.nocrop.nocropvideo
com.entertainment.fastandslowmotionvideotool
com.sticker.wangcats
com.chuthuphap.xinchu2016
smartapps.cameraselfie.camerachristmas
com.ultils.scanwifi
com.entertainmenttrinhduyet.coccocnhanhnhat
com.entertainment.malmath.apps.mm
com.newyear2016.framestickertet
com.entertainment.audio.crossdjfree
com.igallery.styleiphone
com.crazystudio.mms7.imessager
smartapps.music.nhactet
com.styleios.phonebookios9
com.battery.repairbattery
com.golauncher.ip
com.photo.entertainment.blurphotoeffect.photoeffect
com.irec.recoder
com.Jewel.pro2016
com.tones.ip.ring
com.entertainment.phone.speedbooster
com.noelphoto.stickerchristmas2016
smartapps.smstet.tinnhantet2016
com.styleios9.lockscreenchristmas2016
com.stickerphoto.catwangs
com.ultils.frontcamera
com.phaotet.phaono2
com.video.videoplayer
com.entertainment.mypianophone.pianomagic
com.entertainment.vhscamcorder
com.o2yc.xmas
smartapps.musictet.nhacxuan
com.inote.iphones6
christmas.dhbkhn.smartapps.christmas
com.bobby.carrothd
om.entertainment.camera.fisheyepro
com.entertainment.simplemind
com.icall.phonebook.io
com.entertainment.photo.photoeditoreffect
com.editphoto.makecdcover
com.tv.ontivivideo
smartapps.giaixam.gieoquedaunam
com.ultils.frontcamera
com.applock.lockscreenos9v4
com.beauty.camera.os
com.igallery.iphotos
com.calculator.dailycalories
com.os7.launcher.theme
com.trong.duoihinhbatchu.chucmungnammoi
com.apppro.phonebookios9
com.icamera.phone6s.os
com.entertainment.video.reversevideo
com.entertainment.photoeditor.photoeffect
com.appvv.meme
com.newyear.haitetnew
com.classic.redballhd
com.entertainmentmusic.musicplayer.styleiphoneios
com.camera.ios8.style
com.countdown.countdownnewyear2016
com.photographic.iphonecamera
com.contactstyle.phonebookstyleofios9
com.entertainment.blurphotobackground.photoeffect.cameraeditor.photoeffect
com.color.christmas.xmas
com.bottle.picinpiccamera
com.entertainment.videocollagemaker
com.wallpaper.wallpaperxmasandnewyear2016
com.ultils.lockapp.smslock
com.apppro.phonebookios9
com.entertainment.myguitar.guitarpro
com.sticker.stickerframetet2016
com.bd.android.kmlauncher
com.entertainment.batterysaver.batterydoctor
com.trong.jumpy.gamehaynhatquadat
com.entertainmentphotocollageeditor
smartapps.smsgiangsinh.christmas2016
smartapps.musicchristmas.christmasmusichot
com.golauncher.ip
com.applock.lockscreenos9v4
com.imessenger.ios
com.livewall.paper.xmas
com.main.windows.wlauncher.os.wp
com.entertainmentlaunchpad.launchpadultimate
com.fsoft.matchespuzzle
com.entertainment.photodat.image.imageblur
com.videoeditor.instashot
com.entertainment.hi.controls
com.icontrol.style.os
smartapps.zing.video.hot
com.photo.entertainment.photoblur.forinstasquare
com.entertainment.livewallpaperchristmas
com.entertainment.tivionline
com.iphoto.os
com.tool.batterychecker
com.photo.multiphotoblur
smartapps.nhactet.nhacdjtet
com.runliketroll.troll
com.jinx.metalslug.contra

Softwaregold.net Team strongly recommends Android users to pay careful attention to applications they are going to download, and install programs developed only by reputable companies.

Source: http://www.drweb.com/

Check Also

Protect Your Mobile Device

How to Protect Your Mobile Device from Viruses

Viruses are becoming harder and harder to detect, and with many different sources, it can …

Leave a Reply

Your email address will not be published. Required fields are marked *