Android malware that earns money for its operators by delivering advertisements continues to spread. The latest case is Android.Spy.277.origin, an Android Trojan with spyware functions that was found embedded in more than 100 applications on Google Play.
This Trojan for Android steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store.
Security specialists from the Russian company Doctor Web found utilities, photo editors, animated wallpapers, graphical shells (launchers) and other programs among these fake apps; most of them do not actually provide the functionality they advertise. In total, Doctor Web researchers identified more than 100 applications infected with Android.Spy.277.origin, with combined downloads exceeding 3,200,000. Doctor Web has informed Google about the incident, and some of these malicious programs have already been removed from Google Play.
Added to Dr.Web virus database: 2016-04-01
Virus description was added: 2016-04-01
Once one of the above-mentioned malicious applications is launched, the Trojan transmits the following information on the device to the server:
- Email address connected to a Google user account
- IMEI identifier
- OS version
- SDK system version
- Device model
- Screen resolution
- Google Cloud Messaging identifier (GCM id)
- Cell phone number
- User’s geolocation
- CPU type
- MAC address of the network adapter
- a “user_agent” value generated by an algorithm of the Trojan's own
- Mobile network operator
- Network connection type
- Network subtype
- Availability of root access
- Whether an infected application has administrator privileges
- Name of an infected application
- Presence of a Google Play application on the device
At every launch of any installed application, the Trojan resends all of the information listed above together with the name of the application being launched, and requests the parameters it needs for advertising. Android.Spy.277.origin can execute the following commands:
- “show_log”: enable or disable logging
- “install_plugin”: install the plug-in hidden inside the malicious application
- “banner”, “interstitial”, “video_ads”: display the corresponding type of advertisement, including on top of the OS interface and other applications
- “notification”: display a notification built from the received parameters
- “list_shortcut”: create home-screen shortcuts from the received parameters; tapping one opens the specified section of Google Play
- “redirect_gp”: open a specified page in Google Play
- “redirect_browse”: open a specified webpage in the preinstalled browser
- “redirect_chrome”: open a specified webpage in Chrome
- “redirect_fb”: open a Facebook page specified by the command
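A practitioner's first check on a suspect app is whether its manifest declares the permissions that the data collection above and the ad commands require, and whether a wallpaper or utility has any business asking for them. The following Python script is an added example, not Dr.Web's or the Trojan's code: the manifest it parses is constructed for illustration, the mapping uses the standard Android permission names of the 2016-era API, and the baseline of what a live wallpaper legitimately needs is an assumption.

```python
"""Manifest triage for the data-collection and ad-delivery behaviour described
above.  Added example, not code from Dr.Web or from the Trojan itself.
The manifest string is constructed for illustration; the permission names are
the standard Android ones each reported capability requires (2016-era API)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Reported behaviour -> permission(s) an app must declare to perform it.
CAPABILITIES = {
    "IMEI / phone number":       {"android.permission.READ_PHONE_STATE"},
    "Google account email":      {"android.permission.GET_ACCOUNTS"},
    "geolocation":               {"android.permission.ACCESS_FINE_LOCATION",
                                  "android.permission.ACCESS_COARSE_LOCATION"},
    "network adapter MAC":       {"android.permission.ACCESS_WIFI_STATE"},
    "connection type/subtype":   {"android.permission.ACCESS_NETWORK_STATE"},
    "GCM id (push channel)":     {"com.google.android.c2dm.permission.RECEIVE"},
    "overlay ads on other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "home-screen shortcuts":     {"com.android.launcher.permission.INSTALL_SHORTCUT"},
}

# What a live-wallpaper app legitimately needs (assumption for this example).
WALLPAPER_BASELINE = {"android.permission.INTERNET"}

# Constructed manifest of a "live wallpaper" that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <application android:label="Live Wallpaper">
    <service android:name=".WallpaperService"
             android:permission="android.permission.BIND_WALLPAPER"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def declared_permissions(manifest_xml):
    """Set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def device_admin_receivers(manifest_xml):
    """Receivers guarded by BIND_DEVICE_ADMIN: the app can request admin rights,
    which the Trojan reports to its server and which makes removal harder."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("receiver")
            if el.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN"]


def triage(manifest_xml, baseline):
    """Map declared permissions to the reported capabilities and list the
    permissions that the app's claimed purpose (baseline) does not explain."""
    perms = declared_permissions(manifest_xml)
    hits = {cap: sorted(perms & need)
            for cap, need in CAPABILITIES.items() if perms & need}
    return {"capabilities": hits,
            "unexpected": sorted(perms - baseline),
            "device_admin": device_admin_receivers(manifest_xml)}


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, WALLPAPER_BASELINE)
    for cap, perms in report["capabilities"].items():
        print(f"{cap:28s} <- {', '.join(perms)}")
    print("not needed by a wallpaper:", report["unexpected"])
    print("device-admin receivers:  ", report["device_admin"])
```

A declared permission proves capability, not behaviour, so treat the output as a triage filter rather than a verdict; legitimate ad SDKs request some of these too, and on current Android versions several of the identifiers (IMEI, the Wi-Fi MAC) are no longer readable by ordinary apps at all, so the mapping is most useful against packages of this era.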
The Trojan can also intimidate the user, for example by claiming that the device's battery is damaged and offering to download unwanted applications to fix it.
Other observed advertisements appear in the notification bar or as home-screen shortcuts; tapping one opens the Google Play page of the advertised application.
It is noteworthy that the plug-in hidden in the Trojan's package has the same features as Android.Spy.277.origin itself. On instruction from the server, the Trojan tries to install this plug-in disguised as an important update. The device then contains two copies of Android.Spy.277.origin, so even if the original application is removed, its counterpart remains and continues to deliver advertisements.
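Because the plug-in is shipped inside the host package, a static scan of the APK for a second installable payload is a cheap way to spot this pattern. The script below is an added example, not code from Dr.Web or from the Trojan: it treats the APK as the ZIP archive it is and reports any entry that is a DEX file or a nested ZIP containing classes.dex, whatever its file extension. The sample package it scans is built in memory and is constructed data.

```python
"""Find a second APK (the "plug-in") hidden inside an app package.

Added example, not code from Dr.Web or the Trojan.  An APK is a ZIP archive,
so nested payloads are found by magic bytes, not by file extension.  The
sample package below is constructed in memory so the script runs offline."""
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"        # header of a Dalvik executable ("dex\n035\0", ...)
ZIP_MAGIC = b"PK\x03\x04"   # first local file header of a ZIP / APK
TOP_DEX = re.compile(r"^classes\d*\.dex$")  # an archive's own code, expected


def find_embedded_packages(apk_bytes, prefix=""):
    """Return [(path, kind)] for loose DEX files ("dex") and nested archives
    that carry their own classes.dex ("apk").  Nested archives are scanned
    recursively; paths inside them are written as outer!/inner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or TOP_DEX.match(info.filename):
                continue
            path = prefix + info.filename
            with z.open(info) as f:
                head = f.read(len(ZIP_MAGIC))
            if head.startswith(DEX_MAGIC):
                findings.append((path, "dex"))
            elif head.startswith(ZIP_MAGIC):
                inner = z.read(info)
                try:
                    with zipfile.ZipFile(io.BytesIO(inner)) as nz:
                        has_dex = any(TOP_DEX.match(n) for n in nz.namelist())
                except zipfile.BadZipFile:
                    continue  # PK-prefixed but not a usable archive
                if has_dex:
                    findings.append((path, "apk"))
                findings.extend(find_embedded_packages(inner, path + "!/"))
    return findings


def build_sample_apk():
    """Constructed toy APK: its own classes.dex plus a second APK stored under
    assets/ with a misleading extension and a loose DEX payload (example data)."""
    def fake_dex():
        return b"dex\n035\x00" + b"\x00" * 32

    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex())

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", fake_dex())
        z.writestr("res/drawable/icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        z.writestr("assets/update.dat", plugin.getvalue())   # hidden plug-in APK
        z.writestr("assets/loader.bin", fake_dex())          # loose DEX payload
    return outer.getvalue()


if __name__ == "__main__":
    for path, kind in find_embedded_packages(build_sample_apk()):
        print(f"{kind:4s} {path}")
```

The scan only catches payloads stored in the clear; a sample that encrypts or XOR-obfuscates the plug-in before writing it to assets would pass it, so pair the check with a look for code that decrypts and installs a file at runtime (the page's “install_plugin” command path).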
The Trojan is currently known to compromise the following applications:
The Softwaregold.net team strongly recommends that Android users pay careful attention to the applications they are about to download and install only programs from reputable developers. Note that the infected apps in this case were hosted on Google Play itself, so the store alone is no guarantee: check the developer name, compare the permissions an app requests with what it claims to do, and remove any app that starts pushing unrelated “updates” or notifications.