25,000 devices may have been affected by new Trojans on Google Play
July 25, 2013
The programs, discovered by Doctor Web's analysts, belong to the Vietnamese developer AppStore Jsc. They are disguised as audio players and a video player that displays adult content.
The table below is based on Google Play statistics. It provides information about the number of users who have installed these applications:
|Application title||Package name||Installations|
|Phim Sex HD-Free||phimsex.videoxxx.clipsex.phimnguoilon.phimconheo.tinhduc||5000–10000|
|Zing MP3 - BXH Music||phimsexy.mp3.zing.vn.nhaccuatui.bangxephang.bxh.nhachot||5000–10000|
|Phim Nguoi Lon - Audio 18+||zingmp3.audio18.truyennguoilon.audiotinhduc||1000–5000|
The total number of installations of these three programs ranges between 11,000 and 25,000.
These applications appear harmless. However, they incorporate an extra apk-file that contains an Android.SmsSend Trojan. While running these carrier applications, dubbed Android.MulDrop, Android.MulDrop.1, and Android.MulDrop.2 by Dr.Web, can prompt the user to download the content they need, but their consent initiates the installation of another application rather than the downloading of files. For example, the video player program offers to get the user new adult clips.
If the careless user agrees to install a suspicious application, the Trojan Android.SmsSend.512 will be installed on the device. The program covertly sends short messages to the short number 8775 which is specified in the malware's configuration file. It is noteworthy that this Trojan really does enable a user to view adult video clips. Apparently, the attackers implemented this feature to avoid unnecessary suspicion.
As for the second and third Trojan carriers, they contain malware dubbed Android.SmsSend.513.origin. It operates similarly to Android.SmsSend.517, but, unlike the latter, it acquires information about short numbers from a command and control server.
Devices running Dr.Web for Android are well protected from these malicious programs whose signatures were promptly added to the virus database.