April 21, 2015

Doctor Web security researchers have discovered a dangerous Trojan for Android devices. This malware tries to acquire root privileges to stealthily download, install, or remove applications upon cybercriminals’ command. Moreover, this malicious program gathers detailed information about the infected mobile device and sends it to the virus makers. In addition to it, this Trojan can display annoying advertisements.

A new malicious program named Android.Toorch.1.origin is incorporated into a torch application and can be distributed by cybercriminals via popular websites with downloadable software.

Furthermore, this malware can be downloaded to mobile devices with the help of numerous aggressive advertisement modules embedded into different applications. Android.Toorch.1.origin can infect a device only if the user themselves installs this malicious program. However, due to the fact that the Trojan is distributed under the guise of a legitimate application, potential victims are very likely to install it on their devices. Android.Toorch.1.origin operates like any other ordinary torch application, and the user cannot detect that something is amiss.

Once the Trojan is launched, it establishes a connection to the command and control server and uploads the following data about the infected device:

• Current time
• Current location
• IMEI
• Device’s unique ID generated by the Trojan
• Trojan’s version
• Root access availability
• Availability of an active Wi-Fi connection
• OS version
• Current system language
• Device model and manufacturer
• Trojan’s package name
• Network connection type

At the same time, Android.Toorch.1.origin tries to acquire root privileges by using the com.apkol.root package modified by cybercriminals. If the Trojan succeeds, it extracts the NetworkProvider.apk application (can also be detected as Android.Toorch.1.origin) from its program package and installs it into the system directory /system/app. Then the Trojan launches the system service that corresponds to the application. Some modifications of NetworkProvider.apk can contain an additional module with the name GDataAdapter. Once it is installed in the system directory using the same method, it ensures the constant running of NetworkProvider.apk relaunching the application if necessary.

In turn, the NetworkProvider.apk program contains another component of Android.Toorch.1.origin. This component has been added to the Dr.Web virus database under the name of Android.Toorch.2.origin. Using the DexClassLoader class, Android.Toorch.2.origin is loaded into the RAM, and once it is successfully launched, it receives the configuration file from the command and control server. Then this module performs its further malicious activity in accordance with the commands specified in the file. In particular, the Trojan can send cybercriminals the signal about its successful launch, initiate its own update, upload to the remote command and control server detailed information regarding the infected device (including its GPS coordinates) and installed applications. However, the main function of this module is to stealthily download, install, and remove applications upon cybercriminals’ command. Since the Trojan has root privileges, all these actions are executed without user consent.

It should be noted that Android.Toorch.1.origin contains an advertising platform Adware.Avazu.1.origin which displays advertisements on the screen of the infected device every time the user installs a new application. Other modifications of this Trojan can install the same module on the system as a separate application incorporated into the GoogleSettings.apk component (which has the same functionality as the NetworkProvider.apk module).

Android.Toorch.1.origin installs different malicious modules into the system directory which is not scanned by Dr.Web anti-virus solutions for Android during an express scan. This makes the Trojan highly dangerous. Even if the original malicious torch application is removed, the components installed by it stay on the system and continue to execute their malicious activity. Therefore, right after Android.Toorch.1.origin is discovered for the first time, it is very important to run a full scan on the infected mobile device.

Doctor Web security researchers have created a special utility that can help victims of the Trojan’s activity to remove all malicious components from their mobile devices. To cure an infected smartphone or a tablet, download the utility, install it, run the application, and follow its instructions on the screen of your device. Once the Trojan is successfully removed from the device, the root privileges will be cancelled. If you had had access to the root privileges before your Android device got infected, you may need to reassign them.