June 15, 2016
Android.PWS.Vk.3 is distributed via the “Music from VK” («Музыка из ВК») application published on Google Play. The developer’s name is MixHard. Doctor Web analysts have informed Google about this Trojan. So far, Android.PWS.Vk.3 is still available for download.
The Trojan is implemented as a fully featured VK audio player. To listen to music, the user has to log in to their VK profile by entering their login and password. In fact, these credentials are immediately sent to the C&C server, which means that attackers get full control over the user’s VK profile.
Doctor Web specialists have registered attempts by virus makers to sell user profiles hacked with Android.PWS.Vk.3 on underground hacking forums. In addition, cybercriminals can use these VK profiles to generate traffic for various VK communities.
Attackers have already tried to distribute Android.PWS.Vk.3 via Google Play, for example as the Music for VK and Music VK applications by Dobrandrav. However, neither of these apps is available for download any more. In total, about 12,000 users have installed the Trojan on their devices.
The Trojan’s authors have created their own VK community, which has more than 44,600 subscribers. All of its members are invited to download Android.PWS.Vk.3 to their mobile devices.
In addition, attackers have published one more application, named “Music and video for VK” («Музыка и видео для ВК») and developed by Gomunkul. At present, this player does not contain the payload.
Despite its apparent harmlessness, this player may become a full-blown Trojan once attackers decide to modify one of its parameters (or add any functions, including malicious ones) and update the program. If this happens, the Trojan will continuously prompt the user to install a plug-in necessary for its operation. It should be noted that the plug-in and Android.PWS.Vk.3 have the same security certificate.
More than 1,000,000 users have currently downloaded the player and can fall victim to the Trojan at any time. Because of the danger that this player represents for Android devices, it was added to our virus database under the name of Android.Click.123.
Doctor Web strongly advises users to install only official applications and to protect their devices with anti-virus software. Android.PWS.Vk.3 and the Android.Click.123 riskware are successfully detected and removed by Dr.Web for Android, so they do not pose any threat to our users.