New Trojan found in Google Play: Doctor Web uncovers social media account stealing scheme

June 15, 2016

Doctor Web specialists have found a new Trojan being spread via Google Play applications. This malicious program, named Android.PWS.Vk.3, targets users of VK («ВКонтакте», the largest European online social network) and steals the login credentials for their profiles.

Android.PWS.Vk.3 is distributed via the “Music from VK” («Музыка из ВК») application published on Google Play. The developer’s name is MixHard. Doctor Web analysts have informed Google about this Trojan. As of this publication, Android.PWS.Vk.3 was still available for download.


The Trojan is implemented as a fully featured VK audio player. To listen to music, the user must log in to their profile by entering a login and password. In fact, these credentials are immediately sent to the C&C server, which means that attackers get full control over the user’s VK profile.


Doctor Web specialists have observed virus makers attempting to sell user profiles hacked with Android.PWS.Vk.3 on underground hacking forums. In addition, cybercriminals can use these VK profiles to generate traffic for various VK communities.

Attackers have previously tried to distribute Android.PWS.Vk.3 via Google Play, for example as the Music for VK and Music VK applications by Dobrandrav. However, neither of these apps is available for download any more. In total, about 12,000 users have installed the Trojan on their devices.


The Trojan’s authors have created their own VK community, which has more than 44,600 subscribers. All members are invited to download Android.PWS.Vk.3 to their mobile devices.


In addition, attackers published one more application, named “Music and video for VK” («Музыка и видео для ВК»), with Gomunkul listed as its developer. At present, this player does not contain the payload.


Despite its apparent harmlessness, this player may become a full-blown Trojan once attackers decide to modify one of its parameters (or add any functions, including malicious ones) and update the program. If this happens, the Trojan will continuously prompt the user to install a plug-in necessary for its operation. Notably, the plug-in and Android.PWS.Vk.3 have the same security certificate.


More than 1,000,000 users have downloaded the player so far and can fall victim to the Trojan at any time. Because of the danger that this player represents for Android devices, it was added to our virus database under the name Android.Click.123.

Doctor Web strongly advises users to install only official applications and to protect their devices with anti-virus software. Android.PWS.Vk.3 and the Android.Click.123 riskware are successfully detected and removed by Dr.Web for Android; thus, they do not pose any threat to our users.
