Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to the news list

Doctor Web detected malicious plug-in in some Google Play apps

June 23, 2016

Although Google Play is still considered to be the most secure Android app store, from time to time, attackers try to spoil its reputation by spreading their malicious programs via this catalog. One of such programs is Android.Valeriy.1.origin detected by Doctor Web specialists. This Trojan is intended to distribute malware and to subscribe users to various chargeable services, making money on victims’ carelessness.

The Android.Valeriy.1.origin Trojan is implemented as a malicious plug-in incorporated into benign applications. It is distributed by ZvonkoMedia LLC, Danil Prokhorov, and horshaom in six different Android apps published on Google Play:

  • Battery Booster;
  • Power Booster;
  • Blue Color Puzzle;
  • Blue And White;
  • Battery Checker;
  • Hard Jump - Reborn 3D.

These programs, which are games and service tools, have been downloaded by more than 15,500 users. Besides, Doctor Web security researchers registered over 55,000 downloads of these applications after they gained access to the Trojan’s C&C server. Our specialists have already informed Google about this incident. So far, applications containing Android.Valeriy.1.origin were still available for downloading.

Android.Valeriy.1.origin #drweb

Android.Valeriy.1.origin #drweb Android.Valeriy.1.origin #drweb

Android.Valeriy.1.origin #drweb Android.Valeriy.1.origin #drweb

Once one of these applications is launched, Android.Valeriy.1.origin connects to the server and gets instructions containing a specially generated link. The Trojan follows this link that leads to some website that provides the Trojan with the endpoint URL, depending on various parameters. In most cases, this URL leads to a dubious webpage in order to get their mobile phone number and subscribe them to chargeable services. For example, the user can be offered to view some adult content or download popular software, which is, in fact, available for free on Google Play. Despite the fact that all information regarding subscription conditions is available on the webpage, the user can easily pass it unnoticed and specify their phone number.

Android.Valeriy.1.origin #drweb Android.Valeriy.1.origin #drweb

Android.Valeriy.1.origin #drweb Android.Valeriy.1.origin #drweb

Android.Valeriy.1.origin opens one of these websites in WebView and displays it as an advertisement. Then it starts monitoring all incoming SMS messages. If the user gives their phone number, a confirmation code for subscription is then sent. However, Android.Valeriy.1.origin intercepts and blocks all these messages. As a result, the victim does not have any idea that they are subscribed to some services and, therefore, a certain subscription fee will be written off from the user’s mobile account every day.

The Trojan can also perform another function—download software, including malicious programs. For instance, Doctor Web specialists detected the Android.DownLoader.355.origin downloader Trojan. Besides, instructions for Android.Valeriy.1.origin may contain various JavaScript scripts that are executed using WebView. These features can be implemented to covertly tap on interactive elements, advertisements and links on browsed webpages—for example, to confirm the phone number specified by the user or to increase various traffic statistics.

If you do not want to fall victim to these fraudulent schemes, we recommend you to pay careful attention to all pop-up messages and notifications and warn you against entering your phone number into suspicious input forms.

Most of applications compromised with Android.Valeriy.1.origin are protected with a special packer that complicates their analysis. However, Dr.Web for Android detects Android.Valeriy.1 and Android.Packed.1 and removes them from mobile devices. Therefore, they do not pose any threat to our users.

More about this Trojan

Protect your Android device with Dr.Web now

Buy online Buy on Google Play Free download

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments