November 10, 2016
Android.MulDrop.924 is spread via Google Play as an application named “Multiple Accounts: 2 Accounts”, which has already been downloaded over a million times. This malicious program lets users work with several accounts simultaneously in games and other software installed on a device. However, benign as it may seem, the application hides malicious functionality that victims are not told about. Doctor Web’s security researchers have already warned Google about this incident; however, at the time this news article was posted, Android.MulDrop.924 was still available for download.
The Trojan has a unique modular architecture. Part of its functionality is located in two auxiliary modules, which are encrypted and hidden inside a PNG image in the resource directory of Android.MulDrop.924. Once launched, the Trojan extracts these modules, copies them to its local directory under /data, and then loads them into memory.
One of these components not only performs benign functions but also contains several advertising plug-ins used by the Trojan’s authors to generate income. The malicious module Android.DownLoader.451.origin is one of them: it covertly downloads applications and prompts users to install them. In addition, it can display advertisements in the status bar of a device.
Apart from Google Play, Android.MulDrop.924 is being spread via other application stores. One of its modifications is incorporated into an earlier version of the application “Multiple Accounts: 2 Accounts”. It is signed with a third-party certificate and, like the module Android.DownLoader.451.origin, contains the additional malicious plug-in Android.Triada.99 that downloads exploits to get root privileges on an infected device. The module can also download and install other applications. The fact that this modification is signed by another certificate proves that it is modified and distributed by another group of attackers who are unrelated to the creators of the original Trojan.
Dr.Web for Android successfully detects all the known versions of Android.MulDrop.924 and its components so they do not pose any threat to our users.