Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Back to news

Doctor Web registers more than one million downloads of Android Trojan from Google Play

November 10, 2016

Doctor Web’s specialists have discovered a new Trojan, dubbed Android.MulDrop.924, on Google Play. This Trojan covertly downloads applications and prompts users to install them. In addition, it displays annoying advertisements.

Android.MulDrop.924 is spread via Google Play as an application named “Multiple Accounts: 2 Accounts”, which has already been downloaded over a million times. This malware program facilitates the use of several user accounts simultaneously in games and other software programs installed on a device. However, benign as it may seem, this application hides malicious functionality about which victims are not informed. Doctor Web’s security researchers have already warned Google about this incident; however, at the time this news article went to posted, Android.MulDrop.924 was still available for downloading.

screen Android.MulDrop.924 #drweb

The Trojan has a unique modular architecture. Part of its functionality is located in two auxiliary modules, which are encrypted and hidden inside a PNG image in the resource catalog of Android.MulDrop.924. Once launched, the Trojan extracts and copies these modules to its local directory in the section /data and then loads them into the memory.

One of these components not only performs benign functions but also contains several advertising plug-ins used by the Trojan’s authors to generate income. The malicious module Android.DownLoader.451.origin is one of them—it covertly downloads applications and invites users to install them. In addition, it can display advertisements on the status bar of a device.

screen Android.MulDrop.924 #drweb screen Android.MulDrop.924 #drweb screen Android.MulDrop.924 #drweb

Apart from Google Play, Android.MulDrop.924 is being spread via other application stores. One of its modifications is incorporated into an earlier version of the application “Multiple Accounts: 2 Accounts”. It is signed with a third-party certificate and, like the module Android.DownLoader.451.origin, contains the additional malicious plug-in Android.Triada.99 that downloads exploits to get root privileges on an infected device. The module can also download and install other applications. The fact that this modification is signed by another certificate proves that it is modified and distributed by another group of attackers who are unrelated to the creators of the original Trojan.

Dr.Web for Android successfully detects all the known versions of Android.MulDrop.924 and its components so they do not pose any threat to our users.

Protect your Android device with Dr.Web now

Buy online Buy on Google Play Free download

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040