
More than a million downloads: Doctor Web detects yet another Android Trojan on Google Play

July 5, 2017

Doctor Web specialists have found a game on Google Play that contains a loader Trojan: a malicious component that can covertly download, install and run other software. More than a million mobile device owners have installed the game, and with it the Trojan.

The malicious component, dubbed Android.DownLoader.558.origin, is embedded in the popular game BlazBlue, which has been downloaded by more than a million users. The Trojan is part of a software development kit (SDK) named Excelliance, which is designed to automate and simplify the updating of Android applications.

In contrast with the standard update procedure, in which an old version of an application is replaced entirely by a new one, this SDK lets individual components be downloaded separately, without reinstalling the whole package. This allows developers to keep the software installed on mobile devices current even if users do not follow new releases. However, Excelliance operates as a loader Trojan: it downloads and runs application components that nobody has checked, so the code that actually executes on the device is whatever the SDK's server supplies, not what Google Play reviewed. Updating an application through any channel other than Google Play's own update mechanism is prohibited by Google Play's developer policies precisely because it is dangerous.


Android.DownLoader.558.origin begins working the first time the program or game in which it is embedded is launched. The Trojan, together with other application components, is extracted from the app's resource directory and decrypted. From then on it starts by itself every time the mobile device connects to the Internet, even if the user never launches the infected application again.

The Trojan module monitors network connectivity and attempts to connect to its command and control server. Depending on the server's settings, Android.DownLoader.558.origin can be instructed to download one or another program component. In the case of BlazBlue, for example, the module offers to download missing files and updates when they are available.


Besides the application's own additional resources and updates, Android.DownLoader.558.origin can download standalone APK, DEX and ELF files, and in some cases it launches them without the user's knowledge. The code of downloaded DEX files, for example, is executed automatically and requires no action on the part of the device owner.

When a downloaded APK file is installed, the user sees the standard installation dialog; but if Android.DownLoader.558.origin has root access on the device, it can install the package silently. This is the main danger of the Excelliance SDK: at any moment its operators can issue a command to download objects that have nothing to do with the host application, for example advertising modules, third-party programs, or even other Trojans, which are fetched outside Google Play and run without the user's consent.
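The behaviour described above leaves a static footprint: a DEX that loads downloaded code must reference Android's class loaders, and one that runs downloaded ELF binaries or installs packages silently needs a way to spawn a shell. The following Python script, an added illustration that is not Doctor Web's detection logic and not part of this article, parses the string table of a classes.dex file and flags those references. The indicator list is a heuristic assumption (legitimate apps also use Runtime and class loaders), and the two DEX files it scans are constructed in the script itself rather than taken from BlazBlue or Excelliance.

```python
"""Triage scan of a classes.dex string table for indicators of dynamic
code loading and silent installation.  Added illustration only: this is
not Doctor Web's detection logic, and the indicator list is a heuristic
assumption, not a signature."""
import struct

DEX_MAGIC = b"dex\n035\0"
HEADER_SIZE = 0x70

# Heuristic indicators (assumption): class and method names an SDK needs in
# order to load downloaded DEX/APK code, run ELF binaries, or install as root.
INDICATORS = {
    "Ldalvik/system/DexClassLoader;": "can load DEX/APK code from any path",
    "Ldalvik/system/PathClassLoader;": "can load DEX/APK code from a path",
    "loadDex": "DexFile.loadDex executes a downloaded DEX",
    "Ljava/lang/Runtime;": "Runtime.exec can run a downloaded ELF binary",
    "pm install": "shell-based package install, silent with root",
    "su": "requests a root shell",
}


def read_uleb128(buf, off):
    """Decode an unsigned LEB128 integer; return (value, next_offset)."""
    result, shift = 0, 0
    while True:
        b = buf[off]
        off += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, off
        shift += 7


def dex_strings(dex):
    """Yield every string in the DEX file's string_ids table, in table order."""
    if dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX 035 file")
    count, table_off = struct.unpack_from("<II", dex, 0x38)
    for i in range(count):
        (data_off,) = struct.unpack_from("<I", dex, table_off + 4 * i)
        _utf16_len, start = read_uleb128(dex, data_off)  # length prefix, then MUTF-8
        end = dex.index(b"\0", start)
        # MUTF-8 differs from UTF-8 only for NUL and non-BMP code points.
        yield dex[start:end].decode("utf-8", errors="replace")


def scan_dex(dex):
    """Return {indicator: reason} for each indicator present in the string table."""
    present = set(dex_strings(dex))
    return {ind: why for ind, why in INDICATORS.items() if ind in present}


def loads_remote_code(dex):
    """True when the DEX references both a class loader and a way to run or
    install what it fetched; a single hit alone is too weak to act on."""
    hits = scan_dex(dex)
    loader = any(k.startswith("Ldalvik/") or k == "loadDex" for k in hits)
    runner = any(k in ("Ljava/lang/Runtime;", "pm install", "su") for k in hits)
    return loader and runner


def build_dex(strings):
    """Assemble a minimal DEX 035 file containing only a string table.
    Constructed test input: checksum and SHA-1 fields are left zeroed."""
    offsets, data = [], b""
    data_start = HEADER_SIZE + 4 * len(strings)
    for s in strings:
        assert len(s) < 128, "single-byte uleb128 length only"
        offsets.append(data_start + len(data))
        data += bytes([len(s)]) + s.encode("utf-8") + b"\0"
    header = bytearray(HEADER_SIZE)
    header[0:8] = DEX_MAGIC
    struct.pack_into("<III", header, 0x20, data_start + len(data), HEADER_SIZE, 0x12345678)
    struct.pack_into("<II", header, 0x38, len(strings), HEADER_SIZE)
    struct.pack_into("<II", header, 0x68, len(data), data_start)
    table = b"".join(struct.pack("<I", o) for o in offsets)
    return bytes(header) + table + data


# Constructed samples (not real BlazBlue or Excelliance artifacts).
SUSPICIOUS_DEX = build_dex([
    "Lcom/example/updater/ComponentLoader;",
    "Ldalvik/system/DexClassLoader;",
    "loadClass",
    "Ljava/lang/Runtime;",
    "exec",
    "pm install",
])
CLEAN_DEX = build_dex(["Lcom/example/app/MainActivity;", "onCreate"])

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_DEX), ("clean", CLEAN_DEX)):
        print(f"{name}: loads_remote_code={loads_remote_code(blob)} hits={scan_dex(blob)}")
```

Against a real application, unzip the APK and pass each `classes*.dex` (multidex apps have several) to `scan_dex`; an SDK like the one described here normally lives in its own DEX or in a component that is decrypted at first launch, so a clean result on the shipped DEX is not proof of absence. Treat hits as a reason to look at the code, not as a verdict.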

Doctor Web specialists have informed Google about the dangerous behavior of the Trojan component in the SDK used by the game BlazBlue. However, at the time this news article was posted, the version of the game containing Android.DownLoader.558.origin was still available for download on Google Play.

Applications containing this Trojan are detected by Dr.Web for Android anti-virus products as Android.RemoteCode.81.origin, so it does not pose a threat to our users.
