July 5, 2017

Doctor Web specialists found a game on Google Play that contains a loader Trojan. This malicious application can covertly download, install and run other software. More than a million mobile device owners have downloaded this Trojan.

The malicious application, dubbed Android.DownLoader.558.origin, is embedded in the popular game BlazBlue, which has been downloaded by more than a million users. This Trojan is part of a special software package (SDK, Software Development Kit) named Excelliance, which is designed to computerize and simplify Android program updates.

In contrast with the standard update procedure, when an old version of an application is entirely replaced with a new one, the SDK indicated above allows needed components to be loaded separately without reinstalling the entire software package. This allows developers to keep the version of software installed on mobile devices current even if users do not keep track of the release of new versions. However, Excelliance operates as a loader Trojan because it can download and run unchecked application components. This update method violates Google Play rules because it is dangerous.

Android.DownLoader.558.origin begins working upon the initial launch of the program or the game into which it has been embedded. The Trojan, along with other application elements, is extracted from the directory with its resources and decrypted. After that, it loads on its own every time the mobile device connects to the Internet, even if the user no longer launches the infected application.

The Trojan module tracks network activity and tries to connect to its command and control server. Depending on the server settings, Android.DownLoader.558.origin can be ordered to download one or another program component. For example, in the case of BlazBlue, the module offers to download missing files and updates, if available.

Besides the application’s additional resources and updates, Android.DownLoader.558.origin can download separate APK, DEX and ELF files. Furthermore, in some cases these files can be launched without user knowledge. For example, the code of loaded DEX files is executed automatically and doesn’t require any action on the part of the mobile device owner.

Meanwhile, while the downloaded APK files are being installed, the user sees a standard dialog box; however, if Android.DownLoader.558.origin has root access in the system, it can install them imperceptibly. That is the main danger of SDK Excelliance. At any moment, its authors can issue a command to load objects that have nothing at all to do with the main application, for example, advertising modules, third-party programs and even other Trojans that can be downloaded outside Google Play and run without permission.

Doctor Web specialists have informed Google about the dangerous behavior of the Trojan component in SDK, which is used in the game BlazBlue. However, at the moment this news article was posted, the game version containing Android.DownLoader.558.origin was still available for download on Google Play.

Applications containing this Trojan are successfully detected by Dr.Web for Android anti-virus products as Android.RemoteCode.81.origin; therefore, this spyware does not pose any threat to our users.

More about this Trojan