January 16, 2018
Android.RemoteCode.127.origin is a part of a framework (SDK, Software Development Kit) called 呀呀云 (Ya Ya Yun). Developers use it to extend the functionality of their applications. Particularly, it allows gamers to maintain communication with each other. However, besides the indicated possibilities, the platform performs the Trojan’s functions. It covertly downloads malicious modules from a remote server.
Once the programs with the embedded SDK are launched, Android.RemoteCode.127.origin makes a request to the command and control (C&C) server. As a response, it can receive a command to download and launch malicious modules capable of many actions. Doctor Web specialists intercepted and inspected one such module, and dubbed it Android.RemoteCode.126.origin. Once launched, it connects to its C&C server and receives a link to download an allegedly benign image.
In fact, this graphic file conceals another Trojan module, which is an updated version of Android.RemoteCode.126.origin. Virus analysts have already encountered this method of masking malicious objects in images (steganography). For example, it was applied by the Trojan detected in 2016 and dubbed Android.Xiny.19.origin.
Once decrypted and launched, a new version of the Trojan module (detected by Dr.Web as Android.RemoteCode.125.origin) begins operating simultaneously with an old one, duplicating its functions. This module then downloads another image with a hidden malicious component. It was named Android.Click.221.origin.
Its main purpose is to covertly open websites and click on their items, such as links and banners. To do that, Android.Click.221.origin downloads a script from the address indicated by the C&C server. The Trojan provides the script with the possibility to perform various actions on a webpage, including simulating clicks on indicated items. Thus, if the Trojan’s task includes following links and advertisements, cybercriminals profit from inflating website traffic stats and clicking on banners. However, it is not the only functionality of Android.RemoteCode.127.origin, because virus writers are capable of creating additional Trojan modules that will perform other malicious actions. For example, display phishing windows to steal login credentials, show advertising, and also covertly download and install applications.
Doctor Web specialists found 27 games on Google Play that used Trojan SDK. More than 4,500,000 mobile device owners downloaded them. The applications with embedded Android.RemoteCode.127.origin are listed in the table below:
|Application package name
|Era of Arcania
|Clash of Civilizations
|Sword and Magic
|خاتم التنين - Dragon Ring (For Egypt)
|樂舞 - 超人氣3D戀愛跳舞手遊
|Kıyamet Kombat Arena
|Never Find Me - 8v8 real-time casual game
|King of Warship: National Hero
|King of Warship:Sail and Shoot
|Sword and Magic
|Depends on a device model
|Gumballs & Dungeons：Roguelike RPG Dungeon crawler
|Warship Rising - 10 vs 10 Real-Time Esport Battle
|Thủy Chiến - 12 Vs 12
|頂上三国 - 本格RPGバトル
Virus analysts informed Google about the detection of the Trojan component in the indicated applications. However, at the moment this news article was posted, they were still available for download. It is recommended that owners of Android smartphones and tablets delete installed games that were installed with Android.RemoteCode.127.origin. Dr.Web for Android successfully detects programs containing Android.RemoteCode.127.origin and this Trojan poses no threat to our users.
Your Android needs protection
- The first Russian Anti-virus for Android
- More than 135 million downloads on Google Play alone
- Free for users of Dr.Web home products
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.