Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Doctor Web detects infected games on Google Play with more than 4,500,000 downloads

January 16, 2018

Doctor Web virus analysts have found several games on Google Play that contain Android.RemoteCode.127.origin. It covertly downloads and launches additional modules that perform various malicious actions. For example, they simulate user actions by covertly opening websites and clicking on their items.

Android.RemoteCode.127.origin is a part of a framework (SDK, Software Development Kit) called 呀呀云 (Ya Ya Yun). Developers use it to extend the functionality of their applications. Particularly, it allows gamers to maintain communication with each other. However, besides the indicated possibilities, the platform performs the Trojan’s functions. It covertly downloads malicious modules from a remote server.

Once the programs with the embedded SDK are launched, Android.RemoteCode.127.origin makes a request to the command and control (C&C) server. As a response, it can receive a command to download and launch malicious modules capable of many actions. Doctor Web specialists intercepted and inspected one such module, and dubbed it Android.RemoteCode.126.origin. Once launched, it connects to its C&C server and receives a link to download an allegedly benign image.

screen Android.RemoteCode.126.origin #drweb

In fact, this graphic file conceals another Trojan module, which is an updated version of Android.RemoteCode.126.origin. Virus analysts have already encountered this method of masking malicious objects in images (steganography). For example, it was applied by the Trojan detected in 2016 and dubbed Android.Xiny.19.origin.

Once decrypted and launched, a new version of the Trojan module (detected by Dr.Web as Android.RemoteCode.125.origin) begins operating simultaneously with an old one, duplicating its functions. This module then downloads another image with a hidden malicious component. It was named Android.Click.221.origin.

screen Android.RemoteCode.126.origin #drweb

Its main purpose is to covertly open websites and click on their items, such as links and banners. To do that, Android.Click.221.origin downloads a script from the address indicated by the C&C server. The Trojan provides the script with the possibility to perform various actions on a webpage, including simulating clicks on indicated items. Thus, if the Trojan’s task includes following links and advertisements, cybercriminals profit from inflating website traffic stats and clicking on banners. However, it is not the only functionality of Android.RemoteCode.127.origin, because virus writers are capable of creating additional Trojan modules that will perform other malicious actions. For example, display phishing windows to steal login credentials, show advertising, and also covertly download and install applications.

Doctor Web specialists found 27 games on Google Play that used Trojan SDK. More than 4,500,000 mobile device owners downloaded them. The applications with embedded Android.RemoteCode.127.origin are listed in the table below:

Program nameApplication package nameVersion
Hero Missioncom.dodjoy.yxsm.global1.8
Era of Arcaniacom.games37.eoa2.2.5
Clash of Civilizationscom.tapenjoy.warx0.11.1
Sword and Magiccom.UE.JYMF&hl1.0.0
خاتم التنين - Dragon Ring (For Egypt)com.reedgame.ljeg1.0.0
perang pahlawancom.baiduyn.indonesiamyth1.1400.2.0
樂舞 - 超人氣3D戀愛跳舞手遊com.baplay.love1.0.2
Fleet Glorycom.entertainment.mfgen.android1.5.1
Kıyamet Kombat Arenacom.esportshooting.fps.thekillbox.tr1.1.4
Love Dancecom.fitfun.cubizone.love1.1.2
Never Find Me - 8v8 real-time casual gamecom.gemstone.neverfindme1.0.12
惡靈退散-JK女生の穿越冒險com.ghosttuisan.android0.1.7
King of Warship: National Herocom.herogames.gplay.kowglo1.5.0
King of Warship:Sail and Shootcom.herogames.gplay.kowsea1.5.0
狂暴之翼-2017年度最具人氣及最佳對戰手遊com.icantw.wings0.2.8
武動九天com.indie.wdjt.ft11.0.5
武動九天com.indie.wdjt.ft21.0.7
Royal flushcom.jiahe.jian.hjths2.0.0.2
Sword and Magiccom.linecorp.LGSAMTHDepends on a device model
Gumballs & Dungeons:Roguelike RPG Dungeon crawlercom.qc.mgden.android0.41.171020.09-1.8.6
Soul Awakeningcom.sa.xueqing.en1.1.0
Warship Rising - 10 vs 10 Real-Time Esport Battlecom.sixwaves.warshiprising1.0.8
Thủy Chiến - 12 Vs 12com.vtcmobile.thuychien1.2.0
Dance Togethermusic.party.together1.1.0
頂上三国 - 本格RPGバトルcom.yileweb.mgcsgja.android1.0.5
靈魂撕裂com.moloong.wjhj.tw1.1.0
Star Legendscom.dr.xjlh11.0.6

Virus analysts informed Google about the detection of the Trojan component in the indicated applications. However, at the moment this news article was posted, they were still available for download. It is recommended that owners of Android smartphones and tablets delete installed games that were installed with Android.RemoteCode.127.origin. Dr.Web for Android successfully detects programs containing Android.RemoteCode.127.origin and this Trojan poses no threat to our users.

More about the Trojan

Your Android needs protection
Use Dr.Web

Free download

  • The first Russian Anti-virus for Android
  • More than 135 million downloads on Google Play alone
  • Free for users of Dr.Web home products
#Google_Play, #Android, #mobile, #Trojan, #application_markets

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040