Doctor Web: an Android Trojan on Google Play gains money for virus writers using an invisible advertisement
April 26, 2018
Android.RemoteCode.152.origin is a new version of the Android.RemoteCode.106.origin Trojan, known since 2017, which Doctor Web described in an article published in November. This malicious program is a software module that developers embedded into their applications and distributed through the Google Play catalog. The main function of Android.RemoteCode.106.origin is the silent downloading and launching of auxiliary plug-ins designed to load advertising web pages and click on the banners located on them. The new version of the Trojan performs similar actions.
After the first launch of an application that contains the built-in Trojan, Android.RemoteCode.152.origin automatically starts working at certain intervals and restarts itself after each device reboot. Therefore, its operation does not require the device owner to keep using the infected application.
At launch, the malicious program downloads one of the Trojan modules (added to the Dr.Web virus database as Android.Click.249.origin) from the managing server and launches it. This component in turn downloads and launches another module based on the MobFox SDK advertising platform, which is designed for monetizing applications. Using it, the Trojan silently creates various advertisements and banners and then clicks on them, earning money for the criminals. In addition, Android.RemoteCode.152.origin connects to the AppLovin mobile marketing network, through which it also downloads advertisements for additional income.
Doctor Web virus analysts have detected several applications in the Google Play catalog that contained this Trojan as a built-in module. All of them were various games whose total number of downloads exceeded 6 500 000. Doctor Web specialists notified Google about the programs found, and at the time of publication some of the applications had been successfully removed from the Google Play catalog, while others had been updated to versions free of this malicious module.
Android.RemoteCode.152.origin has been detected in the following programs:
- Beauty Salon - Dress Up Game, version 5.0.8;
- Fashion Story - Dress Up Game, version 5.0.0;
- Princess Salon - Dress Up Sophie, version 5.0.1;
- Horror game - Scary movie quest, version 1.9;
- Escape from the terrible dead, version 1.9.15;
- Home Rat simulator, version 2.0.5;
- Street Fashion Girls - Dress Up Game, version 6.07;
- Unicorn Coloring Book, version 134.
In addition, Doctor Web specialists have further analyzed and identified the Trojan in several other applications that had already been removed from the catalog:
- Subwater Subnautica, version 1.7;
- Quiet, Death!, version 1.1;
- Simulator Survival, version 0.7;
- Five Nigts Survive at Freddy Pizzeria Simulator, version 12;
- Hello Evil Neighbor 3D, version 2.24;
- The Spire for Slay, version 1.0;
- Jumping Beasts of Gang, version 1.9;
- Deep Survival, version 1.12;
- Lost in the Forest, version 1.7;
- Happy Neighbor Wheels, version 1.41;
- Subwater Survival Simulator, version 1.15;
- Animal Beasts, version 1.20.
Examples of software with the built-in Android.RemoteCode.152.origin Trojan are shown in the following pictures:
To reduce the likelihood of mobile devices being infected by malicious programs, Doctor Web specialists recommend installing applications only from known and trusted developers. Anti-virus products such as Dr.Web for Android detect and successfully remove all known modifications of the Trojans described in this article, so they pose no danger to our users.