Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support

Send a message

Your tickets

Profile

Back to news

Doctor Web: an Android Trojan on Google Play gains money for virus writers using an invisible advertisement

April 26, 2018

Doctor Web specialists have detected the applications with the built-in Trojan Android.RemoteCode.152.origin in Google Play catalog, which has been downloaded more than 6 500 000 times in total. This malicious program silently downloads and launches additional modules, containing adware plug-ins. By using them, the Trojan downloads invisible ads and clicks on them, so criminals gain rewards.

Android.RemoteCode.152.origin - the new version of Android.RemoteCode.106.origin Trojan known since 2017, Doctor Web published the article about it in November. This malicious program was a software module that software developers were embedding into their applications and were distributing through the Google Play catalog. The main function of Android.RemoteCode.106.origin is the silent downloading and launching of the auxiliary plug-ins designed for downloading advertising web pages and clicking on banners located on them. The new version of the Trojan performs similar actions.

After the first launch of the application, which contains the built-in Trojan, Android.RemoteCode.152.origin automatically starts working at certain intervals and starts itself after each device reboot. Therefore, its operation does not require the device owner to continually use the infected application.

At the launch, the malicious program downloads one of the Trojan modules (added to Dr.Web virus database as Android.Click.249.origin) from the managing server and launches it. This component downloads and launches another module based on the MobFox SDK advertising platform. This platform is designed for monetizing applications. With its use, the Trojan silently creates various advertisements and banners, and then clicks on them, earning money for criminals. In addition, Android.RemoteCode.152.origin connects to the mobile marketing network AppLovin, through which it also downloads advertisements for additional income.

Doctor Web virus analysts have detected several applications in the Google Play catalog , which contained this Trojan as built-in. All of them were various games, which total amount of downloads has exceeded 6 500 000. Doctor Web specialists notified Google Corporation about the programs found, and at the time of the publication of this article some of the applications were successfully deleted from Google catalog. At the same time, some applications have been updated clear of this malicious module.

Android.RemoteCode.152.origin has been detected in the following programs:

  • Beauty Salon - Dress Up Game, version 5.0.8;
  • Fashion Story - Dress Up Game, version 5.0.0;
  • Princess Salon - Dress Up Sophie, version 5.0.1;
  • Horror game - Scary movie quest, version 1.9;
  • Escape from the terrible dead, version 1.9.15;
  • Home Rat simulator, version 2.0.5;
  • Street Fashion Girls - Dress Up Game, version 6.07;
  • Unicorn Coloring Book, version 134.

In addition, Doctor Web specialists have further analyzed and identified the Trojan in several other applications that had already been removed from the catalog:

  • Subwater Subnautica, version 1.7;
  • Quiet, Death!, version 1.1;
  • Simulator Survival, version 0.7;
  • Five Nigts Survive at Freddy Pizzeria Simulator, version 12;
  • Hello Evil Neighbor 3D, version 2.24;
  • The Spire for Slay, version 1.0;
  • Jumping Beasts of Gang, version 1.9;
  • Deep Survival, vesion 1.12;
  • Lost in the Forest, version 1.7;
  • Happy Neighbor Wheels, version 1.41;
  • Subwater Survival Simulator, version 1.15;
  • Animal Beasts, version 1.20.

An example of software with the built-in Android.RemoteCode.152.origin Trojan are shown on the following pictures:

#Dr.Web #Dr.Web

#Dr.Web #Dr.Web

To reduce the possibility of mobile devices being infected by malicious programs, Doctor Web specialists recommend installing applications only from known and trusted developers. Antivirus products like Dr.Web for Android detect and successfully remove all known modifications of the Trojans described in this article, so they do not represent danger for our users.

[More information regarding Android.RemoteCode.152.origin]

#Android, #Google_Play, #ad_software, #Trojan

Your Android needs protection!
Use Dr.Web

Free download

  • First Russian anti-virus for Android
  • Over 135 million downloads—just from Google Play!
  • Available free of charge for users who purchase Dr.Web home products

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2018

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040