FOR CUSTOMERS

Close

Library
My library

+ Add to library

Search
Search

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

A query form

Call us

+7 (495) 789-45-86

Forum

Your tickets

New ticket

Call us

+7 (495) 789-45-86

Profile

EN

RU CN DE EN ES FR IT JP KZ UZ PL BY
Close
News

News by topic

Virus alerts
The Anti-virus Times
News boxes
Press center

Back to the news list

Doctor Web detects Downloader Trojan in VPN client for Android

October 18, 2018

Downloader Trojans are malware that cybercriminals use to spread other Trojans. Doctor Web’s malware analysts have found one of these downloaders on Google Play. It was hiding in software designed to connect to private virtual networks (VPN).

The Trojan, dubbed Android.DownLoader.818.origin, was embedded into the Turbo VPN, an Unlimited Free VPN & Proxy, downloaded by over 11,000 Android mobile device users. The name of the malicious application is very similar to the popular VPN client “Turbo VPN”, an unlimited free VPN & fast security VPN by Innovative Connecting, which has nothing to do with this fake. Trying to make Android.DownLoader.818.origin look similar to the well-known VPN software, creators of the Trojan wanted to mislead potential victims and increase the number of downloads.

Android.DownLoader.818.origin #drweb

When launched, Android.DownLoader.818.origin requested read and write permissions. After that, it prompted the user to grant it administrator privileges on the mobile device.

Android.DownLoader.818.origin #drweb Android.DownLoader.818.origin #drweb

Android.DownLoader.818.origin indeed made it possible to work with the VPN, since the attackers borrowed the data from the open-source project, OpenVPN for Android, when creating the Trojan. However, those who had installed the application could not use it: after being granted the necessary system privileges, Android.DownLoader.818.origin removed its icon from the list of programs on the main screen. Following that, the Trojan VPN client would not launch.

When the malware was hidden from the user, it downloaded an APK file from a remote server in the background and saved it to the memory card. It then kept prompting the user to install the downloaded application until the user agreed. See the sample dialog below shown by Android.DownLoader.818.origin to install the program:

Android.DownLoader.818.origin #drweb

When Android.DownLoader.818.origin was being analysed, the downloaded file was the Trojan Android.HiddenAds.710designed to display ads. However, depending on the server settings and the goals of attackers, Android.DownLoader.818.origin may download and try to install any other malicious or unwanted application.

Doctor Web experts notified Google about the dangerous software found on Google Play and it has been promptly removed from the list.

Dr.Web for Android successfully detects and removes all the indicated Trojans from mobile devices, so they do not pose any threat to our users.

#Android, #Google_Play, #malware, #trojan

Your Android needs protection!
Use Dr.Web

Free download

  • First Russian anti-virus for Android
  • Over 135 million downloads—just from Google Play!
  • Available free of charge for users who purchase Dr.Web home products

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments