October 18, 2018
The Trojan, dubbed Android.DownLoader.818.origin, was embedded into the Turbo VPN, an Unlimited Free VPN & Proxy, downloaded by over 11,000 Android mobile device users. The name of the malicious application is very similar to the popular VPN client “Turbo VPN”, an unlimited free VPN & fast security VPN by Innovative Connecting, which has nothing to do with this fake. Trying to make Android.DownLoader.818.origin look similar to the well-known VPN software, creators of the Trojan wanted to mislead potential victims and increase the number of downloads.
When launched, Android.DownLoader.818.origin requested read and write permissions. After that, it prompted the user to grant it administrator privileges on the mobile device.
Android.DownLoader.818.origin indeed made it possible to work with the VPN, since the attackers borrowed the data from the open-source project, OpenVPN for Android, when creating the Trojan. However, those who had installed the application could not use it: after being granted the necessary system privileges, Android.DownLoader.818.origin removed its icon from the list of programs on the main screen. Following that, the Trojan VPN client would not launch.
When the malware was hidden from the user, it downloaded an APK file from a remote server in the background and saved it to the memory card. It then kept prompting the user to install the downloaded application until the user agreed. See the sample dialog below shown by Android.DownLoader.818.origin to install the program:
When Android.DownLoader.818.origin was being analysed, the downloaded file was the Trojan Android.HiddenAds.710designed to display ads. However, depending on the server settings and the goals of attackers, Android.DownLoader.818.origin may download and try to install any other malicious or unwanted application.
Doctor Web experts notified Google about the dangerous software found on Google Play and it has been promptly removed from the list.
Dr.Web for Android successfully detects and removes all the indicated Trojans from mobile devices, so they do not pose any threat to our users.#Android, #Google_Play, #malware, #trojan
Your Android needs protection!
- First Russian anti-virus for Android
- Over 135 million downloads—just from Google Play!
- Available free of charge for users who purchase Dr.Web home products
Tell us what you think
To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.