Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to news

Doctor Web detects Downloader Trojan in VPN client for Android

October 18, 2018

Downloader Trojans are malware that cybercriminals use to spread other Trojans. Doctor Web’s malware analysts have found one of these downloaders on Google Play. It was hiding in software designed to connect to private virtual networks (VPN).

The Trojan, dubbed Android.DownLoader.818.origin, was embedded into the Turbo VPN, an Unlimited Free VPN & Proxy, downloaded by over 11,000 Android mobile device users. The name of the malicious application is very similar to the popular VPN client “Turbo VPN”, an unlimited free VPN & fast security VPN by Innovative Connecting, which has nothing to do with this fake. Trying to make Android.DownLoader.818.origin look similar to the well-known VPN software, creators of the Trojan wanted to mislead potential victims and increase the number of downloads.

Android.DownLoader.818.origin #drweb

When launched, Android.DownLoader.818.origin requested read and write permissions. After that, it prompted the user to grant it administrator privileges on the mobile device.

Android.DownLoader.818.origin #drweb Android.DownLoader.818.origin #drweb

Android.DownLoader.818.origin indeed made it possible to work with the VPN, since the attackers borrowed the data from the open-source project, OpenVPN for Android, when creating the Trojan. However, those who had installed the application could not use it: after being granted the necessary system privileges, Android.DownLoader.818.origin removed its icon from the list of programs on the main screen. Following that, the Trojan VPN client would not launch.

When the malware was hidden from the user, it downloaded an APK file from a remote server in the background and saved it to the memory card. It then kept prompting the user to install the downloaded application until the user agreed. See the sample dialog below shown by Android.DownLoader.818.origin to install the program:

Android.DownLoader.818.origin #drweb

When Android.DownLoader.818.origin was being analysed, the downloaded file was the Trojan Android.HiddenAds.710designed to display ads. However, depending on the server settings and the goals of attackers, Android.DownLoader.818.origin may download and try to install any other malicious or unwanted application.

Doctor Web experts notified Google about the dangerous software found on Google Play and it has been promptly removed from the list.

Dr.Web for Android successfully detects and removes all the indicated Trojans from mobile devices, so they do not pose any threat to our users.

#Android, #Google_Play, #malware, #trojan

Your Android needs protection!
Use Dr.Web

Free download

  • First Russian anti-virus for Android
  • Over 135 million downloads—just from Google Play!
  • Available free of charge for users who purchase Dr.Web home products

Tell us what you think

You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments

The Russian developer of Dr.Web anti-viruses

Doctor Web has been developing anti-virus software since 1992

Dr.Web is trusted by users around the world in 200+ countries

The company has delivered an anti-virus as a service since 2007

24/7 tech support

© Doctor Web
2003 — 2019

Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040