December 1, 2020
The app, “Eye Care - Your close Eye Care Assistant,” has been available on Google Play since 2018, but the trojan functionality only appeared in 2019, beginning with version 1.2.11. The malicious versions of this app were added to the Dr.Web virus database as Android.Mixi.44.origin.
At first glance this app appears harmless and operates as would be expected. Upon launch, however, it covertly executes malicious functions.
Android.Mixi.44.origin collects and sends the following information about the infected device to the C&C server:
- The unique user ID the trojan generates
- The unique device ID
- The Google advertisement ID
- The OS version
- The app version containing the trojan
- The Play Store app version installed on the device
- The WebView engine version
One of its functions is to fraudulently monetize app installations. To do so, Android.Mixi.44.origin continuously tracks when the user installs and removes the apps, recording all related data.
Upon connecting to the C&C server, the trojan receives a URL that leads to the list of web addresses it should visit visit. Within the interval of several seconds it covertly loads each of them inside the invisible WebView. If the resulting link from the redirection chain leads to the page of an app hosted on Google Play, but this app hasn’t been installed on the device yet, the trojan remembers its packet name and the time the link was loaded. It then simply waits for the user to install the necessary application. When Android.Mixi.44.origin detects a successful installation, it sends the app’s packet name with the referral ID to the advertising analytics service that tracks the successfully completed advertising tasks. In this way, the trojan attempts to deceive the analytics service and misappropriate credit from the installation the user performed to the malicious actors.
If the resulting link from the server task leads to the application page on Google Play, and this app has already been installed, and the trojan has the information about it, Android.Mixi.44.origin attempts to deceive the service the same way – by sending it the app’s packet name with the hackers’ referral ID.
Android.Mixi.44.origin also operates as a clicker when the URLs it opens lead to various websites. The trojan visits the websites without user knowledge or consent, increasing the site popularity, which results in affiliate services becoming payable to the scammers.
Upon receiving a command from a C&C server, the trojan can also load various web pages and display them on top of other app windows and the operating system UI. To do so, it exploits the Toast Overlay vulnerability that’s been known for several years. Devices running Android OS up to 7.1 are affected. The trojan creates a pop-up Toast-type notification that covers other graphic elements. It then inserts a WebView with the targeted web page loaded into it, into the notification. With that, the content of the page can be anything: an ad banner, video or even a phishing website.
So, Android.Mixi.44.origin functions primarily to demonstrate ads, artificially increase the popularity of various websites, and to be potentially involved in phishing attacks. At the same time, this trojan belongs to a family of multifunctional malware that covers a wide range of tasks. Selected modifications of this family are capable of obtaining root privileges, covertly installing and uninstalling other apps and performing other malicious actions. With that, some of these trojans have been found in the system directories of Android devices. One of them is the Android.Mixi.36.origin. To silently install downloaded apps, it uses a potentially dangerous tool, Tool.SilentInstaller.7.origin. The Android.Mixi.42.origin, which is a modification of Android.Mixi.44.origin, can be found among those apps. It has the same functionality but can also download and covertly run applications.
Dr.Web for Android anti-virus products successfully detect all known modifications of Android.Mixi.44.origin and other trojans of this family, keeping our users well protected. To delete Android malware and other threats from the system directories of your device, Dr.Web Security Space for Android and root access are required. You can also use Dr.Web Security Space for Android to verify whether your device is exposed to the Toast Overlay vulnerability.
More details about Android.Mixi.44.origin
More details about Toast Overlay vulnerability
Your Android needs protection.
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
Tell us what you think
You will be awarded one Dr.Webling per comment. To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.