My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

25,000 devices may have been affected by new Trojans on Google Play

July 25, 2013

Russian anti-virus company Doctor Web has discovered several malicious programs on Google Play that install Android.SmsSend Trojans on mobile devices. The Trojans send short messages to premium numbers and deplete subscriber accounts. Google was promptly notified about the incident.

The programs, discovered by Doctor Web's analysts, belong to the Vietnamese developer AppStore Jsc. They are disguised as audio players and a video player that displays adult content.

The table below is based on Google Play statistics. It provides information about the number of users who have installed these applications:

Application title Package name Installations
Phim Sex HD-Free phimsex.videoxxx.clipsex.phimnguoilon.phimconheo.tinhduc

Zing MP3 - BXH Music 5000–10000
Phim Nguoi Lon - Audio 18+ zingmp3.audio18.truyennguoilon.audiotinhduc 1000–5000

The total number of installations of these three programs ranges between 11,000 and 25,000.

These applications appear harmless. However, they incorporate an extra apk-file that contains an Android.SmsSend Trojan. While running these carrier applications, dubbed Android.MulDrop, Android.MulDrop.1, and Android.MulDrop.2 by Dr.Web, can prompt the user to download the content they need, but their consent initiates the installation of another application rather than the downloading of files. For example, the video player program offers to get the user new adult clips.

If the careless user agrees to install a suspicious application, the Trojan Android.SmsSend.512 will be installed on the device. The program covertly sends short messages to the short number 8775 which is specified in the malware's configuration file. It is noteworthy that this Trojan really does enable a user to view adult video clips. Apparently, the attackers implemented this feature to avoid unnecessary suspicion.

As for the second and third Trojan carriers, they contain malware dubbed Android.SmsSend.513.origin. It operates similarly to Android.SmsSend.517, but, unlike the latter, it acquires information about short numbers from a command and control server.

Devices running Dr.Web for Android are well protected from these malicious programs whose signatures were promptly added to the virus database.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments