25,000 devices may have been affected by new Trojans on Google Play

July 25, 2013

Russian anti-virus company Doctor Web has discovered several malicious programs on Google Play that install Android.SmsSend Trojans on mobile devices. The Trojans send short messages to premium numbers and deplete subscriber accounts. Google was promptly notified about the incident.

The programs, discovered by Doctor Web's analysts, belong to the Vietnamese developer AppStore Jsc. They are disguised as audio players and a video player that displays adult content.

The table below is based on Google Play statistics. It provides information about the number of users who have installed these applications:

| Application title | Package name | Installations |
|---|---|---|
| Phim Sex HD-Free | phimsex.videoxxx.clipsex.phimnguoilon.phimconheo.tinhduc | 5000–10000 |
| Zing MP3 - BXH Music | phimsexy.mp3.zing.vn.nhaccuatui.bangxephang.bxh.nhachot | 5000–10000 |
| Phim Nguoi Lon - Audio 18+ | zingmp3.audio18.truyennguoilon.audiotinhduc | 1000–5000 |

The total number of installations of these three programs ranges between 11,000 and 25,000.

These applications appear harmless. However, they incorporate an extra APK file that contains an Android.SmsSend Trojan. While running, these carrier applications, dubbed Android.MulDrop, Android.MulDrop.1, and Android.MulDrop.2 by Dr.Web, can prompt the user to download the content they need, but the user's consent initiates the installation of another application rather than a download of files. For example, the video player program offers to get the user new adult clips.

If a careless user agrees to install the suspicious application, the Trojan Android.SmsSend.512 will be installed on the device. The program covertly sends short messages to the short number 8775, which is specified in the malware's configuration file. It is noteworthy that this Trojan really does enable a user to view adult video clips. Apparently, the attackers implemented this feature to avoid unnecessary suspicion.

As for the second and third Trojan carriers, they contain malware dubbed Android.SmsSend.513.origin. It operates similarly to Android.SmsSend.517, but, unlike the latter, it acquires information about short numbers from a command and control server.
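
A triage check for the carrier pattern described above, added here as an example and not Doctor Web's detection code: it lists any installable package nested inside an APK and notes whether that package's manifest mentions the SMS-sending permission. The function names, the size cap, the raw byte search of the manifest and the sample archives are assumptions made for the illustration.

```python
import io
import zipfile

# Permission name as it can appear in a binary AndroidManifest.xml string pool
# (UTF-8 or UTF-16LE). A raw byte search is a triage heuristic, not an AXML parser.
SEND_SMS = "android.permission.SEND_SMS"
NEEDLES = (SEND_SMS.encode("utf-8"), SEND_SMS.encode("utf-16-le"))
MAX_ENTRY = 64 * 1024 * 1024  # assumed cap so a hostile archive cannot exhaust memory


def find_embedded_apks(apk_bytes):
    """Return [(entry_name, requests_send_sms)] for every APK nested inside an APK."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as outer:
        for info in outer.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY:
                continue
            data = outer.read(info)
            # Decide by content, not extension, so a renamed payload is still found.
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    if "AndroidManifest.xml" not in inner.namelist():
                        continue  # ordinary zip/jar, not an installable package
                    manifest = inner.read("AndroidManifest.xml")
            except zipfile.BadZipFile:
                continue
            findings.append((info.filename, any(n in manifest for n in NEEDLES)))
    return findings

def make_zip(files):
    """Build an in-memory zip from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): stub manifests and dex files only.
payload = make_zip({"AndroidManifest.xml": b"\x03\x00" + NEEDLES[1], "classes.dex": b"dex\n"})
carrier = make_zip({"AndroidManifest.xml": b"\x03\x00", "classes.dex": b"dex\n",
                    "assets/data.bin": payload})
clean = make_zip({"AndroidManifest.xml": b"\x03\x00", "classes.dex": b"dex\n"})

if __name__ == "__main__":
    for name, sms in find_embedded_apks(carrier):
        print(f"embedded APK: {name} (SEND_SMS requested: {sms})")
```

A hit is a reason to inspect the nested package, not a verdict: legitimate apps sometimes bundle helper APKs, and the permission check only looks for the string in the manifest bytes.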

Devices running Dr.Web for Android are well protected from these malicious programs, whose signatures were promptly added to the virus database.
