Trojans covertly installing applications under Android

March 24, 2014

Some of the most common ways to make an illegal profit on the Chinese Android software market are to supplement popular applications with additional features and advertising modules, impose programs on users, and increase traffic on websites that distribute certain applications. To accomplish their tasks, attackers often make use of various malicious downloaders. Recently Doctor Web's analysts discovered a new family of such programs.

Implemented as an ordinary application for Android, Android.DownLoader.49.origin is the most important member of the family. After installation, the Trojan is launched as a system service. It connects to a remote server and retrieves the list of programs it must download onto the compromised device. Some of the downloaded distribution files incorporate dex files, which are placed into the /cache/sysjar/ directory on the memory card. Then the DexClassLoader class is used to load their code into the device's memory. One of these binaries incorporates a Trojan downloader classified by Dr.Web as Android.DownLoader.43.origin. It can download various applications, including malware. Another file contains a dropper Trojan, which, depending on its version and the availability of root access, can install other malicious applications into the system directory.
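A triage check for the behaviour described above, as an added example that is not Doctor Web's code: it walks an extracted copy of a device's storage and lists files under any `cache/sysjar/` directory that contain Dalvik code, judged by content rather than file name. The function names and the sample tree are constructed for illustration; the article gives no file names or hashes.

```python
import tempfile
import zipfile
from pathlib import Path

SUSPECT_DIR = ["cache", "sysjar"]   # directory named in the article
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 32   # constructed header, not a real payload

def classify(path):
    """Return 'dex', 'archive-with-dex' or None, judged by content, not extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head[:4] == b"dex\n" and head[7:8] == b"\x00":   # "dex\n" + version + NUL
        return "dex"
    if head[:4] == b"PK\x03\x04":                        # JAR/APK are ZIP containers
        try:
            with zipfile.ZipFile(path) as zf:
                if any(n.endswith(".dex") for n in zf.namelist()):
                    return "archive-with-dex"
        except zipfile.BadZipFile:
            pass                                         # truncated download
    return None


def scan(root):
    """List loadable Dalvik code stored under any .../cache/sysjar/ directory."""
    findings = []
    for path in Path(root).rglob("*"):
        parts = [p.lower() for p in path.parent.parts]
        in_dir = any(parts[i:i + 2] == SUSPECT_DIR for i in range(len(parts)))
        kind = classify(path) if in_dir and path.is_file() else None
        if kind:
            findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)


def build_sample(root):
    """Constructed tree: raw dex and jar inside cache/sysjar, one dex outside it."""
    d = Path(root, "sdcard", "cache", "sysjar")
    d.mkdir(parents=True)
    (d / "a.bin").write_bytes(SAMPLE_DEX)
    (d.parents[1] / "c.dex").write_bytes(SAMPLE_DEX)     # outside: must not be flagged
    with zipfile.ZipFile(d / "b.jar", "w") as zf:
        zf.writestr("classes.dex", SAMPLE_DEX)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

A hit only shows that code is stored where the article says this family stores it; the files still need to be analysed before drawing conclusions.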

In addition, Android.DownLoader.49.origin can download other programs, which are likewise installed without the user's consent. If root access is not available, the owner of the mobile device will see a standard system dialogue requesting permission to install the downloaded software.

The Trojan Android.DownLoader.43.origin can also connect to a remote server to obtain a list of apps to download and install on an infected device. It is noteworthy that other downloader Trojans capable of performing similar tasks are on this list, too. Thus, virus writers have created a chain of malicious programs that can spread each other and other applications and can install programs selected by criminals to suit a particular purpose. In total, Doctor Web's security researchers found about 10 similar Trojan downloaders, and the attackers' server hosts nearly 600 programs intended for unauthorized installation.

The criminals behind the scheme are most likely interested in having various applications installed surreptitiously on target devices to increase the popularity of those applications and generate a per-installation profit. However, in addition to installing ordinary applications, the dropper can be instructed by the remote server to install other programs such as spying applications or SMS Trojans which can also generate income for their owners.

All the malignant applications described in this review are successfully detected by Dr.Web for Android and pose no threat to devices protected with the anti-virus.
