My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Downloader Trojans generate profit for "mobile" cybercriminals

April 10, 2014

Russian anti-virus Doctor Web has repeatedly reported on the discovery of Trojans for Android that download different applications onto infected devices without user consent. Such illegal activities allow cybercriminals not only to successfully distribute their malicious software, but also to profit from the installation of legitimate programs by receiving a per installation fee. New Trojan downloaders acquired by Doctor Web's virus analysts once again confirm that criminals are getting increasingly interested in such malicious tools.

Doctor Web specialists have discovered new malicious applications spread with the aid of a dropper program that has entered the virus database as Android.MulDrop.18.origin.


When launched, this Trojan uses a special library file to decrypt two of its apk packages and employs the routine DexClassLoader (without any user involvement) to load corresponding dex files into the device's memory. The executable files are detected by Dr.Web as Android.DownLoader.57.origin and Android.DownLoader.60.origin.If activated successfully, the malicious programs retrieve from remote servers the list of applications they need to download onto the device. In response to the malware’s request, the command and control servers can, at set intervals, provide the downloaders with various files. Among them, both known and new malware belonging to several families, such as Android.SmsSend and Android.Backdoor, were identified by virus analysts. Thus, criminals can implement various attack scenarios involving specific types of malicious applications, ranging from common SMS Trojans to complex spying programs. Malicious downloaders can also be adopted to spread legitimate applications (including games), so that the resourceful criminals involved will get paid for their installation.


It is worth noting that when the Trojans attempt to install the downloaded programs, the users will have to confirm this action. However, the chance exists that some of them just won't give the matter sufficient consideration and will go ahead and agree to the installation.

Currently Doctor Web's security researchers also know of a second dropper modification, Android.MulDrop.18.origin, which, unlike the first one, contains other Trojan downloaders in non-encrypted form. These programs were added to the virus database as Android.DownLoader.59.origin and Android.DownLoader.61.origin. Their mechanism for communicating with a remote server is somewhat different from that which was implemented in Android.DownLoader.57.origin and Android.DownLoader.60.origin, but their ultimate goal is the same: to download and install other applications.

Protect your Android handheld with Dr.Web now

Buy online Buy via Google Play Free of charge

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments