My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Android system processes can be infected by Trojans

February 5, 2016

Virus makers continue to complicate architecture of malicious programs for Android. First samples had rather primitive structure, but their today’s counterparts, on the contrary, are almost equal to the fanciest Trojans for Windows. Doctor Web specialists registered a whole pack of multifunctional malicious programs for Android this February.

The pack consists of three associated Trojans dubbed Android.Loki.1.origin, Android.Loki.2.origin, and Android.Loki.3 respectively. The first one is launched with the help of the library that Dr.Web for Android detects as Android.Loki.6. Android.Loki.3 incorporates it into one of system processes—thus, Android.Loki.1.origin gains the system privileges. Android.Loki.1.origin is a service that can perform a wide variety of functions. For example, it can download any application from Google Play using a special link that indicates a user account of some affiliate program focused on generating income. Android.Loki.1.origin can also

  • Download and delete applications
  • Enable and disable applications and their components
  • Kill processes
  • Display notifications
  • Register any application as the Accessibility Service application
  • Update its components and download plug-ins from the server

The second component of this pack—Android.Loki.2.origin—installs different applications on the infected device and displays advertisements. However, it also acts as a spyware program as it collects and sends the following information:

  • IMEI identifier
  • IMSI identifier
  • MAC address
  • MCC (Mobile Country Code) identifier
  • MNC (Mobile Network Code) identifier
  • Version of the operating system
  • Screen resolution
  • Information about installed and available RAM of the device
  • Version of the operating system kernel
  • Device model
  • Device manufacturer
  • Version of the firmware
  • Serial number of the device

Once the information is sent to the server, the Trojan receives a configuration file necessary for its operation. In specific time periods, Android.Loki.2.origin connects to the server in order to accept instructions and send the following information:

  • Version of the configuration file
  • Version of the service provided by Android.Loki.1.origin
  • Current system language
  • Country
  • Information about Google account created by the user

Android.Loki.2.origin, in turn, receives a command either to install some application, which can be also downloaded from Google Play, or to display advertisements. A user can be redirected to some website or prompted to install some software if they tap the Trojan’s notifications. Upon a command from cybercriminals, Android.Loki.2.origin sends the information concerning

  • List of installed applications
  • Browser history
  • List of contacts
  • Call history
  • Current location

Finally, Android.Loki.3 can incorporate the library into the system_server process and execute commands from other Trojans of the Android.Loki family using root privileges. Thus, Android.Loki.3 is, in fact, a server that launches shell scripts—the Trojan receives a path to a script which needs to be executed, and Android.Loki.3 launches this script.

The Android.Loki Trojans store some of their components in Android system folders, which Dr.Web cannot access. Therefore, if you want to eliminate consequences of the infection, you should reflash your device using an original image of the operating system. However, before that, you need to create a backup copy of all important information stored on your device. Inexperienced users are recommended to contact a specialist.

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments