Android app with Clicker Trojan installed on over 100 million devices

Experts at Dr. Web have discovered that android apps with over 100 million installations are trojans with a clicker called Android.Click.312.origin.

Malware researchers from antivirus company Dr Web have discovered more than 33 Android apps in the Google Play Store, with more than 100 million installations that include the Tojan clicker, called Android.Click.312.origin.

The apps were all functional and included generic applications such as dictionaries, online maps, audio players, and barcode scanners.

"A Trojan is a malicious module classified by Dr.Web as Android.Click.312.origin. Built into standard applications – dictionaries, online maps, audio players, barcode scanners, and other software. "- read the analysis of the experts. "These programs are functional and seem harmless to owners of Android devices. In addition, when they start, Android.Click.312.origin launches malicious activity after just 8 hours, so as not to cause suspicion among users.

" To avoid detection, applications start all malicious activity after 8 hours from installation.

After implementation, Android.Click.312.origin collects information about the infected system and returns it to C2. The data collected by malware includes the manufacturer and model, the operating system version, the country of the user's location, the default system language, the user agent ID, the mobile operator name, internet connection type, screen options, time zone, and painful Trojan horse application.

The Command & Control server, on the other hand, sends the necessary settings to malware.

The Trojan is still active in the memory of infected devices and allows you to perform more malicious activity, such as advertising apps on Google Play, downloading websites, displaying advertisements or other content, and subscribing to users for costly premium services.

"Doctor Web specialists were unable to create the conditions for such sites to be downloaded, but for Android.Click.312.origin, the possible implementation of the cheating program is fairly simple. Because the Trojan informs the management server of the type of current Internet connection, if the connection is established through the mobile operator's network, the server can send a command to open the web site of one of the partner services that support WAP-Click technology. " continues the report. "This technology simplifies the connectivity of various premium services, but is often used by users to illegally subscribe to premium ser

vices." Each time a user installs a new app on an infected device through the Play Store or an APK installer, the malicious code notifies the C2 server, which in turn responds with URLs to open in a browser, invisible WebView, or Play. Shop.

origin_1 Researchers found 34 apps that included Android installed by more than 51.7 million users. The researchers also discovered a version of the Trojan called Android.Click.313.origin, which was downloaded by at least 50,000,000 people. The total number of mobile phone owners at risk by the Trojan exceeded 101.7 million. Here are some of the programs that have this clicker: Your company

has removed many of the reported apps, while some have been updated and removed from the malicious module.

Közösségi megosztás:

Be the first to comment

Leave a Reply