All of these programs worked exactly as their descriptions stated, so to the owners of Android devices they looked completely harmless. In addition, the Trojan started its malicious activity only eight hours after the first launch of the application, so as not to arouse suspicion among its victims.
Once started, the trojan sends the following information about the infected device to the management server:
In response, the server sends the malware its settings. Some functions of the malicious application are implemented through reflection, and these settings carry the names of the classes and methods to invoke, along with the parameters to pass to them.
Among other things, these parameters are used to register a broadcast receiver and a content observer, with whose help the malware monitors the installation and updating of applications.
After a new application is installed, or an APK file is downloaded by the Google Play client, the Trojan reports information about that program to the control server along with some technical data about the device. In response it receives the addresses of websites, which it opens in an invisible WebView, as well as links that it opens in a browser or in the Google Play catalogue.
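The three mechanisms described above (runtime monitoring of package installs, reflection-driven dispatch from server-supplied settings, and a WebView that is never shown) are the pattern an analyst looks for in a decompiled APK. The sketch below is an added illustration written for this page; it is not Doctor Web's code and not code from the Trojan, and every class, method and callback name in it is a placeholder rather than an identifier from the sample.

```java
// Added illustration (not the trojan's code): the three Android mechanisms the
// article attributes to the clicker, written the way an analyst would sketch
// them in order to recognise the pattern in decompiled code. All names here are
// placeholders; nothing is taken from the real sample.
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.lang.reflect.Method;

public class ClickerPatternSketch {

    /** Placeholder for whatever ships the package name to the control server. */
    interface PackageCallback { void onPackage(String packageName); }

    // 1. Watch installs and updates. Registering the receiver at runtime means
    //    there is no <receiver> entry in the manifest, so a manifest-only review
    //    does not reveal it. The data scheme "package" is mandatory; without it
    //    PACKAGE_ADDED / PACKAGE_REPLACED are never delivered.
    static void watchInstalls(Context ctx, final PackageCallback cb) {
        IntentFilter filter = new IntentFilter(Intent.ACTION_PACKAGE_ADDED);
        filter.addAction(Intent.ACTION_PACKAGE_REPLACED);
        filter.addDataScheme("package");
        ctx.registerReceiver(new BroadcastReceiver() {
            @Override
            public void onReceive(Context c, Intent i) {
                // Intent data is package:<name>; the scheme-specific part is the name.
                cb.onPackage(i.getData().getSchemeSpecificPart());
            }
        }, filter);
    }

    // 2. Reflection-driven dispatch. The class and method names arrive from the
    //    server, so the APK contains no direct call to the final behaviour and a
    //    string search for it finds nothing. Only static methods taking a single
    //    String are handled here, which is enough to show the shape.
    static Object invokeFromSettings(String className, String methodName, String arg)
            throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className);
        Method m = cls.getMethod(methodName, String.class);
        return m.invoke(null, arg);
    }

    // 3. "Invisible" WebView. A WebView that is created but never attached to a
    //    window still loads pages and runs their JavaScript, so nothing appears
    //    on screen. Must be called on the main thread (WebView requirement).
    static WebView openHidden(Context ctx, String url) {
        WebView wv = new WebView(ctx);
        wv.getSettings().setJavaScriptEnabled(true);
        // A WebViewClient keeps redirects inside the view instead of handing
        // them to the system browser, so the whole chain stays hidden.
        wv.setWebViewClient(new WebViewClient());
        wv.loadUrl(url);
        return wv;
    }
}
```

When triaging a suspicious APK, the combination worth flagging is: `registerReceiver` with `ACTION_PACKAGE_ADDED` outside any visible feature that needs it, `Class.forName` whose argument comes from network data rather than a constant, and a `WebView` instance that is never passed to `addView` or set as a content view.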
Thus, depending on the settings of the control server and the instructions it issues, the Trojan can not only promote applications on Google Play but also silently load arbitrary websites, including pages with advertising (video included) or any other content. For example, after installing applications that contained the Trojan, users complained of being automatically subscribed to expensive content-provider services.
Doctor Web's researchers were unable to reproduce the conditions under which such sites are loaded, but the fraud scheme would be quite simple to implement. Because the Trojan reports the type of the current Internet connection to the control server, the server can, whenever the device is connected through a mobile operator's network, send a command to open the site of a partner service that supports WAP-Click.
“The Trojan receives tasks that contain links. At the command of the Android.Click.312.origin server, it can follow these links, opening them in an invisible WebView. In addition, it is able to download websites in a browser, as well as open a link in the Google Play directory,” Doctor Web experts report.
WAP-Click makes it easy to connect to premium services and is often used to subscribe users to them without authorisation: the operator identifies the subscriber from the mobile connection itself, so no login or verification code is required. In some cases the user's confirmation is not even needed, because a script placed on the same page can provide it, “clicking” the confirmation button on the victim's behalf. Since the malware opens the page in an invisible WebView, the entire procedure takes place without the user's knowledge or participation. The practical check for a device owner is the operator's bill and the list of active subscriptions, not the screen, since nothing is ever displayed.
In total, Doctor Web experts identified 34 applications into which the malware was built; more than 51.7 million users had installed them. In addition, at least 50,000,000 people downloaded a modification of the same Trojan, named Android.Click.313.origin. Thus the total number of mobile device owners threatened by this Trojan exceeds 101.7 million. The following is a list of applications in which the clicker was found:
The experts have notified Google engineers about the Trojan, after which some of the infected applications were quickly removed from Google Play. Updates that no longer contain the Trojan component have also been released for several of the apps. However, at the time the threat report was published, most of the applications still contained the malicious module and remained available for download from the official store.