
Doctor Web detected malicious plug-in in some Google Play apps


Petrovic

Although Google Play is still considered to be the most secure Android app store, from time to time, attackers try to spoil its reputation by spreading their malicious programs via this catalog. One of such programs is Android.Valeriy.1.origin detected by Doctor Web specialists. This Trojan is intended to distribute malware and to subscribe users to various chargeable services, making money on victims’ carelessness.


The Android.Valeriy.1.origin Trojan is implemented as a malicious plug-in incorporated into benign applications. It is distributed by ZvonkoMedia LLC, Danil Prokhorov, and horshaom in six different Android apps published on Google Play:

  • Battery Booster;
  • Power Booster;
  • Blue Color Puzzle;
  • Blue And White;
  • Battery Checker;
  • Hard Jump - Reborn 3D.


These programs, which are games and service tools, have been downloaded by more than 15,500 users. Besides, after gaining access to the Trojan’s C&C server, Doctor Web security researchers registered over 55,000 downloads of these applications. Our specialists have already informed Google about this incident. So far, applications containing Android.Valeriy.1.origin are still available for download.


Once one of these applications is launched, Android.Valeriy.1.origin connects to the server and gets instructions containing a specially generated link. The Trojan follows this link, which leads to a website that provides the Trojan with the endpoint URL, depending on various parameters. In most cases, this URL leads to a dubious webpage designed to obtain the user’s mobile phone number and subscribe them to chargeable services. For example, the user can be offered to view some adult content or download popular software, which is, in fact, available for free on Google Play. Despite the fact that all information regarding subscription conditions is available on the webpage, the user can easily overlook it and specify their phone number.


Android.Valeriy.1.origin opens one of these websites in WebView and displays it as an advertisement. Then it starts monitoring all incoming SMS messages. If the user gives their phone number, a confirmation code for the subscription is then sent by SMS. However, Android.Valeriy.1.origin intercepts and blocks all these messages. As a result, the victim has no idea that they are subscribed to some services, and a subscription fee is deducted from the user’s mobile account every day.


The Trojan can also perform another function: downloading software, including malicious programs. For instance, Doctor Web specialists detected the Android.DownLoader.355.origin downloader Trojan being delivered this way. Besides, instructions for Android.Valeriy.1.origin may contain various JavaScript scripts that are executed using WebView. These scripts can be used to covertly tap on interactive elements, advertisements and links on browsed webpages, for example, to confirm the phone number specified by the user or to inflate various traffic statistics.
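The SMS interception described above relies on the plug-in registering a high-priority receiver for incoming SMS inside an app that has no business reading text messages. As an added example (not Doctor Web’s code or the Trojan’s), the following script triages an AndroidManifest.xml for that pattern; the sample manifest, package name and receiver class are constructed for the demonstration:

```python
# Added example (not Doctor Web's code): static triage of an AndroidManifest.xml for
# the SMS-interception pattern a subscription Trojan needs: RECEIVE_SMS plus a
# high-priority SMS_RECEIVED receiver, in an app that otherwise looks like a
# battery tool or a game and should not need SMS access at all.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"


def sms_interception_indicators(manifest_xml: str) -> list:
    """Return human-readable findings for manifest features that enable silent SMS interception."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    if "android.permission.RECEIVE_SMS" in perms:
        findings.append("requests RECEIVE_SMS")
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "?")
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            # An ordered broadcast is delivered to the highest priority first; a very
            # high value lets the receiver consume the SMS before the messaging app sees it.
            prio = flt.get(ANDROID_NS + "priority")
            prio_val = int(prio) if prio is not None and prio.lstrip("-").isdigit() else 0
            if prio_val >= 1000:
                findings.append(f"receiver {name} listens for SMS_RECEIVED with priority "
                                f"{prio_val} (can abort the broadcast before the SMS app sees it)")
            else:
                findings.append(f"receiver {name} listens for SMS_RECEIVED")
    return findings


# Constructed sample manifest (hypothetical package and class names, not from the real apps).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batterybooster">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".sdk.SmsWatcher" android:exported="true">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in sms_interception_indicators(SAMPLE_MANIFEST):
        print("[!]", finding)
```

The same check can be run over the decoded manifest of any app before installation; a battery tool or puzzle game that trips both findings deserves a closer look.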


If you do not want to fall victim to these fraudulent schemes, we recommend that you pay careful attention to all pop-up messages and notifications, and we warn you against entering your phone number into suspicious input forms.


Article source
