Connect with us

Hi, what are you looking for?


Mobile & Wireless

Android Trojan Downloaded Over 2.8 Million Times via Google Play

A newly spotted Android Trojan managed to infect over 150 applications in Google Play, for a total of more than 2.8 million downloads, Doctor Web security researchers warn.

A newly spotted Android Trojan managed to infect over 150 applications in Google Play, for a total of more than 2.8 million downloads, Doctor Web security researchers warn.

Detected as Android.Spy.305.origin, the Trojan is implemented as an advertising software development kit (SDK) that should enable developers generate income from application downloads. According to Doctor Web researchers, more than 7 developers have been using this SDK when building their applications and ended up embedding the Trojan into them.

The list of developers includes MaxMitek Inc, Fatty Studio, Gig Mobile, TrueApp Lab, Sigourney Studio, Doril Radio.FM, Finch Peach Mobile Apps, and Mothrr Mobile Apps, researchers reveal in a blog post. Their applications range from live wallpapers to image catalogs, utilities, photo editors, radio applications, and other types of software.

Overall, Doctor Web’s security researchers say, 155 dangerous applications were created using the aforementioned SDK, and they were downloaded over 2.8 million times. Moreover, many of these programs continued to be listed in Google Play even after Google was informed on the presence of Android.Spy.305.origin inside them.

Researchers observed that when one of the offending applications is launched, the Trojan attempts to connect to the command and control (C&C) server. Upon successful connection, the malware receives a command to download another module, detected as Android.Spy.306.origin.

Doctor Web says that this module contains the malicious payload that Android.Spy.305.origin uses. Moreover, the security researchers reveal that the Trojan was created to steal user information and send it to a remote server.

Among the personal details targeted by the malware, we can count: email address connected to the Google user account, list of installed applications, current system language, name of the device manufacturer, mobile device model, IMEI identifier, OS version, screen resolution, mobile network operator, name of the application containing the Trojan, developer’s ID, and SDK platform’s version.

Advertisement. Scroll to continue reading.

The malware was also created to display advertisements on the device, and serves them on top of running applications and the operating system interface. What’s even more annoying, the Trojan could prompt users to download third-party applications and could use scare tactics to trick them thinking that their devices are infected with malware programs.

“Despite the fact that Google Play is an official and reliable source of software for Android, various Trojans can still periodically be found in Google Play applications. Thus, Doctor Web’s specialists recommend that users pay attention to negative feedback posted by other users and download software created by reliable developers,” the security researchers say.

Related: Android Malware Gang Makes $10,000 a Day: Report

Related: Android App Stole User Photos for Over a Year

Related: Information-Collecting Android Keyboard Tops 50 Million Installs

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.