Android Trojan Downloaded Over 2.8 Million Times via Google Play

A newly spotted Android Trojan managed to infect over 150 applications in Google Play, for a total of more than 2.8 million downloads, Doctor Web security researchers warn.

Detected as Android.Spy.305.origin, the Trojan is implemented as an advertising software development kit (SDK) that is meant to let developers generate income from application downloads. According to Doctor Web researchers, more than 7 developers have been using this SDK when building their applications and ended up embedding the Trojan into them.

The list of developers includes MaxMitek Inc, Fatty Studio, Gig Mobile, TrueApp Lab, Sigourney Studio, Doril Radio.FM, Finch Peach Mobile Apps, and Mothrr Mobile Apps, researchers reveal in a blog post. Their applications range from live wallpapers to image catalogs, utilities, photo editors, radio applications, and other types of software.

Overall, Doctor Web’s security researchers say, 155 dangerous applications were created using the aforementioned SDK, and they were downloaded over 2.8 million times. Moreover, many of these programs continued to be listed in Google Play even after Google was informed of the presence of Android.Spy.305.origin inside them.

Researchers observed that when one of the offending applications is launched, the Trojan attempts to connect to the command and control (C&C) server. Upon successful connection, the malware receives a command to download another module, detected as Android.Spy.306.origin.

Doctor Web says that this module contains the malicious payload that Android.Spy.305.origin uses. Moreover, the security researchers reveal that the Trojan was created to steal user information and send it to a remote server.

The personal details targeted by the malware include: the email address connected to the Google user account, list of installed applications, current system language, name of the device manufacturer, mobile device model, IMEI identifier, OS version, screen resolution, mobile network operator, name of the application containing the Trojan, developer’s ID, and SDK platform’s version.

The malware was also created to display advertisements on the device, and serves them on top of running applications and the operating system interface. What’s even more annoying, the Trojan could prompt users to download third-party applications and could use scare tactics to trick them into thinking that their devices are infected with malware.

“Despite the fact that Google Play is an official and reliable source of software for Android, various Trojans can still periodically be found in Google Play applications. Thus, Doctor Web’s specialists recommend that users pay attention to negative feedback posted by other users and download software created by reliable developers,” the security researchers say.
