A newly spotted Android Trojan managed to infect over 150 applications in Google Play, for a total of more than 2.8 million downloads, Doctor Web security researchers warn.
Detected as Android.Spy.305.origin, the Trojan is implemented as an advertising software development kit (SDK) that should enable developers generate income from application downloads. According to Doctor Web researchers, more than 7 developers have been using this SDK when building their applications and ended up embedding the Trojan into them.
The list of developers includes MaxMitek Inc, Fatty Studio, Gig Mobile, TrueApp Lab, Sigourney Studio, Doril Radio.FM, Finch Peach Mobile Apps, and Mothrr Mobile Apps, researchers reveal in a blog post. Their applications range from live wallpapers to image catalogs, utilities, photo editors, radio applications, and other types of software.
Overall, Doctor Web’s security researchers say, 155 dangerous applications were created using the aforementioned SDK, and they were downloaded over 2.8 million times. Moreover, many of these programs continued to be listed in Google Play even after Google was informed on the presence of Android.Spy.305.origin inside them.
Researchers observed that when one of the offending applications is launched, the Trojan attempts to connect to the command and control (C&C) server. Upon successful connection, the malware receives a command to download another module, detected as Android.Spy.306.origin.
Doctor Web says that this module contains the malicious payload that Android.Spy.305.origin uses. Moreover, the security researchers reveal that the Trojan was created to steal user information and send it to a remote server.
Among the personal details targeted by the malware, we can count: email address connected to the Google user account, list of installed applications, current system language, name of the device manufacturer, mobile device model, IMEI identifier, OS version, screen resolution, mobile network operator, name of the application containing the Trojan, developer’s ID, and SDK platform’s version.
The malware was also created to display advertisements on the device, and serves them on top of running applications and the operating system interface. What’s even more annoying, the Trojan could prompt users to download third-party applications and could use scare tactics to trick them thinking that their devices are infected with malware programs.
“Despite the fact that Google Play is an official and reliable source of software for Android, various Trojans can still periodically be found in Google Play applications. Thus, Doctor Web’s specialists recommend that users pay attention to negative feedback posted by other users and download software created by reliable developers,” the security researchers say.