Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Mobile & Wireless

Hundreds of Thousands of Android Trojans Installed from Unknown Sources Daily

Unknown sources account for hundreds of thousands of Trojan installations on Android devices, but Google Play and pre-installation are also main sources of malware installation, a recent report from Cheetah Mobile Security Research Lab reveals.

Unknown sources account for hundreds of thousands of Trojan installations on Android devices, but Google Play and pre-installation are also main sources of malware installation, a recent report from Cheetah Mobile Security Research Lab reveals.

Tens of millions of applications are being installed on users’ smartphones daily, but nearly one third of them come from sources that cannot be tracked, and most of the mobile Trojans are installed via these unknown sources, researchers say. However, some malicious apps also slip into Google Play, while other malware might come pre-installed on mobile devices right out of the box, Cheetah Mobile says.

Regardless, unknown sources remain the largest threat when it comes to malware distribution, with hundreds of thousands of Trojan installations recorded daily, across a large variety of malware families. These unknown sources include pornographic webpages and third-party links, malware that promotes and installs malware, and SMS worms.

Among the malware installed via unknown sources, there are three families that are installed more than 10,000 times a day, namely org.message.up.update (16379), (12090), and com.power.core.setting (10229).

Some of the mobile malware, security researchers explain, install other malicious apps on the compromised devices, and researchers say that two such sources of malware installations are the com.sms.sys.manager and Trojans. Belonging to the same family, these two install over 30,000 malicious apps each day.

The two Trojans focus mainly on devices in India, with over 50% of installations happening in this country, but also hit Indonesia and the Philippines, along with other Asian countries. To achieve their nefarious purposes, researchers explain, the two Trojans root the compromised devices and then display ads to trick users into downloading other malicious apps.

“Since the two Trojans were discovered in January 2016, the amount of applications promoted by them has been increasing. Currently, these two Trojans are promoting about 30,000 to 40,000 applications, including legitimate but unwanted apps to users and malwares,” the security researchers say.

Advertisement. Scroll to continue reading.

Another source of malware distribution is represented by webpages, and the top malware spreading this way includes Wireless optimizer (16992 installations), WIFI Master pro (8206), and AndroidSystemTheme (7734). The first two were designed to gain root on the compromised devices and to display malicious ads, while the third only to display malicious ads.

Cheetah Mobile observed nine other malware variants distributed through webpages, though at lower rates, and says that all 12 of them belong to the GhostPush malware family. Although they feature different names, the malicious apps show various similarities – for example, they use the same root module as GhostPush. The Trojan can root almost all Android versions except Android 6.0, it seems.

“The core codes are encrypted and put in the assets directory or servers for dynamic loading. The core codes are put in the system directory to disguise the malware as the built-in apps of the phone. The Trojan also leverages the SU files of several different parameters which are able to prevent other third parties from gaining root privilege. These methods make it harder to scan and uninstall the Trojan,” the security researchers say.

Dubbed Wireless Optimizer, one of the malicious apps was designed to display ads or promote pornographic pages to users, to trick them into paying money or into downloading new malicious samples, and to push ads in the status bar. The other Trojans in the family, however, show a similar behavior, the security researchers say.

Although the number of infected users is small, these Trojans can root compromised devices and download and install more malware onto the phone. In addition, they are difficult to remove because of their root permissions and, because they are often updated, they have already established a stable “userbase,” which allows them to constantly make profits.

While looking at the domains used by these Trojans, the security researchers observed that the same domain is used for the rooting service and for the ads. Furthermore, the analysis revealed that short links and ad links are the main sources of distribution for these Trojans, with pornographic websites being the third largest source.

Related: Mobile Malware Shows Rapid Growth in Volume and Sophistication

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.