Bangalore: Dr.Web, a Russian developer of information security software, is warning users that twenty-eight applications incorporating a malicious adware module that can download Trojans to Android devices have been discovered on Google Play. The total number of installations of these programs has reached several million.
Although existing ad networks such as Google AdMob, Airpush and Startapp already meet criminals’ needs, the intruders decided to go even further and created an ad network of their own. At first sight it appears quite similar to the others: Android software developers are offered very favorable advertising API usage terms and are promised a high and steady income and easy account management. So it is hardly surprising that some developers became very interested in the ad network.
The advertisement API provides push notification ads that deliver small alerts to an Android phone’s notification bar. However, there are also some undocumented features.
Push ads sent via the ad network can prompt a user to install an important update for a certain application. If an unsuspecting user agrees to install this update, the advertising module downloads an apk package and places it into the download directory /mnt/sdcard/download on the memory card. The module can also create a shortcut linked to the downloaded package, so if the user taps on it, it will start the installation of the downloaded program.
An investigation conducted by Doctor Web’s analysts revealed that such apk files contain Android.SmsSend Trojans. Analysts also found that these malicious programs were being downloaded from various fake application catalogues. The ad module in three
Below you can find a full list of the commands sent by a controlling server to the malignant module:
• news – display a push-notification
• showpage – open a web page in a browser
• install – download and install an apk package
• showinstall – show a push-notification about the installation of an apk package
• iconpage – create a shortcut to a web page
• iconinstall – create a shortcut to the downloaded apk package
• newdomen – change the control server address
• seconddomen – an alternate server address
• stop – stop sending queries to the server
• testpost – re-send a request
• ok – do nothing
In addition to executing these commands, the fraudulent module is also able to collect and send the device’s IMEI, operator code, and the phone number to the server.
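As an added triage example (not Dr.Web's code, and not taken from a real sample), the following Python scores a string table extracted from an APK against the behaviour profile described above: the distinctive C2 command vocabulary, the download directory, collection of device identifiers and shortcut creation. The TelephonyManager getter names and the shortcut intent action are assumptions about how such a module would be implemented; the article only names the data collected and the fact that a shortcut is created.

```python
"""Added triage heuristic, not Dr.Web's code: scores strings extracted from an
APK (e.g. from its classes.dex) against the behaviour profile described above."""

# Rare C2 command names from the list above. "install", "stop", "ok" and "news"
# occur in countless benign apps, so they do not count on their own.
RARE_COMMANDS = {"showpage", "showinstall", "iconpage", "iconinstall",
                 "newdomen", "seconddomen", "testpost"}
# Directory the module writes downloaded apk packages to (from the article).
DOWNLOAD_DIR = "/mnt/sdcard/download"
# TelephonyManager getters for IMEI, operator code and phone number; which
# calls the real module uses is an assumption, the article only names the data.
DEVICE_ID_APIS = {"getDeviceId", "getNetworkOperator", "getLine1Number"}
# Intent action for dropping a launcher shortcut (assumed; the article only
# states that a shortcut is created).
SHORTCUT_ACTION = "com.android.launcher.action.INSTALL_SHORTCUT"

def triage(strings):
    """Return (score, findings). Each independent behaviour adds a point; the
    C2 vocabulary match counts double because those names are distinctive."""
    tokens = set(strings)
    lowered = {t.lower() for t in tokens}
    findings, score = [], 0
    cmds = RARE_COMMANDS & lowered
    if len(cmds) >= 3:                      # three rare names together
        findings.append(f"c2 vocabulary: {sorted(cmds)}")
        score += 2
    if any(t.startswith(DOWNLOAD_DIR) for t in lowered):
        findings.append("apk dropped to sdcard download dir")
        score += 1
    ids = DEVICE_ID_APIS & tokens
    if len(ids) >= 2:                       # IMEI plus at least one more
        findings.append(f"device identifiers: {sorted(ids)}")
        score += 1
    if SHORTCUT_ACTION in tokens:
        findings.append("launcher shortcut creation")
        score += 1
    return score, findings

def is_androways_like(strings, threshold=3):
    """True when enough of the described behaviours co-occur."""
    return triage(strings)[0] >= threshold

# Constructed sample string tables, not taken from a real APK.
SUSPICIOUS = ["news", "showpage", "install", "showinstall", "iconinstall",
              "newdomen", "seconddomen", "/mnt/sdcard/download/update.apk",
              "getDeviceId", "getLine1Number", SHORTCUT_ACTION]
BENIGN = ["install", "ok", "stop", "getDeviceId", "https://ads.example.invalid/"]
```

A single ad SDK legitimately calling `getDeviceId` scores nothing here; it is the co-occurrence of the whole chain that separates this module from ordinary advertising code.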
The advertising API is particularly dangerous because applications that use it are found on Google Play, which de facto is the safest source of programs for Android. Many users have come to trust the security of Google Play, so the number of installations of the software that feature the advertising module is very large. Since statistics about downloads of applications from Google Play are hard
Considering the advertising API’s malignant features and the connection between the ad network and sites spreading malware for Android, Doctor Web has classified this module as belonging to adware designed to perform malicious tasks. The module has been added to the virus databases as Android.Androways.1.origin and poses no threat to devices running Dr.Web anti-virus for Android.