Doctor Web experts have discovered malicious applications on Google Play that concealed a clicker Trojan which automatically subscribed users to paid services. Researchers identified several modifications of this malware, which received the identifiers Android.Click.322.origin, Android.Click.323.origin and Android.Click.324.origin.
To hide the true purpose of the applications and to reduce the likelihood of the malware being detected, the attackers used several tricks. Firstly, the clicker was built into harmless applications – cameras and image collections – which really worked and performed their declared functions.
Secondly, all the malicious applications were protected by the commercial Jiagu packer, which hampers detection by antivirus products and complicates code analysis. This increased the malware's chances of evading the built-in protection of the Google Play catalogue.
Thirdly, the malware authors tried to disguise the Trojan as well-known advertising and analytics libraries: when it was added to a host program, it was embedded in the Facebook and Adjust SDKs already present in that program, hiding among their components.
In addition, the clicker attacked users selectively: it performed no malicious actions if the potential victim was not a resident of one of the countries of interest to the attackers.
After installation and launch, the clicker tried to access the notifications of the operating system, showing the following request:
If the user agreed to grant the requested permission, the Trojan was able to hide all notifications about incoming SMS and intercept the text of the messages. Next, the clicker sent technical data about the infected device to the control server and checked the serial number of the victim's SIM card. If it matched one of the target countries, the malware sent information about the phone number tied to that SIM card to the server. For users from certain countries, the clicker also displayed a phishing window asking them to enter a phone number or log in to their Google account.
If the victim's SIM card did not belong to one of the countries of interest to the attackers, the Trojan took no action and stopped its malicious activity. The studied modifications of the malware attacked residents of the following countries:
Although the clicker has no SMS functionality of its own and no permission to access messages, it bypasses this limitation. The Trojan's service monitors the notifications of the application that is set as the default SMS handler. When a message arrives, the service hides the corresponding system notification, extracts the information about the received SMS from it, and passes that information to the Trojan's broadcast receiver. As a result, the user sees no notification about the incoming SMS and does not know what is happening. The victim learns about the subscription only when money starts disappearing from their account, or when they open the messaging app and see the SMS messages related to the premium service.
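Because the technique above depends on the Trojan's service having been granted notification access, the setting a defender wants to review is the list of enabled notification listeners. The following audit script is an added example and is not code from Doctor Web or from the malware: it parses the value Android stores in the secure setting `enabled_notification_listeners` (a colon-separated list of `package/service` component names), flags any listener whose package is not on an allowlist, and can optionally pull the live value from a connected device with `adb`. The sample setting value, the package names in it, and the allowlist are constructed for this example.

```python
"""Audit which apps hold notification-listener access on an Android device.

Android stores the enabled listeners in the secure setting
`enabled_notification_listeners` as a colon-separated list of component
names in the form `package/service`. A clicker that reads and suppresses SMS
notifications needs to appear in this list, so reviewing it is a cheap check.
"""
import subprocess

# Constructed sample of what
#   adb shell settings get secure enabled_notification_listeners
# might return on a device with two listeners enabled. The second package
# name is hypothetical and stands in for a "harmless" gallery app.
SAMPLE_SETTING = (
    "com.android.systemui/com.android.systemui.statusbar.NotificationListener:"
    "com.example.photo.gallery/.sdk.PushSvc"
)

# Packages expected to hold listener access on this fleet; anything else is
# reported for review. The allowlist is an assumption for this example.
ALLOWLIST = {"com.android.systemui"}


def parse_listeners(setting_value):
    """Split the raw setting into (package, service) tuples, skipping blanks."""
    result = []
    for component in setting_value.split(":"):
        component = component.strip()
        if not component:
            continue
        package, _, service = component.partition("/")
        # Android accepts the short form "pkg/.Service"; expand it so the
        # reported class name is fully qualified.
        if service.startswith("."):
            service = package + service
        result.append((package, service))
    return result


def unexpected_listeners(setting_value, allowlist=ALLOWLIST):
    """Return listener components whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_listeners(setting_value)
            if pkg not in allowlist]


def read_setting_from_device(serial=None):
    """Query a connected device over adb (needs adb on PATH and USB debugging).

    `settings get` prints the literal string "null" when the setting is unset,
    which is normalised to an empty string here.
    """
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_notification_listeners"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    out = out.strip()
    return "" if out == "null" else out


if __name__ == "__main__":
    # Runs offline against the constructed sample; swap in
    # read_setting_from_device() to audit a real device.
    for pkg, svc in unexpected_listeners(SAMPLE_SETTING):
        print(f"REVIEW: {pkg} has notification access via {svc}")
```

The flagged entry is only a lead, not a verdict: legitimate messaging, wearable and automation apps also need notification access, so the allowlist should be built from what the fleet actually uses. What makes an entry suspicious in the context of this report is a camera or gallery app, which has no plausible reason to read notifications, holding this access.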
Doctor Web specialists have notified Google engineers of the findings, and all of the detected malicious applications have since been removed from Google Play.