Level 17

Security researchers from Dr.Web say they've identified a new malware family inside an Android app found on the Google Play Store under the name of "Multiple Accounts: 2 Accounts."

At the time of writing, the application is still available from Google's Play Store, where statistics reveal that there are between 1 and 5 million active installs at the moment.

Developed by a Chinese company, the app advertises itself as a dual-account app that allows users to log into two different social media accounts at the same time, supporting services such as WhatsApp, Facebook, Tumblr, and more.

Android.MulDrop shows ads, downloads other apps
The Russian security firm says this app includes a malware family codenamed Android.MulDrop (Android.MulDrop.924).

According to researchers, this malware can show unwanted ads and covertly download apps on the user's smartphone, asking the user to start the installation process.

While there are many apps that show ads on the Google Play Store, most of them are upfront about this behavior.

The Multiple Accounts: 2 Accounts disguises this. Dr.Web researchers say the malware is packed inside two JAR files that are encrypted and hidden inside a PNG image named icon.png using steganography.

When running the app, the modules are extracted from the image and launched into execution. Most of the time, the app downloads and shows ads on the user's phone, which create a revenue stream for its developer.

Android.MulDrop roots devices
Android.MulDrop carries out all its malicious operations through a series of plugins it downloads on the user's device. These plugins are other malware families incorporated inside Android.MulDrop.

The adware behavior is powered via the Android.DownLoader.451.origin malware, while the app downloading behavior is carried out using Android.Triada.99.

Android.Triada.99, or simply Triada, is one of the most dangerous Android trojans known today, mostly used as a banking trojan. Android.MulDrop uses Triada to root devices in order to download other apps.

There's a trend of using dual account apps to spread malware
Avast security researchers have seen a trend of Chinese malware authors packing malware inside apps that allow users to log into social media apps using different identities.

Until now, they've seen these apps distributed via third-party app stores. Android.MulDrop is the first case that has been seen distributed through the Google Play Store.


Level 61
Definitely advertisement is the bearing point whether your application will be in right reputation or not.

Since some developers could not control the kinds of advertisement, hence lately it can be compromised once the user fall on some content.

tim one

Level 21
Malware Hunter
Thanks for sharing ;)

I wonder to myself if other Android AVs may detect this threat or other ones dropped in some malicious apps.
We are quite limited about personal anti-virus testing on Android devices, and we can trust just to independent laboratories such as AV-tests & C. in which personally I have some reluctance.