Malware News Doctor Web: an Android Trojan on Google Play gains money for virus writers using an invisible advertisement

Mahesh Sudula

Sep 3, 2017
Doctor Web specialists have detected applications in the Google Play catalog with the built-in Trojan Android.RemoteCode.152.origin; they have been downloaded more than 6 500 000 times in total. This malicious program silently downloads and launches additional modules containing adware plug-ins. Using them, the Trojan loads invisible ads and clicks on them, so the criminals earn rewards.
Android.RemoteCode.152.origin is a new version of the Android.RemoteCode.106.origin Trojan, known since 2017; Doctor Web published an article about it in November. This malicious program was a software module that software developers embedded into their applications and distributed through the Google Play catalog. The main function of Android.RemoteCode.106.origin is the silent downloading and launching of auxiliary plug-ins designed to load advertising web pages and click on the banners located on them. The new version of the Trojan performs similar actions.
After the first launch of an application that contains the built-in Trojan, Android.RemoteCode.152.origin automatically starts working at certain intervals and starts itself after each device reboot. Therefore, its operation does not require the device owner to continually use the infected application.
At launch, the malicious program downloads one of the Trojan modules (added to the Dr.Web virus database as Android.Click.249.origin) from the managing (command and control) server and launches it. This component downloads and launches another module based on the MobFox SDK advertising platform. This platform is designed for monetizing applications. Using it, the Trojan silently creates various advertisements and banners and then clicks on them, earning money for the criminals. In addition, Android.RemoteCode.152.origin connects to the mobile marketing network AppLovin, through which it also downloads advertisements for additional income.
Doctor Web virus analysts have detected several applications in the Google Play catalog that contained this built-in Trojan. All of them were various games, whose total number of downloads has exceeded 6 500 000. Doctor Web specialists notified Google Corporation about the programs found, and at the time of publication of this article some of the applications had been successfully deleted from the Google catalog. At the same time, some applications have been updated and no longer contain this malicious module.
Android.RemoteCode.152.origin has been detected in the following programs:
  • Beauty Salon - Dress Up Game, version 5.0.8;
  • Fashion Story - Dress Up Game, version 5.0.0;
  • Princess Salon - Dress Up Sophie, version 5.0.1;
  • Horror game - Scary movie quest, version 1.9;
  • Escape from the terrible dead, version 1.9.15;
  • Home Rat simulator, version 2.0.5;
  • Street Fashion Girls - Dress Up Game, version 6.07;
  • Unicorn Coloring Book, version 134.
In addition, Doctor Web specialists have further analyzed and identified the Trojan in several other applications that had already been removed from the catalog:
  • Subwater Subnautica, version 1.7;
  • Quiet, Death!, version 1.1;
  • Simulator Survival, version 0.7;
  • Five Nigts Survive at Freddy Pizzeria Simulator, version 12;
  • Hello Evil Neighbor 3D, version 2.24;
  • The Spire for Slay, version 1.0;
  • Jumping Beasts of Gang, version 1.9;
  • Deep Survival, version 1.12;
  • Lost in the Forest, version 1.7;
  • Happy Neighbor Wheels, version 1.41;
  • Subwater Survival Simulator, version 1.15;
  • Animal Beasts, version 1.20.
Examples of software with the built-in Android.RemoteCode.152.origin Trojan are shown in the following pictures:


To reduce the possibility of mobile devices being infected by malicious programs, Doctor Web specialists recommend installing applications only from known and trusted developers. Antivirus products like Dr.Web for Android detect and successfully remove all known modifications of the Trojans described in this article, so they pose no danger to our users.
 
