Specialists at “Doctor Web” have discovered a Trojan, Android.Spy.510, which installs on Android smartphones and tablets an unwanted software module that displays ads on top of most applications in use. Doctor Web reported this to CNews.
Android.Spy.510 is distributed inside an originally harmless media player that virus writers have modified and named AnonyPlayer. The trojanized version of the player has all the features of the original and is fully functional, so potential victims have no reason to suspect that it may be dangerous.
After it is installed and launched, Android.Spy.510 collects a set of sensitive data and sends it to the control server, including the user's Google Play account login, the model of the infected smartphone or tablet, the SDK version of the operating system, and whether root access is present on the device. The Trojan then attempts to install an additional software package hidden in its resources, which contains the main malicious functionality the attackers need. To do this, Android.Spy.510 displays a special message stating that an application called AnonyService needs to be installed, supposedly to provide anonymity and prevent third parties from obtaining confidential information. In reality, the program provides no such functionality and is an advertising module, which has been added to the Dr.Web virus database as Adware.AnonyPlayer.1.origin, the company said.
When launched, Adware.AnonyPlayer.1.origin asks the owner of the mobile device for access to the operating system's special features (Accessibility Service), then goes into standby mode and begins its unwanted activity only a few days after installation. This is done to reduce the likelihood that the user will identify the source of the unwanted activity on the infected device.
After the predetermined time has passed, Adware.AnonyPlayer.1.origin uses the Accessibility Service capabilities at its disposal to track all events occurring in the system and waits for the moment when the victim launches an application. Once this happens, the module immediately begins its main task: displaying advertising. First, Adware.AnonyPlayer.1.origin checks whether the launched program is on a “white list” in which the attackers have placed a number of applications (which, in their opinion, do not contain functionality for showing commercial offers).
If Adware.AnonyPlayer.1.origin finds the application on this list, it takes no further action, because showing ads after the launch of “clean” programs, including many system and popular applications, could alert the user and lead to the discovery of their true source.
If an application not on the list is launched, Adware.AnonyPlayer.1.origin uses a WebView element to build a special notification that is displayed on top of the window of the program that has just started and contains advertising specified by the control server. As a result, the owner of the infected Android smartphone or tablet may think that the source of the intrusive notification is the application he has just started. At the same time, to divert suspicion from their “creations”, the virus writers made sure that no advertising is displayed when either Adware.AnonyPlayer.1.origin or the Trojan that installs it, Android.Spy.510, is launched, “Doctor Web” noted.
The specialists of “Doctor Web” strongly recommend that owners of Android devices install applications obtained from trusted sources. In addition, users should treat with extreme caution any programs that ask for access to the operating system's special features (Accessibility Service). If a malicious application receives this access, it will be able to interact with the graphical user interface (for example, to handle dialog boxes on its own), and even capture information entered by a potential victim, acting as a keylogger. As a result, it will be able to steal confidential data such as correspondence, search queries, and even passwords, the company explained.
Entries for detecting the Trojan Android.Spy.510 and the advertising application it installs, Adware.AnonyPlayer.1.origin, have been added to the Dr.Web virus database.
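
One way to act on the Accessibility Service advice above, as an added example that is not from Doctor Web or the original article: the script parses the text output of two adb commands and flags enabled accessibility services whose package is third-party and was not installed by a trusted store. The trusted-installer set, the function names and the sample package names are assumptions constructed for illustration.

```python
# Inputs are the text outputs of two adb commands, captured on a workstation:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i -3      (-3 = third-party packages only)
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def parse_enabled_services(raw):
    """Return {package: [service classes]} from the colon-separated setting."""
    services = {}
    raw = raw.strip()
    if not raw or raw == "null":  # the setting reads "null" when it is unset
        return services
    for component in raw.split(":"):
        package, _, cls = component.strip().partition("/")
        if package:
            services.setdefault(package, []).append(cls)
    return services

def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[name.strip()] = None if installer in ("", "null") else installer
    return installers

def flag_risky_services(services_raw, packages_raw):
    """List (package, installer, classes) for accessibility services held by
    third-party packages that did not come from a trusted installer."""
    installers = parse_installers(packages_raw)
    findings = []
    for package, classes in sorted(parse_enabled_services(services_raw).items()):
        # Packages absent from the -3 listing are system packages: skipped here.
        if package in installers and installers[package] not in TRUSTED_INSTALLERS:
            findings.append((package, installers[package], classes))
    return findings

# Constructed sample output; the example.* package names are invented.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.sideloaded.helper/.OverlayService")
SAMPLE_PACKAGES = ("package:com.example.sideloaded.helper  installer=null\n"
                   "package:com.example.storeapp  installer=com.android.vending\n")

if __name__ == "__main__":
    for pkg, installer, classes in flag_risky_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"review: {pkg} (installer={installer}) services={classes}")
```

A flagged entry is a prompt for manual review rather than a verdict: legitimate sideloaded tools can also hold an accessibility service.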