Virus analysts at Doctor Web have found a new member of the dangerous Android.Loki Trojan family. Like previous versions, the identified malware embeds itself in the processes of various applications, including system ones, but it now infects Android OS libraries, Doctor Web told CNews.
The malware, dubbed Android.Loki.16.origin, is a multi-component Trojan. It covertly downloads and installs software on mobile devices running the Android OS. The Trojan infects smartphones and tablets in several stages.
In the first stage, Android.Loki.16.origin is loaded onto the mobile device and run by other malware. It then connects to the command-and-control server and downloads the malicious component Android.Loki.28, as well as several exploits for obtaining root access. All these files are saved in the Trojan's working directory. Next, Android.Loki.16.origin runs the exploits one after another and, once system privileges have been successfully elevated, launches the Android.Loki.28 module.
In turn, once started, Android.Loki.28 mounts the /system partition for writing, gaining the ability to modify system files. It then extracts from itself the additional malicious components Android.Loki.26 and Android.Loki.27 and places them in the system directories /system/bin/ and /system/lib/, respectively. Next, the malware embeds a dependency on the Trojan component Android.Loki.27 into one of the system libraries. After the library is modified, the Android.Loki.27 module is attached to it and starts every time the operating system uses that library. The images below show an example of the changes made by the malware:
After Android.Loki.27 starts, it runs the malicious Android.Loki.26 module. It is launched only from system processes running as root. Thus, Android.Loki.26 receives root privileges and can stealthily download, install, and uninstall apps. With this module, cybercriminals download to Android devices not only other malware but also adware or harmless software, earning income from displaying annoying ads or from inflating the installation counters of certain applications, Doctor Web explained.
Because the malicious Android.Loki.27 module modifies system components, removing it can damage the infected mobile device. At the next start, the Android OS will fail to boot normally, because it will not find the Trojan dependency referenced in the modified library. To restore the system, the device has to be reflashed. Since all personal files will be deleted, before flashing you should back up important data and possibly consult a specialist.
According to the company, Dr.Web for Android recognizes all known modifications of the Android.Loki family Trojans.
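A defensive check for the library modification described above, added here as an example (it is not code from Doctor Web or CNews): assuming the added dependency shows up as an ELF DT_NEEDED entry, it compares `readelf -d` output for each system library against a baseline taken from a known-good firmware image and flags gained dependencies and files absent from the baseline. All paths, library names and sample output are constructed placeholders.

```python
import re

# Matches DT_NEEDED rows as printed by `readelf -d <library>`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library:\s+\[([^\]]+)\]")
ABSENT = "<file absent from baseline>"

def needed_libs(readelf_text):
    """Return the DT_NEEDED library names found in `readelf -d` output."""
    return NEEDED_RE.findall(readelf_text)

def added_dependencies(baseline, current):
    """Map each library path to the NEEDED entries it gained since the baseline."""
    findings = {}
    for path, text in current.items():
        if path not in baseline:
            findings[path] = [ABSENT]  # new file under /system/lib/
            continue
        known = set(needed_libs(baseline[path]))
        extra = [name for name in needed_libs(text) if name not in known]
        if extra:
            findings[path] = extra
    return findings

# Constructed sample data: all paths and the added library name are placeholders.
ROW = " 0x00000001 (NEEDED)                     Shared library: [{}]\n"
SONAME = " 0x0000000e (SONAME)                     Library soname: [{}]\n"

def fake_readelf(soname, needed):
    """Build readelf-style text for one library (constructed, not real output)."""
    return SONAME.format(soname) + "".join(ROW.format(n) for n in needed)

BASELINE = {
    "/system/lib/libexample.so": fake_readelf("libexample.so", ["libc.so", "libm.so"]),
    "/system/lib/libother.so": fake_readelf("libother.so", ["libc.so"]),
}
CURRENT = {
    "/system/lib/libexample.so": fake_readelf(
        "libexample.so", ["libc.so", "libm.so", "libplaceholder_added.so"]),
    "/system/lib/libother.so": fake_readelf("libother.so", ["libc.so"]),
    "/system/lib/libplaceholder_added.so": fake_readelf(
        "libplaceholder_added.so", ["libc.so"]),
}

if __name__ == "__main__":
    for path, extra in sorted(added_dependencies(BASELINE, CURRENT).items()):
        print(path, "->", ", ".join(extra))
```

A flagged library should be compared byte-for-byte with the copy in the vendor firmware image before anything is deleted, since the article notes that removing the referenced component leaves the device unable to boot.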