Bloatware of various kinds poses both a potential and a very real threat to users. But as long as unscrupulous subcontractors involved in building OS images can earn money by faking app installations, artificially inflating app ratings and distributing adware, all sorts of malware will keep turning up in the software and firmware of many devices.
Specialists at Doctor Web have detected several Trojans in the firmware of dozens of models of Android mobile devices. Most of the malware found resides in the system directory and silently downloads and installs additional programs onto the device.
One of the detected Trojans was given the identifier Android.DownLoader.473.origin. It was found in the firmware of many popular Android devices built on the MTK hardware platform. At the time of publication the Trojan had been spotted on 26 models of smartphones, including:
- MegaFon Login 4 LTE
- HP TZ85
- Irbis TX97
- HP TZ43
- Bravis NB85
- Bravis NB105
- SUPRA M72KG
- SUPRA M729G
- SUPRA V2N10
- Pixus Touch 7.85 3G
- Itell K3300
- General Satellite GS700
- Digma Plane 9.7 3G
- Nomi C07000
- Prestigio MultiPad Wize 3021 3G
- Prestigio MultiPad 3G PMT5001
- Optima 10.1 3G TT1040MG
- Marshal ME-711
- MID 7
- Explay Imperium 8
- Perfeo 9032_3G
- Ritmix RMD-1121
- Oysters T72HM 3G
- HP tz70
- HP tz56
- Jeka JK103
The researchers warn that the number of infected models is most likely much larger.
Android.DownLoader.473.origin is a typical Trojan downloader that runs every time the device starts. It monitors the Wi-Fi module and, once a network connection is available, connects to its command-and-control server and retrieves a configuration file containing its task. The file specifies which application the malware should download. After downloading the specified program, the Trojan silently installs it.
Doctor Web's specialists write that the malware can download any software onto the device, whether harmless, unwanted or outright malicious. For example, the adware application H5GameCenter, listed in the Dr. Web virus database as Adware.AdBox.1.origin, is actively distributed this way. Once installed, this application displays a small image of a box on top of all running programs that cannot be removed from the screen. The box is a shortcut that, when tapped, opens the built-in app catalog. The unwanted program also displays advertising banners.
According to user complaints on various forums, attempts to remove H5GameCenter lead nowhere: the app is soon installed again and the annoying box is back in place. The reason is that Android.DownLoader.473.origin monitors H5GameCenter and, if the application is removed, installs it again.
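The reinstall loop described above is a behaviour a defender can look for on a device: a package that a user uninstalls and that a system-privileged component puts back within seconds, repeatedly. The following script is an added example and is not Doctor Web's tooling or anything from the report. It runs a small detector over a constructed list of package install/uninstall events; the package names, the installer name and the event field names are all assumptions chosen for illustration, not identifiers from the report.

```python
"""Flag packages that keep coming back after the user removes them.

Added example, not from the Dr. Web report. The event records are
constructed to resemble a device-side package-event log; the field
names (ts, action, package, installer) and all package names are
assumptions for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PkgEvent:
    ts: int          # seconds since boot (constructed)
    action: str      # "install" or "uninstall"
    package: str     # package affected (constructed names)
    installer: str   # who requested it: "user" for a manual action, else a package name


# Constructed sample: the user removes the ad app twice, and each time a
# system component re-installs it within a minute. A weather app is
# removed and re-installed by the user hours later, which is normal.
SAMPLE_EVENTS = [
    PkgEvent(100,  "install",   "com.example.h5gamecenter", "com.example.sysdownloader"),
    PkgEvent(900,  "uninstall", "com.example.h5gamecenter", "user"),
    PkgEvent(930,  "install",   "com.example.h5gamecenter", "com.example.sysdownloader"),
    PkgEvent(2000, "uninstall", "com.example.h5gamecenter", "user"),
    PkgEvent(2040, "install",   "com.example.h5gamecenter", "com.example.sysdownloader"),
    PkgEvent(3000, "install",   "com.example.weather",      "user"),
    PkgEvent(5000, "uninstall", "com.example.weather",      "user"),
    PkgEvent(9000, "install",   "com.example.weather",      "user"),
]


def find_reinstall_loops(events, window_s=300, min_loops=2):
    """Return {package: [(uninstall_ts, reinstall_ts, installer), ...]}.

    A package is flagged when a non-user installer re-installs it within
    `window_s` seconds of a user uninstall at least `min_loops` times.
    """
    by_pkg = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pkg[ev.package].append(ev)

    flagged = {}
    for pkg, evs in by_pkg.items():
        loops = []
        last_user_uninstall = None
        for ev in evs:
            if ev.action == "uninstall" and ev.installer == "user":
                last_user_uninstall = ev.ts
            elif ev.action == "install" and last_user_uninstall is not None:
                # Only an automatic re-install shortly after a manual removal counts.
                if ev.installer != "user" and ev.ts - last_user_uninstall <= window_s:
                    loops.append((last_user_uninstall, ev.ts, ev.installer))
                last_user_uninstall = None
        if len(loops) >= min_loops:
            flagged[pkg] = loops
    return flagged


if __name__ == "__main__":
    for pkg, loops in find_reinstall_loops(SAMPLE_EVENTS).items():
        print(f"{pkg}: re-installed {len(loops)} times after user removal")
        for removed, back, who in loops:
            print(f"  removed at t={removed}s, back at t={back}s via {who}")
```

The installer identity is what separates the malicious pattern from a user simply changing their mind: a component that lives in the system partition re-installing a package the user just removed is the same behaviour the report attributes to the downloader, and on a real device that installer's name is what to look up in the firmware image.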
Another Trojan found by the researchers was given the identifier Android.Sprovider.7 and was discovered on the Lenovo A319 and Lenovo A6000 smartphones. The malware is built into the Rambla app, which provides access to an app catalog of the same name. The Trojan's main functionality is concentrated in a separate software module, Android.Sprovider.12.origin, which is stored in encrypted form in the resources of the main application. Every time the user unlocks the device screen, the malware checks whether this auxiliary component is running. If it is not, the Trojan extracts it from its resources and launches it again.
The Android.Sprovider.12.origin module has a wide range of functions. For example, it can:
- download an APK file and try to install it in the standard way, asking the user for permission;
- run an installed application;
- open a link specified by the attackers in the browser;
- call a number using the standard system application;
- launch the system's default phone app with a specified number already dialled;
- show ads on top of all applications;
- display ads in the notification bar;
- create a shortcut on the home screen;
- update the main malicious module.
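The detail that the Sprovider module is stored encrypted inside the main application's resources is something a static triage pass can pick up on: an encrypted or packed payload has an entropy close to 8 bits per byte, unlike text, XML or ordinary binary resources. The script below is an added example, not Doctor Web's analysis tooling. Because an APK is a zip archive, it builds a small constructed archive in memory with a benign text asset and a random-byte blob standing in for an encrypted module, then reports resource entries that look encrypted. The entry names, sizes and thresholds are assumptions for the illustration.

```python
"""Triage an APK for high-entropy (likely encrypted) payloads in its resources.

Added example, not from the Dr. Web report. An APK is a zip archive, so
the constructed sample below is a minimal zip whose res/raw/ entry stands
in for an encrypted helper module; every name and threshold is an
assumption made for the illustration.
"""
import io
import math
import os
import zipfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_apk() -> bytes:
    """Constructed sample archive: a manifest, a text asset, a dex stub and a
    random blob under res/raw/ that mimics an encrypted module."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.sample'/>")
        z.writestr("assets/strings.txt", b"Welcome to the app catalog.\n" * 200)
        z.writestr("res/raw/payload.dat", os.urandom(64 * 1024))  # stand-in for an encrypted .apk/.dex
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 2048)
    return buf.getvalue()


def find_high_entropy_entries(apk_bytes: bytes, threshold: float = 7.5, min_size: int = 4096):
    """Return [(name, size, entropy)] for entries under res/ or assets/ that
    are at least `min_size` bytes and have entropy >= `threshold`."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if not (info.filename.startswith("res/") or info.filename.startswith("assets/")):
                continue
            if info.file_size < min_size:
                continue
            ent = shannon_entropy(z.read(info))
            if ent >= threshold:
                hits.append((info.filename, info.file_size, round(ent, 2)))
    return hits


if __name__ == "__main__":
    for name, size, ent in find_high_entropy_entries(build_sample_apk()):
        print(f"{name}: {size} bytes, {ent} bits/byte -> inspect for an embedded module")
```

Treat a hit as a lead, not a verdict: compressed media such as PNG or Ogg files also read as near-random once the zip layer is decompressed, so the usual next step is to check whether the flagged blob has a known file signature (image, audio) or none at all, and whether the application's code reads and decrypts that resource, which is the pattern the report describes for the Sprovider module.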
Doctor Web's specialists have already informed the manufacturers of the infected devices about the problem. Owners of these devices are advised to contact the manufacturer's support to obtain an updated version of the system software as soon as a fix is ready.