Trojan found in more than 100 Android apps on Google Play Store

Poisoned apps steal confidential information and serve up ads.

Researchers have uncovered a new strain of advertising spyware in more than 100 Android apps downloadable from the official Google Play Store.

The research team at Russian security firm Doctor Web first added the trojan, which it called Android.Spy.277.origin, to its virus database on April 1st, 2016.

"A Trojan for Android that steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store."

Specifically, the malware experts found the trojan in 104 Android applications available for download on the Google Play Store. Those apps claim to offer photo editing services, animated wallpaper themes, and other programs... but in most cases, they don't work as they claim.

In total, the apps affected by Android.Spy.277.origin are believed to have been downloaded by a staggering 3.2 million users.

The infection process works as follows.

Once a user has installed one of the malicious apps, the trojan collects nearly 30 different pieces of information about the user's device and transmits them to a remote server operated by an attacker.

As Doctor Web explains in a blog post, the stolen data includes the device's IMEI number - which phone call management app Truecaller has found out should NEVER be used as the sole means for authenticating a user - as well as the device model, OS version, and availability of root access.

"At every launch of any installed application, the Trojan resends all the information mentioned before together with the name of the running application."

Android.Spy.277.origin also requests certain parameters for advertising on a user's device.

For example, the trojan can try to intimidate the user into installing unwanted applications onto their devices.

Alternatively, it can display advertising notifications in an infected device's status bar as well as create shortcuts on the Android home screen leading to sections of the Google Play store.

Doctor Web has notified Google, whose teams have begun to remove some of the malicious apps from the Play Store.

While Google sorts out that problem, Android users are urged to install an anti-virus solution on their devices and to install apps only from trusted app developers.

After all, this is far from the first time that malicious code has made its way into the Google Play store.


36 Responses

  1. coyote

    April 6, 2016 at 12:05 am #

    'Trojan found in more than 100 …'
    Never good but nothing new.

    '… Android apps…'
    If anyone felt surprised they shouldn't now that Android is named.

    '… on Google Play Store'
    We've found the root cause. But we should just trust Google; their employees who would be in the know say there is no need for an antivirus on an Android. But Google is anything but trustworthy.

    The only thing that is somewhat surprising is the small number (small for Google) of trojans.

    • es5150 in reply to coyote.

      April 6, 2016 at 12:21 am #

      Just last week, one was found in the Apple repository as well… what is your point?!? I smell iSheep dung…

    • Nathan in reply to coyote.

      April 6, 2016 at 5:00 am #

      Go back to a pager. EVERY piece of technology is prone to hacking, ads, spam. Yay!

  2. David G.

    April 6, 2016 at 12:30 am #

    Was it too much trouble for the reporter to list what apps are infected with this?

    • Graham Cluley in reply to David G..

      April 6, 2016 at 12:31 am #

      Doctor Web's blog post (linked to from the above article) includes a list of known affected APKs.

      Check it out here:
      https://news.drweb.com/show/?i=9902&c=5&lng=en

    • ROBERT urban in reply to David G..

      April 6, 2016 at 6:07 am #

      that would be too much work for the reporter

    • Ray in reply to David G..

      April 6, 2016 at 8:01 am #

      Thank you!!!

  3. tony

    April 6, 2016 at 1:02 am #

    Do what I do, don't install any of that google play application garbage

    tony

  4. Randal with one L

    April 6, 2016 at 1:21 am #

    That's what happens when you have a droid phone. I have one and won't for long, same as the flash light app which was done by scammers. Android doesn't monitor software that is out there, Apple does, my brother enlightened me why he switched due to malware in tons of software out there.

    Love my droid but I have enough problems with scammers out there!

    • Babyfacemagee in reply to Randal with one L.

      April 6, 2016 at 8:28 am #

      Except Apple's iPhone had a trojan just last week. Nobody's immune.

    • Guy in reply to Randal with one L.

      April 6, 2016 at 2:23 pm #

      Lol well if you think switching to Apple is going to make you immune to threats like this you're fairly naive.

  5. Las Tetas

    April 6, 2016 at 1:51 am #

    This sucks

  6. Dan

    April 6, 2016 at 1:56 am #

    And how do we determine who is a trusted app developer, pray tell? We can't even trust Google Play to allow trusted app developers on their site.

  7. Moe Smith

    April 6, 2016 at 2:02 am #

    for every single found on iOS, 100s are found on android.

    I may hate Apple, but the iPhone DECIMATES the Android platform in every way.

    don't bother responding with your butthurt, ego-riddled vomited nonsense. i won't be back to see your drivel anyway.

    Bite it dwoidboiz.

  8. Jimmy J.

    April 6, 2016 at 2:44 am #

    Quote "Doctor Web has notified Google, whose teams have begun to remove some of the malicious apps from the Play Store"
    What ever happened to the days when we believed apps had been scanned for malicious threats before they would be approved for the play store?
    I was always told only to download from the play store, that other sites apps could be deemed unsafe.

  9. bitterJane2016

    April 6, 2016 at 3:19 am #

    iDung seriously lmao. They might as well just "casually" suggest to buy and only choose "iProducts" at the end of the article since they are the best and only safe choice…Right. Give me a break!
    One would really have to be brainless to get a virus or brick your Android device since all installations or processes are allowed to take place only if user allows them to and device security is set lower for that to take place.
    iDung indeed.

  10. Richard P

    April 6, 2016 at 3:38 am #

    just yesterday I had a friend with a broken android phone ask me if I could extract her information with my computer so she could transfer it to her new phone. so I did. I was also streaming netflix at the same time. I run a Dell 470 vostro with an I5 3450 3 .10Ghz 4 core and 16 Gigs of ddr3 2800 with win 7 64 pro. I always have my resource monitor open on one of my monitors. I have my OS on an ocz r7 ssd and a wd spinner back up storage drive non raid. about a half hour after storing her android info on my back up drive my ram usage shot from just over three gigs to over twelve gigs! upon investigation I found a google play android app had latched on to a media server app that suddenly appeared on my netgear router. the netgear genie app has been nothing but trouble. I quickly uninstalled it after buying the router 2 years ago. didn't even have the vostro at the time but that router finds a way to get that app back every now and then. I erased both drives and am currently re installing win 7 64 pro. the genie server app was on the android phone this time.

  11. Linda A.

    April 6, 2016 at 4:17 am #

    Can someone recommend an antivirus to install on Android phones? One that is trustworthy ?

    • argo in reply to Linda A..

      April 6, 2016 at 12:12 pm #

      macafeee

    • Ronald jamison in reply to Linda A..

      April 6, 2016 at 2:39 pm #

      Lookout

  12. walt disney

    April 6, 2016 at 4:25 am #

    Now I'm worried to go dl/install antivirus in case it comes loaded. Why not provide 1-2 names for a few that are safe and effective to use – wrt the virus in this article.

  13. Bozo

    April 6, 2016 at 4:35 am #

    I have no respect for google and their BS antics, stealing data by crawling the top search engines at the time, like Lycos, Yahoo, MSN and so forth and later suing people for doing the same.. Their Trojan horse toolbar that infected IE trying to get people to switch to chrome and exposing all the flaws to the general public of the vulnerabilities with other OS's.. I say a little taste of their own medicine.. LMFAO!!!

  14. John

    April 6, 2016 at 4:38 am #

    I have detected aggressive port scans on my firewall over and over from their development sites?
    No problem to drop but still very annoying to see coming in over and over.

  15. Bash0001

    April 6, 2016 at 5:59 am #

    IS this any surprise? Expect it people. Even carriers put malware in their smart phone that make you have an update many times a day in order to cause you to go over your data plan limit so they can charge you for it.

    • Jennifer in reply to Bash0001.

      November 28, 2016 at 11:39 am #

      Or the company will crash your phone so you have no choice but to buy another one. That should be illegal.

  16. Simon

    April 6, 2016 at 12:41 pm #

    Mostly an iOS user here, but Android has its advantages and every platform has known/unknown vulnerabilities/exploits. Nothing is perfect.

    The major issue with carrier-supplied Android/Windows Phone handsets is that they're held ransom by their 'custom' firmware.

    I'd wish carriers would butt out with their customizations. They're the bottleneck, injecting bloatware that hardly anyone wants/needs.

    Let the handset manufacturers deliver/notify users direct when the latest ROM(s) are available.

    This'll speed up deployment of critical patches.

    • Jon in reply to Simon.

      April 6, 2016 at 3:20 pm #

      Agreed. Last time I got a phone, I went with the Moto G using it on T-mobile. Bought it directly from Motorola with very little preloaded. Updates are through Motorola directly and Tmobile has nothing to do with the phone.

  17. Sunny Chang

    April 6, 2016 at 3:59 pm #

    You've got to have BlackBerry Priv for Android. It has the DTEK app to watch out for you on any apps you installed and monitor them for you like an iSpy 007. The device gets an upgrade of security software every month. I'm not trying to promote the device; just want to let people know.

  18. Will Cogle

    April 6, 2016 at 7:33 pm #

    Friday my Android tablet started acting up and restarting each time I'd be on it for more than 5 mins. Finally it worked Sunday night and as I'm watching YouTube, my cm security kept scanning files that would not stop downloading and I couldn't open them at all. Then gray boxes appear on my google photos and I can't open them on any device, even computer, so I deleted them. So Monday after school I get a message saying I can't sign in to google and that I have violated terms. I reviewed the terms and found nothing I did wrong. Does anyone have an idea of why this happened

    • Thank you St. Therese! in reply to Will Cogle.

      August 13, 2016 at 5:24 pm #

      My Galaxy phone has also begun corrupting photos. If I hurry after I take them, I can text them. Then quickly, they are replaced by a black box with a stupid word like OK or FASHION. Then they are turned into gray boxes–or a fake video file that won't play. The camera was the main reason I bought this 3 several years ago. I'm a graphic artist & photography nut and the 8 mb was awesome. In reading the article, I did download a few photo editors from Google Play a long time ago. But their features are cheesy compared to the pro stuff so had begun uninstalling them. Perhaps that is why this is happening? The bad programs do this upon uninstalling?

  19. Anssi Jalonen

    April 7, 2016 at 10:02 am #

    Bloody Microsoft! I mean who else to blame for all this too?

  20. Southern Belle

    April 7, 2016 at 10:46 am #

    I was all over google as well as firefox Google, Firefox they claim to check their 'SAFE" apps for distribution but I found out the hard …THEY LIED! i had a Redirect Virus that kept coming back for weeks, was very hard to get rid of. if i'm not mistaken i believe it came from a translator app …don't remember why i would have that either.

    Another problem you'll have to read bout this cookie called Mookie known as the Mookie virus mookie1.com 1mookie.com mookieb.com there are several names but all Mookie which started out as an advertising for something or there supposedly legit ..no longer and it's a cookie which most users allow for sessions which is how it gets in and does other things system slowing to crawl there is action a lot of ppl that have had the problem so that's another to watch out for.

    hope i have been helpful!

  21. SouthernBelle

    April 7, 2016 at 11:44 am #

    dayuuuum this is second time i'm typing this post it was lost when it took me to registration or login now i have to all again …won't be the same 1st one was rather long.

    Short Version:

    Google Chrome and FireFox Claim all their apps are tested to make sure they are NOT viruses etc. ..THEY LIED i caught a redirecting virus from google firefox just 1 of them called Mookie ..you'll have to do your own searching but it gets into ur system by way of …a cookie known as the Mookie Virus, where like most users we add security by way NOT allowing third party cookies etc. BUT as many or most set Allow Session and the cookie is to expire on exit … well we gave it its way in, now you'll receive ads maybe a program you didn't install but mostly you'll notice your system suddenly crawling, pages taking forever to load! The Mookie Virus as i've learned it to be called comes in a few names mookie1, 1mookie, mookieb and a couple of other characters or numbers in front or at end of name then .com, Mookie is was in the beginning a legitimate business in advertising i don't know the whole story but i did deal with it as many other.

    Google, Mozilla should be held accountable for the breach of security for their trusting users, for lying and NOT doing their job!

    Like Twitter your account gets hacked you give proof the hacker keeps your handle twitter name all the same, they are Not in the business to do anything more but make money by give access to social networking, …OK sorry that's a whole other story!

    OMG guess the post was more detail than I had stated.

    Hopefully it was helpful and informative Cyal later!

  22. Stendahl Normendi

    April 18, 2016 at 8:43 am #

    I have reported at least 20 apps to Google in the last year because I either 1} saw merely by reading the "permissions" they were staggering invasive trojans or viruses and these people even outright admit it or 2} actually downloaded an app that gave me some form of malware, blocked me from turning off my phone, caused me to call AT & T because of not being able to connect to my WiFi, etc. I can't even tell you the BS you have to jump through to merely find and fill out the form to notify them that an app is suspicious – and this is right ON the page with the app. One app (a map app that supposedly told you how late or on time the buses or trains were in your area) was such a violation, people were doing nothing but writing reviews ranting about the virus included in the app and all the horrors they'd endured. The rub: you have to first DOWNLOAD an app in order to REPORT or REVIEW the app in the Google Play store. Anyway, this one app? I literally wrote and even called Google 8 times to warn, beg, ask, plead and tell them this app was a VIRUS and to go read the 100+ reviews of people ranting and POd they'd caught it. All Google did was send me more email in reply to mine asking for the same info I'd just spent hours carefully typing up for them, or asking for the URL of the app when this is what is on the form you send in when you report it from Google Play; or telling me to email them with the information which I'd say I'd already done 6 or 8 times. It got me nowhere and they just don't care. I can't believe the utter garbage that's in the Play store and even though I uninstall all PlayStore updates to my phone and tablet, within a week they're put right back on, even BLOCKING my ability to play a game that has nothing to do with Google by telling me I can't play until I update Google Play. 
    I couldn't even get on YouTube today, on my tablet, without signing up for an account (I don't have one and don't need one) so I got on my desktop and looked to my heart's content. Once I was forced to sign up for a gmail address, after buying my Android phone, they seem to think they own my life.

    • Thank you St. Therese! in reply to Stendahl Normendi.

      August 13, 2016 at 5:32 pm #

      Most times I medium rant on a company's facebook site as well. That way it's also public and more people will see your post. Generally you will get a reply from the company via messenger fairly quickly.

  23. anoop

    September 7, 2016 at 7:41 pm #

    Shame on u Google play
