Doctor Web has detected, in the official Android application catalog, a clicker Trojan that can automatically subscribe users to paid services. Virus analysts have identified several modifications of this malware, named
First, the attackers built the clickers into harmless applications (cameras and image collections) that actually performed the functions they claimed. As a result, neither users nor information security professionals had any obvious reason to treat them as a threat.
Second, all of the malicious programs were protected with the commercial Jiagu packer, which hampers both antivirus detection and code analysis. This gave the Trojan a better chance of evading the built-in protection of the Google Play catalog.
Third, the virus writers tried to disguise the Trojan as well-known advertising and analytics libraries. Once added to a carrier application, it was embedded in the Facebook and Adjust SDKs already present there, hiding among their components.
In addition, the clicker attacked users selectively: it did not perform any malicious actions if the potential victim was not a resident of one of the countries of interest to the attackers.
The following are examples of applications with a Trojan embedded in them:
After installing and launching the clicker (hereinafter, its modification will be used as an example
If the user agrees to grant it the necessary permissions, the Trojan is able to hide all incoming SMS notifications and intercept text messages.
Next, the clicker sends technical data about the infected device to the control server and checks the serial number of the victim's SIM card. If it corresponds to one of the target countries,
If the victim's SIM card does not belong to a country of interest to the attackers, the Trojan takes no further action and ceases its malicious activity. The clicker modifications studied attack residents of the following countries:
- Austria
- Italy
- France
- Thailand
- Malaysia
- Germany
- Qatar
- Poland
- Greece
- Ireland
After transferring information about the number
Having received the site address,
Although the clicker has no SMS-handling functionality of its own and no direct access to messages, it bypasses this limitation as follows. The Trojan's service monitors notifications from the application assigned as the default SMS handler. When a message arrives, the service hides the corresponding system notification, extracts the details of the received SMS from it, and passes them to the Trojan's broadcast receiver. As a result, the user sees no notification of the incoming SMS and is unaware of what is happening. They learn of the subscription only when money starts disappearing from their account, or when they open the messaging app and see the SMS related to the premium service.
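The mechanism just described relies on notification access rather than SMS permissions, so a static check for that combination is a useful triage signal: a camera or image app that declares a notification-listener service but requests no SMS permission deserves a closer look. The following Python script is an added example (not Doctor Web's code and not taken from any of the samples) that parses a constructed AndroidManifest.xml and flags exactly that combination; the package and class names are placeholders invented for the example.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# A notification listener is declared either by guarding the service with this
# permission or by registering this intent action (both are real Android values).
NOTIFICATION_LISTENER_PERMISSION = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
NOTIFICATION_LISTENER_ACTION = "android.service.notification.NotificationListenerService"
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample manifest (not a real app): a "camera" app that declares a
# notification-listener service and a broadcast receiver but no SMS permissions.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera.placeholder">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Camera">
        <activity android:name=".MainActivity"/>
        <service android:name="com.example.sdk.NotifyService"
            android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
            <intent-filter>
                <action android:name="android.service.notification.NotificationListenerService"/>
            </intent-filter>
        </service>
        <receiver android:name="com.example.sdk.MsgReceiver"/>
    </application>
</manifest>
"""

# Constructed benign manifest: same kind of app, no notification listener.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera.benign">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Camera">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def analyze_manifest(manifest_xml: str) -> dict:
    """Return the notification-listener / SMS-permission findings for a manifest."""
    root = ET.fromstring(manifest_xml)
    permissions = {e.get(NAME) for e in root.iter("uses-permission")}

    listener_services = []
    for svc in root.iter("service"):
        guarded = svc.get(PERMISSION) == NOTIFICATION_LISTENER_PERMISSION
        actions = {a.get(NAME) for a in svc.iter("action")}
        if guarded or NOTIFICATION_LISTENER_ACTION in actions:
            listener_services.append(svc.get(NAME))

    has_sms_permission = bool(permissions & SMS_PERMISSIONS)
    return {
        "package": root.get("package"),
        "listener_services": listener_services,
        "receivers": [r.get(NAME) for r in root.iter("receiver")],
        "has_sms_permission": has_sms_permission,
        # Reads notifications (and thus SMS text) without ever asking for SMS access.
        "suspicious": bool(listener_services) and not has_sms_permission,
    }


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        result = analyze_manifest(manifest)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['package']}: {verdict} {result['listener_services']}")
```

The check is a heuristic, not a verdict: legitimate apps (smartwatch companions, accessibility tools) also declare notification listeners. Its value is in narrowing a large catalog down to the apps whose declared purpose, as here a camera, gives them no reason to read other apps' notifications.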
After Doctor Web specialists contacted Google, the detected malicious applications were removed from Google Play. All known modifications of this clicker are successfully detected and removed by Dr.Web anti-virus products for Android and therefore do not pose a threat to our users.