
Android.Toorch.1.origin

Added to the Dr.Web virus database: 2015-04-11

Virus description added:

A Trojan for Android that is disguised as a torch application. It can be distributed with the help of aggressive advertisement modules incorporated into different programs. Cybercriminals can also put it on popular websites with downloadable software.


Once the Trojan is activated, it sends the following data to the command and control server:

  • Current time
  • Current location
  • IMEI
  • Device’s unique ID generated by the Trojan
  • Trojan’s version
  • Root access availability
  • Availability of an active Wi-Fi connection
  • OS version
  • Current system language
  • Device model and manufacturer
  • Trojan’s package name
  • Network connection type

At the same time, Android.Toorch.1.origin tries to get root privileges by using the com.apkol.root package modified by cybercriminals and incorporated into the malware.

If the Trojan succeeds, it extracts the libandroid.jar file from its program package and installs it as an application named NetworkProvider.apk in the system directory /system/app. The Trojan then launches the system service that corresponds to this application. This application (also detected as Android.Toorch.1.origin) extracts the libimpl.jar file (detected as Android.Toorch.2.origin) from its program package and loads it into memory with the help of the DexClassLoader class. This module contains the main malicious functionality of the Trojan and can, in particular, stealthily download, install, or remove applications on cybercriminals’ command.

Some modifications of NetworkProvider.apk carry an additional program component in the form of an ELF file inside the program package. This file is copied into the system directory /system/app under the name GDataAdapter and then launched. Its job is to make sure the user cannot interrupt the work of the Android.Toorch.1.origin Trojan: if the process executed by the Trojan is terminated, GDataAdapter launches it again.

A number of the Trojan’s modifications embed the GoogleSettings.apk component into the system directory. This component has the same functionality as NetworkProvider.apk. It contains the advertising module Adware.Avazu.1.origin, which is subsequently embedded into the system and serves to display advertisements. The original torch application also contains this module.

Since the malicious components are embedded into the system directory /system/app, they cannot be detected by Dr.Web anti-virus solutions for Android during an express scan. Therefore, as soon as any Trojan of the Android.Toorch family is discovered for the first time, it is very important to run a full scan on the infected mobile device, remove the Trojan’s main file, and complete the curing process using a special utility created by Doctor Web security experts.
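The description above gives a responder three things to look for on a device suspected of carrying this family: the dropped file names in /system/app, files written to /system/app after the firmware was built (the partition is normally read-only on a stock device, so every stock file shares the build's timestamp), and the GDataAdapter watchdog that restarts the Trojan when its process is killed. The following triage helper is an added example and is not Doctor Web's code; it parses constructed text dumps in the shape of `adb shell ls -l /system/app` and `adb shell ps` output, and it assumes the watchdog shows up in `ps` under its file name, that the "newer than the build" heuristic is a general one not taken from the page, and that the constructed file name Updater.apk stands in for any late-written file not on the known list.

```python
import re
from datetime import datetime

# File names this family drops into /system/app (from the description above).
TOORCH_SYSTEM_ARTIFACTS = {"NetworkProvider.apk", "GoogleSettings.apk", "GDataAdapter"}
# The watchdog that relaunches the Trojan when its process is terminated
# (assumption: it appears under its file name in the process list).
TOORCH_WATCHDOG_PROCESS = "GDataAdapter"

# Line shape of the older Android toolbox `ls -l`: mode owner group size date time name.
LS_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2})\s+(.+)$")

# Constructed sample listing of /system/app on an infected device (not real data).
SAMPLE_LS = """\
-rw-r--r-- root     root       452189 2014-10-03 08:12 Bluetooth.apk
-rw-r--r-- root     root      1289012 2014-10-03 08:12 Browser.apk
-rw-r--r-- root     root       771230 2014-10-03 08:12 Settings.apk
-rw-r--r-- root     root       211340 2015-04-10 21:47 NetworkProvider.apk
-rw-r--r-- root     root        98304 2015-04-10 21:47 GoogleSettings.apk
-rwxr-xr-x root     root        14120 2015-04-10 21:47 GDataAdapter
-rw-r--r-- root     root        66012 2015-04-10 21:48 Updater.apk
"""

# Constructed sample `ps` output (not real data); the last field is the process name.
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     640    496   c00bd520 00019fb8 S /init
system    245   1     98120  10240 ffffffff 00000000 S com.android.systemui
root      1301  1     4096   512   ffffffff 00000000 S GDataAdapter
"""


def parse_ls(text):
    """Return one dict per file in an `ls -l` dump, with its mtime parsed."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skip totals, blank lines and anything we cannot parse
        mode, owner, group, size, date, time, name = m.groups()
        entries.append({
            "name": name, "mode": mode, "owner": owner, "size": int(size),
            "mtime": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
        })
    return entries


def parse_ps(text):
    """Return the process names from a `ps` dump (header line skipped)."""
    return [line.split()[-1] for line in text.splitlines()[1:] if line.split()]


def triage(ls_text, ps_text):
    """Apply the three indicators and return a list of human-readable findings."""
    findings = []
    entries = parse_ls(ls_text)

    # 1. Known dropped component names sitting in /system/app.
    for e in entries:
        if e["name"] in TOORCH_SYSTEM_ARTIFACTS:
            findings.append(f"known Toorch component in /system/app: {e['name']}")

    # 2. Files stamped later than the oldest (build-time) entry were written after
    #    the firmware image was built. Heuristic assumption, not from the page.
    if entries:
        build_day = min(e["mtime"] for e in entries).date()
        for e in entries:
            if e["mtime"].date() > build_day and e["name"] not in TOORCH_SYSTEM_ARTIFACTS:
                findings.append(
                    f"/system/app file newer than build image: {e['name']} "
                    f"({e['mtime']:%Y-%m-%d %H:%M})")

    # 3. The watchdog is running, so killing the Trojan's process alone is futile.
    if TOORCH_WATCHDOG_PROCESS in parse_ps(ps_text):
        findings.append("GDataAdapter watchdog running: process kill alone will not "
                        "remove the Trojan; run a full scan and the curing utility")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LS, SAMPLE_PS):
        print(finding)
```

A clean device produces no findings, which matters because the page's point is that an express scan never looks at /system/app at all: the listing has to be taken from the system partition explicitly, and the presence of the watchdog is what tells the responder a full scan plus the curing utility is required rather than a simple uninstall.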

Treatment recommendations


Android

  1. If your mobile device is working normally, download and install the free Dr.Web for Android Light anti-virus product on it. Run a full scan and follow the recommendations for neutralising the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device's screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the device's documentation or contact the manufacturer);
    • then download and install the free Dr.Web for Android Light anti-virus product on the infected device, run a full scan, and follow the recommendations for neutralising the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android