A Trojan for Android that is disguised as a torch application. It can be distributed with the help of aggressive advertisement modules incorporated into different programs. Cybercriminals can also put it on popular websites with downloadable software.
Once the Trojan is activated, it sends the following data to the command and control server:
- Current time
- Current location
- IMEI
- Device’s unique ID generated by the Trojan
- Trojan’s version
- Root access availability
- Availability of an active Wi-Fi connection
- OS version
- Current system language
- Device model and manufacturer
- Trojan’s package name
- Network connection type
At the same time, Android.Toorch.1.origin tries to get root privileges by using the com.apkol.root package modified by cybercriminals and incorporated into the malware.
If the Trojan succeeds, it extracts the libandroid.jar file from its program package and embeds it as an application with the name NetworkProvider.apk into the system directory /system/app. Then the Trojan launches the system service that corresponds to the application. This application (can also be detected as Android.Toorch.1.origin) extracts the libimpl.jar file (detected as Android.Toorch.2.origin) from the program package and loads it into the RAM with the help of the DexClassLoader class. This module contains main malicious functionality of the Trojan and can, in particular, stealthily download, install, or remove applications upon cybercriminals’ command.
Some modifications of NetworkProvider.apk can contain an additional program component as an ELF file in the program package. This file is copied into the system directory /system/app as a file with the name GDataAdapter and then launched. This application makes sure that the Android.Toorch.1.origin Trojan’s work is not interrupted by the user. If the process executed by the Trojan is terminated, GDataAdapter launches it once again.
A number of Trojan’s modifications can embed the GoogleSettings.apk component into the system directory. This component has the same functionality as NetworkProvider.apk. This program contains an advertising module Adware.Avazu.1.origin, which subsequently gets embedded into the system. The module serves to demonstrate advertisements. Moreover, original Trojan torch application also contains this module.
Since malicious components are embedded into the system directory /system/app, they can’t be detected by Dr.Web anti-virus solutions for Android during an express scan. Therefore, right after any Trojan of the Android.Toorch family is discovered for the first time, it is very important to run a full scan on the infected mobile device, remove the Trojan’s main file, and finish the curing process using a special utility created by Doctor Web security experts.
