Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Android.Spy.277.origin

Added to the Dr.Web virus database: 2016-04-01

Virus description added:

SHA1: 89dee7086968dda688703304fd4b5163476b7f44

A Trojan for Android that steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store.

Once launched, it sends the following information to the command and control server:

  • “email”—email address connected to a Google user account. It is obtained from AccountManager; at that, only getAccountsByType("com.google”) is used;
  • “app_id”—meta-data from the manifest.xml file of the infected application;
  • “gcm_id”—GCM identifier (Google Cloud Messaging id);
  • “sender_id”—the application identifier specified by the server;
  • “app_version_code”—android:versionCode from the manifest.xml file;
  • “package_name”—name of the package containing the Trojan;
  • “sdk_version_name”—SDK version;
  • “sdk_version_code”—the Trojan’s SDK build number;
  • “android_id”—unique identifier;
  • “imei”—IMEI identifier;
  • “android_version”—operating system version;
  • “model”—mobile device model;
  • “screen”—screen resolution;
  • “phone”—cell phone number;
  • “api_version”—SDK version of the application;
  • “country”—the user’s geolocation;
  • “cpu”—CPU type;
  • “mac”—MAC address of the power adapter;
  • “user_agent”—generates User Agent line for a certain device, considering such parameters as Build.VERSION.RELEASE, Build.VERSION.CODENAME, and Build.MODEL, Build.ID;
  • “carrier”—mobile network operator;
  • “is_plugin”—informs the server whether the Trojan is launched from the original aaplication (the false value) or from its plug-in located in its software resources (the false value);
  • “time_from_begin”—specifies a time period after which the Trojan starts transmitting data to the server;
  • “install_referrer”—by default, sends the "Others” value;
  • “connection_type”—network connection type;
  • “connection_sub_type”—network subtype;
  • “is_rooted”—availability of root access (the true or false value);
  • “active_device_admin”—indicates whether an infected application has administrator privileges (the true or false value);
  • “has_gp”—indicates whether a Google Play application is on the device (the true or false value);
  • "Install from = " - "Google Play”/”Others”—indicates whether the infected application is installed from Google Play or from a third-party app store.

Once any of installed applications is launched, the Trojan sends a POST request that contains the above-mentioned information, adding the name of the running application’s package and requesting advertising parameters:

  • "index" – requestads;
  • “package_name_running”—name of the running application.

Depending on a received command, Android.Spy.277.origin can execute the following actions:

  • “show_log”—enable or disable logging;
  • “install_plugin”—install a plug-in hidden inside the malicious application;
  • “banner”, “interstitial”, “video_ads”—display different types of advertisements (including, on top of the OS interface and other applications);
  • “notification”—display a notification with the received parameters;
  • “list_shortcut”—create shortcuts on the home screen (tapping these shortcuts leads to opening of specified sections in Google Play);
  • “redirect_gp”—open a webpage with a specified address in Google Play;
  • “redirect_browse”—open a specified webpage in a preinstalled browser;
  • “redirect_chrome”—open a specified webpage in Chrome;
  • “redirect_fb”—open a Facebook webpage specified by the command.

Examples of advertising images:

#drweb   #drweb

Examples of advertisements in the status bar:

#drweb   #drweb

Examples of shortcuts created by the Trojan:

#drweb

At present, more than 100 applications are known to contain Android.Spy.277.origin:

  • com.true.icaller
  • com.appstorenew.topappvn
  • com.easyandroid.free.ios6
  • com.entertainmentphotoedior.photoeffect
  • lockscreenios8.loveslockios.com.myapplication
  • com.livewallpaper.christmaswallpaper
  • com.entertainment.drumsetpro
  • com.entertainment.nocrop.nocropvideo
  • com.entertainment.fastandslowmotionvideotool
  • com.sticker.wangcats
  • com.chuthuphap.xinchu2016
  • smartapps.cameraselfie.camerachristmas
  • com.ultils.scanwifi
  • com.entertainmenttrinhduyet.coccocnhanhnhat
  • com.entertainment.malmath.apps.mm
  • com.newyear2016.framestickertet
  • com.entertainment.audio.crossdjfree
  • com.igallery.styleiphone
  • com.crazystudio.mms7.imessager
  • smartapps.music.nhactet
  • com.styleios.phonebookios9
  • com.battery.repairbattery
  • com.golauncher.ip
  • com.photo.entertainment.blurphotoeffect.photoeffect
  • com.irec.recoder
  • com.Jewel.pro2016
  • com.tones.ip.ring
  • com.entertainment.phone.speedbooster
  • com.noelphoto.stickerchristmas2016
  • smartapps.smstet.tinnhantet2016
  • com.styleios9.lockscreenchristmas2016
  • com.stickerphoto.catwangs
  • com.ultils.frontcamera
  • com.phaotet.phaono2
  • com.video.videoplayer
  • com.entertainment.mypianophone.pianomagic
  • com.entertainment.vhscamcorder
  • com.o2yc.xmas
  • smartapps.musictet.nhacxuan
  • com.inote.iphones6
  • christmas.dhbkhn.smartapps.christmas
  • com.bobby.carrothd
  • om.entertainment.camera.fisheyepro
  • com.entertainment.simplemind
  • com.icall.phonebook.io
  • com.entertainment.photo.photoeditoreffect
  • com.editphoto.makecdcover
  • com.tv.ontivivideo
  • smartapps.giaixam.gieoquedaunam
  • com.ultils.frontcamera
  • com.applock.lockscreenos9v4
  • com.beauty.camera.os
  • com.igallery.iphotos
  • com.calculator.dailycalories
  • com.os7.launcher.theme
  • com.trong.duoihinhbatchu.chucmungnammoi
  • com.apppro.phonebookios9
  • com.icamera.phone6s.os
  • com.entertainment.video.reversevideo
  • com.entertainment.photoeditor.photoeffect
  • com.appvv.meme
  • com.newyear.haitetnew
  • com.classic.redballhd
  • com.entertainmentmusic.musicplayer.styleiphoneios
  • com.camera.ios8.style
  • com.countdown.countdownnewyear2016
  • com.photographic.iphonecamera
  • com.contactstyle.phonebookstyleofios9
  • com.entertainment.blurphotobackground.photoeffect.cameraeditor.photoeffect
  • com.color.christmas.xmas
  • com.bottle.picinpiccamera
  • com.entertainment.videocollagemaker
  • com.wallpaper.wallpaperxmasandnewyear2016
  • com.ultils.lockapp.smslock
  • com.apppro.phonebookios9
  • com.entertainment.myguitar.guitarpro
  • com.sticker.stickerframetet2016
  • com.bd.android.kmlauncher
  • com.entertainment.batterysaver.batterydoctor
  • com.trong.jumpy.gamehaynhatquadat
  • com.entertainmentphotocollageeditor
  • smartapps.smsgiangsinh.christmas2016
  • smartapps.musicchristmas.christmasmusichot
  • com.golauncher.ip
  • com.applock.lockscreenos9v4
  • com.imessenger.ios
  • com.livewall.paper.xmas
  • com.main.windows.wlauncher.os.wp
  • com.entertainmentlaunchpad.launchpadultimate
  • com.fsoft.matchespuzzle
  • com.entertainment.photodat.image.imageblur
  • com.videoeditor.instashot
  • com.entertainment.hi.controls
  • com.icontrol.style.os
  • smartapps.zing.video.hot
  • com.photo.entertainment.photoblur.forinstasquare
  • com.entertainment.livewallpaperchristmas
  • com.entertainment.tivionline
  • com.iphoto.os
  • com.tool.batterychecker
  • com.photo.multiphotoblur
  • smartapps.nhactet.nhacdjtet
  • com.runliketroll.troll
  • com.jinx.metalslug.contra

News about the Trojan

Recommandations pour le traitement


Android

  1. Si votre appareil mobile fonctionne correctement, veuillez télécharger et installer sur votre appareil mobile le produit antivirus gratuit Dr.Web для Android Light. Lancez un scan complet et suivez les recommandations sur la neutralisation des menaces détectées.
  2. Si l'appareil mobile est bloqué par le Trojan de la famille Android.Locker (un message sur une violation grave de la loi ou une demande de rançon s’affichent sur l'écran de l'appareil mobile), procédez comme suit :
    • démarrez votre Smartphone ou votre tablette en mode sans échec (si vous ne savez pas comment faire, consultez la documentation de l'appareil mobile ou contactez le fabricant) ;
    • puis téléchargez et installez sur votre appareil contaminé le produit antivirus gratuit Dr.Web для Android Light et lancez un scan complet puis suivez les recommandations sur la neutralisation des menaces détectées ;
    • Débranchez votre appareil et rebranchez-le.

En savoir plus sur Dr.Web pour Android