
Android.Skyfin.1.origin

Added to the Dr.Web virus database: 2017-01-19

Virus description added:

SHA1:

  • f10ff63c0a8b7a102d6ff8b4e4638edb8512f772
  • a5b9ca61c2c5a3b283ad56c61497df155d47f276

A Trojan for Android mobile devices. It injects an additional malicious component into the running Play Store process, steals confidential information, and covertly downloads applications from Google Play to artificially inflate their popularity. Most likely, Android.Skyfin.1.origin is distributed by several downloader Trojans of the Android.DownLoader family, which attempt to gain root access and install this malicious program in the system directory.

Once Android.Skyfin.1.origin is launched, it injects the additional Trojan module (Android.Skyfin.2.origin) into the running Play Store process, com.android.vending. The module collects the confidential information required to work with Google Play and sends the stolen data to the main component, Android.Skyfin.1.origin.

Once the required data has been collected, Android.Skyfin.1.origin sends it to the command and control (C&C) server https://api.sg****api.com/v1/phone/allInfo, together with the following information:

  • IMEI;
  • IMSI;
  • mobile device model;
  • user geolocation;
  • system language.

Using the collected information, Android.Skyfin.1.origin generates POST requests and connects to the Google Play server https://android.clients.google.com/fdfe/, imitating the Play Store client. The Trojan can then issue the following commands:

  • /search - catalog search, used to simulate a sequence of user actions;
  • /purchase - request to "purchase" (obtain) the application;
  • /commitPurchase - purchase confirmation;
  • /acceptTos - confirmation of consent to the license terms;
  • /delivery - request for the download link of an APK file from the catalog;
  • /addReview, /deleteReview, /rateReview - adding, deleting and rating reviews;
  • /log - confirmation of the application download, used to inflate the total install count.

The Trojan saves downloaded applications to the SD card but does not install them, which reduces the chance of its detection.

One Android.Skyfin.1.origin modification is configured to download only one program, com.op.blinkingcamera. To do so, the Trojan simulates a tap on a Google AdMob banner advertising the app, downloads it, and sends Google a notification of a supposedly successful installation. Another Android.Skyfin.1.origin modification receives a list of programs to download from the C&C server https://api.sg****api.com/v1/phone/syncAds.
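As an added example (not Dr.Web's code), the following log hunt looks for the two network indicators the description gives: POSTs to the /v1/phone/allInfo and /v1/phone/syncAds C&C paths, and the /fdfe/ command sequence that completes a fake install. The log line format, the device ids and the C&C host name are constructed placeholders, since the real domain is masked on the page.

```python
"""Hunt for Android.Skyfin-style activity in HTTP proxy logs (defender side).

Constructed example. Log format assumed: "<timestamp> <device> <METHOD> <host><path>".
The C&C paths and the /fdfe/ command names come from the Dr.Web description.
"""
import re
from collections import defaultdict

# C&C paths named in the description (exfiltration and tasking).
C2_PATHS = {"/v1/phone/allInfo", "/v1/phone/syncAds"}

# Play Store API commands that, in this order, complete a fake install.
INSTALL_CHAIN = ["/purchase", "/commitPurchase", "/delivery", "/log"]
PLAY_HOST = "android.clients.google.com"

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<method>[A-Z]+) (?P<host>[^/\s]+)(?P<path>/\S*)$")

# Constructed sample log; "api.c2-placeholder.invalid" stands in for the masked C&C host.
SAMPLE_LOG = """\
2017-01-19T10:00:01Z dev-A POST api.c2-placeholder.invalid/v1/phone/allInfo
2017-01-19T10:00:02Z dev-A POST android.clients.google.com/fdfe/search?q=camera
2017-01-19T10:00:03Z dev-A POST android.clients.google.com/fdfe/purchase
2017-01-19T10:00:04Z dev-A POST android.clients.google.com/fdfe/commitPurchase
2017-01-19T10:00:05Z dev-A POST android.clients.google.com/fdfe/acceptTos
2017-01-19T10:00:06Z dev-A POST android.clients.google.com/fdfe/delivery
2017-01-19T10:00:07Z dev-A POST android.clients.google.com/fdfe/log
2017-01-19T10:01:00Z dev-B POST android.clients.google.com/fdfe/search?q=maps
2017-01-19T10:01:05Z dev-B GET android.clients.google.com/fdfe/details?doc=com.example
"""

def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def contains_in_order(seq, chain):
    """True if every element of chain occurs in seq in that relative order (subsequence test)."""
    it = iter(seq)
    return all(cmd in it for cmd in chain)

def analyse(lines):
    """Return {device: [finding, ...]} for devices showing Skyfin-like traffic."""
    findings = defaultdict(list)
    fdfe_seq = defaultdict(list)  # device -> ordered /fdfe/ command names seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dev, host, path = rec["dev"], rec["host"], rec["path"]
        if rec["method"] == "POST" and path in C2_PATHS:
            findings[dev].append(f"C&C-style exfil/tasking: {host}{path}")
        if host == PLAY_HOST and path.startswith("/fdfe/"):
            fdfe_seq[dev].append("/" + path[len("/fdfe/"):].split("?")[0])
    # The install chain alone also matches a genuine user install; treat it as
    # corroborating evidence next to the C&C hit, or use it for volume baselining.
    for dev, seq in fdfe_seq.items():
        if contains_in_order(seq, INSTALL_CHAIN):
            findings[dev].append("complete install chain: " + " -> ".join(INSTALL_CHAIN))
    return dict(findings)
```

Running `analyse(SAMPLE_LOG.splitlines())` flags only dev-A, with both the C&C hit and the completed chain; dev-B's browsing produces nothing.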

News about the Trojan

Treatment recommendations

Android

  1. If your mobile device is working normally, download and install the free antivirus product Dr.Web for Android Light on it. Run a full scan and follow the recommendations for neutralizing the detected threats.
  2. If the mobile device is locked by a Trojan of the Android.Locker family (a message about a serious violation of the law or a ransom demand is displayed on the device screen), proceed as follows:
    • start your smartphone or tablet in safe mode (if you do not know how, consult the mobile device documentation or contact the manufacturer);
    • then download and install the free antivirus product Dr.Web for Android Light on the infected device, run a full scan and follow the recommendations for neutralizing the detected threats;
    • unplug your device and plug it back in.

Learn more about Dr.Web for Android