January 18, 2017
Among the huge variety of Android Trojans, malicious programs that can covertly download mobile software have become widespread. They allow cybercriminals to get rewarded every time one of these programs is successfully downloaded and installed. One such Trojan detected by Doctor Web’s security researchers infiltrates the running process of Play Store and stealthily increases the total number of installs of Google Play applications.
Android.Skyfin.1.origin is most likely spread via certain Trojans of the Android.DownLoader family (for example, Android.DownLoader.252.origin and Android.DownLoader.255.origin) that get root access after infecting smartphones and tablets and covertly install malicious programs in the system directory. Their code consists of strings characteristic of Android.Skyfin.1.origin; therefore, Android.Skyfin.1.origin is most likely distributed specifically by one of the aforementioned malicious applications.
Once Android.Skyfin.1.origin is launched, it injects the additional module Android.Skyfin.2.origin in the process of Play Store. It steals a mobile device’s unique ID and the account of the device’s owner which are used to interact with Google services; it also steals various internal authorization codes for connecting to the Google Play catalog as well as other confidential data. Then the module sends this data to the main component of Android.Skyfin.1.origin, after which the Trojan sends the data to the command and control server along with the device’s technical information.
Using the collected data, Android.Skyfin.1.origin connects to the Google Play catalog and simulates the operation of the Play Store application. The Trojan can execute the following commands:
- /search - search in the catalog for the simulation of a user action sequence;
- /purchase - request that a program be purchased;
- /commitPurchase – confirm a purchase;
- /acceptTos - confirm consent to a license agreement’s terms;
- /delivery - request link to download an APK file from the catalog;
- /addReview /deleteReview /rateReview - add, delete, and rate reviews;
- /log – confirm a program download in order to artificially inflate the total number of installs.
Once the application specified by the cybercriminals is downloaded, Android.Skyfin.1.origin does not install it but saves it on an SD Card, which is why the user cannot see new programs that have arisen out of nowhere. As a result, the Trojan increases its odds of staying unnoticed and can continue inflating the total number of installs to artificially increase the popularity of Google Play applications.
Doctor Web security researchers have detected several modifications of Android.Skyfin.1.origin. One of them can download from Google Play only one application - com.op.blinkingcamera. The Trojan simulates a tap on a Google AdMob banner containing an advertisement of this program, downloads its APK file, and automatically increases the number of total installs by confirming the bogus installation on the Google server. Another Android.Skyfin.1.origin modification is more general. It can download any application from the catalog. For this purpose, the cybercriminals provide the Trojan with a list of programs for download.
All known Android.Skyfin.1.origin modifications are successfully detected by the Dr.Web anti-virus for Android; therefore, owners of smartphones and tablets can check their devices for this Trojan. However, as Android.Skyfin.1.origin is installed in the system directory, it can only be removed using Dr.Web Security Space for Android which has root access and is thus capable of dealing with this type of malicious application.