Skip to main content

Android adware places ads over other apps

A recently detected Trojan can install an unwanted program module on Android-powered mobile devices, which displays advertisement on top of the majority of launched programs.

The Trojan is called Android.Spy.510 and it was detected by Doctor Web specialists. According to the security firm’s press release, the Trojan is distributed by cybercriminals as a modified and initially non-threat AnonyPlayer media application.

Its Trojan version has all the legitimate functions and is absolutely operational—thus, the victim will not be suspicious about the threat.

Once installed and launched, Android.Spy.510 gathers and sends confidential data to the command and control server (C&C server) including login and password to the Google Play user account, mobile device model, SDK version of the operation system, and availability of root access on the device. Then the Trojan tries to install an additional hidden program package with necessary malicious features. To do that, Android.Spy.510 displays a special text message which offers the victim to install the AnonyService application that is supposed to assure users` anonymity and to protect confidential information from third parties.

However, this application is, in fact, an advertising module added to Dr.Web virus database under the name of Adware.AnonyPlayer.1.origin.

After the installation, Adware.AnonyPlayer.1.origin prompts the victim to allow the use of the Accessibility Service. Then it goes to a standby mode and starts its malicious activity only in several days. Once the specific period of time is over, Adware.AnonyPlayer.1.origin starts to monitor all system events and waits for the victim to run a program. If they do so, the module immediately displays an advertisement.

Doctor Web security researchers strongly recommend Android devices owners to download applications only from reliable sources. Besides, users should pay careful attention to the programs that request to allow them the use of the Accessibility Service.

Once the malicious application gets such privileges, it can interact with graphic interface (for example, simulate user actions in dialogs) and even intercept the information entered by the victim, operating as a keylogger. As a result, the program will be able to steal such confidential data as text messages, search queries and even passwords.