Bad news for Android users – Doctor Web has uncovered two types of downloader Trojans implemented in the firmware of Android devices. The Trojans communicate with a command & control server to receive instructions about the apps to silently download and run. These apps would start each time the device is turned on or rebooted.
Android.Sprovider.7 Trojan and Android.DownLoader.473.origin Plague Multiple Android Devices
One of the Trojans, Android.Sprovider.7 Trojan, has been found on Lenovo A319 and Lenovo A6000 smartphones. It can also open specific links in a browser, make phone calls to specified numbers via the system application, and display ads on top of apps and in the status bar, researchers say.
Android.DownLoader.473.origin, on the other hand, is found on the following tablets and smartphones:
Researchers point out that the list may not be complete meaning that other devices may be affected as well.
Both of the Trojans are also downloaders, activated every time the device is turned on. Android.DownLoader.473.origin particularly is set to monitor the Wi-Fi module and connect to the command & control server to get the configuration file with further instructions, researchers explain.
The file also has information about the specific app the Trojan serves to download and install.
The Trojan can download not only benign applications but also malware and unwanted ones. For example, Android.DownLoader.473.origin actively distributes the advertising program H5GameCenter that is detected by Dr.Web as Adware.AdBox.1.origin. Once installed, it displays a small box image on top of running applications.
This image can’t be removed from the device’s screen. If it’s clicked, a catalog will open which is implemented in Adware.AdBox.1.origin, an adware program that will bring along unwanted and intrusive ads.
As to why these Trojans were found in Android firmware, researcher give the following explanation:
It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users.
The worst thing is that these pieces can easily bring more malware onto users. Luckily, the manufacturers have been notified. Users who own any of the devices mentioned in the article are urged to contact available tech support to get updated and to clean the system software.