Android.Sprovider.7 Trojan Found in Lenovo A319 and Lenovo A6000

Android.Sprovider.7 Trojan Found in Lenovo A319 and Lenovo A6000

Bad news for Android users – Doctor Web has uncovered two types of downloader Trojans implemented in the firmware of Android devices. The Trojans communicate with a command & control server to receive instructions about the apps to silently download and run. These apps would start each time the device is turned on or rebooted.

Related: CVE-2016-5195, Plenty of Flaws Fixed in Android’s December Bulletin


Android.Sprovider.7 Trojan and Android.DownLoader.473.origin Plague Multiple Android Devices

One of the Trojans, Android.Sprovider.7 Trojan, has been found on Lenovo A319 and Lenovo A6000 smartphones. It can also open specific links in a browser, make phone calls to specified numbers via the system application, and display ads on top of apps and in the status bar, researchers say.

Android.DownLoader.473.origin, on the other hand, is found on the following tablets and smartphones:

MegaFon Login 4 LTE, Irbis TZ85, Irbis TX97, Irbis TZ43, Irbis tz70, Irbis tz56, Bravis NB85, Bravis NB105, SUPRA M72KG, SUPRA M729G, SUPRA V2N10, Pixus Touch 7.85 3G, Itell K3300, General Satellite GS700, Digma Plane 9.7 3G, Nomi C07000, Prestigio, MultiPad Wize 3021 3G, Prestigio MultiPad PMT5001 3G, Optima 10.1 3G, TT1040MG, Marshal ME-711, 7 MID, Explay Imperium 8m, Perfeo 9032_3G, Ritmix RMD-1121, Oysters T72HM 3G, and Jeka JK103.

Researchers point out that the list may not be complete meaning that other devices may be affected as well.


Both of the Trojans are also downloaders, activated every time the device is turned on. Android.DownLoader.473.origin particularly is set to monitor the Wi-Fi module and connect to the command & control server to get the configuration file with further instructions, researchers explain.

The file also has information about the specific app the Trojan serves to download and install.

The Trojan can download not only benign applications but also malware and unwanted ones. For example, Android.DownLoader.473.origin actively distributes the advertising program H5GameCenter that is detected by Dr.Web as Adware.AdBox.1.origin. Once installed, it displays a small box image on top of running applications.

This image can’t be removed from the device’s screen. If it’s clicked, a catalog will open which is implemented in Adware.AdBox.1.origin, an adware program that will bring along unwanted and intrusive ads.


As to why these Trojans were found in Android firmware, researcher give the following explanation:

It is known that cybercriminals generate their income by increasing application download statistics and by distributing advertising software. Therefore, Android.DownLoader.473.origin and Android.Sprovider.7 were incorporated into Android firmware because dishonest outsourcers who took part in creation of Android system images decided to make money on users.

The worst thing is that these pieces can easily bring more malware onto users. Luckily, the manufacturers have been notified. Users who own any of the devices mentioned in the article are urged to contact available tech support to get updated and to clean the system software.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.