Friday, March 26, 2021

A Dangerous Android Backdoor Is Spreading Through Google Play | Antivirus

Security researchers have discovered a new backdoor on Google Play that executes commands from cybercriminals, lets them remotely control infected Android devices, and spies on users.

Detected as Android.Backdoor.736.origin, the malware is distributed as an "OpenGL plug-in" that supposedly checks the installed version of the OpenGL ES graphics interface and downloads updates for it.

When launched, Android.Backdoor.736.origin requests several sensitive system permissions that let it collect personal data and work with the file system. It also asks for permission to draw its own screens on top of other apps' windows.

The app shows a single button for checking OpenGL ES updates. When it is pressed, the Trojan only imitates a search for new versions; no check is actually performed.

As soon as the victim closes the window, Android.Backdoor.736.origin hides its icon from the app launcher and creates a home-screen shortcut instead. This is meant to make removal harder: deleting the shortcut does not uninstall the Trojan.

Android.Backdoor.736.origin runs constantly in the background. It can be started from the icon or the shortcut, automatically at system boot, or on demand by the attackers via Firebase Cloud Messaging. The Trojan's main functionality lives in an encrypted auxiliary file stored alongside the app's other resources; this file is decrypted and loaded into memory every time Android.Backdoor.736.origin starts.
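An encrypted payload sitting in the app's resource directory and decrypted only at runtime is one of the easiest things to spot during static triage, because encrypted data has near-maximal byte entropy while real configuration files, layouts and text do not. The following Go program is an added example written for this page, not code from the researchers or from the malware: it builds a constructed in-memory zip standing in for an APK (one plain-text asset and one random-byte asset that mimics an encrypted payload), then flags every entry under assets/ or res/raw/ whose Shannon entropy exceeds a threshold. The file names, sizes and the 7.5 bits-per-byte threshold are assumptions for the demonstration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"crypto/rand"
	"fmt"
	"io"
	"math"
	"strings"
)

// shannonEntropy returns the Shannon entropy of data in bits per byte (0..8).
// Compressed or encrypted data approaches 8; text and XML sit well below it.
func shannonEntropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	n := float64(len(data))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// looksCompressed skips formats that are legitimately high-entropy (PNG, JPEG,
// gzip, zip) so they do not show up as false positives.
func looksCompressed(data []byte) bool {
	prefixes := [][]byte{
		{0x89, 'P', 'N', 'G'}, {0xff, 0xd8, 0xff}, {0x1f, 0x8b}, {'P', 'K', 3, 4},
	}
	for _, p := range prefixes {
		if bytes.HasPrefix(data, p) {
			return true
		}
	}
	return false
}

// Finding is one resource entry that looks like an encrypted payload.
type Finding struct {
	Name    string
	Size    int
	Entropy float64
}

// scanAPKAssets reads an APK (a zip archive) from memory and returns the
// entries under assets/ or res/raw/ that are at least minSize bytes long,
// are not a known compressed format, and have entropy >= threshold.
func scanAPKAssets(apk []byte, threshold float64, minSize int) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(apk), int64(len(apk)))
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, f := range r.File {
		if !strings.HasPrefix(f.Name, "assets/") && !strings.HasPrefix(f.Name, "res/raw/") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		data, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		if len(data) < minSize || looksCompressed(data) {
			continue
		}
		if h := shannonEntropy(data); h >= threshold {
			out = append(out, Finding{Name: f.Name, Size: len(data), Entropy: h})
		}
	}
	return out, nil
}

// buildSampleAPK constructs the sample input: a zip with a repetitive text
// asset, a random-byte asset standing in for the encrypted payload, and a
// stub classes.dex. Every name and byte here is made up for the example.
func buildSampleAPK() ([]byte, error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	add := func(name string, data []byte) error {
		fw, err := w.Create(name)
		if err != nil {
			return err
		}
		_, err = fw.Write(data)
		return err
	}
	text := bytes.Repeat([]byte("OpenGL ES update checker configuration\n"), 200)
	if err := add("assets/config.txt", text); err != nil {
		return nil, err
	}
	payload := make([]byte, 8192)
	if _, err := rand.Read(payload); err != nil {
		return nil, err
	}
	if err := add("assets/gl_data.bin", payload); err != nil {
		return nil, err
	}
	if err := add("classes.dex", []byte("dex\n035")); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	apk, err := buildSampleAPK()
	if err != nil {
		panic(err)
	}
	findings, err := scanAPKAssets(apk, 7.5, 1024)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("suspicious resource %s (%d bytes, %.2f bits/byte)\n", f.Name, f.Size, f.Entropy)
	}
}
```

A hit from this scan is a lead, not a verdict: the next step is to find the code that reads the flagged file and feeds it to a DexClassLoader or a cipher, which is exactly the pattern described above.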

The malware keeps a connection to several command-and-control servers, from which it receives attacker commands and to which it uploads the collected data. Firebase Cloud Messaging serves as an additional control channel.

Android.Backdoor.736.origin is able to perform the following actions:

·         Transferring contact information from the phone book to the server;
·         Transferring SMS data to the server (the examined version of the Trojan lacks the permissions needed for this);
·         Transferring information about phone calls to the server;
·         Transferring the device location to the server;
·         Downloading and running APK or DEX files via the DexClassLoader class;
·         Transferring the list of installed apps to the server;
·         Downloading and running executable files;
·         Downloading files from the server;
·         Uploading a specified file to the server;
·         Transferring a listing of a specified directory, or of the memory card, to the server;
·         Running a shell command;
·         Launching specified activities;
·         Downloading and installing an Android app;
·         Displaying specified notifications;
·         Requesting the permission specified in the command;
·         Sending the server the list of permissions granted to the Trojan;
·         Locking the device (putting it to sleep).

The Trojan encrypts all data sent to the server with AES. Each request is protected by a key derived from the current time, and the server's response is encrypted with the same key.
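A key derived from the current time is not a secret: anyone who captures the traffic and knows roughly when it was sent can regenerate the key. The Go program below is an added example for this page, not the Trojan's real code or the researchers' tooling, and it assumes a hypothetical derivation (AES-128 key = first 16 bytes of SHA-256 over the big-endian Unix time in seconds) and AES-GCM with a prepended random nonce; the real scheme is not documented on this page. It encrypts a constructed request the way the Trojan's side would, then shows the analyst's side: trying every second within a window around the approximate capture time until one key authenticates the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// deriveKey models the hypothetical time-based key: SHA-256 over the
// Unix time in seconds, truncated to 16 bytes for AES-128. Any derivation
// with the timestamp as its only input has the same weakness.
func deriveKey(unixSeconds int64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(unixSeconds))
	sum := sha256.Sum256(buf[:])
	return sum[:16]
}

func newGCM(unixSeconds int64) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(unixSeconds))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptRequest is the Trojan's side: seal the request with the key for
// the moment it was sent. Output is nonce || ciphertext || GCM tag.
func encryptRequest(plaintext []byte, unixSeconds int64) ([]byte, error) {
	gcm, err := newGCM(unixSeconds)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptWithTime tries one candidate timestamp. A wrong key fails the
// GCM authentication check, so a nil error means the key was right.
func decryptWithTime(ct []byte, unixSeconds int64) ([]byte, error) {
	gcm, err := newGCM(unixSeconds)
	if err != nil {
		return nil, err
	}
	if len(ct) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, body := ct[:gcm.NonceSize()], ct[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// recoverRequest is the analyst's side: starting from the approximate
// capture time, walk outward second by second up to windowSeconds in each
// direction and return the plaintext plus the timestamp that worked.
func recoverRequest(ct []byte, approxUnix, windowSeconds int64) ([]byte, int64, error) {
	for delta := int64(0); delta <= windowSeconds; delta++ {
		for _, t := range []int64{approxUnix - delta, approxUnix + delta} {
			if pt, err := decryptWithTime(ct, t); err == nil {
				return pt, t, nil
			}
			if delta == 0 {
				break // both candidates are the same timestamp
			}
		}
	}
	return nil, 0, errors.New("no timestamp in window yields a valid decryption")
}

func main() {
	// Constructed sample: a request the Trojan would have sent at this second.
	sent := time.Date(2021, 3, 26, 10, 15, 42, 0, time.UTC).Unix()
	ct, err := encryptRequest([]byte(`{"cmd":"contacts","count":3}`), sent)
	if err != nil {
		panic(err)
	}
	// The analyst only knows the capture was made "around 10:16" (clock skew,
	// proxy logging delay), so search five minutes either side.
	pt, t, err := recoverRequest(ct, sent+37, 300)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered key time %s, plaintext %s\n", time.Unix(t, 0).UTC(), pt)
}
```

The search costs at most a few hundred AES-GCM attempts per captured message, which is why time-keyed encryption protects the C2 channel from casual inspection but not from an analyst with a packet capture and a clock. The same loop decrypts the server's responses, since the page states they use the same key.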

Android.Backdoor.736.origin is capable of installing apps in several ways:

·         silently, if the device is rooted (via a shell command);
·         through the system package manager (available only to system apps);
·         through the standard installation dialog, which requires the user's consent.

The Trojan is therefore highly dangerous. Beyond cyber espionage it can serve phishing campaigns, since it can display windows and notifications with arbitrary content, and it can download and install other malicious apps and run arbitrary code. For example, Android.Backdoor.736.origin could download an exploit and run it to obtain root privileges; from then on it could perform any action on the Android system without the user's consent.

The researchers notified Google about the Trojan. By the time this article was published, it had been removed from Google Play.

Android.Backdoor.736.origin and its components are detected by Protegent Antivirus for Android, so the malware does not pose a threat to Protegent users.
