Trojan in 155 Google Play Android Apps Affects 2.8 Million Users
There are currently 155 Android apps on the official Google Play Store infected with the Android.Spy trojan that collects details about the user’s device and then shows ads on top of the phone’s home screen or of other applications, and inside the OS notification area.
Security firm Dr.Web says they informed Google about this new threat, but the search giant has not yet removed all infringing apps, and as such, they are releasing a list of names of all the apps they’ve found showing traces of the trojan so that users can stay away from them. (Full list at the end of the article.)
Trojan was seen before on Google Play in April
The trojan, named Android.Spy.305, is a newer variation of the Android.Spy family, which was last sighted in April 2016.
Back then, the same Dr.Web researchers found Android.Spy.277 in 104 Android apps on the Google Play Store, which were downloaded more than 3.2 million times.
Adding up the total number of downloads for Android.Spy.305, Dr.Web security researchers say that over 2.8 million users might be affected by this new version of the trojan.
Trojan collects user details and then shows ads
As with the original, Android.Spy.305 will begin its malicious behavior after the user installs the tainted app. The first thing it will do is collect data on the user’s device, such as the email address connected to their Google user account, OS language, OS version, device name and model, and IMEI.
Additionally, the trojan also collects details such as the screen resolution, mobile network operator, a list of installed applications, the name of the app through which the trojan was delivered, the developer ID and the SDK version.
The last two details are important because Dr.Web researchers claim that the trojan is actually distributed inside an advertising SDK, used to build other applications.
Trojan is hidden inside an advertising SDK
Researchers didn’t reveal the SDK’s name, but crooks have used SDKs in the past to fool developers into embedding malware inside legitimate apps without their knowledge.
Luckily, at this point, the trojan is only focused on delivering ads and not stealing any sensitive data from the device’s owner.
Dr.Web says it detected the trojan in the apps offered by developers such as MaxMitek Inc, Fatty Studio, Gig Mobile, TrueApp Lab, Sigourney Studio, Doril Radio.FM, Finch Peach Mobile Apps, and Mothrr Mobile Apps.