Russian anti-malware company Doctor Web has discovered a new Android Trojan that can buy apps from Google Play Store. Named Android.Slicer, this trojan is embedded in a phone optimization app that offers to clean the device’s memory, shutting down unused applications.

Of all the malicious Android applications in existence today, Trojans that display annoying advertisements are the most popular with criminals.

Some of these Trojans have additional capabilities such as downloading and installing programs and stealing private user information. One such Trojan detected by Doctor Web specialists can, in specific circumstances, buy and install Google Play apps.

This Trojan, named Android.Slicer.1.origin, is usually installed by other malware programs on a device and executes functions specific to popular service utilities and SEO software. In particular, Android.Slicer.1.origin can show RAM consumption information and terminate running processes. In addition, it allows Bluetooth and Wi-Fi modules to be enabled or disabled. This Trojan does not create a shortcut on the screen, so the user cannot independently launch the application.

Although the Trojan may appear to be a benign application, it performs typical adware functions. Once Android.Slicer.1.origin is launched, or once the home screen is turned on or off, or the Wi-Fi module is disabled, the Trojan sends the command and control (C&C) server the IMEI of the infected device, the MAC address of the Wi-Fi adapter, the name of the device’s manufacturer, and the operating system version. In turn, the C&C server replies with the following instructions:

Add a shortcut to the home screen;

Display an advertisement;

Open advertising webpages in the browser or in a Google Play application.

However, Android.Slicer.1.origin can also install specific applications, including paid ones. For this purpose, it uses another Trojan—Android.Rootkit.40, which is similar to the SU utility used for working with root privileges. If Android.Rootkit.40 is present in the /system/bin directory, Android.Slicer.1.origin can automatically buy and install Google Play apps.

To do this, Android.Slicer.1.origin opens a section in one of the specified applications and, using the root privileges of Android.Rootkit.40, runs the standard uiautomator utility. Thus, the Trojan obtains information about all the windows and interface elements displayed on the screen at that moment. Then Android.Slicer.1.origin searches for the buttons with the identifiers com.android.vending:id/buy_button (the “Buy” and “Install” buttons) and com.android.vending:id/continue_button (“Continue”), determines their centre coordinates, and starts tapping them until they disappear from the screen. As a result, Android.Slicer.1.origin can obey hacker commands to automatically purchase almost any paid software program and download free applications, without the user’s knowledge.

Nevertheless, the Trojan’s abilities to covertly buy and install apps are limited. First, Android.Slicer.1.origin uses only those button identifiers that are represented in Android 4.3 and later. Second, Android.Rootkit.40 cannot operate on devices that have SELinux enabled, i.e., on Android 4.4 and later. Thus, Android.Slicer.1.origin can buy and download other programs only if the infected device runs Android 4.3.



Dr.Web for Android products successfully detect and remove Android.Slicer.1.origin, and, therefore, this malicious program poses no threat to Dr.Web users.

More about Android.Slicer Trojan

Name: Android.Slicer.1.origin

Added to Dr.Web virus database: 2016-08-05

Virus description was added: 2016-08-04

SHA1: 4d465e4f36f82fa2489d2f582ee3a20cb2c17e32

A Trojan for Android that is implemented as a service utility performing a set of simple functions. For example, it monitors RAM consumption and terminates running processes if necessary. It also lets the user control wireless connections, configure the screen brightness, and so on. Nevertheless, it is mainly designed to display advertisements.

Android.Slicer.1.origin is installed on the system by other software programs. This Trojan does not create a shortcut on the screen, so the user cannot launch the application independently.

Once Android.Slicer.1.origin is launched, or once the home screen is turned on or off, or the Wi-Fi module is disabled, the Trojan sends information regarding:

IMEI identifier of the infected device

MAC address of the Wi-Fi adapter

Name of the device manufacturer

OS version.

The command and control (C&C) server, in its turn, replies with the following instructions:

Add a shortcut to the home screen;

Display an advertisement;

Open advertising webpages in the browser or in a Google Play application.

In addition, Android.Slicer.1.origin automatically installs free Google Play applications and buys paid-for ones. This function can be executed if the /system/bin directory contains a file named .run-us, which is a Trojan—Android.Rootkit.40—similar to the SU utility.

For that, Android.Slicer.1.origin opens a section in one of the specified applications and, using the root privileges provided by Android.Rootkit.40, runs the standard uiautomator utility, which is designed for GUI testing. Then, with the help of this utility and the “uiautomator dump file_name” command, the Trojan creates an XML file that contains information about all the windows and interface elements displayed on the screen at that moment.

Then the Trojan searches for the following identifiers:

com.android.vending:id/buy_button (“Buy” and “Install” buttons);

com.android.vending:id/continue_button (“Continue”).

After that, the Trojan uses the “input tap X Y” command (where X and Y are the coordinates of the middle of the button) and starts tapping the button until it disappears from the screen. Thus, the malware program can install any software program from Google Play. However, it works only on mobile devices running Android 4.3, because the identifiers of the necessary buttons exist only in Android 4.3 and later, while Android.Rootkit.40 cannot operate on devices with SELinux (Android 4.4 and later).
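The two descriptions above (the article's summary and the virus-database entry) give three concrete preconditions for the auto-purchase behaviour: Android 4.3, no enforcing SELinux, and the .run-us file in /system/bin. The following triage script, added here and not part of Doctor Web's report, encodes those conditions so an analyst can assess a device; the adb collector at the bottom assumes adb is on the PATH and a device is attached.

```shell
#!/bin/sh
# slicer_exposure RELEASE SELINUX_MODE RUNUS_PRESENT
#   RELEASE       : value of ro.build.version.release, e.g. "4.3" or "4.4.2"
#   SELINUX_MODE  : output of getenforce ("Enforcing", "Permissive", "Disabled", "Unknown")
#   RUNUS_PRESENT : 1 if /system/bin/.run-us (Android.Rootkit.40) exists, else 0
# Prints a verdict; returns 0 when all three conditions from the report hold, 1 otherwise.
slicer_exposure() {
  release=$1; selinux=$2; runus=$3
  reasons=""
  # The report: button ids exist from 4.3 on, and the rootkit fails on SELinux
  # systems (4.4+), so only a 4.3 device satisfies both.
  case "$release" in
    4.3|4.3.*) ;;
    *) reasons="${reasons}release $release is not 4.3; " ;;
  esac
  case "$selinux" in
    Enforcing) reasons="${reasons}SELinux enforcing blocks Android.Rootkit.40; " ;;
  esac
  [ "$runus" = 1 ] || reasons="${reasons}/system/bin/.run-us absent; "
  if [ -z "$reasons" ]; then
    echo "EXPOSED: Android $release, SELinux $selinux, .run-us present"
    return 0
  fi
  echo "NOT EXPOSED: $reasons"
  return 1
}

# Collect the three facts from an attached device over adb (assumed available)
# and feed them to slicer_exposure. tr strips the CR that adb shell appends.
slicer_check_device() {
  rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
  se=$(adb shell getenforce 2>/dev/null | tr -d '\r')
  if [ -n "$(adb shell 'ls /system/bin/.run-us 2>/dev/null' | tr -d '\r')" ]; then
    present=1
  else
    present=0
  fi
  slicer_exposure "$rel" "${se:-Unknown}" "$present"
}
```

A 4.3 device carrying .run-us is reported as exposed regardless of the rest of the malware being found, so the file itself is the indicator worth acting on: remove it and the rootkit-dependent purchase path is gone.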

Curing recommendations

Android

If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.

If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following: