January 16, 2018

Doctor Web virus analysts have found several games on Google Play that contain Android.RemoteCode.127.origin. It covertly downloads and launches additional modules that perform various malicious actions. For example, the modules simulate user activity by covertly opening websites and clicking on elements of those pages.

Android.RemoteCode.127.origin is part of a framework (an SDK, Software Development Kit) called 呀呀云 (Ya Ya Yun). Developers use it to extend the functionality of their applications; in particular, it lets players communicate with each other. Alongside this legitimate functionality, however, the platform performs the functions of a Trojan: it covertly downloads malicious modules from a remote server.

Once a program with the embedded SDK is launched, Android.RemoteCode.127.origin sends a request to the command and control (C&C) server. In response it can receive a command to download and launch malicious modules capable of a wide range of actions. Doctor Web specialists intercepted and inspected one such module and dubbed it Android.RemoteCode.126.origin. Once launched, it connects to its own C&C server and receives a link from which to download a seemingly benign image.

In fact, this graphic file conceals another Trojan module, an updated version of Android.RemoteCode.126.origin. Virus analysts have encountered this method of hiding malicious objects inside images (steganography) before; for example, it was used by the Trojan detected in 2016 and dubbed Android.Xiny.19.origin.

Once decrypted and launched, the new version of the Trojan module (detected by Dr.Web as Android.RemoteCode.125.origin) runs alongside the old one, duplicating its functions. This module then downloads another image with a hidden malicious component, which was named Android.Click.221.origin.
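The download chain above hinges on a Trojan module arriving inside an image file that looks harmless to a casual check. The article does not say how the module is embedded or encrypted, so the checker below, an added example that is not Doctor Web's code, covers the simplest and most common variant of this trick: a payload appended after the image's real end marker (the IEND chunk of a PNG, the EOI marker of a JPEG). Instead of searching for the marker bytes, it walks the container's own structure to find where the picture ends, then reports how much data follows and how random it looks, which is what an encrypted or compressed module appended to an image looks like. The sample images and the high-entropy "payload" are constructed inline; an analyst triaging images that an app downloads would run `inspect_image` over the real files instead.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def shannon_entropy(data: bytes) -> float:
    # Bits per byte: ~8.0 for encrypted/compressed data, well below that for text or DEX code.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def png_image_end(data: bytes):
    # Walk the chunk list; the image ends right after the IEND chunk's CRC. None if malformed.
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # length + type + data + CRC
        if chunk_end > len(data):
            return None
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None

def jpeg_image_end(data: bytes):
    # Walk marker segments up to SOS (FF DA), then scan the entropy-coded data for EOI (FF D9).
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:
            break
    else:
        return None
    # In scan data FF 00 is byte stuffing and FF D0..D7 are restart markers, so the first
    # FF D9 is the real end of image (an EXIF thumbnail's EOI sits in APP1, skipped above).
    while pos + 1 < len(data):
        if data[pos] == 0xFF and data[pos + 1] == 0xD9:
            return pos + 2
        pos += 1
    return None

def inspect_image(data: bytes) -> dict:
    # Report whether anything follows the image's end marker and how random it looks.
    fmt = "png" if data.startswith(PNG_SIG) else "jpeg"
    end = png_image_end(data) if fmt == "png" else jpeg_image_end(data)
    if end is None:
        return {"format": fmt, "suspicious": True, "reason": "not a well-formed PNG or JPEG"}
    trailer = data[end:]
    entropy = round(shannon_entropy(trailer), 2)
    return {
        "format": fmt,
        "image_bytes": end,
        "trailing_bytes": len(trailer),
        "trailer_entropy": entropy,
        "suspicious": len(trailer) > 0,  # a plain picture has nothing after its end marker
        "likely_encrypted_payload": len(trailer) >= 256 and entropy > 7.0,
    }

# Constructed samples for demonstration, not files from the campaign described above.
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def make_clean_png() -> bytes:
    # A valid 1x1 white RGB PNG.
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")

def make_jpeg_skeleton() -> bytes:
    # Structurally valid SOI/APP0/SOS/EOI markers with dummy scan bytes; not a decodable picture.
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # contains a stuffed FF 00 that must not end the scan
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

def make_fake_encrypted_payload(n: int = 1024) -> bytes:
    # Deterministic high-entropy bytes standing in for an encrypted module.
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return out[:n]

if __name__ == "__main__":
    print(inspect_image(make_clean_png()))
    print(inspect_image(make_clean_png() + make_fake_encrypted_payload()))
    print(inspect_image(make_jpeg_skeleton() + make_fake_encrypted_payload()))
```

A trailer of any size is worth a look, since a normal picture has no bytes past its end marker; a large, high-entropy trailer is the stronger signal, and a low-entropy one (a text tag, a few padding bytes) usually has an innocent explanation. This check finds only appended data; a module hidden in pixel values or spread across ancillary chunks needs format-specific analysis that this example does not attempt.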

Its main purpose is to covertly open websites and click on their elements, such as links and banners. To do that, Android.Click.221.origin downloads a script from an address supplied by the C&C server. The Trojan gives the script the ability to perform various actions on a web page, including simulating clicks on specified elements. So when the Trojan's task includes following links and advertisements, cybercriminals profit by inflating website traffic statistics and generating clicks on banners. This is not the only capability of Android.RemoteCode.127.origin, however: virus writers can create additional Trojan modules that perform other malicious actions, for example displaying phishing windows to steal login credentials, showing advertising, or covertly downloading and installing applications.

Doctor Web specialists found 27 games on Google Play that use the Trojan SDK. More than 4,500,000 mobile device owners have downloaded them. The applications with embedded Android.RemoteCode.127.origin are listed in the table below:

Program name | Application package name | Version
Hero Mission | com.dodjoy.yxsm.global | 1.8
Era of Arcania | com.games37.eoa | 2.2.5
Clash of Civilizations | com.tapenjoy.warx | 0.11.1
Sword and Magic | com.UE.JYMF&hl | 1.0.0
خاتم التنين - Dragon Ring (For Egypt) | com.reedgame.ljeg | 1.0.0
perang pahlawan | com.baiduyn.indonesiamyth | 1.1400.2.0
樂舞 - 超人氣3D戀愛跳舞手遊 | com.baplay.love | 1.0.2
Fleet Glory | com.entertainment.mfgen.android | 1.5.1
Kıyamet Kombat Arena | com.esportshooting.fps.thekillbox.tr | 1.1.4
Love Dance | com.fitfun.cubizone.love | 1.1.2
Never Find Me - 8v8 real-time casual game | com.gemstone.neverfindme | 1.0.12
惡靈退散-JK女生の穿越冒險 | com.ghosttuisan.android | 0.1.7
King of Warship: National Hero | com.herogames.gplay.kowglo | 1.5.0
King of Warship: Sail and Shoot | com.herogames.gplay.kowsea | 1.5.0
狂暴之翼-2017年度最具人氣及最佳對戰手遊 | com.icantw.wings | 0.2.8
武動九天 | com.indie.wdjt.ft1 | 1.0.5
武動九天 | com.indie.wdjt.ft2 | 1.0.7
Royal flush | com.jiahe.jian.hjths | 2.0.0.2
Sword and Magic | com.linecorp.LGSAMTH | Depends on the device model
Gumballs & Dungeons: Roguelike RPG Dungeon crawler | com.qc.mgden.android | 0.41.171020.09-1.8.6
Soul Awakening | com.sa.xueqing.en | 1.1.0
Warship Rising - 10 vs 10 Real-Time Esport Battle | com.sixwaves.warshiprising | 1.0.8
Thủy Chiến - 12 Vs 12 | com.vtcmobile.thuychien | 1.2.0
Dance Together | music.party.together | 1.1.0
頂上三国 - 本格RPGバトル | com.yileweb.mgcsgja.android | 1.0.5
靈魂撕裂 | com.moloong.wjhj.tw | 1.1.0
Star Legends | com.dr.xjlh1 | 1.0.6

Virus analysts informed Google about the Trojan component found in these applications. However, at the time this news article was posted, the games were still available for download. Owners of Android smartphones and tablets are advised to delete installed games that contain Android.RemoteCode.127.origin. Dr.Web for Android successfully detects programs containing Android.RemoteCode.127.origin, and this Trojan poses no threat to our users.

More about the Trojan