Providing a glimpse into a Russian-built malware campaign, a team of security researchers has analysed an Android-based adware family, discovering it's more dangerous than previously known. It could potentially give hackers "full remote access" on an infected device.

The cybercriminals behind "multiple" new strains of an advertising malware (adware) codenamed "Ewind" take a simple but effective approach to infecting unwitting users: downloading legitimate applications, tearing them apart and repackaging them with malicious code.

They then distribute the Trojanised apps using well-established third-party stores that are used to gain access to free software.

According to Palo Alto Networks, popular Ewind targets include GTA Vice City, AVG, Minecraft and Avast! Ransomware Removal, however there are many more.



Multiple new strains have emerged since mid-2016 yet the full scope of the attacks remain unclear. IBTimes UK contacted the company for more data on this however had not received a response at the time of publication.

"Although Ewind is fundamentally adware [...] it also includes other functionality such as collecting device data, and forwarding SMS messages to the attacker", said Palo Alto experts in a blog post.

They added: "Although we've only observed these Trojans being used to deliver ads to victims, with device-admin access and the functionality to download and execute any file on the device, the actor behind this activity can easily take full control of the victim device."

The researchers said based on the firm's analysis the attacker is from Russia. However, they pointed out that unlike many culprits from that country the attack appears to have no problem targeting other Russian users. Palo Alto Networks highlighted this as "somewhat unusual."

Once embedded in a device, Ewind can be "instructed" by the cybercriminals to carry out a range of commands. These include accessing full SMS text messages alongside the sender's phone number - a tactic likely intended to circumvent two-factor authentication by SMS, the researchers said.

"Ewind is more than simply adware," the team concluded, adding: "Ewind is, at very least, an actual Trojan – subverting genuine Android apps. The functionality to forward SMS messages to a [hackers' server] hints at possible intentions beyond just delivering adware.

"We have here an actor not only developing malware for monetisation, but responsible for a network of Android app store infrastructure that has over the years been used to serve tens of thousands of Android downloads in support of his advertising-supported schemes."

Adware has long plagued web users. According to Kaspersky Lab, who investigated the subject in September last year, the malicious software which hackers use to profit off embedded advertising is highly prevalent in the Russian Federation, the Middle East and Europe.

In 2015, Lookout Security warned about adware it found in more than 20,000 apps masquerading as services including Facebook, Twitter and Snapchat. It claimed the virus was "nearly impossible to remove" and said it may leave users with no other option than to replace their devices.