Android Users – PSafe Blog https://www.psafe.com/en/blog Articles and news about Mobile Security, Android, Apps, Social Media and Technology in general. Thu, 19 Jan 2023 14:49:21 +0000 en-US hourly 1 https://wordpress.org/?v=6.5.3 https://www.psafe.com/en/blog/wp-content/uploads/2018/05/cropped-psafe_blog_purple-shield-32x32.png Android Users – PSafe Blog https://www.psafe.com/en/blog 32 32 <![CDATA[TrojanFlyer Malware Infects 120,000 Android Users]]> https://www.psafe.com/en/blog/trojanflyer-infect-120000-android-users/ Mon, 24 Jul 2017 17:36:16 +0000 https://www.psafe.com/en/blog/?p=12725 PSafe’s Threat Analysts have discovered a malicious malware that infected at least 8 apps in Google Play. The malware, named TrojanFlyer, affected at least 120,000 Android users, possibly more.

The mistake that app users make is assuming that only one or two apps are infected, concluding that suspicious apps fall into the same category on Google Play, or are produced by the same developer.

Not so with TrojanFlyer. In this latest attack, cyber criminals used clever methods by corrupting several apps in different categories carrying the same malware.

These developer names popped up across the 8 apps: Chet Grode, DenSavin, Lakov Kay. The apps were a QR code reader, wallpaper, battery optimizer, and photo galleries of beautiful women.

TrojanFlyer2

TrojanFlyer1

Trojan-14

These 8 app packages were the culprits:

  • com.appmasteringsoft.qrcodefree
  • com.boxedstudiolow.wallhdplus
  • com.lightboostcleaner.app
  • com.ivoice.voicecallsrecorderapp
  • com.microtikappstudio.wallalbumsfree
  • vn.smartringtonesapp
  • com.exfrontvisuals.hdimagesfree
  • com.esterightsapps.wallcollectionfree

After users initially downloaded these apps, they behaved normally, while in the background the malware was already running, using a service to start the APP which takes over a user’s entire operating system.

The malware used a developer’s tool called AlarmManager to monitor if a smartphone is turned on and has a WiFi connection. Once an Internet connection is established, hackers download the second part of the malware:

TrojanFlyer-3

Next, the malware gained further control by asking users for unusual permission requests:

android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_EXTERNAL_STORAGE

TrojanFlyer-4

In order to take over an entire device, the model, brand and Android version are fed to a server and a jar file is downloaded to the application folder:

TrojanFlyer-5

TrojanFlyer-6

And then a full take-over can begin. The malware starts to receive commands from a server hosted in downloadh.pw:

TrojanFlyer-7

TrojanFlyer-8

New native codes are initiated:

TrojanFlyer-9

Finally, those compromised permissions are accessed, such as the contact list:

Trojan-10

Call history:

Trojan-11

SMS history:

TrojanFlyer-12

Number of photos and photo storage:

TrojanFlyer-13

The scary result is criminals had full control of a smartphone with TrojanFly, being able to access personal information, private photos, make calls, send text messages, or infiltrate banking apps.

With the latest Android 6.0/7.0 updates, permissions for your apps has certainly changed, but always be cautious which permissions you allow. Ensure the permissions fit the purpose of the app.

reviews google play

If you’re being asked for access to your contacts list, for example, and you’re unsure, always delete the app immediately and activate a trusted antivirus app.

PSafe’s DFNDR security app deters 65,000 instances of malware and 700,000 suspicious links a day. We strive to offer the most robust protection for your Android device. Find our full suite of products on the Google Play store now.

]]>