A new Android Trojan has emerged that can buy apps from Google Play on the user's behalf. Detections of new Trojans targeting mobile devices have been rising recently, and Trojans remain the usual vehicle for getting additional malware onto Android devices.
The Trojan, detected as Android.Slicer.1, is distributed bundled with other malware. It poses as a simple utility app: it monitors RAM consumption and kills unneeded running processes, toggles Bluetooth and Wi-Fi, adjusts the screen brightness when needed, and so on. The user cannot launch the app by hand, because it creates no shortcut on the home screen or in the device's app menu, so there is no icon to tap. Although the application looks like a useful performance optimizer, it covertly behaves as typical adware.
What Does Android.Slicer.1 Really Do?
Once the Trojan is running on the device it collects the following information:
- The IMEI of the device;
- MAC address of the Wi-Fi adapter;
- The name of the device’s manufacturer;
- The version of the operating system.
At the next stage of the infection, the Trojan waits for particular system events before it connects to its command-and-control (C&C) server and transmits the collected information: the screen being turned on or off, or the Wi-Fi connection being disabled, triggers the connection attempt, after which the data is sent. The commands returned by the C&C server cause a shortcut to appear on the home screen, display advertisements, and open advertising pages in the browser or inside an application.
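The traits described so far (a utility app with no launcher icon, permissions that expose the IMEI and Wi-Fi MAC, and a receiver that wakes the app on network events) are all visible in a package's manifest, so an analyst can triage a suspect APK statically before running it. The script below is an added example written for this article, not code from Dr.Web or from the Trojan; the two manifests it scans are constructed for the example, with placeholder package names, and are not Android.Slicer.1's real manifest. One caveat it encodes: the screen on/off broadcasts can only be registered at runtime, so that trigger never shows up in a manifest and has to be confirmed by dynamic analysis.

```python
"""Static triage of an AndroidManifest.xml for the traits this article describes.
The manifests below are constructed for this example, not real captures."""
import xml.etree.ElementTree as ET

# ElementTree expands the android: prefix to the full namespace in attribute keys.
A = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app read the identifiers the Trojan collects.
IDENTIFIER_PERMS = {
    "android.permission.READ_PHONE_STATE": "IMEI via TelephonyManager",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi MAC via WifiInfo",
}
# Manifest-registrable broadcasts that wake an app without user interaction.
# Note: android.intent.action.SCREEN_ON / SCREEN_OFF cannot be declared here;
# they must be registered at runtime, so a static scan will not see them.
TRIGGER_ACTIONS = {
    "android.net.wifi.WIFI_STATE_CHANGED": "Wi-Fi toggled",
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity changed",
    "android.intent.action.BOOT_COMPLETED": "device booted",
}

# Constructed manifest with the suspicious traits (placeholder package name).
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.booster">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Speed Booster">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".OptimizerService"/>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app with a launcher icon, for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>
"""


def has_launcher_activity(manifest_xml):
    """True if some activity has a MAIN/LAUNCHER intent filter, i.e. an icon."""
    root = ET.fromstring(manifest_xml)
    for activity in root.iter("activity"):
        for f in activity.iter("intent-filter"):
            actions = {a.get(A + "name") for a in f.iter("action")}
            cats = {c.get(A + "name") for c in f.iter("category")}
            if "android.intent.action.MAIN" in actions and \
               "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def triage_manifest(manifest_xml):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    root = ET.fromstring(manifest_xml)
    findings = []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    for perm, why in IDENTIFIER_PERMS.items():
        if perm in perms:
            findings.append(f"permission {perm}: {why}")
    if root.find("application") is not None and not has_launcher_activity(manifest_xml):
        findings.append("no MAIN/LAUNCHER activity: no icon, user cannot open the app")
    for recv in root.iter("receiver"):
        actions = {a.get(A + "name") for a in recv.iter("action")}
        for act in sorted(actions & set(TRIGGER_ACTIONS)):
            findings.append(f"receiver {recv.get(A + 'name')} wakes on "
                            f"{TRIGGER_ACTIONS[act]} ({act})")
    return findings


if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml) or ["nothing flagged"])
```

None of these findings is proof of malice on its own (many legitimate apps read phone state or listen for connectivity changes), but an app with identifier permissions, a network-triggered receiver and no launcher entry at all is worth a closer look.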
How Can Android.Slicer.1 Purchase Apps?
Android.Slicer.1 can install and buy almost any paid application without the user's knowledge when it has a way to obtain root privileges. That way is its "partnership" with Android.Rootkit.40, a Trojan whose job is to provide other Trojans with the root privileges they need for their malicious activity; it is what makes the automatic downloading and purchasing of apps from Google Play possible. According to the security researchers at Dr.Web, Android.Rootkit.40 installs itself under the name ".run-us" in the bin directory.
“To automatically buy and install Google Play apps, Android.Slicer.1.origin opens a section in one of the specified applications and, using the root privileges of Android.Rootkit.40, runs a standard uiautomator utility. Thus, the Trojan gets information about all the windows and interface elements displayed on the screen at that moment,” Dr.Web security experts explain.
Android.Slicer.1 then searches that information for buttons with the following resource identifiers:
- For “Buy” and “Install” buttons – com.android.vending:id/buy_button;
- For “Continue” button – com.android.vending:id/continue_button.
From each matching element's bounds it computes the centre coordinates, then taps at those coordinates repeatedly until the buttons disappear from the screen.
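To make the mechanism concrete: uiautomator dumps the view hierarchy as XML in which every node carries a resource-id and a bounds attribute of the form [x1,y1][x2,y2]. The script below is an added example for this article, not Dr.Web's code or the Trojan's; it parses such a dump, locates the two Play Store identifiers named above, computes the centre of each, and runs the dump/tap loop against a simulated screen until neither button is present. The three dumps it uses are constructed for the example (real dumps carry many more attributes and the coordinates are made up), so it runs offline; on a device the same steps are `uiautomator dump <file>` and `input tap X Y`, which is why the loop takes the dump and tap operations as callables.

```python
"""Locate Play Store buttons in a uiautomator dump and tap their centres until
they disappear. Dumps below are constructed for this example, not captures."""
import re
import xml.etree.ElementTree as ET

# Identifiers the article lists for the Google Play client on Android 4.3.
BUTTON_IDS = (
    "com.android.vending:id/buy_button",
    "com.android.vending:id/continue_button",
)
# uiautomator writes bounds as "[left,top][right,bottom]".
BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def find_button_center(dump_xml, resource_id):
    """Return (x, y) at the centre of the first node with this resource-id, or None."""
    root = ET.fromstring(dump_xml)
    for node in root.iter("node"):
        if node.get("resource-id") != resource_id:
            continue
        m = BOUNDS_RE.fullmatch(node.get("bounds", ""))
        if not m:
            continue  # malformed bounds: skip rather than tap somewhere random
        x1, y1, x2, y2 = map(int, m.groups())
        return ((x1 + x2) // 2, (y1 + y2) // 2)
    return None


def click_through(get_dump, tap, max_taps=20):
    """Repeat: dump the UI, find the first known button, tap its centre, until
    no known button remains. Returns the (resource-id, (x, y)) taps issued.
    max_taps guards against a button that never goes away (e.g. a payment
    error dialog), so the loop cannot spin forever."""
    taps = []
    while len(taps) < max_taps:
        xml = get_dump()
        hit = None
        for rid in BUTTON_IDS:
            center = find_button_center(xml, rid)
            if center is not None:
                hit = (rid, center)
                break
        if hit is None:
            break
        tap(*hit[1])
        taps.append(hit)
    return taps


def dump_with(buttons):
    """Build a minimal uiautomator-style dump containing the given buttons
    (text, resource-id, bounds). Constructed for this example."""
    inner = "".join(
        f'<node text="{text}" resource-id="{rid}" class="android.widget.Button" '
        f'package="com.android.vending" clickable="true" bounds="{bounds}"/>'
        for text, rid, bounds in buttons)
    return ('<?xml version="1.0" encoding="UTF-8"?><hierarchy rotation="0">'
            '<node resource-id="" class="android.widget.FrameLayout" '
            f'package="com.android.vending" bounds="[0,0][1080,1920]">{inner}</node>'
            '</hierarchy>')


# Simulated purchase flow: Buy dialog, then Continue, then nothing left to tap.
SCREENS = [
    dump_with([("Buy", "com.android.vending:id/buy_button", "[528,1180][1016,1276]")]),
    dump_with([("Continue", "com.android.vending:id/continue_button", "[0,1200][1080,1320]")]),
    dump_with([]),
]


class FakeScreen:
    """Stands in for the device: each tap advances to the next dump."""
    def __init__(self, screens):
        self.screens, self.i, self.taps = screens, 0, []

    def dump(self):
        return self.screens[self.i]

    def tap(self, x, y):
        self.taps.append((x, y))
        self.i = min(self.i + 1, len(self.screens) - 1)


if __name__ == "__main__":
    screen = FakeScreen(SCREENS)
    for rid, (x, y) in click_through(screen.dump, screen.tap):
        print(f"tapped {rid} at ({x}, {y})")
```

Two things to take from this. First, nothing here is exotic: uiautomator and `input tap` are stock platform tools, and the only privilege the Trojan needs is the ability to run them as root, which is exactly what Android.Rootkit.40 supplies. Second, the loop keys on resource-ids that are specific to one version of the Play client, which is why the next section's version restriction follows directly from the technique.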
Android.Slicer.1 only works on devices running Android 4.3. On one hand, the button identifiers it searches for are the ones used by the Google Play client on Android 4.3. On the other hand, Android.Rootkit.40 cannot function on devices running Android 4.4 and later, because those releases enforce SELinux. A quick way to confirm which side of that line a device falls on is to run getenforce in an adb shell: it prints Enforcing on such builds.
Ways to Prevent an Android.Slicer.1 Attack
Using a reliable anti-malware product is essential given the continuously growing risk of cyber-attacks. Keep the operating system and all installed apps up to date: most updates are security related and may be critical to the regular and secure operation of the system, and in this case an up-to-date device (Android 4.4 or later) is simply outside the Trojan's reach. Install apps only from Google Play, be wary of installers that bundle additional apps, and treat an installed app that shows no icon in the launcher as suspicious. Finally, the reviews under an app can reveal a lot about other users' experience with it; have a look before the next download.