Security

TrojanFlyer Malware Infects 120,000 Android Users

PSafe’s Threat Analysts have discovered a malicious malware that infected at least 8 apps in Google Play. The malware, named TrojanFlyer, affected at least 120,000 Android users, possibly more.

The mistake that app users make is assuming that only one or two apps are infected, concluding that suspicious apps fall into the same category on Google Play, or are produced by the same developer.

Not so with TrojanFlyer. In this latest attack, cyber criminals used clever methods by corrupting several apps in different categories carrying the same malware.

These developer names popped up across the 8 apps: Chet Grode, DenSavin, Lakov Kay. The apps were a QR code reader, wallpaper, battery optimizer, and photo galleries of beautiful women.

These 8 app packages were the culprits:

com.appmasteringsoft.qrcodefree
com.boxedstudiolow.wallhdplus
com.lightboostcleaner.app
com.ivoice.voicecallsrecorderapp
com.microtikappstudio.wallalbumsfree
vn.smartringtonesapp
com.exfrontvisuals.hdimagesfree
com.esterightsapps.wallcollectionfree

After users initially downloaded these apps, they behaved normally, while in the background the malware was already running, using a service to start the APP which takes over a user’s entire operating system.

The malware used a developer’s tool called AlarmManager to monitor if a smartphone is turned on and has a WiFi connection. Once an Internet connection is established, hackers download the second part of the malware:

Next, the malware gained further control by asking users for unusual permission requests:

android.permission.READ_CALL_LOG
android.permission.READ_CONTACTS
android.permission.READ_EXTERNAL_STORAGE

In order to take over an entire device, the model, brand and Android version are fed to a server and a jar file is downloaded to the application folder:

And then a full take-over can begin. The malware starts to receive commands from a server hosted in downloadh.pw:

New native codes are initiated:

Finally, those compromised permissions are accessed, such as the contact list:

Call history:

SMS history:

Number of photos and photo storage:

The scary result is criminals had full control of a smartphone with TrojanFly, being able to access personal information, private photos, make calls, send text messages, or infiltrate banking apps.

With the latest Android 6.0/7.0 updates, permissions for your apps has certainly changed, but always be cautious which permissions you allow. Ensure the permissions fit the purpose of the app.

If you’re being asked for access to your contacts list, for example, and you’re unsure, always delete the app immediately and activate a trusted antivirus app.

PSafe’s DFNDR security app deters 65,000 instances of malware and 700,000 suspicious links a day. We strive to offer the most robust protection for your Android device. Find our full suite of products on the Google Play store now.

PSafe Newsroom

The dfndr blog is an informative channel that presents exclusive content on security and privacy in the mobile and business world, with tips to keep users protected. Populated by a select group of expert reporters, the channel has a partnership with dfndr lab's security team. Together they bring you, first-notice news about attacks, scams, internet vulnerabilities, malware and everything affecting cybersecurity.