PSafe logo
Your IP address () and location () are vulnerable to tracking. Conceal your identity now. Install dfndr vpn.

TrojanFlyer Malware Detected: Affects 120,000 Android Phones

The DFNDR Research Lab has discovered an insidious malware. Learn which apps to avoid on on Google Play and how to protect your device.

PSafe’s Threat Analysts have discovered a malicious malware that infected at least 8 apps in Google Play. The malware, named TrojanFlyer, has the potential to affect at least 120,000 Android users, possibly more. If you don’t have Full Virus scan activated, do so now, to safeguard your Android device from these kinds of vicious attacks.

run-security-scan
The mistake that app users make is assuming that only one or two apps are infected, concluding that suspicious apps fall into the same category on Google Play, or are produced by the same developer.

Not so with TrojanFlyer. In this latest attack, cyber criminals used clever methods by corrupting several apps in different categories carrying the same malware.

These developer names popped up across the 8 apps: Chet Grode, DenSavin, Lakov Kay. The apps were a QR code reader, wallpaper, battery optimizer, and photo galleries of beautiful women.

TrojanFlyer-Apps1

TrojanFlyer-Apps2

TrojanFlyer-Apps3 (1)

These 8 app packages were the culprits:

  • com.appmasteringsoft.qrcodefree
  • com.boxedstudiolow.wallhdplus
  • com.lightboostcleaner.app
  • com.ivoice.voicecallsrecorderapp
  • com.microtikappstudio.wallalbumsfree
  • vn.smartringtonesapp
  • com.exfrontvisuals.hdimagesfree
  • Com.esterightsapps.wallcollectionfree

After users initially downloaded these apps, they behaved normally, while in the background the malware was already running, using a service to start the APP which takes over a user’s entire operating system.

The malware used a developer’s tool called AlarmManager to monitor if a smartphone is turned on and has a WiFi connection. Once an Internet connection is established, hackers downloaded the second part of the malware.

Next, the malware gained further control through permissions. These apps asked users permission to make calls, access SMS information and call history, as well as, access a user’s filing storage system, including personal photos.

Once the malware gained control, it could gain access to the entire device’s contents. Including, call history:

TrojanFlyer-CallHistory

Contact list:

TrojanFlyer-ContactList

SMS history:

TrojanFlyer-SMS (1)

Number of photos and photo storage:

TrojanFlyer-Photo

The scary result is criminals had full control of a smartphone with TrojanFly, being able to access personal information, private photos, make calls, send text messages, or infiltrate banking apps.

With the latest Android 6.0/7.0 updates, permissions for your apps has certainly changed, but always be cautious which permissions you allow. Ensure the permissions fit the purpose of the app.

TrojanFlyer-Comments

If you’re being asked for access to your contacts list, for example, and you’re unsure, always delete the app immediately and activate a trusted antivirus app.

PSafe’s DFNDR security app deters 65,000 instances of malware and 700,000 suspicious links a day. We strive to offer the most robust protection for your Android device. Find our full suite of products on the Google Play store now.