{"id":12725,"date":"2017-07-24T12:36:16","date_gmt":"2017-07-24T17:36:16","guid":{"rendered":"https:\/\/www.psafe.com\/en\/blog\/?p=12725"},"modified":"2017-08-01T23:23:37","modified_gmt":"2017-08-02T04:23:37","slug":"trojanflyer-infect-120000-android-users","status":"publish","type":"post","link":"https:\/\/www.psafe.com\/en\/blog\/trojanflyer-infect-120000-android-users\/","title":{"rendered":"TrojanFlyer Malware Infects 120,000 Android Users"},"content":{"rendered":"<p><b>PSafe\u2019s Threat Analysts<\/b><span style=\"font-weight: 400;\"> have discovered malware that infected at least 8 apps in <em>Google Play<\/em>. The malware, named <strong>TrojanFlyer<\/strong>, affected at least 120,000 Android users, possibly more.<br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\nThe mistake app users make is assuming that only one or two apps are infected, and that suspicious apps fall into the same category on <em>Google Play<\/em> or come from the same developer.<\/span><\/p>\n<p>Not so with <strong>TrojanFlyer<\/strong>. In this latest attack, cyber criminals were cleverer: several\u00a0apps in different categories carried the same malware.<\/p>\n<p>These developer names popped up across the 8 apps: Chet Grode, DenSavin, Lakov Kay. 
The apps were a QR code reader, a wallpaper app, a battery optimizer, and photo galleries of beautiful women.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12924\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer2.png\" alt=\"TrojanFlyer2\" width=\"601\" height=\"430\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12921\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer1.png\" alt=\"TrojanFlyer1\" width=\"600\" height=\"311\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12974\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/Trojan-14.png\" alt=\"Trojan-14\" width=\"599\" height=\"688\" \/><\/p>\n<p>These 8 app packages were the culprits:<\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.appmasteringsoft.qrcodefree<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.boxedstudiolow.wallhdplus<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.lightboostcleaner.app<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.ivoice.voicecallsrecorderapp<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.microtikappstudio.wallalbumsfree<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">vn.smartringtonesapp<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.exfrontvisuals.hdimagesfree<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">com.esterightsapps.wallcollectionfree<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">After users installed these apps, they behaved normally, while in the background the malware was already running, using a service to start the app that takes over a user\u2019s entire 
operating system. <\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The malware used the Android developer API AlarmManager to check whether the smartphone is turned on and has a WiFi connection. Once an Internet connection is established, the second stage of the malware is downloaded:<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-12934\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-3.jpg\" alt=\"TrojanFlyer-3\" width=\"600\" height=\"174\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Next, the malware gained further control by requesting unusual permissions from the user:<\/span><\/p>\n<blockquote><p>android.permission.READ_CALL_LOG<br \/>\nandroid.permission.READ_CONTACTS<br \/>\nandroid.permission.READ_EXTERNAL_STORAGE<\/p><\/blockquote>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12940\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-4.jpg\" alt=\"TrojanFlyer-4\" width=\"600\" height=\"96\" \/><\/p>\n<p>In order to take over an\u00a0entire device, the model, brand and Android version are sent to a server and a JAR file is downloaded to the application folder:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12945\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-5.png\" alt=\"TrojanFlyer-5\" width=\"600\" height=\"210\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12946\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-6.png\" alt=\"TrojanFlyer-6\" width=\"600\" height=\"427\" \/><\/p>\n<p>Then the full take-over can begin.\u00a0The malware\u00a0starts\u00a0to receive commands from a\u00a0server hosted at downloadh.pw:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter 
size-full wp-image-12949\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-7.png\" alt=\"TrojanFlyer-7\" width=\"600\" height=\"106\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12950\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-8.png\" alt=\"TrojanFlyer-8\" width=\"600\" height=\"165\" \/><\/p>\n<p>New native code is initiated:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12956\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-9.png\" alt=\"TrojanFlyer-9\" width=\"600\" height=\"116\" \/><\/p>\n<p>Finally, the data covered by those granted permissions is accessed, such as the contact list:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12959\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/Trojan-10.png\" alt=\"Trojan-10\" width=\"600\" height=\"108\" \/><\/p>\n<p>Call history:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12962\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/Trojan-11.png\" alt=\"Trojan-11\" width=\"600\" height=\"248\" \/><\/p>\n<p>SMS history:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12965\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-12.png\" alt=\"TrojanFlyer-12\" width=\"600\" height=\"229\" \/><\/p>\n<p>Number of photos and photo storage:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-12971\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/TrojanFlyer-13.png\" alt=\"TrojanFlyer-13\" width=\"600\" height=\"238\" \/><\/p>\n<p><span style=\"font-weight: 400;\">The scary result is that criminals had full control of a smartphone infected with <strong>TrojanFlyer<\/strong>, being able to 
access personal information and private photos, make calls, send text messages, or infiltrate banking apps.<\/span><\/p>\n<p>With the latest Android 6.0\/7.0 updates, the way apps request permissions has certainly changed, but always be cautious about which permissions you allow. Ensure the permissions fit the purpose of the app.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-12734\" src=\"https:\/\/www.psafe.com\/en\/blog\/wp-content\/uploads\/2017\/07\/reviews-google-play.png\" alt=\"reviews google play\" width=\"615\" height=\"161\" \/><\/p>\n<p>If you\u2019re being asked for access to your contacts list, for example, and you\u2019re unsure, delete the app immediately and activate a trusted antivirus app.<\/p>\n<p><span style=\"font-weight: 400;\"><strong>PSafe\u2019s DFNDR security app<\/strong> deters 65,000 instances of malware and 700,000 suspicious links a day. We strive to offer the most robust protection for your Android device. Find our full suite of products on the <\/span><a href=\"https:\/\/play.google.com\/store\/apps\/dev?id=6983664378165836486&amp;hl=en\"><span style=\"font-weight: 400;\">Google Play store<\/span><\/a><span style=\"font-weight: 400;\"> now.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The DFNDR Research Lab has discovered insidious malware. 
Learn which apps to avoid on Google Play and how to protect your device.<\/p>\n","protected":false},"author":83,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"_crdt_document":"","footnotes":""},"categories":[5],"tags":[4473,1053,4476],"class_list":["post-12725","post","type-post","status-publish","format-image","hentry","category-security","tag-android-users","tag-google-play-store","tag-trojanflyer","post_format-post-format-image"],"_links":{"self":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts\/12725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/users\/83"}],"replies":[{"embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/comments?post=12725"}],"version-history":[{"count":0,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/posts\/12725\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/media?parent=12725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/categories?post=12725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.psafe.com\/en\/blog\/wp-json\/wp\/v2\/tags?post=12725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}