SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
13 Apr 2017

Ewind Android adware is actually a full-fledged Trojan

Palo Alto Networks researchers have analyzed a string of legitimate-looking Android apps and have discovered that the adware included in them has the potential to do much more than just show ads.

Variants of the Ewind adware/malware are usually packaged in popular game and social media apps such as GTA Vice City, Minecraft – Pocket Edition, VKontakte, but also in many mobile security apps such as AVG cleaner and Avast! Ransomware Removal.

And these apps are offered for download on well-established online Android app stores catering to Russian-speaking users. “Although Ewind [as they’ve dubbed the threat] is fundamentally adware, monetization through displaying advertising on the victim device, it also includes other functionality such as collecting device data, and forwarding SMS messages to the attacker. The adware Trojan in fact potentially allows full remote access to the infected device,” they noted.

The adware/malware is also capable (among other things) of downloading an APK and creating a shortcut to it, opening URLs (in the foreground and in the background), executing supplied JavaScript in a webview for a specific web page, and enabling or disabling connectivity. For the moment, the actor behind the adware does not seem to use it for any purpose other than serving ads when finance-related apps are started, but that could easily change in the future.

More curious things about Ewind

The researchers believe that the adware author is the same person (or group) that runs these stores, and that he (or they) is of Russian origin. The Trojanized, repackaged Android application packages (APKs) are all signed with the same suspicious certificates, they found, and the C&C servers the adware contacts are hosted on the same /16 netblock as the adware was downloaded from. Additional investigation into the domains from which the adware is downloaded showed even stronger links between the various domains used.

An additional curiosity is that Russian malware authors usually avoid targeting Russian users, but this one apparently has no compunction about doing just that. “We have here an actor not only developing malware for monetization, but responsible for a network of Android App Store infrastructure which has over the years been used to serve tens of thousands of Android downloads in support of his advertising-supported monetization schemes,” they noted.

“We link tens of thousands of non-Ewind samples dating back several years to this actor based upon the infrastructure, APK signing key hashes, and/or use of the unique APK service name strings (in addition, ‘com.max.mobcoin’). These all appear to, in some fashion or another, monetize Android apps through advertising.”
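The linking approach the researchers describe, that is, clustering samples that share a signing certificate, a distinctive service name string, or hosting infrastructure in the same /16 netblock, is easy to reproduce for a set of sample records. The following script is an added example, not code from the report or from Palo Alto Networks; the sample records, certificate labels and IP addresses are constructed (RFC 5737 documentation ranges), and only the service name `com.max.mobcoin` comes from the article. It groups samples with a union-find over shared indicators, explains which indicators link any two samples, and applies the per-sample check from the article (C&C host in the same /16 as the download host).

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (hypothetical, not from the report). Each record
# carries the indicator types the researchers used: APK signing certificate
# hash, C&C address, download-source address, and embedded service names.
SAMPLES = [
    {"id": "s1", "cert_sha256": "CERT_A", "c2_ip": "203.0.113.10",
     "download_ip": "203.0.113.77", "service_names": {"com.max.mobcoin"}},
    {"id": "s2", "cert_sha256": "CERT_A", "c2_ip": "203.0.113.200",
     "download_ip": "198.51.100.5", "service_names": set()},
    {"id": "s3", "cert_sha256": "CERT_B", "c2_ip": "192.0.2.4",
     "download_ip": "192.0.2.9", "service_names": {"com.max.mobcoin"}},
    {"id": "s4", "cert_sha256": "CERT_C", "c2_ip": "198.18.5.5",
     "download_ip": "198.18.5.6", "service_names": set()},
    {"id": "s5", "cert_sha256": "CERT_C", "c2_ip": "198.19.7.7",
     "download_ip": "198.19.7.8", "service_names": set()},
]


def net16(ip):
    """Return the /16 netblock containing ip as a string, e.g. '203.0.0.0/16'."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def indicator_keys(sample):
    """Namespaced indicator keys that can link this sample to others."""
    keys = {f"cert:{sample['cert_sha256']}"}
    keys |= {f"svc:{name}" for name in sample["service_names"]}
    # Both the C&C host and the download host contribute a /16 key.
    for field in ("c2_ip", "download_ip"):
        keys.add(f"net16:{net16(sample[field])}")
    return keys


def shared_indicators(a, b):
    """Indicators two samples have in common (why an analyst would link them)."""
    return indicator_keys(a) & indicator_keys(b)


def c2_in_download_netblock(sample):
    """Per-sample heuristic from the article: C&C in same /16 as download source."""
    return net16(sample["c2_ip"]) == net16(sample["download_ip"])


def cluster_samples(samples):
    """Group samples transitively by any shared indicator (union-find)."""
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(x, y):
        rx, ry = find(x), find(y)
        if rx != ry:
            parent[ry] = rx

    first_owner = {}  # indicator key -> id of first sample carrying it
    for s in samples:
        for key in indicator_keys(s):
            if key in first_owner:
                union(first_owner[key], s["id"])
            else:
                first_owner[key] = s["id"]

    clusters = defaultdict(set)
    for s in samples:
        clusters[find(s["id"])].add(s["id"])
    return sorted(sorted(members) for members in clusters.values())


if __name__ == "__main__":
    for cluster in cluster_samples(SAMPLES):
        print("cluster:", cluster)
    by_id = {s["id"]: s for s in SAMPLES}
    print("s1<->s2 linked by:", sorted(shared_indicators(by_id["s1"], by_id["s2"])))
    for s in SAMPLES:
        print(s["id"], "C&C in download /16:", c2_in_download_netblock(s))
```

With the constructed records, s1, s2 and s3 fall into one cluster (shared certificate, shared /16, shared service name) while s4 and s5 form a second cluster on their certificate alone. A shared /16 is a much weaker signal than a shared signing key, since unrelated tenants of one hosting provider share netblocks, so in practice an analyst would treat `net16:` links as corroboration of a `cert:` or `svc:` link rather than as sufficient on their own.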


Tags:
Android information leaks trojan
Source:
Help Net Security
SafeUM © Safe Universal Messenger