In February 2016, specialists at Doctor Web identified a set of malicious Android applications with an unusually wide range of functionality, CNews reports, citing Doctor Web.
The set consists of three Trojans that work together, named Android.Loki.1.origin, Android.Loki.2.origin and Android.Loki.3 respectively. The first of them is loaded with the help of the liblokih.so library, which Dr.Web Anti-virus for Android detects as Android.Loki.6. The Trojan Android.Loki.3 injects this library into one of the system processes; as a result, Android.Loki.1.origin is able to operate with the privileges of the system user. Android.Loki.1.origin is a service with a broad range of functions: for example, the Trojan can download any application from the official Google Play catalog via a special link that contains a referral to the account of a particular affiliate program, allowing the attackers to earn income.
Among the other features of Android.Loki.1.origin, Doctor Web noted the following: installing and removing applications; enabling or disabling applications and their components; stopping processes; displaying notifications; registering applications as an Accessibility Service (a service for tracking taps on the device's screen); updating its own components; and loading plug-ins on command from the control server.
The second piece of malware in the set detected by Doctor Web, Android.Loki.2.origin, is designed to install a variety of applications on the infected device on command from the control server and to display advertisements. This Trojan also has spyware functions: when run, it collects and sends the criminals the following information: the IMEI of the infected device; its IMSI; its MAC address; the MCC (Mobile Country Code); the MNC (Mobile Network Code); the OS version on the infected device; the screen resolution; memory data (total and free volume); the operating system kernel version; the device model; the device manufacturer; the firmware version; and the device serial number.
After this information is submitted, the Trojan receives from the control server a configuration file containing the data it needs to operate. At certain intervals Android.Loki.2.origin contacts the control server to receive tasks, and during each session it additionally transmits the following information to the attackers: the version of the configuration file; the version of the service implemented by the Trojan Android.Loki.1.origin; the operating system language; the country specified in the operating system settings; and information about the user's Google account.
In response, Android.Loki.2.origin receives a task either to install an application (which may be downloaded from Google Play, among other sources) or to display advertising. Tapping a notification shown by the Trojan leads either to a certain website or to the installation of an application. On command from the cybercriminals, Android.Loki.2.origin also sends the following information to the control server: the list of installed applications; browser history; the user's contact list; call history; and the current location of the device.
Finally, Android.Loki.3 performs two functions on the infected device: it injects the liblokih.so library into the system_server system service process, and it allows commands coming from the other Trojans of the Android.Loki family to be executed as the superuser (root). In effect, Android.Loki.3 acts as a server for running shell scripts: the cybercriminals' Trojans pass it the path to the script that should be executed, and Android.Loki.3 runs that script.
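A defensive triage check for the library injection described above, added here as an example and not code from Doctor Web or the CNews report: it parses a /proc/<pid>/maps listing of system_server and flags shared objects that are either named in a known-bad list or mapped from outside the trusted system partitions. The maps excerpt, the /data/local/tmp path and the libpayload.so name are constructed for the example; only liblokih.so and system_server come from the report.

```python
import os
from typing import List

# Constructed /proc/<pid>/maps excerpt for system_server on an infected device.
# Only liblokih.so comes from the report; all other paths and inodes are made up.
SAMPLE_MAPS = """\
12c00000-52c00000 rw-p 00000000 00:00 0          [anon:dalvik-main space]
7f8a3c0000-7f8a3e8000 r-xp 00000000 fd:00 1234   /system/lib64/libandroid_runtime.so
7f8a4f0000-7f8a4f8000 r-xp 00000000 fd:00 1240   /system/lib64/libc.so
7f8a500000-7f8a510000 r-xp 00000000 fd:00 2048   /system/lib64/liblokih.so
7f8a510000-7f8a512000 r--p 00010000 fd:00 2048   /system/lib64/liblokih.so
7f8a600000-7f8a610000 r-xp 00000000 fd:01 3001   /data/local/tmp/libpayload.so
7f8a700000-7f8a720000 r-xp 00000000 fd:00 1300   /vendor/lib64/libhardware.so
"""

# Partitions from which a stock system_server is expected to load native code.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/product/", "/system_ext/")
# Library names associated with this family in the report.
KNOWN_BAD_NAMES = {"liblokih.so"}


def suspicious_libraries(maps_text: str) -> List[str]:
    """Return the distinct .so paths in a maps listing that are either known-bad
    or mapped from outside the trusted partitions, in first-seen order."""
    seen = set()
    hits = []
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]; pathname may be absent.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue
        path = fields[5].strip()
        # Skip anonymous/special mappings, non-libraries and already-seen paths.
        if not path.startswith("/") or not path.endswith(".so") or path in seen:
            continue
        seen.add(path)
        name = os.path.basename(path)
        if name in KNOWN_BAD_NAMES or not path.startswith(TRUSTED_PREFIXES):
            hits.append(path)
    return hits


def scan_pid(pid: int) -> List[str]:
    """Read the live maps of a process (needs root on a real device) and scan it."""
    with open(f"/proc/{pid}/maps", encoding="utf-8", errors="replace") as fh:
        return suspicious_libraries(fh.read())


if __name__ == "__main__":
    for path in suspicious_libraries(SAMPLE_MAPS):
        print("suspicious mapping in system_server:", path)
```

A hit under a trusted prefix (as with the constructed liblokih.so entry) is consistent with the report's note that the family drops components into system folders, so the name list matters as much as the path check.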
Because the Android.Loki family of Trojans places some of its components in system folders of the Android operating system, to which anti-virus programs do not have access, the best way to eliminate the consequences of an infection when any of these malicious programs is detected on a device is to reflash the device with the original OS image. Before performing this procedure, it is recommended to back up all important information on the infected smartphone or tablet, and inexperienced users should entrust this operation to a specialist, Doctor Web advises.