Trojan covertly purchases and installs programs with the help of other malware.
Information security researchers at “Doctor Web” have found new malware for Android-based devices that can, under certain conditions, buy and install applications from Google Play on its own.
The Trojan Android.Slicer.1.origin (in the “Doctor Web” classification) is installed on mobile devices by other malicious applications. The Trojan can display data on RAM usage and “clean” memory by terminating active processes. The malware also allows the user to enable or disable the Wi-Fi and Bluetooth wireless modules.
The main purpose of Android.Slicer.1.origin is to show advertisements. However, under certain conditions, the Trojan is able to install programs from Google Play on its own, including paid ones. This is made possible by another piece of malware, Android.Rootkit.40 (in the “Doctor Web” classification), which is an analogue of the su utility for working with root privileges. If this malware is present in the system directory /system/bin, Android.Slicer.1.origin can automatically buy and install applications from Google Play.
Android.Slicer.1.origin opens the application's section in the catalog and, using Android.Rootkit.40, launches the standard system utility uiautomator as superuser. In this way the Trojan obtains information about all windows and controls visible on the screen at that moment. It then searches for the buttons with the identifiers com.android.vending:id/buy_button (the “Buy” and “Install” buttons) and com.android.vending:id/continue_button (the “Continue” button). The malware finds the coordinates of the middle of the corresponding buttons and clicks on them for as long as controls with the required IDs are present on the screen.
The Trojan's capacity for covertly buying and installing applications is rather limited. The button identifiers the malware uses appear in Android OS version 4.3 and above. The auxiliary malicious program Android.Rootkit.40 cannot run on devices with active SELinux, i.e. on Android OS version 4.4 and above. According to the researchers, Android.Slicer.1.origin can independently acquire and install programs from Google Play only on devices running Android 4.3.
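
A defender-side check for the uiautomator step described above, as an added example that is not from the “Doctor Web” report: it parses `ps`-style output and flags a root-owned uiautomator process whose ancestry leads back to an application UID. The sample process list, the package name com.example.cleaner and the process-name match are constructed assumptions.

```python
import re

# Constructed sample in the style of Android 4.3 `ps` output (not from a real device).
# Assumption: the launched utility shows up with "uiautomator" in its process name.
SAMPLE_PS = """\
USER     PID   PPID  VSIZE  RSS   WCHAN    PC         NAME
root      1     0     640    496   ffffffff 00000000 S /init
shell     130   1     4500   300   ffffffff 00000000 S /sbin/adbd
root      140   1     480000 40000 ffffffff 00000000 S zygote
shell     900   130   1200   500   ffffffff 00000000 S /system/bin/sh
shell     910   900   300000 20000 ffffffff 00000000 S uiautomator
u0_a77    1500  140   500000 50000 ffffffff 00000000 S com.example.cleaner
root      1510  1500  1100   400   ffffffff 00000000 S /system/bin/sh
root      1520  1510  300000 20000 ffffffff 00000000 S uiautomator
"""

APP_USER = re.compile(r"^u\d+_a\d+$")  # per-app UID names such as u0_a77

def parse_ps(text):
    """Map PID -> user, parent PID and process name; header and junk lines are skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 9 and f[1].isdigit() and f[2].isdigit():
            procs[int(f[1])] = {"user": f[0], "ppid": int(f[2]), "name": " ".join(f[8:])}
    return procs

def app_ancestor(procs, pid):
    """Walk up the parent chain; return the first ancestor that runs under an app UID."""
    seen = set()
    pid = procs[pid]["ppid"]
    while pid in procs and pid not in seen:  # 'seen' guards against PID loops in bad input
        seen.add(pid)
        if APP_USER.match(procs[pid]["user"]):
            return procs[pid]["name"]
        pid = procs[pid]["ppid"]
    return None

def suspicious_uiautomator(text):
    """Return (pid, owning app) for root uiautomator processes descended from an app."""
    procs = parse_ps(text)
    hits = []
    for pid, p in sorted(procs.items()):
        owner = app_ancestor(procs, pid)
        if p["user"] == "root" and "uiautomator" in p["name"] and owner:
            hits.append((pid, owner))
    return hits

if __name__ == "__main__":
    print(suspicious_uiautomator(SAMPLE_PS))
```

The uiautomator instance started from the adb shell (user shell, PID 910 in the sample) is not flagged; only the root-owned instance under an app process is.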