An information-stealing Android Trojan targeting U.S., Russian and European users blocks the user from proceeding until it is granted device administrator rights, researchers said.
Believing they are installing a legitimate, useful app, users most likely download the malware-laced app themselves, and from then on all bets are off, researchers at Avast said.
Once installed, the Trojan puts an icon in the launcher, and the name of the fake app may be AVITO-MMS, MMS Центр (MMS Center), or KupiVip (KupiVIP is a Russian online fashion retailer).
Once that app launches, the malware hides the icon.
The Trojan checks whether it is running in an emulator; if it is not, the attack starts: the malware shows, again and again, a dialog box asking the user to grant it administrator rights.
Clicking on the “Cancel” button doesn’t work, and it’s easy to imagine that, exasperated, some users will ultimately relent. Then, they are repeatedly hit with another pop-up – the Trojan wants to become the default SMS app.
The Trojan’s mission is to collect device information and send it to a C&C server operated by the attackers. From there, they can send out commands to it, and can make it download additional apps, collect call logs, SMSes, bookmarks, contacts, GPS coordinates, a list of installed apps, as well as redirect calls to a specific number and lock the screen.
Finally, the Trojan can also pop up fake login and account update screens over legitimate apps (e.g. Google Play) in the hope that the victim will enter their login credentials, personal data and payment card details.
The number of infections has dropped over the past few months, but that doesn’t mean other malware creators won’t use the same trick.
Apart from preventing the malware from getting onto the device in the first place (either by being careful or by using a mobile security solution), potential victims can stop the Trojan’s repeated pestering and remove it from the device, but they will have to power down the phone and restore it to factory settings.
Another option, which works on Android Marshmallow, lets users try to uninstall the app even while the nagging screens keep popping up, by opening Settings from the top-down swipe. KitKat users aren’t so lucky – they have to reset the phone to factory settings.
“Lastly, if you do have USB debugging enabled and have access to your phone via a trusted PC, you can try to kill the application via ADB (Android Debugging Bridge) and then uninstall it,” said Avast researcher Jan Piskacek in a blog post.
He does add, however, “this option is only for advanced users and generally, leaving your phone with permanent USB debugging enabled could mean that anyone who gets ahold of your phone, even if only for a short time, can get access to all the data located on your phone.”
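The ADB route Avast mentions, worked through as an added example (this is not Avast's tooling or the original post's code): it assumes a phone with USB debugging enabled and authorised on a trusted PC with `adb` on the PATH, and the `dumpsys device_policy` sample embedded for the offline self-check is constructed, with invented package names.

```shell
# Added triage helper (not Avast's): list which packages hold device-admin rights
# and the default-SMS role, force-stop the offender, then attempt to uninstall it.
set -eu

ADB="${ADB:-adb}"   # path to the adb binary on the trusted PC

# Read `dumpsys device_policy` text on stdin and print the package name of every
# enabled device admin ("pkg/receiver:" lines under "Enabled Device Admins").
admin_packages() {
  awk '
    /Enabled Device Admins/ { in_block = 1; next }
    in_block && /^[ \t]*[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:[ \t]*$/ {
      split($1, parts, "/"); print parts[1]
    }
    in_block && /^  [^ ]/ { in_block = 0 }   # next dumpsys section begins
  ' | sort -u
}

# Package currently holding the default-SMS role (Settings.Secure key).
default_sms_package() {
  "$ADB" shell settings get secure sms_default_application | tr -d '\r'
}

# Kill the process (this silences the nagging dialogs) and attempt removal. The
# package manager refuses to uninstall an *active* device admin and reports
# DELETE_FAILED_DEVICE_POLICY_MANAGER; deactivate it under Settings > Security >
# Device administrators first, then run this again.
evict_package() {
  "$ADB" shell am force-stop "$1"
  "$ADB" shell pm uninstall "$1"
}

# Constructed dumpsys sample for the offline self-check; package names invented.
sample_dumpsys() {
  cat <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mmscenter/.AdminReceiver:
      uid=10087
    com.example.legit.admin/.DeviceAdmin:
      uid=10042
  Password Owner: -1
EOF
}

# Usage: sh triage.sh --package <pkg>  (shows admin holders, then evicts <pkg>)
if [ "${1:-}" = "--package" ] && [ -n "${2:-}" ]; then
  echo "Device admins:"; "$ADB" shell dumpsys device_policy | tr -d '\r' | admin_packages
  echo "Default SMS app: $(default_sms_package)"
  evict_package "$2"
fi
```

Run `sample_dumpsys | admin_packages` to see the parser pick out the two admin packages from the constructed sample before pointing it at a real device.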