If you suddenly start seeing random advertisements popping up on your Android device, you have likely been infected with adware. But if you’re terribly unlucky, you might have also been hit with information-stealing malware.
Dr. Web researchers have recently uncovered and analyzed a Trojanized version of the legitimate AnonyPlayer media application (they dubbed it Android.Spy.510).
It works as expected, but in the background it collects the following information: the model of the mobile device, the SDK version of the OS, availability of root access, and login credentials for the user’s Google Play account.
All this was obviously not enough for the criminals behind this piece of malware, as they also make it ask the user to install an app called AnonyService, which supposedly secures the user’s privacy from third parties.
But users who choose to do so will actually install an advertising module, which will then ask the user to allow the use of the Accessibility Service:
Those who don’t find the warning in the above screenshot problematic will be saddled with the advertising module.
The interesting thing about this module is that it shows several behaviors aimed at making the compromise of the device less obvious.
For one thing, it waits a few days before springing into action. Secondly, it shows ads only when apps that are not on a hard-coded whitelist are run. For example, it will not show ads if you open the device’s Settings, clock app, camera, contacts, and so on.
Every launch of an app that’s not on the list will trigger the showing of an ad. “As a result, the owner of a compromised device may think that it is the launched application that is responsible for annoying notifications,” the researchers noted.
Naturally, to divert suspicion from the Trojanized version of AnonyPlayer, no ads will be shown when that particular app is launched.
The legitimate AnonyPlayer and the Trojanized version can’t be found on Google Play, but can be downloaded from third-party app stores. While it’s unreasonable to expect that all users restrict their app downloading to Google Play, they should be careful when faced with requests from apps to allow the use of the Accessibility Service.
“Once the malicious application gets such privileges, it can interact with graphic interface (for example, simulate user actions in dialogs) and even intercept the information entered by the victim, operating as a keylogger. As a result, the program will be able to steal such confidential data as text messages, search queries and even passwords,” the researchers explained.
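One way to check a device for the situation described above is to list which apps currently hold the Accessibility Service privilege and flag those that did not come from a trusted installer. This is an added example, not code from Dr. Web or the article; the package names and sample data are constructed, and treating only Google Play as a trusted installer is an assumption.

```python
# Inputs are the raw output of these adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i   and   adb shell pm list packages -s
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; assumption, tune per fleet

def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service class) pairs."""
    pairs = []
    for comp in raw.strip().split(":"):
        if "/" not in comp:          # covers an empty value and the literal "null"
            continue
        pkg, cls = comp.strip().split("/", 1)
        pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_packages(raw):
    """Map package -> installer (None if absent or 'null') from `pm list packages` lines."""
    result = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer=") and field != "installer=null":
                installer = field[len("installer="):] or None
        result[fields[0][len("package:"):]] = installer
    return result

def flag_untrusted_services(services_raw, installers_raw, system_raw=""):
    """Return (package, service, installer) for enabled services from untrusted sources."""
    installers = parse_packages(installers_raw)
    system = set(parse_packages(system_raw))   # preinstalled apps also report no installer
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        source = installers.get(pkg)
        if pkg in system or source in TRUSTED_INSTALLERS:
            continue
        findings.append((pkg, cls, source or "unknown"))
    return findings

# Constructed sample data (not taken from the article or from a real device).
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.sideloaded/com.example.sideloaded.HelperService")
SAMPLE_INSTALLERS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.player  installer=com.android.packageinstaller"""
if __name__ == "__main__":
    for finding in flag_untrusted_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print("review:", *finding)
```

A flagged entry is a prompt for review rather than a verdict: legitimately sideloaded accessibility tools will also appear in the output.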