Ewind Android adware is actually a full-fledged Trojan

Palo Alto Networks researchers have analyzed a string of legitimate-looking Android apps and have discovered that the adware included in them has the potential to do much more than just show ads.

Russian Android adware

Ewind capabilities

Variants of the Ewind adware/malware are usually packaged in popular game and social media apps such as GTA Vice City, Minecraft – Pocket Edition, VKontakte, but also in many mobile security apps such as AVG cleaner and Avast! Ransomware Removal. And these apps are offered for download on well-established online Android app stores catering Russian-speaking users.

“Although Ewind [as they’ve dubbed the threat] is fundamentally adware, monetization through displaying advertising on the victim device, it also includes other functionality such as collecting device data, and forwarding SMS messages to the attacker. The adware Trojan in fact potentially allows full remote access to the infected device,” they noted.

The adware/malware is also capable (among other things) of downloading an APK and creating a shortcut to it, open URLs (in the foreground and in the background), execute supplied JavaScript in a webview for a specific web page, and enable/disable connectivity.

For the moment, the actor behind the adware does not seem to use it for any other purpose except to serve ads when finance-related apps are started, but that could easily change in the future.

More curious things about Ewind

The researchers believe that the adware author is the same person (group?) that runs these stores, and that he (or them) is of Russian origin.

The Trojanized, repackaged Android application packages (APKs) are all signed with the same suspicious certificates, they found, and the C&C servers the adware contacts are hosted on the same /16 netblock as the adware was downloaded from. Additional investigation into the domains from which the adware is downloaded showed even stronger links between the various domains used.

An additional curiosity is that Russian malware authors usually avoid targeting Russian users, but this one apparently has no compunction about doing just that.

“We have here an actor not only developing malware for monetization, but responsible for a network of Android App Store infrastructure which has over the years been used to serve tens of thousands of Android downloads in support of his advertising-supported monetization schemes,” they noted.

“We link tens of thousands of non-Ewind samples dating back several years to this actor based upon the infrastructure, APK signing key hashes, and/or use of the unique APK service name strings (in addition, ‘com.max.mobcoin’). These all appear to, in some fashion or another, monetize Android apps though advertising.”