Android Trojan pesters victims, won’t take no for an answer

If an app won’t stop badgering you to give it administrator rights to your Android device, chances are you have picked up malware somewhere.

Malware peddlers are constantly trying out new tricks to get users to infect their devices. In the latest example, an information-stealing Android Trojan targeting Russian, US and European users is playing this “I won’t let you proceed if you don’t give me admin access” game.

Avast researchers don’t say how the malware gets to the users, but it’s likely that they download it themselves, thinking they are getting a legitimate, helpful app.

Once installed, the Trojan puts an icon in the launcher, and the name of the fake app may be AVITO-MMS, MMS Центр (MMS Center), or KupiVip (KupiVIP is a Russian online fashion retailer).

Once that app is launched, the malware hides the icon.

The Trojan checks whether it runs in an emulator, and if it does not, the onslaught begins: the malware will show, again and again, a dialog box asking the user to grant it admin rights.

Clicking on the “Cancel” button doesn’t work, and it’s easy to immagine that, exasperated, some users will ultimately relent. Then, they are repeatedly hit with another pop-up – the Trojan wants to become the default SMS app:

The Trojan is able to collect device information and send it to a C&C server operated by the crooks. From there, they can send out commands to it, and can make it download additional apps, collect call logs, SMSes, bookmarks, contacts, GPS coordinates, a list of installed apps, as well as redirect calls to a specific number and lock the screen.

Finally, the Trojan can also pop-up fake login and account update screens over legitimate apps (e.g. Google Play) in the hopes that the victim will enter their login, personal and payment card info.

The number of infections has dropped considerably in the last months, but that doesn’t mean that other malware creators won’t use the same trick.

Apart from preventing the malware getting on the device in the first place (either by being careful or by using mobile security solutions), potential victims can stop the Trojan’s repeated pestering and remove it from the device, but they will have to power down the phone and restore it to its factory settings.

Another option that works on Android Marshmallow allows users to try to uninstall the app even with the annoying screens popping up all the time, by going to settings with the top-down swipe. KitKat users aren’t so lucky – they have to do the reset to factory settings.

“Lastly, if you do have USB debugging enabled and have access to your phone via a trusted PC, you can try to kill the application via ADB (Android Debugging Bridge) and then uninstall it,” says Avast researcher Jan Piskacek, but warns that “this option is only for advanced users and generally, leaving your phone with permanent USB debugging enabled could mean that anyone who gets ahold of your phone, even if only for a short time, can get access to all the data located on your phone.”