Thursday, July 21, 2016

Feedly: Virus alerts. New Trojan found in Google Play: Doctor Web uncovers social media account stealing scheme



from Virus alerts

June 15, 2016

Android.PWS.Vk.3 is distributed via the “Music from VK” («Музыка из ВК») application published on Google Play. The developer’s name is MixHard. Doctor Web analysts have informed Google about this Trojan. At the time of writing, Android.PWS.Vk.3 was still available for download.

The Trojan is implemented as a fully-featured VK audio player. To listen to music, the user must log in to their VK profile by entering their login and password. In fact, these credentials are immediately sent to the C&C server, which means that attackers get full control over the user’s VK profile.

Doctor Web specialists have observed virus makers attempting to sell user profiles hacked with Android.PWS.Vk.3 on underground hacking forums. In addition, cybercriminals can use these VK profiles to generate traffic for various VK communities.

Attackers have already tried to distribute Android.PWS.Vk.3 via Google Play, for example, as the Music for VK and Music VK applications by Dobrandrav. However, neither of these apps is available for download any longer. In total, about 12,000 users have installed the Trojan on their devices.

The Trojan’s authors have created their own VK community, which has more than 44,600 subscribers. All members are invited to download Android.PWS.Vk.3 to their mobile devices.

In addition, attackers published one more application named “Music and video for VK” («Музыка и видео для ВК») and developed by Gomunkul. At present, this player does not contain the payload.

Despite its apparent harmlessness, this player may become a full-blown Trojan once attackers decide to modify one of its parameters (or add any functions including malicious ones) and update the malicious program. If this happens, the Trojan will continuously prompt the user to install a plug-in necessary for its operation. It should be noted that the plug-in and Android.PWS.Vk.3 have the same security certificate.

More than 1,000,000 users have currently downloaded the player and can fall victim to the Trojan at any time. Because of the danger that this player represents for Android devices, it was added to our virus database under the name of Android.Click.123.

Doctor Web strongly advises users to install only official applications and protect their devices with anti-virus software. Android.PWS.Vk.3 and the Android.Click.123 riskware are successfully detected and removed by Dr.Web for Android, so they do not pose any threat to our users.
