Trojan found in more than 100 Android apps on Google Play Store

Poisoned apps steal confidential information and serve up ads.

David Bisson


Researchers have uncovered a new strain of advertising spyware in more than 100 Android apps downloadable from the official Google Play Store.

The research team at Russian security firm Doctor Web first added the trojan, which they called Android.Spy.277.origin, to its virus database on April 1st, 2016.

“A Trojan for Android that steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store.”


Specifically, the malware experts found the trojan in 104 Android applications available for download on the Google Play Store. Those apps claim to offer photo editing services, animated wallpaper themes, and other programs… but in most cases, they don’t work as they claim.

In total, the apps affected by Android.Spy.277.origin are believed to have been downloaded by a staggering 3.2 million users.

The infection process works as follows.

Once a user has installed one of the malicious apps, the trojan collects nearly 30 different pieces of information about the user’s device and transmits them to a remote server operated by an attacker.

As Doctor Web explains in a blog post, the stolen data includes the device’s IMEI number – which phone call management app Truecaller has found out should NEVER be used as the sole means for authenticating users – as well as the device model, OS version, and availability of root access.

“At every launch of any installed application, the Trojan resends all the information mentioned before together with the name of the running application.”
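The beaconing pattern Doctor Web describes (the device profile resent at every app launch, together with the running app's name) can be hunted for in inspected device traffic. The following is an added example, not Doctor Web's or the article's code; the log format, package names, payload fields and thresholds are all constructed assumptions.

```python
import json
from collections import defaultdict

DEVICE_IMEI = "000000000000000"   # constructed placeholder, not a real IMEI
WINDOW_S = 5    # assumption: the beacon follows a launch within seconds
MIN_APPS = 3    # assumption: distinct other apps named before flagging


def beacon(app):
    # Constructed payload; field names are illustrative, not the trojan's.
    return json.dumps({"imei": DEVICE_IMEI, "model": "X1", "os": "5.1",
                       "root": False, "app": app})


# Constructed foreground-launch events: (unix_ts, package)
LAUNCHES = [(100, "com.example.mail"), (160, "com.example.maps"),
            (220, "com.example.bank"), (300, "com.example.weather")]

# Constructed outbound requests: (unix_ts, sending package, request body)
REQUESTS = [
    (101, "com.example.wallpaper", beacon("com.example.mail")),
    (102, "com.example.mail", '{"session": "start"}'),
    (161, "com.example.wallpaper", beacon("com.example.maps")),
    (221, "com.example.wallpaper", beacon("com.example.bank")),
    (222, "com.example.bank", json.dumps({"imei": DEVICE_IMEI})),
    (301, "com.example.weather", '{"city": "Oslo"}'),
]


def suspicious_senders(launches, requests, imei=DEVICE_IMEI):
    """Map sender package -> other apps it named right after their launch."""
    named = defaultdict(set)
    for ts, sender, body in requests:
        if imei not in body:          # only requests that leak the IMEI
            continue
        for launch_ts, pkg in launches:
            # Raw substring match, so it does not depend on field names.
            if (pkg != sender and 0 <= ts - launch_ts <= WINDOW_S
                    and pkg in body):
                named[sender].add(pkg)
    return {s: sorted(p) for s, p in named.items() if len(p) >= MIN_APPS}


if __name__ == "__main__":
    print(suspicious_senders(LAUNCHES, REQUESTS))
```

An app that sends the IMEI once for its own purposes is not flagged; only a sender that keeps reporting other apps' launches alongside the IMEI crosses the threshold.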

Android.Spy.277.origin also requests certain parameters for advertising on a user’s device.

For example, the trojan can try to intimidate the user into installing unwanted applications onto their devices.

Alternatively, it can display advertising notifications in an infected device’s status bar as well as create shortcuts on the Android home screen leading to sections of the Google Play store.

Doctor Web has notified Google, whose teams have begun to remove some of the malicious apps from the Play Store.

While Google sorts out that problem, Android users are urged to install an anti-virus solution on their devices and to install apps only from trusted app developers.

After all, this is far from the first time that malicious code has made its way into the Google Play store.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

36 comments on “Trojan found in more than 100 Android apps on Google Play Store”

  1. 'Trojan found in more than 100 …'
    Never good but nothing new.

    '… Android apps…'
    If anyone felt surprised they shouldn't now that Android is named.

    '… on Google Play Store'
    We've found the root cause. But we should just trust Google; their employees who would be in the know say there is no need for an antivirus on an Android. But Google is anything but trustworthy.

    The only thing that is somewhat surprising is the small number (small for Google) of trojans.

    1. Just last week, one was found in the Apple repository as well… what is your point?!? I smell iSheep dung…

    1. Doctor Web's blog post (linked to from the above article) includes a list of known affected APKs.

      Check it out here:

  2. That's what happens when you have a droid phone. I have one and won't for long, same as the flash light app which was done by scammers. Android doesn't monitor software that is out there, Apple does, my brother enlightened me why he switched due to malware in tons of software out there.

    Love my droid but I have enough problems with scammers out there!

    1. Lol well if you think switching to Apple is going to make you immune to threats like this you're fairly naive.

  3. And how do we determine who is a trusted app developer, pray tell? We can't even trust Google Play to allow trusted app developers on their site.

  4. for every single found on iOS, 100s are found on android.

    I may hate Apple, but the iPhone DECIMATES the Android platform in every way.

    don't bother responding with your butthurt, ego-riddled vomited nonsense. i won't be back to see your drivel anyway.

    Bite it dwoidboiz.

  5. Quote "Doctor Web has notified Google, whose teams have begun to remove some of the malicious apps from the Play Store"
    What ever happened to the days when we believed apps had been scanned for malicious threats before they would be approved for the play store?
    I was always told only to download from the play store, that other sites apps could be deemed unsafe.

  6. iDung seriously lmao. They might as well just "casually" suggest to buy and only choose "iProducts" at the end of the article since they are the best and only safe choice…Right. Give me a break!
    One would really have to be brainless to get a virus or brick your Android device since all installations or processes are allowed to take place only if the user allows them to and device security is set lower for that to take place.
    iDung indeed.

  7. just yesterday I had a friend with a broken android phone ask me if I could extract her information with my computer so she could transfer it to her new phone. so I did. I was also streaming netflix at the same time. I run a Dell 470 vostro with an I5 3450 3 .10Ghz 4 core and 16 Gigs of ddr3 2800 with win 7 64 pro. I always have my resource monitor open on one of my monitors. I have my OS on an ocz r7 ssd and a wd spinner back up storage drive non raid. about a half hour after storing her android info on my back up drive my ram usage shot from just over three gigs to over twelve gigs! upon investigation I found a google play android app had latched on to a media server app that suddenly appeared on my netgear router. the netgear genie app has been nothing but trouble. I quickly uninstalled it after buying the router 2 years ago. didn't even have the vostro at the time but that router finds a way to get that app back every now and then. I erased both drives and am currently re installing win 7 64 pro. the genie server app was on the android phone this time.

  8. Now I'm worried to go dl/install antivirus in case it comes loaded. Why not provide 1-2 names for a few that are safe and effective to use – wrt the virus in this article.

  9. I have no respect for google and their BS antics, stealing data by crawling the top search engines at the time, like Lycos, Yahoo, MSN and so forth and later suing people for doing the same.. Their Trojan horse toolbar that infected IE trying to get people to switch to chrome and exposing all the flaws to the general public of the vulnerabilities with other OS's.. I say a little taste of their own medicine.. LMFAO!!!

  10. I have detected aggressive port scans on my firewall over and over from their development sites?
    No problem to drop but still very annoying to see coming in over and over.

  11. IS this any surprise? Expect it people. Even carriers put malware in their smart phone that make you have an update many times a day in order to cause you to go over your data plan limit so they can charge you for it.

  12. Mostly an iOS user here, but Android has its advantages and every platform has known/unknown vulnerabilities/exploits. Nothing is perfect.

    The major issue with carrier-supplied Android/Windows Phone handsets is that they're held ransom by their 'custom' firmware.

    I'd wish carriers would butt out with their customizations. They're the bottleneck, injecting bloatware that hardly anyone wants/needs.

    Let the handset manufacturers deliver/notify users direct when the latest ROM(s) are available.

    This'll speed up deployment of critical patches.

    1. Agreed. Last time I got a phone, I went with the Moto G using it on T-mobile. Bought it directly from Motorola with very little preloaded. Updates are through Motorola directly and Tmobile has nothing to do with the phone.

  13. You've got to have a BlackBerry Priv for Android; it has the DTEK app to watch out for any apps you installed and monitor them for you like an iSpy 007. The device gets an upgrade of security software every month. I'm not trying to promote the device; just want to let people know.

  14. Friday my Android tablet started acting up and restarting each time I'd be on it for more than 5 mins. Finally it worked Sunday night and as I'm watching YouTube, my CM Security kept scanning files that would not stop downloading and I couldn't open them at all. Then gray boxes appear on my Google Photos and I can't open them on any device, even a computer, so I deleted them. So Monday after school I get a message saying I can't sign in to Google and that I have violated terms. I reviewed the terms and found nothing I did wrong. Does anyone have an idea of why this happened?

    1. My Galaxy phone has also begun corrupting photos. If I hurry after I take them, I can text them. Then quickly, they are replaced by a black box with a stupid word like OK or FASHION. Then they are turned into gray boxes–or a fake video file that won't play. The camera was the main reason I bought this 3 several years ago. I'm a graphic artist & photography nut and the 8 mb was awesome. In reading the article, I did download a few photo editors from Google Play a long time ago. But their features are cheesy compared to the pro stuff so had begun uninstalling them. Perhaps that is why this is happening? The bad programs do this upon uninstalling?

  15. I was all over google as well as firefox Google, Firefox they claim to check their 'SAFE" apps for distribution but I found out the hard …THEY LIED! i had a Redirect Virus that kept coming back for weeks, was very hard to get rid of. if i'm not mistaken i believe it came from a translator app …don't remember why i would have that either.

    Another problem you'll have to read bout this cookie called Mookie known as the Mookie virus there are several names but all Mookie which started out as an advertising for something or there supposedly legit longer and it's a cookie which most users allow for sessions which is how it gets in and does other things system slowing to crawl there is action a lot of ppl that have had the problem so that's another to watch out for.

    hope i have been helpful!

  16. dayuuuum this is second time i'm typing this post it was lost when it took me to registration or login now i have to all again …won't be the same 1st one was rather long.

    Short Version:

    Google Chrome and FireFox Claim all their apps are tested to make sure they are NOT viruses etc. ..THEY LIED i caught a redirecting virus from google firefox just 1 of them called Mookie'll have to do your own searching but it get into ur system by way of …a cookie known as the Mookie Virus, where like most users we add security by way NOT allowing third party cookies etc. BUT as many or most set Allow Session and the cookie is to expire on exit … well we gave it it's way in, now you'll receive ads maybe a program you didn't install but mostly you'll notice your system suddenly crawling, pages taking forever to load! The Mookie Virus as i've learned it to be called comes in a few names mookie1, 1mookie, mookieb and a couple of other characters or numbers infront or at end of name then .com, Mookie is was in the beginning a legitimate business in advertising i don't know the whole story but i did deal with it as many other.

    Google, Mozilla should be held accountable for the breach of security for their trusting users, for lying and NOT doing their job!

    Like Twitter your account gets hacked you give proof the hacker keeps your handle twitter name all the same, they are Not in the business to do anything more but make money by give access to social networking, …OK sorry that's a whole other story!

    OMG guess the post was more detail than I had stated.

    Hopefully it was helpful and informative Cyal later!

  17. I have reported at least 20 apps to Google in the last year because I either 1} saw merely by reading the "permissions" they were staggering invasive trojans or viruses and these people even outright admit it or 2} actually downloaded an app that gave me some form of malware, blocked me from turning off my phone, caused me to call AT & T because of not being able to connect to my WiFi, etc. I can't even tell you the BS you have to jump through to merely find and fill out the form to notify them that an app is suspicious – and this is right ON the page with the app. One app (a map app that supposedly told you how late or on time the buses or trains were in your area) was such a violation, people were doing nothing but writing reviews ranting about the virus included in the app and all the horrors they'd endured. The rub: you have to first DOWNLOAD an app in order to REPORT or REVIEW the app in the Google Play store. Anyway, this one app? I literally wrote and even called Google 8 times to warn, beg, ask, plead and tell them this app was a VIRUS and to go read the 100+ reviews of people ranting and POd they'd caught it. All Google did was send me more email in reply to mine asking for the same info I'd just spent hours carefully typing up for them, or asking for the URL of the app when this is what is on the form you send in when you report it from Google Play; or telling me to email them with the information which I'd say I'd already done 6 or 8 times. It got me nowhere and they just don't care. I can't believe the utter garbage that's in the Play store and even though I uninstall all PlayStore updates to my phone and tablet, within a week they're put right back on, even BLOCKING my ability to play a game that has nothing to do with Google by telling me I can't play until I update Google Play. 
    I couldn't even get on YouTube today, on my tablet, without signing up for an account (I don't have one and don't need one) so I got on my desktop and looked to my heart's content. Once I was forced to sign up for a gmail address, after buying my Android phone, they seem to think they own my life.

    1. Most times I medium rant on a company's facebook site as well. That way it's also public and more people will see your post. Generally you will get a reply from the company via messenger fairly quickly.
