Date: 11 November 2016 14:34
Doctor Web analysts have detected a new Trojan on Google Play, Android.MulDrop.924. This malware downloads applications onto Android devices without the user's knowledge and prompts the user to install them. In addition, it displays unwanted advertisements.
Android.MulDrop.924 spreads via Google Play disguised as an application named "Multiple Accounts: 2 Accounts", which has already been downloaded by more than 1 million Internet users. The program lets the user work with multiple accounts at once in games and other software installed on the mobile device. However, this seemingly harmless and even useful application hides malicious features from potential victims. Doctor Web has given Google Inc. information about this Trojan, but Android.MulDrop.924 is still available for download.
This Trojan has a distinctive modular architecture. Part of its functionality resides in two add-on modules that are encrypted and hidden inside PNG images located in the folder containing the operating files of Android.MulDrop.924. At launch, the Trojan extracts these modules, copies them to its local folder in the data directory, and then loads them into memory.
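For triage of an APK suspected of carrying modules inside images in this way, the following added example (not Doctor Web's code) checks every .png entry of the archive for structural anomalies. The page does not say how the modules are embedded, so the three checks (non-PNG content, bad chunk CRCs, bytes after IEND) are assumptions about common carrier techniques, and the sample APK is constructed.

```python
import io
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def inspect_png(data):
    """Return a list of findings for one PNG byte string (empty list = clean)."""
    if not data.startswith(PNG_MAGIC):
        return ["not a PNG despite the extension"]
    findings, pos = [], len(PNG_MAGIC)
    while pos + 12 <= len(data):
        # Chunk layout: 4-byte length, 4-byte type, body, 4-byte CRC over type+body.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return findings + ["truncated chunk %r" % ctype]
        if zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            findings.append("bad CRC in chunk %r" % ctype)
        pos = end
        if ctype == b"IEND":
            if pos < len(data):  # image viewers ignore this region
                findings.append("%d bytes after IEND" % (len(data) - pos))
            return findings
    return findings + ["no IEND chunk"]

def scan_apk(apk_bytes):
    """Map each suspicious .png entry in an APK (a ZIP archive) to its findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.lower().endswith(".png"):
                found = inspect_png(apk.read(name))
                if found:
                    report[name] = found
    return report

def _chunk(ctype, body=b""):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_sample_apk():
    """Constructed sample: one clean 1x1 PNG and a copy with opaque bytes appended."""
    clean = (PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/clean.png", clean)
        z.writestr("assets/carrier.png", clean + b"\xaa" * 64)
    return buf.getvalue()
```

Calling `scan_apk(build_sample_apk())` reports only the carrier entry; a finding is a reason to inspect the file further, not proof of a hidden module.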
One of these components, in addition to its harmless functions, contains several advertising plugins used by the authors of Android.MulDrop.924, including the Android.DownLoader.451.origin Trojan module, which downloads games and apps without user permission and then prompts the user to install them. Additionally, it displays ads in the notification bar of the mobile device.
In addition to Google Play, Android.MulDrop.924 is spreading through other sites offering software and apps for Android. One of the Trojan's modifications is embedded in an older version of the Multiple Accounts: 2 Accounts application. It is signed with a different certificate and, as well as the malicious module Android.DownLoader.451.origin, contains an additional malicious plugin, Android.Triada.99, which is downloaded to obtain root rights on the infected device.