The Russia-based cybersecurity company Dr.Web has uncovered a new Android Trojan that buys applications from the Google Play Store and then installs them onto victims' devices without their permission. When it installs an app, the Trojan also creates a shortcut to it on the user's home screen.
The Trojan, called Android.Slicer, is attached to a phone optimization app which cleans the device's memory by closing down unused apps. It can turn the phone's Bluetooth and Wi-Fi on and off whenever it wants and, while doing so, a quick floating pop-up appears on the display.
Users get this app either by installing it themselves or via malware. No matter how it got there, once on the device it starts collecting phone information, such as the phone's IMEI identifier, the MAC address, the device manufacturer and the OS version, and then sends it to its command and control (C&C) server.
After that, the C&C server sends back a reply giving Android.Slicer different kinds of commands. These include opening webpages in the user's browser, displaying ads, opening Google Store on a particular page, etc.
Even though Android.Slicer's main purpose is installing different applications, it also shows intrusive behavior.
Later on, security experts discovered one more feature of the Trojan. As it turns out, Android.Slicer can download a special rootkit onto any device running Android 4.3. The rootkit, Android.Rootkit.40, has the capability to root the device and give the crooks behind the Trojan much more control over the OS.
In such a case, Android.Slicer will be able to tap on the "Install" and "Continue" buttons and, most concerning of all, on the "Buy" button in the Google Play Store. The "Buy" button, in particular, can cause a lot of financial damage for infected users.
Luckily, Google found a solution to the problem by embedding the SELinux component in every Android version from 4.4 onward. Android.Rootkit.40 won't work on a device with the SELinux component installed.