A new trojan potentially threatens as many as 2.8 million Android users with unwanted mobile advertisements.

On 29 July, researchers at the Russian computer security firm Doctor Web published an alert about the trojan, which goes by the name "Android.Spy.305.origin"

The malware is an updated version of sorts of "Android.Spy.277.origin," which appeared back in April 2016. Security researchers detected the trojan in 104 applications available for download on the Google Play Store.

In total, Doctor Web's research team believed as many as 3.2 million users had installed applications affected by Android.Spy.277.origin at the time of the trojan's discovery.

Android.Spy.305.origin affects fewer users, but it was found in 105 Android applications.

When a user first downloads and runs an affected application, the trojan connects the server http://client.api-*******.com server and sends the following request:

http://client.api-*******.com/v3/upd?app_id=com.mobilescreen.recorder&device_id=86804202*******&access_token=MSDK-10-ok8FmzAh CJKf4Bo5VVHkqmWWPGShOWIUb1RPNo9t0cgrFDQx77sTGXgjhffEo&publisher=101324582&version=0&android_id=266af8c9e01d0ce

"The server replies with URL needed to download an additional component (Android.Spy.306.origin) which is responsible for the trojan’s main malicious activity that Android.Spy.305.origin performs using the DexClassLoader class," explains Doctor Web's researchers in a blog post.

At this time, the Trojan is known for two malicious purposes: collecting several different pieces of information and sending them to the malware's command and control server, as well as displaying unwanted advertisements. These advertisements may appear as popups that display over an app or the OS screens or as fake alerts or ads in the device's notification bar. For example, some of those alerts may read "Your phone have a virus!!!" or "How to get a GIRLFRIEND?".

Clicking on the fake virus alerts, for example, brings users to the landing pages for Android optimization applications such as Turbo Cleaner, SuperB Cleaner (Boost & Clean), and others. Some of the apps promoted by these fake notifications may clog up a user's Android device. In some cases, they come with their own fake virus or security warnings, thereby locking a user into a vicious cycle of installing unwanted applications.

Users can help protect themselves against this Trojan by installing a security solution onto their Android devices and by downloading applications from only trusted sources/developers on the Google Play Store.

Related Articles:

Rafel RAT targets outdated Android phones in ransomware attacks

Snowblind malware abuses Android security feature to bypass security

New Medusa malware variants target Android users in seven countries

Chrome for Android tests feature that securely verifies your ID with sites

Arm warns of actively exploited flaw in Mali GPU kernel drivers