A Trojan for Android discovered in firmwares of several smartphones. It is designed to covertly download and install applications and can also perform other malicious actions.
Android.Sprovider.7 monitors the system event android.intent.action.USER_PRESENT and starts operating once a user unlock the home screen. Then the Trojan checks whether the module Android.Sprovider.12.origin is active. The module is encrypted and stored in resources of the main malware program. If the module does not work, Android.Sprovider.7 retrieves it from its body and runs the module. This component contains the main payload of the Trojan.