My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2017-01-19

Virus description added:


  • f10ff63c0a8b7a102d6ff8b4e4638edb8512f772
  • a5b9ca61c2c5a3b283ad56c61497df155d47f276

A Trojan for Android mobile devices. It implements an additional malicious component in the Play Store running process, steals confidential information, and covertly downloads applications from Google Play for artificial increase of their popularity. Most likely, Android.Skyfin.1.origin is spread by the several downloader Trojans belonging to the Android.DownLoader family, trying to gain root access and install this malicious program in the system directory.

Once Android.Skyfin.1.origin is launched, it implements the additional Trojan module (Android.Skyfin.2.origin) in the Play Store running process The module collects confidential information required for work with Google Play and sends the stolen information to the main component Android.Skyfin.1.origin.

Once the required data is collected, Android.Skyfin.1.origin sends it to the (command and control) C&C server****api. com/v1/phone/allInfo with the following information:

  • IMEI
  • IMSI
  • mobile device model;
  • user geolocation;
  • system language.

Using collected information, Android.Skyfin.1.origin generates POST requests and connects to the Google Play server, the Play Store operation. Then the Trojan can execute the following commands:

  • /search - search in the catalog for the simulation of user action sequence;
  • /purchase - request for the program purchase;
  • /commitPurchase - purchase confirmation;
  • /acceptTos - confirmation of consent to the license term conditions;
  • /delivery - link request for download of an APK file from the catalog;
  • /addReview /deleteReview /rateReview - adding, deleting and rating of reviews;
  • /log - confirmation of the program download used for the twist of the total installs.

The Trojan saves downloaded applications on an SD card but does not install them, reducing possibility of its detection.

One of the Android.Skyfin.1.origin modifications is configured to download only one program - com.op.blinkingcamera. For this purpose, the Trojan simulates a tap on the Google AdMob banner with an app advertisement, downloads it, and sends Google notification on supposedly successful installation. Another Android.Skyfin.1.origin modification receives from the C&C server**** a list of programs that Trojan must download.

News about the Trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android