A Trojan for Android mobile devices. It injects an additional malicious component into the running Play Store process, steals confidential information, and covertly downloads applications from Google Play to artificially inflate their popularity. Android.Skyfin.1.origin is most likely distributed by several downloader Trojans of the Android.DownLoader family, which try to gain root access and install this malicious program in the system directory.
Once Android.Skyfin.1.origin is launched, it injects the additional Trojan module (Android.Skyfin.2.origin) into the running Play Store process, com.android.vending. The module collects the confidential information required to work with Google Play and sends the stolen data to the main component, Android.Skyfin.1.origin.
Once the required data has been collected, Android.Skyfin.1.origin sends it to the command and control (C&C) server https://api.sg****api.com/v1/phone/allInfo together with the following information:
- mobile device model;
- user geolocation;
- system language.
Using the collected information, Android.Skyfin.1.origin generates POST requests to the Google Play server https://android.clients.google.com/fdfe/, imitating the Play Store application. The Trojan can then issue the following requests:
- /search - a catalog search, used to simulate a plausible sequence of user actions;
- /purchase - a request to purchase the application;
- /commitPurchase - purchase confirmation;
- /acceptTos - confirmation of consent to the license terms;
- /delivery - a request for a download link for the APK file from the catalog;
- /addReview, /deleteReview, /rateReview - adding, deleting and rating reviews;
- /log - confirmation of the application download, used to inflate the total install count.
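The request sequence above is useful from the defender's side: a legitimate install goes through the same endpoints, but it originates from the Play Store client and at human speed, whereas a scripted install-simulation chain runs from another process and completes in seconds. The following script is an added example, not code from the original report or from any vendor tool. It parses constructed per-process network log lines (the log format, timestamps, package names and the C&C host `c2.example.invalid` are all assumptions made for the example) and reports two signals: any package other than com.android.vending that talks to the /fdfe/ API, and any purchase/commitPurchase/acceptTos/delivery/log chain completed within a short window.

```python
"""Flag Play Store API traffic that matches the Skyfin install-simulation pattern.

Added example (not from the original report). It reads simplified per-process
network log lines of the assumed form
    <ISO timestamp> <package> <method> <host> <path>
and reports (a) processes other than the Play Store client that call the Play
API and (b) the rapid purchase/commitPurchase/acceptTos/delivery/log chain.
"""
import re
from datetime import datetime, timedelta

PLAY_STORE_PKG = "com.android.vending"
PLAY_API_HOST = "android.clients.google.com"
FDFE_PREFIX = "/fdfe/"
# The endpoint order the report describes for one simulated install.
INSTALL_CHAIN = ["/purchase", "/commitPurchase", "/acceptTos", "/delivery", "/log"]
# Assumption: a scripted chain finishes far faster than a person reading a ToS screen.
CHAIN_WINDOW = timedelta(seconds=120)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<pkg>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample log: package names, timestamps and the C&C host are placeholders.
# The first block is a slow, human-driven install from the real Play Store client;
# the second is a scripted chain from an unrelated process.
SAMPLE_LOG = """\
2017-01-20T10:00:00Z com.android.vending POST android.clients.google.com /fdfe/search
2017-01-20T10:00:05Z com.android.vending POST android.clients.google.com /fdfe/purchase
2017-01-20T10:06:00Z com.android.vending POST android.clients.google.com /fdfe/commitPurchase
2017-01-20T10:06:01Z com.android.vending POST android.clients.google.com /fdfe/acceptTos
2017-01-20T10:06:03Z com.android.vending POST android.clients.google.com /fdfe/delivery
2017-01-20T10:07:30Z com.android.vending POST android.clients.google.com /fdfe/log
2017-01-20T10:10:00Z com.example.sampledropper POST c2.example.invalid /v1/phone/allInfo
2017-01-20T10:10:02Z com.example.sampledropper POST android.clients.google.com /fdfe/search
2017-01-20T10:10:03Z com.example.sampledropper POST android.clients.google.com /fdfe/purchase
2017-01-20T10:10:04Z com.example.sampledropper POST android.clients.google.com /fdfe/commitPurchase
2017-01-20T10:10:04Z com.example.sampledropper POST android.clients.google.com /fdfe/acceptTos
2017-01-20T10:10:05Z com.example.sampledropper POST android.clients.google.com /fdfe/delivery
2017-01-20T10:10:20Z com.example.sampledropper POST android.clients.google.com /fdfe/log
2017-01-20T10:11:00Z com.example.otherapp GET android.clients.google.com /fdfe/search
"""


def parse_log(text):
    """Parse log lines into event dicts, sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def is_play_api(ev):
    return ev["host"] == PLAY_API_HOST and ev["path"].startswith(FDFE_PREFIX)


def foreign_play_api_clients(events):
    """Packages other than the Play Store client that call the Play API at all."""
    return sorted({ev["pkg"] for ev in events if is_play_api(ev) and ev["pkg"] != PLAY_STORE_PKG})


def find_rapid_install_chains(events, window=CHAIN_WINDOW):
    """Return (pkg, start, end) for every complete INSTALL_CHAIN finished within `window`."""
    chains = []
    state = {}  # pkg -> (index of next expected endpoint, chain start time)
    for ev in events:
        if not is_play_api(ev):
            continue
        endpoint = ev["path"][len(FDFE_PREFIX) - 1:]  # "/fdfe/purchase" -> "/purchase"
        pkg = ev["pkg"]
        idx, start = state.get(pkg, (0, None))
        if idx > 0 and ev["ts"] - start > window:
            idx, start = 0, None  # too slow for a script: discard the partial chain
        if endpoint == INSTALL_CHAIN[idx]:
            if idx == 0:
                start = ev["ts"]
            idx += 1
            if idx == len(INSTALL_CHAIN):
                chains.append((pkg, start, ev["ts"]))
                idx, start = 0, None
        state[pkg] = (idx, start)
    return chains


def analyze(text):
    events = parse_log(text)
    chains = find_rapid_install_chains(events)
    return {
        "foreign_play_api_clients": foreign_play_api_clients(events),
        "rapid_chains": chains,
        # Highest-confidence signal: a scripted chain issued from outside the Play Store client.
        "suspicious": [c for c in chains if c[0] != PLAY_STORE_PKG],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample input the slow Play Store install is not reported as a chain (its /commitPurchase arrives more than two minutes after /purchase), while the scripted process completes the whole chain in 17 seconds and is also listed as a foreign Play API client. The per-process attribution only works from a vantage point that sees which app opened each connection (an on-device firewall or instrumented proxy); from a plain network capture, the timing signal of the chain is what remains usable.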
The Trojan saves the downloaded applications on the SD card but does not install them, which reduces the likelihood of its detection.
One modification of Android.Skyfin.1.origin is configured to download only one program, com.op.blinkingcamera. To do so, the Trojan simulates a tap on a Google AdMob banner advertising the app, downloads it, and sends Google a notification of a supposedly successful installation. Another modification of Android.Skyfin.1.origin receives the list of programs to download from the C&C server https://api.sg****api.com/v1/phone/syncAds.