SHA1:
- 15962a1dd8f9b52891f9b62461e42541d7c182fe
A Downloader Trojan for Android devices. It was first detected on Google Play, where it was distributed as the Turbo VPN application - Unlimited Free VPN & Proxy, designed for VPN. Android.DownLoader.818.origin is based on the open-source OpenVPN for Android project.
When launched, the Trojan prompts the user to grant it access to the SD card of the device with the following message:
When the access is granted, Android.DownLoader.818.origin requests administrative privileges.
After the Trojan is assigned the device administrator, it hides its icon from the app list on the main screen. For that, it restricts the access to the activity that launches it.
Then Android.DownLoader.818.origin uses its own com.turbo.free.vpn.util.VPNService to download the Addon.apk file from the server https://cdn.*****vpn and writes it to the external repository (an SD card or the available memory on the mobile device). The file is the adware Trojan Android.HiddenAds.710, but other files can be downloaded too, depending on server configuration.
After the download, Android.DownLoader.818.origin prompts the user to install it every 20 seconds with a standard system dialog:
The dialog keeps showing until the owner of the affected device agrees to install the application.
Android.DownLoader.818.origin also registers the broadcast receiver com.turbo.free.vpn.util.VPNConnection that launches the Trojan service com.turbo.free.vpn.util.VPNService upon the following system events:
- android.net.conn.CONNECTIVITY_CHANGE—Internet connection or disconnection.
- android.net.wifi.WIFI_STATE_CHANGED—WiFi module power on or off.
- android.intent.action.BOOT_COMPLETED—operating system loading.
