My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2020-11-13

Virus description added:

SHA1 hashes:

  • 2b93a1d6e570b483959eaa801c6467bf0d5e2f59
  • bd9ce9d57098c5ac5d4b83feb93fdaf0d598fe15
  • fffa47e23f237118eaf0b6257955a759caf66d79


A malicious program which main purpose is to open web links as well as to load and display websites on-top of other apps windows. It was originally found in the app called Eye Care - Your close Eye Care Assistant (its another name is Eye Care Mini —— 急速护眼) spread through the Google Play. The trojan functionality is present in it since 2019 and was found in the versions 1.2.11, 1.2.12, and 1.2.14 of the app.


Operating routine

The trojan initializes upon the host application launch. For that, the initialization method located in the Application class is called. The malware authors have disabled the Android.Mixi.44.origin launching routine in the latest available version of the analyzed app, which is 1.2.14, but its code still remains in it.

Once launched, the trojan operates in accordance with user expectations. An example of the application UI after its start is shown below:

#drweb #drweb #drweb

Trojan’s program logic

Android.Mixi.44.origin uses the following services, activities and broadcast receivers:

<activity android:name=""/>
<service android:name=""/>
<service android:name=""/>
<receiver android:name="">
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name=""/>
    <action android:name="android.intent.action.USER_PRESENT"/>
    <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
<receiver android:name="">
    <action android:name="android.intent.action.PACKAGE_REPLACED"/>
    <action android:name="android.intent.action.PACKAGE_ADDED"/>
    <action android:name="android.intent.action.PACKAGE_REMOVED"/>
    <action android:name="android.intent.action.USER_PRESENT"/>
    <action android:name="android.intent.action.DOWNLOAD_COMPLETE"/>
    <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
    <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
    <action android:name="android.intent.action.SCREEN_ON"/>
</receiver> broadcast receiver

Launches the service, as well as tracks the android.intent.action.PACKAGE_ADDED and the android.intent.action.PACKAGE_REMOVED system events through which it controls which apps the user install and uninstall. The information about each event is saved to the database. Moreover, during its work the Android.Mixi.44.origin stores mrefferMap and mpaddMap hash tables in RAM.

If the information about the application installed is not present in the mrefferMap, the app’s packet name with the installation date are added to the mpaddMap database. However, if mrefferMap has this information about the app, the trojan sends an intent as shown below:

Intent i = new Intent("");
i.putExtra("referrer", "utm_source%vigo");

If special flag is set, the broadcast receiver initializes a WebView which is placed on-top of other UI elements. In order to do so, the trojan exploits a Toast Overlay vulnerability that affects Android devices running Android OS up to version 7.1. Android.Mixi.44.origin creates AlertDialog, sets it a Toast type and places a WebView inside this pop-up dialogue. In this WebView, a website, which URL is received upon the C&C server command, is loaded. broadcast receiver

Launches a service; upon each triggering, it uploads to the C&C server 5 records from the database that stores the information about the apps installed and uninstalled by the user, as well as all the tasks successfully completed by the trojan. service

Connects to http://***.* and requests tasks to execute, as well as the configuration, including the URL where the trojan will upload the reports about completed tasks.

Uploads 5 reports to the C&C server from the database. Upon the service work is complete, it is set to run again within specified time intervals through the AlarmManager. To run the tasks, the service is launched, and the task type is set in the extras attribute. With that, the service launch function can operate with more types of the tasks than the service itself in the analyzed sample. service

Executes main commands.

The ACTION_TYPE_USER_REG command ― to register the infected device in the attackers’ network. The following information is sent to the http://***.* C&C server:

  • SID, UID ― current user ID assigned by the trojan;
  • androidId ― a unique device ID (the android.provider.Settings.Secure.getString(ctx.getContentResolver(), "android_id") value is sent);
  • gid ― Google advertising ID;
  • OSVersion ― an OS version (the android.os.Build.VERSION.RELEASE value is sent);
  • version ― a version of the trojan app;
  • gpver ― a version of the Play Store app installed on the device;
  • wbver ― a version of the WebView.

In response, the Android.Mixi.44.origin receives the SID and the UID user IDs set by the server, saves them and launches the service. By default, the values of the IDs received from the C&C server are empty.

The ACTION_TYPE_PUSH_MSG command ― to load and display web pages on-top of other app’s windows, using the Toast Overlay vulnerability mechanism described earlier.

The ACTION_TYPE_OFFER_GET command ― to covertly open the URLs received from the C&C server (a clicker functionality). The task received from the C&C server contains a URL that trojan visits to receive the list of additional links to open. For each such link, the activity is launched within specified time intervals. The activity receives the specific window parameters that make it invisible to the user. In this activity, a WebView is created. In this WebView, the trojan opens a targeted URL.

If this URL redirects to the software page in the Play Market app, the trojan adds this software’s packet name to the mrefferMap table. Herewith, if the broadcast receiver will receive the information that this particular application later on, the following intent will be sent:

Intent i = new Intent("");
i.putExtra("referrer", "utm_source%vigo");

However, if this application has been installed recently and the information about it is available in the mpaddMap table list, the following intent will be immediately sent:

Intent intent = new Intent("");
intent.putExtra("referrer", referrer);

With that, the packageName and the referrer parameters are obtained from the URL led to the app’s page in the Play Store application.

This way, the Android.Mixi.44.origin tries to trick the analytics service, giving the credit for the app installation performed by the user to cybercriminals.

The news about the Android.Mixi.44.origin

Read more about the Toast Overlay vulnerability

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

© Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies