My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2021-03-26

Virus description added:

  • SHA1 hash: cfc35d28dad612e515a5f90a91fc7b33bcf7d7d6


Android.Cynos.7.origin is the detection name for one of the versions of the Cynos software modules. They can be embedded into Android apps to monetize them. This modification’s main functionality is to collect information about users and their mobile devices and display ads.

Operating routine

Upon launching the application containing the Android.Cynos.7.origin module, it asks the user for permission to make and manage phone calls. This permission allows the trojan to gain access to the information about the user’s mobile phone number:


Android.Cynos.7.origin randomly selects one of the C&C servers listed below and connects to it:

  • hxxp://dns1[.]sdkbalance[.]com
  • hxxp://dns2[.]sdkbalance[.]com
  • hxxp://dns3[.]sdkbalance[.]com

In response, the module receives a server address to send the collected data to, and from which it can download the parameters required to display ads. If, for some reason, it is unable to receive the required address, the Android.Cynos.7.origin uses the following addresses hardcoded in the app’s code:

  • hxxp://47[.]92.196.227—a server to transfer the collected data and log events to
  • hxxp://39[.]100.129.237—a server to receive configuration required to display ads

The trojan collects and sends the following information to the server:

  • Mobile operator’s MCC and MNC codes
  • Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access location)
  • Mobile operator’s MCC and MNC codes
  • GSM cell ID and GSM location area code (when the application has permission to access location)
  • Device ID generated by the trojanized app (some trojan modifications use the device’s IMEI as its ID; some modifications also send the IMSI code, like SHA1: 8cce3b7c41a185919c4e7735176087b2e503741e)
  • Device model
  • The manufacturer
  • An Android SDK version
  • Screen resolution
  • Internet connection type
  • A CPU name
  • App’s apk file md5 hash
  • App’s version
  • companyID—a parameter from the app’s metadata
  • appID—a parameter from the app’s metadata

Before it sends the data, the trojan receives a public RSA key from the server. It uses a randomly generated key to encrypt the data with the AES algorithm. In turn, this key is encrypted with the public RSA key obtained earlier. Then, the encrypted key is sent to the server in the SecurityKey header of the request with the data.

Along with collecting data, this module’s other function is displaying ads inside the app that contains it. It uses different SDKs to display ads, depending on which app catalog is used to spread apps with Android.Cynos.7.origin. For example, if it's the AppGallery catalog, it uses It uses com.Vivo.mobilead with the VIVO catalog, and with the Mi store catalog. With the GameCenter catalog, it uses com.heytap.mobad.

Indicators of compromise

News about the trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android