My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2015-04-11

Virus description added:

A Trojan for Android that is disguised as a torch application. It can be distributed with the help of aggressive advertisement modules incorporated into different programs. Cybercriminals can also put it on popular websites with downloadable software.


Once the Trojan is activated, it sends the following data to the command and control server:

  • Current time
  • Current location
  • IMEI
  • Device’s unique ID generated by the Trojan
  • Trojan’s version
  • Root access availability
  • Availability of an active Wi-Fi connection
  • OS version
  • Current system language
  • Device model and manufacturer
  • Trojan’s package name
  • Network connection type

At the same time, Android.Toorch.1.origin tries to get root privileges by using the com.apkol.root package modified by cybercriminals and incorporated into the malware.

If the Trojan succeeds, it extracts the libandroid.jar file from its program package and embeds it as an application with the name NetworkProvider.apk into the system directory /system/app. Then the Trojan launches the system service that corresponds to the application. This application (can also be detected as Android.Toorch.1.origin) extracts the libimpl.jar file (detected as Android.Toorch.2.origin) from the program package and loads it into the RAM with the help of the DexClassLoader class. This module contains main malicious functionality of the Trojan and can, in particular, stealthily download, install, or remove applications upon cybercriminals’ command.

Some modifications of NetworkProvider.apk can contain an additional program component as an ELF file in the program package. This file is copied into the system directory /system/app as a file with the name GDataAdapter and then launched. This application makes sure that the Android.Toorch.1.origin Trojan’s work is not interrupted by the user. If the process executed by the Trojan is terminated, GDataAdapter launches it once again.

A number of Trojan’s modifications can embed the GoogleSettings.apk component into the system directory. This component has the same functionality as NetworkProvider.apk. This program contains an advertising module Adware.Avazu.1.origin, which subsequently gets embedded into the system. The module serves to demonstrate advertisements. Moreover, original Trojan torch application also contains this module.

Since malicious components are embedded into the system directory /system/app, they can’t be detected by Dr.Web anti-virus solutions for Android during an express scan. Therefore, right after any Trojan of the Android.Toorch family is discovered for the first time, it is very important to run a full scan on the infected mobile device, remove the Trojan’s main file, and finish the curing process using a special utility created by Doctor Web security experts.

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android

Dr.Web © Doctor Web
2003 — 2022

Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies