
Added to the Dr.Web virus database: 2015-07-25

Virus description added:

SHA1: 738d8b637d6d6e25f5db7cfe7487dd23a4ebcb37

A downloader Trojan that has adware features and targets Android devices. It is distributed under the name of KKBrowser. The main malicious code is incorporated into com.kk.sdk.

Android.DownLoader.171.origin combines the features of adware and downloader Trojans. Once installed, the malicious program connects to remote command and control servers (http://120.**.73.213:80, http://s.1329***.cc:88) and downloads applications specified by cybercriminals. If Android.DownLoader.171.origin has root privileges, the applications are installed automatically; otherwise, a relevant prompt is displayed.


Moreover, the Trojan can stealthily remove programs. Again, if Android.DownLoader.171.origin has elevated privileges, programs are removed automatically (otherwise, the user is asked to give their consent). In addition to that, the Trojan can display fake email message notifications in the status bar. If the user taps such a notification, a website specified by cybercriminals will be loaded in the browser window.

The malicious program scans the system for the presence of Chinese anti-virus software and sends the following device-related information to the server:

  • Presence of anti-virus programs
  • Presence of web browsers (uc, qq, 360, etc.)
  • System language
  • Internet connection type
  • Home page version (internal value of the application)
  • Availability of root access
  • Information on whether the Trojan is installed in the system folder
  • ID
  • IMEI
  • UUID
  • Task_id
  • mProduct (product version)
  • Package version
  • Device model
  • Android version
  • Advertising module version
  • Screen resolution
  • Free memory card space
  • Free internal memory space
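
For triage of a collected APK, the two static indicators given in the description (the SHA1 and the com.kk.sdk package) can be checked without running the sample. The following is an added example, not code from Doctor Web; the function names and the sample archives are constructed for illustration, and it assumes the SDK classes are stored unpacked in a `classes*.dex` file.

```python
import hashlib
import io
import zipfile

# Values taken from the description above.
KNOWN_SHA1 = "738d8b637d6d6e25f5db7cfe7487dd23a4ebcb37"
SDK_DESCRIPTOR = b"Lcom/kk/sdk/"  # com.kk.sdk as it appears in DEX type descriptors


def triage_apk(apk_bytes):
    """Return a dict of indicator hits for one APK given as raw bytes."""
    sha1 = hashlib.sha1(apk_bytes).hexdigest()
    result = {"sha1": sha1, "sha1_match": sha1 == KNOWN_SHA1, "sdk_dex_files": []}
    try:
        with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
            for name in apk.namelist():
                # Primary and multidex files: classes.dex, classes2.dex, ...
                if name.startswith("classes") and name.endswith(".dex"):
                    if SDK_DESCRIPTOR in apk.read(name):
                        result["sdk_dex_files"].append(name)
    except zipfile.BadZipFile:
        result["error"] = "not a valid APK/ZIP archive"
    result["suspicious"] = result["sha1_match"] or bool(result["sdk_dex_files"])
    return result


def build_sample_apk(dex_payload):
    """Constructed test input: a minimal ZIP with a fake classes.dex (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        z.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    flagged = build_sample_apk(b"dex\n035\x00\x00Lcom/kk/sdk/Main;\x00")
    clean = build_sample_apk(b"dex\n035\x00\x00Lcom/example/app/Main;\x00")
    for label, data in (("flagged", flagged), ("clean", clean)):
        print(label, triage_apk(data))
```

A SHA1 match identifies this exact sample; a descriptor hit only shows that code under com.kk.sdk is present and should be followed by manual review, and a packed or renamed build will not match either check.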

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

© Doctor Web
2003 — 2022