Added to the Dr.Web virus database: 2016-04-01

Virus description added:

SHA1: 89dee7086968dda688703304fd4b5163476b7f44

A Trojan for Android that steals confidential information and delivers advertisements. It is distributed via bogus versions of popular Android applications on the Google Play store.

Once launched, it sends the following information to the command and control server:

  • “email”—email address connected to a Google user account. It is obtained from AccountManager; only getAccountsByType("”) is used;
  • “app_id”—meta-data from the manifest.xml file of the infected application;
  • “gcm_id”—GCM identifier (Google Cloud Messaging id);
  • “sender_id”—the application identifier specified by the server;
  • “app_version_code”—android:versionCode from the manifest.xml file;
  • “package_name”—name of the package containing the Trojan;
  • “sdk_version_name”—SDK version;
  • “sdk_version_code”—the Trojan’s SDK build number;
  • “android_id”—unique identifier;
  • “imei”—IMEI identifier;
  • “android_version”—operating system version;
  • “model”—mobile device model;
  • “screen”—screen resolution;
  • “phone”—cell phone number;
  • “api_version”—SDK version of the application;
  • “country”—the user’s geolocation;
  • “cpu”—CPU type;
  • “mac”—MAC address of the power adapter;
  • “user_agent”—a User-Agent string generated for the device from parameters such as Build.VERSION.RELEASE, Build.VERSION.CODENAME, Build.MODEL and Build.ID;
  • “carrier”—mobile network operator;
  • “is_plugin”—informs the server whether the Trojan is launched from the original application (the false value) or from its plug-in located in its software resources (the false value);
  • “time_from_begin”—specifies a time period after which the Trojan starts transmitting data to the server;
  • “install_referrer”—by default, sends the “Others” value;
  • “connection_type”—network connection type;
  • “connection_sub_type”—network subtype;
  • “is_rooted”—availability of root access (the true or false value);
  • “active_device_admin”—indicates whether an infected application has administrator privileges (the true or false value);
  • “has_gp”—indicates whether a Google Play application is on the device (the true or false value);
  • “Install from = ” - “Google Play”/“Others”—indicates whether the infected application is installed from Google Play or from a third-party app store.

Whenever any installed application is launched, the Trojan sends a POST request that contains the above-mentioned information, adding the package name of the running application and requesting advertising parameters:

  • "index" – requestads;
  • “package_name_running”—name of the running application.
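
A defender's view of the two requests described above, as an added example (not Dr.Web's code and not taken from the sample): a Python check that labels captured POST bodies by the field names listed on this page. The body encoding (JSON or form-encoded), the 20-of-28 threshold and the sample values are assumptions of the example.

```python
import json
from urllib.parse import parse_qs

# Field names as quoted in the list above.
PROFILE_FIELDS = {
    "email", "app_id", "gcm_id", "sender_id", "app_version_code",
    "package_name", "sdk_version_name", "sdk_version_code", "android_id",
    "imei", "android_version", "model", "screen", "phone", "api_version",
    "country", "cpu", "mac", "user_agent", "carrier", "is_plugin",
    "time_from_begin", "install_referrer", "connection_type",
    "connection_sub_type", "is_rooted", "active_device_admin", "has_gp",
}
# Assumption of this example: how many of the 28 names must co-occur.
MIN_MATCHING_FIELDS = 20


def parse_body(body: str) -> dict:
    """Return key -> value for a JSON object or a form-encoded body."""
    try:
        data = json.loads(body)
        if isinstance(data, dict):
            return {str(k): str(v) for k, v in data.items()}
    except ValueError:
        pass
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def classify(body: str) -> str:
    """Label a POST body 'ad_request', 'device_profile' or 'no_match'."""
    fields = parse_body(body)
    if len(PROFILE_FIELDS.intersection(fields)) < MIN_MATCHING_FIELDS:
        return "no_match"
    if fields.get("index") == "requestads" and "package_name_running" in fields:
        return "ad_request"
    return "device_profile"


# Constructed sample bodies with placeholder values (not captured traffic).
SAMPLE_LAUNCH = "&".join(f"{name}=x" for name in sorted(PROFILE_FIELDS))
SAMPLE_AD = json.dumps({**dict.fromkeys(PROFILE_FIELDS, "x"),
                        "index": "requestads",
                        "package_name_running": "com.example.app"})
SAMPLE_BENIGN = "email=user%40example.com&model=Pixel&country=DE"

if __name__ == "__main__":
    for name, body in [("launch", SAMPLE_LAUNCH), ("ad", SAMPLE_AD),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, "->", classify(body))
```

Matching on the co-occurrence of many field names rather than on any single one keeps ordinary analytics traffic, which often carries a few of the same keys, out of the results.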

Depending on a received command, Android.Spy.277.origin can execute the following actions:

  • “show_log”—enable or disable logging;
  • “install_plugin”—install a plug-in hidden inside the malicious application;
  • “banner”, “interstitial”, “video_ads”—display different types of advertisements (including on top of the OS interface and other applications);
  • “notification”—display a notification with the received parameters;
  • “list_shortcut”—create shortcuts on the home screen (tapping these shortcuts opens the specified sections in Google Play);
  • “redirect_gp”—open a webpage with a specified address in Google Play;
  • “redirect_browse”—open a specified webpage in a preinstalled browser;
  • “redirect_chrome”—open a specified webpage in Chrome;
  • “redirect_fb”—open a Facebook webpage specified by the command.

[Screenshots: examples of advertising images, of advertisements in the status bar, and of shortcuts created by the Trojan.]


At present, more than 100 applications are known to contain Android.Spy.277.origin.

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
