01-27-2018 , 03:06 PM
Quote: Doctor Web virus analysts have found several games on Google Play that contain [b]Android.RemoteCode.127.origin. It covertly downloads and launches additional modules that perform various malicious actions. For example, they simulate user actions by covertly opening websites and clicking on their items.[/b]
Android.RemoteCode.127.origin is part of a framework (SDK, Software Development Kit) called 呀呀云 (Ya Ya Yun). Developers use it to extend the functionality of their applications. In particular, it allows gamers to maintain communication with each other. However, besides the indicated possibilities, the platform performs the Trojan’s functions. It covertly downloads malicious modules from a remote server.
Once the programs with the embedded SDK are launched, Android.RemoteCode.127.origin makes a request to the command and control (C&C) server. As a response, it can receive a command to download and launch malicious modules capable of many actions. Doctor Web specialists intercepted and inspected one such module, and dubbed it Android.RemoteCode.126.origin. Once launched, it connects to its C&C server and receives a link to download an allegedly benign image.
source: https://news.drweb.com/show/?i=11685&lng=en&c=14