Virus analysts found in the Google Play catalog 27 games with a built-in Android Trojan.RemoteCode.127.origin.
It quietly downloads and launches additional modules that perform various malicious functions. For example, they simulate the actions of users, secretly opening websites and clicking on the elements located on them.
Android.RemoteCode.127.origin is part of the software platform that developers use to extend the functionality of their applications. In particular, it allows players to communicate with each other. However, in addition to the stated capabilities, this platform performs trojan functions, secretly downloading malicious modules from a remote server.
The main task of the program is the unobtrusive opening of websites and clicking on the elements located on them – for example, links and banners. For this purpose, Android.Click.221.origin loads from the specified address server a script, which provides the ability to perform various actions on the page, including simulating clicks on the elements specified by the script.
Thus, if the Trojan’s task was to go through links or advertisements, the attackers earn a profit for wrapping the counter of visits to web pages and clicking on banners.
However, this functional Android.RemoteCode.127.origin is not limited, the authors of the virus are able to create other Trojan modules that will perform other malicious actions. For example, to show phishing windows for the theft of logins and passwords, to demonstrate advertising, and also to hide and install applications secretly.
Specialists of the company “Doctor Web” found in the Google Play catalog 27 infected games, which downloaded more than 4,500,000 mobile device owners.