Unit 42 researchers suspect Ewind adware Trojan is 100% Russian
Tue, 18th Apr 2017

The Android Ewind family has just become a little bigger, after Unit 42 researchers discovered multiple new samples of the family.

According to the Unit 42 blog, threat actors are using a simple approach to distribute the adware: they download legitimate Android apps, repackage them with malicious routines, and then redistribute the modified apps on their own Russian-language Android application websites.

So far, apps that have been hit include Avast! Ransomware Removal, Opera Mobile, AVG Cleaner, VKontakte and consumer games such as GTA Vice City and Minecraft - Pocket Edition.

Researchers believe that although Ewind is predominantly focused on delivering advertising on the victim's device, it can also collect device data and forward SMS messages on to the attacker.

“The functionality to forward SMS messages to a C2 hints at possible intentions beyond just delivering adware. Of real concern is that although we've only observed these Trojans being used to deliver advertising to victims, as our analysis shows, with device-admin access and the functionality to download and execute any file on the device, the actor behind this activity can easily take full control of the victim device,” the blog says.

They also warn that the Trojan could potentially allow full remote access to the infected device.

Of particular significance is the fact that the threat actor is not only developing malware for monetisation, but also maintaining an Android App Store infrastructure that is being used to serve downloads that support monetisation.

Initially, researchers did not see any connection between the threat actor and the sites the infected apps were hosted on. They say that actors often upload Trojanised apps to websites that enable sharing of 'cracked' apps, but for the Ewind family there is a stronger connection.

Unit 42 researchers said that the applications, injected advertising and the attackers are all Russian.

“While identifying a Malware author as Russian is not at all surprising, usually Russian actors avoid targeting Russian subjects. Deliberate targeting of Russians, in this case – by an apparently Russian actor – is therefore somewhat unusual,” the blog says.