Android apps posing as flashlights can hide a very dangerous Trojan

Security analysts at Doctor Web have detected a dangerous Trojan for Android devices. It tries to gain root privileges so that it can covertly download, install or remove applications on command from cybercriminals. On top of that, the malicious program collects detailed information about the infected mobile device and sends it to its creators, and it is also capable of displaying annoying ads.


The new malicious program, dubbed Android.Toorch.1.origin, is built into a flashlight application and is distributed by criminals through popular software download sites. The Trojan can also be pushed onto a mobile device by the aggressive advertising modules embedded in various other applications. Android.Toorch.1.origin can infect a device only if the user installs it; however, because it is distributed under the guise of a legitimate application, it is very likely that a potential victim will install it. Once installed, Android.Toorch.1.origin works just like any ordinary flashlight app, so users have no way of noticing that something is wrong.






Once launched, the Trojan connects to the command-and-control (C&C) server and uploads the following data about the compromised device:

  • the current time
  • the current location
  • the IMEI
  • a unique device ID generated by the Trojan
  • the Trojan's version
  • whether root access is available
  • whether a Wi-Fi connection is available
  • the operating system version
  • the current system language
  • the device model and manufacturer name
  • the Trojan's name
  • the type of network connection

At the same time, Android.Toorch.1.origin attempts to obtain root privileges using a version of the com.apkol.root package modified by the cybercriminals. If it succeeds, it extracts the NetworkProvider.apk application (also detected as Android.Toorch.1.origin) from its own package and installs it into the /system/app system directory. The Trojan then launches the system service that corresponds to this application. Some modifications of NetworkProvider.apk carry an additional module called GDataAdapter. Once installed into the system directory by the same method, it keeps NetworkProvider.apk running continuously, relaunching it whenever necessary.


NetworkProvider.apk in turn contains another component of Android.Toorch.1.origin, which was added to the Dr.Web virus database as Android.Toorch.2.origin. Once loaded into memory and successfully launched, it receives a configuration file from the C&C server and then carries out its malicious activity according to the instructions in that file. In particular, the Trojan can report a successful launch to the criminals, initiate its own update, and upload detailed information about the infected device (including its GPS coordinates and the list of installed applications) to the remote C&C server. The main function of this module, however, is the covert downloading, installation and removal of applications on command from the cybercriminals. Because the Trojan holds root privileges, all of these actions are performed without the user's knowledge or consent.


It is worth noting that Android.Toorch.1.origin includes the Adware.Avazu.1.origin advertising platform, which displays ads on the screen of an infected device every time a new application is installed. Other modifications of this Trojan may install the same module as a separate application embedded in the GoogleSettings.apk component (which has the same functionality as the NetworkProvider.apk module).






Android.Toorch.1.origin installs its malicious modules into the system directory, which Dr.Web for Android does not examine during a quick scan. This is what makes the Trojan so dangerous: even after the original malicious flashlight application is removed, the components it installed remain on the system and continue their malicious activity. Therefore, as soon as Android.Toorch.1.origin is detected for the first time, the infected mobile device should be given a full scan.
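Because the components described above live in /system/app rather than in the user's data partition, uninstalling the flashlight app tells you nothing about whether the infection is gone. A practical way to check is to compare the device's current /system/app contents against a listing taken from a clean image of the same build and inspect whatever was added. The script below is an added example written for this article, not Doctor Web's tool or code from the Trojan's authors; the two directory listings are constructed inline to stand in for `adb shell ls -l /system/app` output, and the indicator names are the ones this article mentions (NetworkProvider, GDataAdapter, GoogleSettings). It generalizes beyond this one family: any unexpected addition to /system/app is reported, not only the known Toorch names.

```python
"""Triage helper: find components added to /system/app since the stock image.

Added example for this article (not Doctor Web code). Input would normally
be captured with `adb shell ls -l /system/app` or
`adb shell find /system/app -name '*.apk'`; the listings here are constructed.
"""
import posixpath

# Component names this article attributes to Android.Toorch.1.origin.
TOORCH_INDICATORS = frozenset({"networkprovider", "gdataadapter", "googlesettings"})

# Constructed: abbreviated /system/app of a clean image of the same build.
BASELINE_LISTING = """\
total 5
drwxr-xr-x root root 2015-01-10 09:00 Bluetooth
drwxr-xr-x root root 2015-01-10 09:00 Calculator
drwxr-xr-x root root 2015-01-10 09:00 Calendar
drwxr-xr-x root root 2015-01-10 09:00 Camera
drwxr-xr-x root root 2015-01-10 09:00 Settings
"""

# Constructed: the same directory on a device after the flashlight app
# has been removed; the dropped modules are still there.
INFECTED_LISTING = """\
total 7
drwxr-xr-x root root 2015-01-10 09:00 Bluetooth
drwxr-xr-x root root 2015-01-10 09:00 Calculator
drwxr-xr-x root root 2015-01-10 09:00 Calendar
drwxr-xr-x root root 2015-01-10 09:00 Camera
drwxr-xr-x root root 2015-01-10 09:00 Settings
-rw-r--r-- root root 2015-04-02 18:31 NetworkProvider.apk
-rw-r--r-- root root 2015-04-02 18:31 GDataAdapter.apk
"""


def normalize(entry: str) -> str:
    """Reduce one listing line to a comparable, lowercase package name.

    Accepts bare names, `ls -l` rows (name is the last field), full paths,
    and the `<Name>/<Name>.apk` layout used by newer Android builds.
    """
    entry = entry.strip()
    if not entry or entry.startswith("total "):
        return ""
    name = posixpath.basename(entry.split()[-1].rstrip("/"))
    if name.lower().endswith(".apk"):
        name = name[:-4]
    return name.lower()


def parse_listing(text: str) -> set:
    """Set of normalized names found in a directory listing."""
    return {n for n in (normalize(line) for line in text.splitlines()) if n}


def diff_system_app(baseline: str, current: str) -> set:
    """Names present on the device but absent from the clean baseline."""
    return parse_listing(current) - parse_listing(baseline)


def triage(baseline: str, current: str) -> dict:
    """Split additions into known Toorch components and anything else.

    Anything in 'unknown' still deserves a look: a clean /system/app should
    not gain files after the stock image was flashed.
    """
    added = diff_system_app(baseline, current)
    return {
        "toorch": sorted(added & TOORCH_INDICATORS),
        "unknown": sorted(added - TOORCH_INDICATORS),
    }


if __name__ == "__main__":
    report = triage(BASELINE_LISTING, INFECTED_LISTING)
    for label, names in report.items():
        print(f"{label:8s} {', '.join(names) or '-'}")
```

The baseline must come from an image of the same device model and build, otherwise legitimate vendor additions will show up as "unknown". Reading /system/app on a real device usually requires a rooted shell or a rooted recovery, and on a device where the Trojan has already obtained root the `ls` binary itself is not fully trustworthy, so treat a clean diff as supporting evidence rather than proof.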


Doctor Web's security analysts have created a special tool to help victims of the Trojan remove all of its malicious components from their mobile devices. To clean an infected smartphone or tablet, download the tool from http://download.geo.drweb.com/pub/drweb/tools/drweb-1.00-android-toorchremover.apk, install it, run the application and follow the instructions on the device screen. Once the Trojan has been removed from the device, root privileges will be disabled as well. If your Android device was rooted before the infection, you will need to enable root access again.



Source: Doctor Web


