SHA1 | Application package name | Application version with the Trojan |
---|---|---|
accd733ee5c1d9066bee4e9d4680fb3478dec63b | com.iapps.subnautica | 1.7 |
8097a814e17a7d998279889e4ba7e5e4047e0161 | com.varqui.death | 1.1 |
c565c1abefbf37d22879aa373e1cebc2001b11be | com.arksur.navol | 0.7 |
fc23c8c962f09d9e11a2ae1b7e84484c8e7dcc56 | com.gamestruggle.fivenights | 12 |
8c65d249e86b101b00491c39f2d6a485c775b418 | com.clip.gehmop | 2.24 |
530e720963a4aefa59f41fa8badfd09efdcdc192 | com.spire.forsslay | 1.0 |
b0d9dcc425ebf30a1316b7fff75e61a73521b8ab | com.harjum.jumpingbeasts | 1.9 |
29151c3814622a6b8625ce035695ede101d73657 | com.oardee.survival | 1.12 |
1380845ab419343e908562b0a3e158972a8ea1d7 | com.narlos.theforest | 1.7 |
b4bf4c9966eabdc10c6e1a682b561bec8776a189 | com.grmrk.girldressup | 5.0.8 |
80bcaca4729751da41e2fab7ca6ecd71a82291da | com.grmrk.fashiongirls | 5.0.0 |
878a0100d6887359d92d30080d5cc0732bc4466b | com.grmrk.prettydressup | 5.0.1 |
52ce1ac4a6841bdb533ca125be71935350c93730 | com.karhap.happy | 1.41 |
accd733ee5c1d9066bee4e9d4680fb3478dec63b | com.iapps.subnautica | 1.15 |
249c01eab497a6c84ccc971ec3e7824d05bd991d | com.qarani.beasts | 1.20 |
c185b0b3834252900fe9f520419ff3b03baaa163 | air.Hospitalfear | 1.9 |
f4d4c7195a496dafe77a0888d0f08b4e643be569 | air.EscapefromtheDead | 1.9.15 |
2cb5d98376cbefddffa6dedf12e6ef69015037fd | com.rat.simulator | 2.0.5 |
91e4c84ee78dad35db2ba90cd4aef980eead1cab | com.grmrk.dressupgames | 6.07 |

A Trojan that runs on devices with the Android OS. It is an updated version of the Android.RemoteCode.106.origin Trojan. It is a software module that can be integrated into any application. Applications containing Android.RemoteCode.152.origin were distributed through the Google Play catalog.

After the first launch of an application containing this Trojan, Android.RemoteCode.152.origin starts automatically at certain intervals, as well as every time the infected Android device is turned on. On launch, the malicious program connects to one of the following management servers:
http://sendmobi********.info:443
http://reportmobi*****.info:443
http://185.159.**.*:443
http://mobileadd******.info:443
When a command is received from the server, the Trojan downloads additional malicious modules and launches them using the DexClassLoader class. For example, it can download the Android.Click.249.origin module, which is designed to download other components the malicious application needs to operate. Using these modules, Android.RemoteCode.152.origin creates invisible advertising banners and then automatically clicks on them, for which the attackers are paid.
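
The management server addresses above use the `http://` scheme on port 443, and the Trojan contacts them on a timer. The following added example (not part of the original description) flags that combination in web proxy logs: plaintext HTTP to port 443 repeated at regular intervals from one device. The log format, host names, timestamps and thresholds are assumptions made for illustration; the description does not state the actual interval.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (timestamp, client, method, URL); all hosts are placeholders.
SAMPLE_LOG = """\
2024-01-10T08:00:00 10.0.0.21 POST http://c2-placeholder.example:443/
2024-01-10T08:30:02 10.0.0.21 POST http://c2-placeholder.example:443/
2024-01-10T09:00:01 10.0.0.21 POST http://c2-placeholder.example:443/
2024-01-10T09:29:59 10.0.0.21 POST http://c2-placeholder.example:443/
2024-01-10T08:05:00 10.0.0.35 GET https://store.example:443/index
2024-01-10T08:07:13 10.0.0.35 GET http://news.example/feed
2024-01-10T08:09:40 10.0.0.44 GET http://misc.example:443/one-off
"""

def plaintext_http_on_443(log_text):
    """Group request times of plain-HTTP traffic to port 443 by (client, host)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        ts, client, _method, url = fields
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.port == 443:
            hits[(client, parts.hostname)].append(datetime.fromisoformat(ts))
    return dict(hits)

def find_beacons(log_text, min_events=3, max_jitter=0.1):
    """Return {(client, host): mean interval in seconds} for timer-like contacts."""
    beacons = {}
    for key, times in plaintext_http_on_443(log_text).items():
        if len(times) < min_events:
            continue  # a single odd request is worth a look but is not a beacon
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # A small relative spread of the gaps points to a timer, not a user.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons[key] = round(mean)
    return beacons

if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: plain HTTP on port 443 every ~{interval}s")
```

Devices reported by `find_beacons` are candidates for an installed-application review against the package names and versions in the table above.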