Researchers at antivirus and security firm Dr. Web discovered more than 100 Android apps infected with Android.Spy.277.origin, an adware Trojan that contains many spyware functions.
The malware-infected applications are disguised as popular apps and have been downloaded 3,200,000 times, according to a Dr. Web blog post.
When the applications open, the victim's personal information and device information are sent to the attacker's command and control server. This includes the IMEI identification number, email address used for the Google user account, operating system version, device phone number, geolocation information, CPU type, software development kit version, mobile network carrier, network connection type, Google Cloud Messaging ID, root access availability, infected application name, and whether the malicious application has admin privileges.
This information is used to track the device's activities, and is resent to the attacker's server each time the user opens an application.
The malware prompts users to download additional applications by displaying pop-up advertisements disguised as notifications that warn of device problems, such as a damaged battery. Ads disguised as notifications often direct adware victims to affiliate applications. The applications may also contain additional malware.