How Android Users Are Deceived with the Help of Trojans

Trojans are a common pain for all internet users. They can easily penetrate our device and infect the files stored on them.

You can read more about the harm of Trojans and their comparison with other viruses here.

Trojans are often spread via Google Play. Attackers add malicious code to popular applications, but upload them to the store under a different name. Such popular applications often include messengers, SMS messaging applications, blood pressure monitors, and document scanners.

Of course, Google Play moderators are working daily on monitoring this kind of application. But unfortunately, new ones appear at a much faster rate.

What’s more dangerous: virus vs. worm? Find out here.

The first group: How does a Trojan subscriber work?

Usually, to subscribe to a service a person has to go to the content provider’s page and click the “Subscribe” button. After that, the service provider will ask you to confirm your desire to subscribe, where you will need to enter the code from the sent SMS. However, the “Joker” group of Trojan viruses already know how to bypass such a security system.

After entering the device, the application requests access to various files, including SMS. After that, the Trojan uses this access to subscribe an unsuspecting user to paid services.

For example, when a Trojan gets access to notifications, it will be able to intercept the confirmation code in the pop-up notification and use it to confirm a bogus subscription.

The second group: How do Trojan subscribers bypass captcha?

Next, a logical question may arise: how do Trojans bypass the captcha? After all, this is an additional level of security. If Joker is not capable of this yet, then the “MobOk” type of Trojan is more advanced in this regard. They are multifunctional and in addition to the ability to steal notifications and SMSs, they can bypass the captcha. To do this, the Trojan sends a captcha image to a special service that provides captcha recognition.

What is a captcha? Read more about captcha here.

Otherwise, the principle of operation is similar to Trojans from the Joker family. In some cases, MobOk was distributed as a payload of the Triada Trojan — in particular, through pre-installed applications on some smartphone models, unofficial modifications of WhatsApp, or the alternative app store APKPure. Also, sometimes infected MobOk applications can be found on Google Play.

Is it safe to use WhatsApp? Find out more here.

The third group: Trojans subscribers from unofficial sources

Another category of Trojans is Trojans from unofficial sources. One such Trojan belongs to the “Vesub” family and is distributed through unofficial sources for the distribution of applications. For example, under the guise of the Tubemate and Vidmate applications for downloading content from YouTube and other streaming services, or under the guise of an unofficial Android version of GTA5. In addition, it is not uncommon for such Trojans to pose as free versions of Minecraft applications.

It is worth noting that the Vesub Trojans are more efficient than the previous ones, and they can cause very serious harm to your device. Immediately after installation, they proceed to issue unnecessary subscriptions, hiding the corresponding windows from the user and showing him the application download window instead.

The next group of Trojans are known as “Grifthorse.ae” Trojans. They act in an even more straightforward manner. Once activated, they will ask the user to enter a phone number. Then as soon as a person enters it, a subscription is issued and money is debited from the mobile account.

Such Trojans usually pose as tools for recovering deleted files, editing photos and videos, blinking the flash on an incoming call, navigation, scanning documents, and the like. But in fact they are functionally useless.

The fifth group: Trojans with a subscription for autopayment

The last group of Trojan subscribers is “GriftHorse.1.” Despite the similarity in the name with the previous Trojan, this one works according to a completely different scheme. This devious app subscribes you to services with autopayments. Formally, this happens with the consent of the user, but they may not be aware that it is a regular autopayment they are signing up for.

The second surprise is that the first payment is significantly less than the subsequent ones. The money will be debited from the bank card that you are asked to enter to gain access.

How not to download a Trojan to your device

Now is the time to find out how to prevent the registration of an unwanted and useless subscription, because it will be very difficult to delete it. Therefore, it is necessary to act ahead of time.

Here’s what we recommend for protection against Trojan subscribers:

1. Forget about applications from unofficial sources. Such applications will very often contain various viruses that will harm your phone or PC.
2. Check applications even from official sources. Official sites, unfortunately, also do not give a full guarantee. Therefore, read the reviews and see the ratings.
3. Check the date of the app’s appearance in the store. Stores actively remove dangerous fakes, so fraudsters have to constantly create new versions of infected applications. If the application has appeared recently, it is better not to install it on your device.
4. Restrict access to your data for applications. Before you allow the app to read your notifications or SMS, think about whether it is really necessary.

Learn more about how to purify your device after clicking a phishing link here.