Unit 42, Palo Alto Networks' threat research unit, has observed multiple new samples of the Android adware family "Ewind". Researchers believe the attacker is Russian; however, "Ewind" appears to deliberately target Russians, which is unusual, as Russian actors tend to avoid targeting Russian subjects. The adware Trojan potentially allows full remote access to the infected device, and it includes other functionality such as collecting device data and forwarding SMS messages to the attacker.
Some of the popular Android applications that Ewind targets include:
- GTA Vice City
- AVG cleaner
- Minecraft – Pocket Edition
- Avast! Ransomware Removal
- Opera Mobile.
"Ewind" is more than simply adware; at the very least it is an actual Trojan, subverting genuine Android apps. The attackers use a simple approach: they download a popular, legitimate Android application, decompile it, add their malicious routines, then repackage the Android application package (APK). They then distribute the trojanized application through their own Russian-language Android application sites.
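One consequence of the repackaging approach described above is that the attacker cannot reuse the original developer's signing key: a decompiled, modified and rebuilt APK has to be re-signed, so its signing certificate differs from the genuine one. Pinning the developer's certificate fingerprint and comparing it against whatever certificate actually signed an installed package is therefore a practical way to flag a trojanized copy. The following is an added example, not code from Unit 42 or from the Ewind report; it assumes the `cryptography` Python package is installed, builds two constructed in-memory "APKs" (one signed with a stand-in developer key, one rebuilt and re-signed with a different key), and only inspects the v1 (JAR) signature block under `META-INF/`, not the newer v2/v3 signing schemes of a real APK.

```python
"""Flag repackaged APKs by pinning the developer's signing certificate.

Added example (not from the Unit 42 report). A repackaged APK must be
re-signed, so the certificate in its signature block will not match the
fingerprint pinned for the genuine app. Everything here is constructed:
throwaway keys, self-signed certificates and minimal APK-like zip files.
Only the v1 (JAR) signature block META-INF/*.RSA|*.DSA|*.EC is parsed.
"""
import datetime
import io
import zipfile

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID


def make_self_signed(common_name):
    """Generate a throwaway RSA key and self-signed certificate (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def cert_fingerprint(cert):
    """SHA-256 fingerprint of a certificate as lowercase hex (the value to pin)."""
    return cert.fingerprint(hashes.SHA256()).hex()


def build_fake_apk(key, cert, dex_payload):
    """Build a minimal APK-like zip with a v1 signature block (constructed).

    Real JAR signing hashes the manifest into CERT.SF and signs that file;
    here the detached PKCS#7 signature is taken over the manifest directly,
    which is enough to carry the signer certificate we want to inspect.
    """
    manifest = b"Manifest-Version: 1.0\r\n\r\n"
    signature = (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(manifest)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.DER, [pkcs7.PKCS7Options.DetachedSignature])
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex_payload)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.RSA", signature)
    return buf.getvalue()


def signer_fingerprints(apk_bytes):
    """Return the SHA-256 fingerprints of all certificates in the v1 signature blocks."""
    fingerprints = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("META-INF/"):
                continue
            if not name.endswith((".RSA", ".DSA", ".EC")):
                continue
            for cert in pkcs7.load_der_pkcs7_certificates(z.read(name)):
                fingerprints.add(cert_fingerprint(cert))
    return fingerprints


def is_repackaged(apk_bytes, pinned_fingerprint):
    """True when the APK is not signed by the pinned certificate.

    An APK with no signature block at all is also reported as repackaged,
    since a genuine release build always carries one.
    """
    return pinned_fingerprint not in signer_fingerprints(apk_bytes)


def demo():
    """Check a genuine and a re-signed (trojanized) APK against the pinned developer cert."""
    dev_key, dev_cert = make_self_signed("Genuine Developer (constructed)")
    pinned = cert_fingerprint(dev_cert)
    genuine = build_fake_apk(dev_key, dev_cert, b"original classes.dex (constructed)")

    # The repackager rebuilds the app with extra code and must sign with their own key.
    att_key, att_cert = make_self_signed("Repackager (constructed)")
    trojanized = build_fake_apk(att_key, att_cert, b"original dex + injected routines (constructed)")

    return is_repackaged(genuine, pinned), is_repackaged(trojanized, pinned)


if __name__ == "__main__":
    genuine_flagged, trojan_flagged = demo()
    print("genuine APK flagged as repackaged:", genuine_flagged)
    print("re-signed APK flagged as repackaged:", trojan_flagged)
```

On a real device the same comparison is done against the package's installed signing certificate (for example via `PackageManager` or `apksigner verify --print-certs`), with the pinned fingerprint taken from a copy obtained from the official developer or store rather than from a third-party download site.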
More information is available on the Unit 42 blog: