Android VDLoader app-push malware in circulation

The folks over at NQ Mobile’s Security Research Center have just discovered a new Android malware, which cannot only push other apps, but the upgraded version of itself to users. NQ Mobile named this malware *VDLoader. After analyzing a great number of app-push malware, VDLoader is the first mobile malware which has the ability to auto-update, bringing a serious threat to Android users.

*Note: VDLoader can only be currently found on third-party Android app markets in China. The Google Play Store is unaffected by this rogue app at this time.

How does VDLoader work? This malware injects into normal applications to hide and broadcast itself. You cannot see the corresponding icon in the application table. It starts the service when the signal change is captured, connects the Internet to acquire commands from the server, and downloads application packages without the users’ knowledge. Unlike other promoting applications, the downloaded applications are infected by the malware. This malware disguises itself as SMS notifications to mislead users. It not only causes data flow consumption (not so good if you are on a limited data plan :() and financial loss, but also brings a much more serious security threats into users’ Android devices. See below:

  • Ciphering – It encrypts several important strings in the codes using AES algorithms, thus introducing more difficulties to the analysis of it.  The malware can parse the decrypted string and extract the server’s address.
  • Interacting with server – It first collects the information of the applications installed on the phone, and sends the list of their package names via HTTP request.






The server will reply the command contains the information about the application to download, including the package name, and the URL of the package. See image below:







Through the parsing of that command, it gets the URLs to connect. Then, it downloads the specific applications and stores them under /sdcard/download. It fakes themselves as SMS notifications, and will be installed after the user clicks the detail items. The downloaded applications, zj_flashlight.apk and zj_NinjaChicken_other.apk are the variants of VDLoader and have similar behaviours. See the VDLoader app image below:








Protect Yourself from VDLoader

NQ Mobile Security users are already fully protected from VDLoader and all other malware threats.  If you don’t have a powerful mobile security application on your phone, we recommend that you take the following precautions to prevent any damage from VDLoader (and other threats):

  • Only download applications from trusted sources, reputable application stores, and markets. Be sure to check reviews, ratings, and developer information before you download anything.
  • Never accept application requests from unknown sources, and closely monitor permissions requested by any application. An application shouldn’t request permission to do more than what it says it will do in its privacy policy.
  • Look out for unusual behavior on your smartphone, such as your device shutting down unexpectedly or displaying constant pop-up messages.
  • Download NQ Mobile Security which is FREE for Android today to make sure you’re protected against mobile malware and other privacy threats.

Safe surfing folks!

This entry was posted in android, google, malware, mobile and tagged , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *