Android.Troj.mdk, the Trojan botnet reported last week to have infected one million devices, mainly Chinese Android phones, is a new variant of a previously known malware strain, Backscript, researchers say.
Both variants are signed with the same certificate, but Troj.mdk (MDK) adds Advanced Encryption Standard (AES) encryption to hide configuration data such as its command-and-control server addresses and the commands it receives.
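The shared signing certificate is the pivot an analyst would use to tie the two families together: the certificate sits in the APK's META-INF/*.RSA file, a PKCS#7 SignedData blob, and its SHA-256 fingerprint is the same across every APK signed with that key, whatever else changed in the repackaged app. The script below is an added example, not code from the original article or from Symantec or Kingsoft. It walks the DER structure to pull each certificate out of the signature block and groups samples by fingerprint. The APKs are built in memory and the "certificates" are constructed placeholders rather than real X.509 data; the parsing path is the same one a real CERT.RSA follows.

```python
"""Cluster APK samples by signing-certificate fingerprint (added example,
not the article's or any vendor's code; sample APKs and certificate bodies
are constructed placeholders)."""
import hashlib
import io
import zipfile
from collections import defaultdict

SEQUENCE, SET, OID, CTX0 = 0x30, 0x31, 0x06, 0xA0


def der_len(n: int) -> bytes:
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, *children: bytes) -> bytes:
    """Build one DER TLV from a tag byte and already-encoded children."""
    payload = b"".join(children)
    return bytes([tag]) + der_len(len(payload)) + payload


def iter_tlv(buf: bytes):
    """Yield (tag, value, raw_tlv) for each TLV in a DER byte string."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first & 0x80:                      # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
            hdr = 2 + nbytes
        else:
            length, hdr = first, 2
        start, end = i + hdr, i + hdr + length
        yield tag, buf[start:end], buf[i:end]
        i = end


OID_SIGNED_DATA = der(OID, bytes.fromhex("2A864886F70D010702"))  # 1.2.840.113549.1.7.2
OID_DATA = der(OID, bytes.fromhex("2A864886F70D010701"))         # 1.2.840.113549.1.7.1


def certs_from_pkcs7(blob: bytes):
    """ContentInfo -> [0] EXPLICIT SignedData -> certificates [0]; return each cert's DER."""
    tag, content_info, _ = next(iter_tlv(blob))
    if tag != SEQUENCE:
        raise ValueError("not a PKCS#7 ContentInfo")
    oid, explicit = list(iter_tlv(content_info))[:2]
    if oid[2] != OID_SIGNED_DATA or explicit[0] != CTX0:
        raise ValueError("not SignedData")
    _, signed_data, _ = next(iter_tlv(explicit[1]))
    for t, v, _ in iter_tlv(signed_data):
        if t == CTX0:                         # certificates [0] IMPLICIT SET OF Certificate
            return [raw for ct, _, raw in iter_tlv(v) if ct == SEQUENCE]
    return []


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the certificate's DER, the usual pivot key."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes: bytes):
    """Fingerprints of every certificate in the APK's v1 signature blocks."""
    fps = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in certs_from_pkcs7(z.read(name)):
                    fps.add(cert_fingerprint(cert))
    return fps


def cluster_by_signer(samples: dict) -> dict:
    """Map fingerprint -> list of sample names signed with that certificate."""
    clusters = defaultdict(list)
    for name, apk in samples.items():
        for fp in apk_signer_fingerprints(apk):
            clusters[fp].append(name)
    return dict(clusters)


def make_pkcs7(cert_der: bytes) -> bytes:
    """Minimal SignedData wrapper holding one certificate (signer fields left empty)."""
    signed_data = der(SEQUENCE,
                      der(0x02, b"\x01"),             # version
                      der(SET),                        # digestAlgorithms (empty)
                      der(SEQUENCE, OID_DATA),         # encapContentInfo
                      der(CTX0, cert_der),             # certificates [0]
                      der(SET))                        # signerInfos (empty)
    return der(SEQUENCE, OID_SIGNED_DATA, der(CTX0, signed_data))


def make_apk(cert_der: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for a v1-signed APK: a zip with a DEX and META-INF entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", payload)
        z.writestr("META-INF/CERT.SF", b"Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", make_pkcs7(cert_der))
    return buf.getvalue()


# Constructed placeholder "certificates"; real ones are full X.509 structures.
CERT_SHARED = der(SEQUENCE, der(0x04, b"shared signer (placeholder, constructed)"))
CERT_OTHER = der(SEQUENCE, der(0x04, b"unrelated signer (placeholder, constructed)"))

SAMPLES = {
    "backscript_sample.apk": make_apk(CERT_SHARED, b"dex-a"),
    "mdk_sample.apk": make_apk(CERT_SHARED, b"dex-b"),
    "unrelated.apk": make_apk(CERT_OTHER, b"dex-c"),
}

if __name__ == "__main__":
    for fp, names in cluster_by_signer(SAMPLES).items():
        print(fp[:16], sorted(names))
```

The two samples built with CERT_SHARED land in one cluster and the third stands alone, which is the relationship the researchers describe between Backscript and MDK. On real APKs the same function works on the actual CERT.RSA; AES-encrypted C&C strings inside the DEX do nothing to hide this link, because the signature block has to stay parseable for Android to install the app.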
Like Kingsoft, the Chinese security company that first reported the Trojan early last week, Symantec reports that the malware lets attackers remotely control victims' devices, harvest user data, download further APKs and install adware. But while Kingsoft found the malware in 7,000 apps, Symantec says it has detected Backscript in upwards of 11,000 apps since September 2012, more than 50 percent above Kingsoft's count, security response manager Flora Liu wrote on Symantec's Security Response blog.
Like Exprespam, another recently discovered strain of Android malware, Backscript/MDK has predominantly affected Chinese devices, and the malware has mostly been found in third-party app stores, bundled into popular apps such as Temple Run.
In the blog entry, Symantec also confirmed that MDK has, as expected, overtaken Rootstrap, an Android Trojan that stole data from hundreds of thousands of devices last winter, as the largest mobile botnet.
Security experts have predicted that by the end of 2013 the number of threats targeting Android devices could exceed one million, triple the number currently targeting Google's smartphone platform.