{
	"id": "240894c9-b398-41b2-929b-a3611ccff2cd",
	"created_at": "2026-04-06T00:10:08.919089Z",
	"updated_at": "2026-04-10T03:32:45.88338Z",
	"deleted_at": null,
	"sha1_hash": "124654e12adc60479fef50f611551fe289c0e4a6",
	"title": "Smartphone shopaholic",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 327140,
	"plain_text": "Smartphone shopaholic\r\nBy Igor Golovin\r\nPublished: 2020-01-09 · Archived: 2026-04-05 21:10:08 UTC\r\nHave you ever noticed strange reviews of Google Play apps that look totally out of place? Their creators might give an app five\r\nstars, while dozens of users rate it with just one, and in some cases the reviews seem to be talking about some other program\r\nentirely.\r\nIf so, you may be unknowingly acquainted with the work of Trojan-Dropper.AndroidOS.Shopper.a.\r\nHow Shopper.a works\r\nCybercriminals use Trojan-Dropper.AndroidOS.Shopper.a to boost a certain app’s rating and increase the number of\r\ninstallations and registrations. All this can be used, among other things, to dupe advertisers. What’s more, the Trojan can\r\ndisplay advertising messages on the infected device, create shortcuts to ad sites, and perform other actions.\r\nReturning to the suspicious reviews: Trojan-Dropper.AndroidOS.Shopper.a can open Google Play (or another app store), install\r\nseveral programs, and write fake user reviews of them. To make sure the user does not notice anything untoward, the installation window\r\nis concealed by the app’s “invisible” window. The lack of installation rights from third-party sources is no obstacle to the\r\nTrojan — it gives itself the requisite permissions through AccessibilityService. This service is intended by Google to\r\nfacilitate the use of smartphones for people with disabilities, but in the hands of cybercriminals it poses a serious threat to\r\ndevice owners. With permission to use it, the malware has almost limitless possibilities for interacting with the system\r\ninterface and apps. For instance, it can intercept data displayed on the screen, click buttons, and emulate user gestures.\r\nMasked as a system app, the malware misleads the user by using the system icon and the name ConfigAPKs. 
Our eye was\r\ncaught by the app’s heavy obfuscation and suspicious use of AccessibilityService.\r\nhttps://securelist.com/smartphone-shopaholic/95544/\r\nPage 1 of 4\n\nDistribution of Trojan-Dropper.AndroidOS.Shopper.a, October – November 2019\r\nTrojan-Dropper.AndroidOS.Shopper.a was most widespread in Russia, where the largest share of infected users (28.46%)\r\nwas recorded in October – November 2019. Second place went to Brazil (18.70%) and third to India (14.23%).\r\nTechnical details\r\nAt startup, after the screen is unlocked, the app decrypts and downloads the payload.\r\nThen the Trojan collects information about the victim’s device (country, network type, vendor, smartphone model, email\r\naddress, IMEI, IMSI), and forwards it to the cybercriminal server at:\r\nhttp://api.adsnative123[.]com/search.php?\r\nsid=1001\u0026sdk_v=A1.5.0\u0026geo=PK\u0026network=WIFI\u0026time=1567059364545\u0026lang=en\u0026udid=dc9c9a616665e073\u0026unkown=true\u0026pname=com.cleaner.qe\r\n7a9d-4e4d-a6c9-69179c3c2490\u0026anum=8\u0026s_udid=\u0026native=2\u0026key=…\r\nIn response, it receives a set of commands:\r\nDepending on the commands, Shopper.a can:\r\nOpen links received from the remote server in an invisible window (whereby the malware verifies that the user is\r\nconnected to a mobile network).\r\nAfter a certain number of screen unlocks, hide itself from the apps menu.\r\nCheck the availability of AccessibilityService rights and, if not granted, periodically issue a phishing request to the\r\nuser to provide them.\r\nDisable Google Play Protect.\r\nCreate shortcuts to advertised sites in the apps menu.\r\nDownload apps from the third-party “market” Apkpure[.]com and install them.\r\nOpen advertised apps on Google Play and “click” to install them.\r\nReplace shortcuts to installed apps with shortcuts to advertised sites.\r\nPost fake reviews supposedly from the Google Play user.\r\nShow ads when the 
screen is unlocked.\r\nRegister users through their Google or Facebook accounts in a number of legitimate apps (such as apps in the travel, retail,\r\nutilities and media categories), including the following:\r\nApp Package name\r\nAliexpress com.alibaba.aliexpresshd\r\nLazada com.lazada.android\r\nZalora com.zalora.android\r\nShein com.zzkko\r\nJoom com.joom\r\nLikee video.like\r\nAlibaba com.alibaba.intl.android.apps.poseidon\r\nDisclaimer: The malware described above does not exploit any vulnerabilities in the legitimate apps that it downloads and\r\nin which it registers users. The application only abuses the Google Accessibility Service.\r\nConclusion\r\nAs noted above, one of the things that drew our attention was the use of AccessibilityService. This service is usually\r\naccessed by people with vision problems to facilitate smartphone use, such as having the names of app controls, web page\r\ncontent, etc., read out automatically. In other cases, it can be used to emulate on the app screen physical smartphone keys\r\nthat have stopped working. If access is requested by a program whose functionality does not require AccessibilityService, be\r\nwary. And the best option is not to install apps from dubious sources at all, including from ads, whatever they promise. Even\r\nif the only danger posed by such apps comes from automatically written reviews, there is no guarantee that their creators will\r\nnot change the payload at some later date. 
In any event, it’s worth getting hold of a mobile security solution that can\r\nindependently detect and block dangerous apps.\r\nIOCs\r\nMD5\r\nC\u0026C\r\nhttp://api.adsnative123[.]com\r\nSource: https://securelist.com/smartphone-shopaholic/95544/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/smartphone-shopaholic/95544/"
	],
	"report_names": [
		"95544"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775791965,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/124654e12adc60479fef50f611551fe289c0e4a6.pdf",
		"text": "https://archive.orkl.eu/124654e12adc60479fef50f611551fe289c0e4a6.txt",
		"img": "https://archive.orkl.eu/124654e12adc60479fef50f611551fe289c0e4a6.jpg"
	}
}