{
	"id": "f9558330-276d-4c99-a49b-fb1b8bc48291",
	"created_at": "2026-04-06T00:19:15.820251Z",
	"updated_at": "2026-04-10T03:30:33.533115Z",
	"deleted_at": null,
	"sha1_hash": "38c0d1785db99fd3928d67efab800510da48bcb3",
	"title": "Doctor Web: A dangerous Android backdoor distributed via Google Play",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 166742,
	"plain_text": "Doctor Web: A dangerous Android backdoor distributed via Google Play\r\nPublished: 2019-07-12 · Archived: 2026-04-05 22:41:04 UTC\r\nJuly 12, 2019\r\nDoctor Web has identified a new backdoor trojan on Google Play that executes cybercriminal commands, allowing the criminals to remotely control infected Android devices and spy on their users.\r\nThe malware was dubbed Android.Backdoor.736.origin. It is distributed under the guise of an application called OpenGL Plugin, which purports to check the installed version of the OpenGL ES interface and download updates for it.\r\nWhen launched, Android.Backdoor.736.origin requests several sensitive system permissions that allow it to collect confidential information and work with the file system. It also asks for permission to draw its windows over the interfaces of other applications.\r\nIts window contains a button to “check” for updates to OpenGL ES. When the user taps it, the trojan simulates a search for new versions of OpenGL ES but does not actually perform any check.\r\nWhen the victim closes the application window, Android.Backdoor.736.origin removes its icon from the app list on the home screen and creates a shortcut instead.
This makes it harder for the user to remove the trojan, since deleting the shortcut will not affect the malware itself.\r\nAndroid.Backdoor.736.origin stays active in the background continuously and can be launched not only via its icon or shortcut, but also automatically at system startup and on the cybercriminals’ command via Firebase Cloud Messaging.\r\nThe trojan’s core malicious functionality is contained in an encrypted auxiliary file stored in the application’s resources directory. It is decrypted and loaded into memory on each launch of Android.Backdoor.736.origin.\r\nThe backdoor communicates with several command and control servers to receive commands from the attackers and to send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service. Android.Backdoor.736.origin is capable of:\r\nsending information on contacts from the contact list to the server;\r\nsending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);\r\nsending the phone call history to the server;\r\nsending the device location to the server;\r\ndownloading and launching an APK or a DEX file using the DexClassLoader class;\r\nsending information on the installed software to the server;\r\ndownloading and launching a specified executable file;\r\ndownloading a file from the server;\r\nuploading a specified file to the server;\r\ntransmitting information on the files in a specified directory or on the memory card to the server;\r\nexecuting a shell command;\r\nlaunching the activity specified in a command;\r\ndownloading and installing an Android application;\r\ndisplaying a notification specified in a command;\r\nrequesting a permission specified in a command;\r\nsending the list of permissions granted to the trojan to the server;\r\nnot letting the device go into sleep mode for a
specified time period.\r\nThe trojan AES-encrypts all data transmitted to the server. Each request is protected with a freshly generated key derived from the current time, and the same key encrypts the server’s response. Because the key is a function of the clock rather than a shared secret, this hides the traffic from casual inspection but not from an analyst who has recovered the derivation from the decrypted code and knows roughly when a request was sent.\r\nAndroid.Backdoor.736.origin can install applications in several ways:\r\nautomatically, if the device is rooted (using a shell command);\r\nthrough the system package manager, which only works if the trojan is installed as system software;\r\nby displaying the standard system installation dialog, where the user has to confirm the installation.\r\nAs you can see, this backdoor is a serious threat. Not only does it act as spyware, it can also be used for phishing, because it can display windows and notifications with arbitrary content. It can also download and install any other malicious application and execute arbitrary code. For example, on the attackers’ command Android.Backdoor.736.origin can download and run an exploit to obtain root privileges, after which it no longer needs the user’s permission to install other programs.\r\nDoctor Web has notified Google about the trojan; it had already been removed from Google Play at the time of publication.\r\nAndroid.Backdoor.736.origin and its components are detected and removed by Dr.Web for Android, so they pose no threat to our users.\r\nRead more about Android.Backdoor.736.origin\r\n#Android, #backdoor, #Google_Play, #spyware\r\n
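A static triage pass for a sample like the one described above, as an added example that is neither part of the Doctor Web write-up nor code from the trojan: it checks a decoded AndroidManifest.xml and the class references of classes.dex for the permissions, intent actions and loader classes that the listed capabilities (contact, call-log and location collection, overlays, boot persistence, the FCM channel, DexClassLoader, shell execution) require. The mapping from behaviours to indicators is this example's own assumption, and the package name com.example.opengl.plugin, the component names and the manifest are constructed for it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Behaviours the write-up attributes to Android.Backdoor.736.origin, mapped to
# the manifest permissions and intent actions that normally accompany them.
# The mapping is this example's own assumption; the behaviours are from the
# article.  INSTALL_SHORTCUT only matters for pre-Oreo launchers.
PERMISSION_HINTS = {
    'android.permission.READ_CONTACTS': 'contact-list exfiltration',
    'android.permission.READ_CALL_LOG': 'call-history exfiltration',
    'android.permission.READ_SMS': 'SMS exfiltration',
    'android.permission.ACCESS_FINE_LOCATION': 'device location',
    'android.permission.SYSTEM_ALERT_WINDOW': 'overlay windows (phishing)',
    'android.permission.RECEIVE_BOOT_COMPLETED': 'auto-start at boot',
    'android.permission.WAKE_LOCK': 'keeping the device awake',
    'android.permission.REQUEST_INSTALL_PACKAGES': 'installing further APKs',
    'com.android.launcher.permission.INSTALL_SHORTCUT': 'icon replaced by a shortcut',
}
ACTION_HINTS = {
    'com.google.firebase.MESSAGING_EVENT': 'Firebase Cloud Messaging C2 channel',
    'android.intent.action.BOOT_COMPLETED': 'auto-start at boot',
}
# Type descriptors in the classes.dex string table behind the loader and
# shell capabilities.  Runtime and Cipher are weak on their own; they matter
# in combination with the rest.
DEX_TYPE_HINTS = {
    'Ldalvik/system/DexClassLoader;': 'runtime loading of downloaded DEX/APK',
    'Ljava/lang/Runtime;': 'shell command execution via Runtime.exec',
    'Ljavax/crypto/Cipher;': 'encrypted payload or C2 traffic',
}

def triage_manifest(manifest_xml):
    # Walk a decoded AndroidManifest.xml (e.g. apktool output) and report every
    # permission and intent action that matches a known behaviour.
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter('uses-permission'):
        name = node.get(ANDROID_NS + 'name')
        if name in PERMISSION_HINTS:
            findings.append((name, PERMISSION_HINTS[name]))
    for node in root.iter('action'):
        name = node.get(ANDROID_NS + 'name')
        if name in ACTION_HINTS:
            findings.append((name, ACTION_HINTS[name]))
    return findings

def triage_dex_types(type_descriptors):
    # type_descriptors: the class references pulled from classes.dex by any dex
    # parser.  Exact matches avoid false positives on similar-looking names.
    return [(t, DEX_TYPE_HINTS[t]) for t in type_descriptors if t in DEX_TYPE_HINTS]

def distinct_behaviours(findings):
    # Count behaviours rather than raw hits: an FCM service plus a boot
    # receiver plus DexClassLoader says more than several copies of one permission.
    return sorted({why for _, why in findings})

# Constructed sample resembling the dropper described in the article; the
# package name and component names are invented for this example.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.opengl.plugin'>
  <uses-permission android:name='android.permission.READ_CONTACTS'/>
  <uses-permission android:name='android.permission.READ_CALL_LOG'/>
  <uses-permission android:name='android.permission.ACCESS_FINE_LOCATION'/>
  <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <uses-permission android:name='com.android.launcher.permission.INSTALL_SHORTCUT'/>
  <application>
    <receiver android:name='.BootReceiver'>
      <intent-filter>
        <action android:name='android.intent.action.BOOT_COMPLETED'/>
      </intent-filter>
    </receiver>
    <service android:name='.PushService'>
      <intent-filter>
        <action android:name='com.google.firebase.MESSAGING_EVENT'/>
      </intent-filter>
    </service>
  </application>
</manifest>'''

SAMPLE_DEX_TYPES = [
    'Landroid/opengl/GLES20;',                        # the OpenGL ES decoy
    'Ldalvik/system/DexClassLoader;',                 # loader for the downloaded payload
    'Ljava/lang/Runtime;',
    'Lcom/example/opengl/plugin/MainActivity;',
]

def triage(manifest_xml=SAMPLE_MANIFEST, type_descriptors=SAMPLE_DEX_TYPES):
    findings = triage_manifest(manifest_xml) + triage_dex_types(type_descriptors)
    return distinct_behaviours(findings)

if __name__ == '__main__':
    for behaviour in triage():
        print(behaviour)
```

Run it against the manifest apktool decodes and the type list from a dex parser; a benign OpenGL utility should produce an empty list, whereas a dropper with this profile lights up the boot receiver, the FCM service and DexClassLoader together, which is the combination worth escalating.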
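An illustration of why a per-request key derived from the clock, as described above, is weak. This is an added example, not the trojan's code and not Doctor Web's: the key schedule (SHA-256 of the Unix time in whole seconds) is an assumption standing in for whatever the trojan actually computes, and the HMAC counter-mode keystream stands in for its AES so that only the Python standard library is needed. The point is the recovery procedure, which is the same for any derivation that depends on the clock alone: an analyst holding a capture with an approximate timestamp tries every second in a window and keeps the candidate that decrypts to plausible data.

```python
import hashlib
import hmac

def time_key(unix_seconds):
    # Assumed key schedule (NOT the trojan's actual one, which the article
    # does not publish): a 32-byte key that is a function of the clock alone.
    return hashlib.sha256(str(unix_seconds).encode()).digest()

def keystream_xor(key, data):
    # Stand-in for the trojan's AES: HMAC-SHA256 counter-mode keystream, chosen
    # so the example runs without third-party crypto libraries.  Encryption
    # and decryption are the same operation.
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hmac.new(key, block.to_bytes(4, 'big'), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))

def encrypt_request(plaintext, unix_seconds):
    return keystream_xor(time_key(unix_seconds), plaintext)

def looks_like_plaintext(candidate):
    # Plausibility filter for the brute force.  The request format here is a
    # constructed one: printable ASCII key=value pairs.  A wrong key yields
    # pseudo-random bytes, which fail this test with overwhelming probability.
    return all(0x20 <= b < 0x7f for b in candidate) and b'=' in candidate

def recover_key(ciphertext, observed_time, window):
    # An analyst with a packet capture knows roughly when the request was
    # sent.  Trying every second in observed_time +/- window recovers the
    # key and the plaintext without any secret from the client or server.
    for offset in range(-window, window + 1):
        t = observed_time + offset
        candidate = keystream_xor(time_key(t), ciphertext)
        if looks_like_plaintext(candidate):
            return t, candidate
    return None, None

def demo():
    # Constructed sample: a contact-list upload sent at a known time.
    sent_at = 1562925599            # 2019-07-12 09:59:59 UTC, chosen arbitrarily
    request = b'device=2b1f8c&cmd=contacts&count=417'
    wire = encrypt_request(request, sent_at)
    # The capture clock is 7 minutes off; a 30-minute window still finds it.
    found_t, recovered = recover_key(wire, sent_at + 420, 1800)
    return found_t == sent_at and recovered == request

if __name__ == '__main__':
    print('recovered:', demo())
```

A thirty-minute window is 3601 trial decryptions, which is instantaneous; even a day of uncertainty is under 100,000. The only way such a scheme resists this is if the derivation also mixes in a secret the observer lacks, at which point the time component adds nothing the secret does not already provide.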
Source: https://news.drweb.com/show/?i=13349\u0026c=0\u0026p=0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://news.drweb.com/show/?i=13349\u0026c=0\u0026p=0"
	],
	"report_names": [
		"?i=13349\u0026c=0\u0026p=0"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434755,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38c0d1785db99fd3928d67efab800510da48bcb3.pdf",
		"text": "https://archive.orkl.eu/38c0d1785db99fd3928d67efab800510da48bcb3.txt",
		"img": "https://archive.orkl.eu/38c0d1785db99fd3928d67efab800510da48bcb3.jpg"
	}
}