PC Malware that silently installs apps on your Android device

PC Malware that silently installs apps on your Android device Abstract
February 3, 2016

Highly competitive global Android app stores are proving to be too much for some developers, spawning the growth of underground markets using trojan-like techniques to silently install apps instead.

The AVG VirusLab was recently exploring the Chinese Android App market and encountered PC based Malware with an interesting side-effect – it was silently (without any notifications to the user) installing apps to Android devices directly connected to the PC.

With a competitive landscape of over 1.9 Million Android apps in the Google Play store alone, and more in other global marketplaces, it’s not hard to see why such tactics are appealing to developers.  Advertising a new app has become increasingly difficult, and costly.

Pre-installation of apps, for example, is one of the most successful ways that developers can get attention and market share, yet it is prohibitively expensive and replies on partnerships with a limited number of handset vendors.

China’s underground black market however appears to be providing a cheaper pre-installation alternative for developers to spread their new apps – through special “alliance” operations such as ones we identified called “cyber café alliance” and “fast step union”.

These alliances offer access to a combination of groups such as hackers, distributors, cyber cafes, phishing websites, servers, etc. They are organized and operated systematically and focus on providing a sales and distribution service.

What we captured and described below, is typical of such “promoting” Trojans – malware designed to assist in the promotion or distribution of software or apps using questionable methods.

This particular malware starts by being downloaded to the computer, but its main purpose has little to do with the PC itself.  Using some clever techniques, it will even “help” you install mobile device drivers if you haven’t already.

From then on, once installed on your PC, whenever you connect your mobile device to your computer it will download an “App promotion list” and install those apps silently to your device.

Download the device’s driver from the server:


The server’s response:

{ “platform”:”android”, “service”:”winusb”, “args”:””, “dl”:””, “md5″:””, “size”:”” }

Download Adb and other components:

Download the App list:

Below is an example list:


Use adb.exe to install the Apps:

Apps in the below snapshot are all installed by this malware.

We have noted that this malware is regularly updated. At the time of our research the latest version is 1.7 and this malware checks with a remote server to get the newest version each time it runs.

Query the server to check the version:

And the server responded with:

We found this malware has been actively developed and improved for some time, and below is a record of some of the versions we have observed. It is possible this malware is developed and maintained by a stable team.

But how is this malware distributed to end users’ computers in the first place? The answer is via the alliance model we mentioned above.

In our research, we looked at two cyber café alliances named in Chinese ‘领跑吧网吧联盟 (Leading runner cyber café alliance)’ and ‘快步网盟 (Fast step net union)’ – and we captured some of their distributing servers and their client’s apps:

In order to help protect you from this type of malware, AVG is already detecting them as “Agent5.ZKR” – just one of the many threats we continue to protect you against, on all your devices.

AVG VirusLab
February 3, 2016