Adware Found in Android App with over One Million Installs on Google Play Store

Share this…

Security researchers from Dr.Web say they’ve identified a new malware family inside an Android app found on the Google Play Store under the name of “Multiple Accounts: 2 Accounts.”

At the time of writing, the application is still available from Google’s Play Store, where statistics reveal that there are between 1 and 5 million active installs at the moment.

Developed by a Chinese company, the app advertises itself as a dual-account app that allows users to log into two different social media accounts at the same time, supporting services such as WhatsApp, Facebook, Tumblr, and more.

Android.MulDrop shows ads, downloads other apps

The Russian security firm says this app includes a malware family codenamed Android.MulDrop (Android.MulDrop.924).

According to researchers, this malware can show unwanted ads and covertly download apps on the user’s smartphone, asking the user to start the installation process.


While there are many apps that show ads on the Google Play Store, most of them are upfront about this behavior.

The Multiple Accounts: 2 Accounts disguises this. Dr.Web researchers say the malware is packed inside two JAR files that are encrypted and hidden inside a PNG image named icon.png using steganography.

When running the app, the modules are extracted from the image and launched into execution. Most of the time, the app downloads and shows ads on the user’s phone, which create a revenue stream for its developer.

Android.MulDrop roots devices

Android.MulDrop carries out all its malicious operations through a series of plugins it downloads on the user’s device. These plugins are other malware families incorporated inside Android.MulDrop.

The adware behavior is powered via the Android.DownLoader.451.origin malware, while the app downloading behavior is carried out using Android.Triada.99.

Android.Triada.99, or simply Triada, is one of the most dangerous Android trojans known today, mostly used as a banking trojan. Android.MulDrop uses Triada to root devices in order to download other apps.

There’s a trend of using dual account apps to spread malware

Avast security researchers have seen a trend of Chinese malware authors packing malware inside apps that allow users to log into social media apps using different identities.

Until now, they’ve seen these apps distributed via third-party app stores. Android.MulDrop is the first case that has been seen distributed through the Google Play Store.