By GoldSparrow in Adware

Ewind is the name of an adware family that primarily targets Android users located in the Russian Federation. The operators of the Ewind adware have opted to use an interesting strategy to propagate their creation:

  • First, the conmen download a genuine application from the Google Play Store.
  • Next, they decompile the application to add the code of the Ewind adware.
  • Finally, they repack the application and upload it to application stores, which are popular in the Russian Federation.

Although the applications are counterfeit once the conmen have tampered with them, they still operate as intended, so users may not notice anything out of the ordinary. The operators of the Ewind adware are known to have used this trick to create bogus copies of popular applications and mobile games such as Vkontakte, Opera Mobile, Minecraft, GTA Vice City and others.

Just like most adware, the main goal of the Ewind program is to bombard users with advertisements whenever they use their devices. However, after studying the Ewind adware program, cybersecurity analysts found that this tool is capable of more than just injecting advertisements. Its other features include collecting data about the device's hardware and software, as well as accessing and collecting text messages. This led malware researchers to believe that the operators of the Ewind program may be capable of taking over the compromised device if they wish to do so. This puts the Ewind adware family in a whole different league.

When an application that contains the code of the Ewind adware is launched, it will request the user to grant it administrator privileges. Interestingly enough, adware programs do not need administrator permissions to inject and display advertisements on the compromised host. This means that displaying advertisements is not the only goal of the Ewind adware program. Users report that the Ewind adware program often spawns advertisements promoting a variety of cryptocurrency services.

The operators of the Ewind program can use it to go through the text messages on the compromised device and select specific ones. The tool does so either by checking the contents of the text messages or by matching the phone numbers that sent them. If the Ewind program locates a text message that fits its criteria, it forwards the message to the attackers' C&C (Command & Control) server. This feature allows the Ewind program to bypass 2FA (Two-Factor Authentication) measures. According to researchers, the creators of the Ewind utility have yet to use this particular feature of the tool.
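The two capabilities described above (a request for device-administrator rights, and access to text messages) both leave traces in an application's manifest. The following added example, which is not part of the original post and not based on any real Ewind sample, triages a decoded AndroidManifest.xml (text form, as produced by a decoding tool) for exactly that pairing. The package name, receiver name and manifest contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME, A_PERM = "{%s}name" % ANDROID_NS, "{%s}permission" % ANDROID_NS
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                   "android.permission.SEND_SMS"}
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"


def triage_manifest(manifest_xml: str) -> dict:
    """Triage a decoded AndroidManifest.xml (text form) for the two
    capabilities described above: device-admin and SMS access."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")}
    sms = sorted(requested & SMS_PERMISSIONS)
    # A device-admin receiver is guarded by BIND_DEVICE_ADMIN and/or listens
    # for DEVICE_ADMIN_ENABLED; an app that only shows ads needs neither.
    device_admin = any(
        r.get(A_PERM) == DEVICE_ADMIN_PERM
        or DEVICE_ADMIN_ACTION in {a.get(A_NAME) for a in r.iter("action")}
        for r in root.iter("receiver"))
    findings = []
    if device_admin:
        findings.append("declares a device-administrator receiver")
    if sms:
        findings.append("requests SMS permissions: " + ", ".join(sms))
    return {
        "package": root.get("package"),
        "device_admin": device_admin,
        "sms_permissions": sms,
        # Both together match the pattern described above; either one alone
        # is only a lead for manual review.
        "suspicious": device_admin and bool(sms),
        "findings": findings,
    }


# Constructed sample (not a real Ewind manifest): a game whose hypothetical
# repack added SMS permissions and a device-admin receiver.
REPACKED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.repackedgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

Run `triage_manifest` over the decoded manifest of a suspect download and compare its permission set with the official store listing of the same application; a game that suddenly needs SMS access and device-admin rights is the pattern this article describes.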

The Ewind adware program is a complex creation with a lot of potential. Clearly, this is not your everyday adware utility, as the Ewind tool is capable of causing a lot of damage to its targets. Avoid downloading and installing applications from third-party application stores, as they are far more likely to have weak security measures that allow potentially threatening software onto their platforms.
