Blackfriday brings malicious apps to the Android ecosystem

November 14, 2017

The month of November brings a lot of shopping deals thanks to Black Friday. The deals and discounts are in abundance online as well as in stores. However these days there is an app for everything, shopping is not far behind as there are apps from all major online retailers. Moreover there are specific apps that showcase the best deals from all around the marketplace.

The month of November sees a spike in installation of such shopping apps, naturally this is a good opportunity for malware writers to spread their malicious apps. We will try to document our findings for the year of 2017 with regards to Black Friday:


One of the first apps we observed was being distributed was DroidJack with the name amazon. We have covered DroidJack in the past where it masqueraded different apps here and here.

Clearly the internal structure remains the same, however the malware writers are using BlackFriday as a means to spread their apps. A point to note though, the current app only uses the name of amazon and nothing else. No efforts were made towards copying the icon.

It is interesting to note that the author of this app has been creating malicious apps with DroidJack components in them, just around the shopping season the author created a DroidJack infested app with the name amazon.

We will continue to update this blog with new findings as the Thanksgiving season reaches its peak.

Sonicwall Capture Labs provides protection against this threat via the following signature:

  • GAV: AndroidOS.DroidJack.MA_2 (Trojan)

Sample analyzed:

  • App name: amazon
  • Package name: net.droidjack.server
  • MD5: bc66d909ea906dc5933e7dacd6a461d1