AgentJL

High-level Description

Year: 2017
Blog: https://www.welivesecurity.com/2017/03/23/download-minecraft-mods-google-play-read/

This malware sample acts as a malware dropper. The sample requests device admin privileges on application launch. Once the user clicks on a button, the app downloads an remote payload and attempts to convince the user to install it for the apps functionality (minecraft mods) to work. The user clicks on the dialog, installs the app, and the remote payload performs ad click fraud (an observed behavior as the server used to retrieve the payload was down at time of analysis).

Signature

The image of the signature can be downloaded here for closer inspection.