
Banking trojans disguised as shopping apps attack Malaysian Android users

Doctor Web reports on the discovery of banking trojan apps that target Malaysian users. Malicious actors distribute them as mobile shopping apps. Unlike many other bankers, these not only carry the icons and names of shopping apps but also function like real ones, which makes them look more plausible and less likely to raise suspicion. These trojans steal logins and passwords for online banking accounts. They also hijack SMS messages containing mobile TANs and one-time passwords used to confirm transactions. Moreover, they steal victims’ personal information, including their date of birth, mobile phone number and identity card number.
Real-time threat watch
Read

Doctor Web identifies attack on WhatsApp and WhatsApp Business messengers installed on counterfeit Android devices

Doctor Web reports that it has discovered backdoors in the system partition of budget Android device models that are counterfeit versions of famous brand-name models. These trojans enable arbitrary code execution inside the WhatsApp and WhatsApp Business messaging apps and can potentially be used in different attack scenarios. Among them are the interception of chats and the theft of confidential information found in them; the malware can also be used to run spam campaigns and various scam schemes. This, however, is not the only risk for users. The affected devices are claimed to ship with a modern and secure Android OS version. In reality, they are based on an obsolete version subject to multiple vulnerabilities.

Study of an APT attack on a telecommunications company in Kazakhstan

In October 2021, one of Kazakhstan’s telecommunications companies contacted Doctor Web on suspicion that malware was present in its corporate network. During the initial examination, we found backdoors that had previously been used only in targeted attacks. During the investigation, we also established that the company’s internal servers had been compromised since 2019. For several years, Backdoor.PlugX.93 and BackDoor.Whitebird.30, the Fast Reverse Proxy (FRP) utilities, and RemCom have been the attackers' main tools.

Mobile device users’ cryptocurrency is at risk

Doctor Web warns of the spread of trojan apps designed to steal cryptocurrency from mobile device users. The malicious software hijacks the secret seed phrases that give access to crypto wallets. Users of both Android devices and Apple smartphones are at risk.

Vulnerabilities in Log4j 2 threaten users

Concerning the dangerous vulnerabilities in the Log4j 2 logging library (CVE-2021-44228, CVE-2021-45046, CVE-2021-4104, and CVE-2021-42550), Doctor Web is drawing users’ attention to the need to observe protective measures. The library is used for logging in Java projects and is part of the Apache Logging Project. The vulnerabilities allow attackers to execute arbitrary code on the system, cause a denial of service, or disclose confidential information. Even though Apache has already released several patches, the vulnerabilities may still pose a danger.

Doctor Web discovered vulnerabilities in children’s smart watches


New trojan detected on AppGallery app catalog

Doctor Web malware analysts discovered dozens of games on the AppGallery catalog that have the Android.Cynos.7.origin trojan built into them. This trojan is designed to collect users’ mobile phone numbers. At least 9,300,000 Android device owners have installed these dangerous games.

The Coper―a new Android banking trojan targeting Colombian users

Doctor Web warns of a newly discovered family of Android banking trojans dubbed Android.BankBot.Coper. The malicious apps have a modular architecture and a multi-stage infection mechanism. They also employ several protective techniques that help them withstand removal attempts, which lets the trojans stay active longer and carry out more successful attacks. To date, all known Coper banker modifications target Colombian users. However, new versions targeting users from other countries are likely to emerge over time.

About protecting against break-ins via the Windows PrintNightmare vulnerability

In connection with the detection of critical Windows print spooler vulnerabilities in June—CVE-2021-1675 and CVE-2021-34527 (widely known as PrintNightmare)—Doctor Web is drawing users' attention to the need to observe protective measures. Although Microsoft has now closed the vulnerabilities, CVE-2021-34527 continues to pose a threat: it allows attackers to penetrate a system and execute arbitrary code with elevated privileges (NT AUTHORITY\SYSTEM) if the user has independently changed certain parameters in the Windows registry.

Android trojans steal Facebook users’ logins and passwords

Doctor Web’s malware analysts have discovered malicious apps on Google Play that steal Facebook users’ logins and passwords. These stealer trojans were spread as harmless software and were installed more than 5,856,010 times.

Trojan detected in APKPure Android app store client software

Doctor Web specialists have discovered a malicious functionality in APKPure—the official client application of the popular third-party Android app store. The trojan built into it downloads and installs various apps, including other malware, without users’ permission.

Malware found on the AppGallery app store for the first time

Doctor Web’s virus analysts have uncovered the first malware on AppGallery―the official app store of the Android device manufacturer Huawei. The samples turned out to be dangerous Android.Joker trojans whose primary function is to subscribe users to premium mobile services. In total, our specialists found that 10 modifications of these trojans had made their way onto AppGallery, with more than 538,000 users having installed them.

Study of targeted attacks on Russian research institutes


Study of the Spyder modular backdoor for targeted attacks

In December 2020, the Doctor Web virus laboratory was contacted by a telecommunications company based in Central Asia after its employees discovered suspicious files on their corporate network. During the examination, our analysts extracted and studied a malicious sample, which turned out to be one of the backdoors used by the hacker group known as Winnti.

Phishing emails with RAT malware threaten corporate users

In November 2020, Doctor Web virus analysts detected a phishing attack targeting corporate users. The emails in question carried trojan malware that covertly installs and launches Remote Utilities software, a tool for remotely accessing another computer.

Eye care Android app found to contain a trojan

Doctor Web’s malware analysts have discovered a trojan built into an app designed to protect Android users’ vision. While working as intended, it also performs malicious actions such as opening web links and displaying websites on top of other app windows.

Study of the ShadowPad APT backdoor and its relation to PlugX


Study of the APT attacks on state institutions in Kazakhstan and Kyrgyzstan


Fraudsters spread a mobile trojan disguised as a Valorant game

Doctor Web specialists have uncovered a fraudulent campaign targeting mobile device owners. Cybercriminals are publishing misleading videos on YouTube that promote a mobile version of the new game Valorant and prompt unsuspecting users to install it on their devices. In reality, a trojan is installed instead of the real game. This trojan earns its creators rewards from various online affiliate programs.

Cybercriminals spread dangerous backdoor as Google Chrome update

Doctor Web virus analysts report that certain websites, from online news blogs to corporate pages built on the WordPress CMS, have been compromised. JavaScript embedded in the hacked pages' code redirects visitors to a phishing site where they are prompted to install an important security update for the Chrome browser. The downloaded file is a malware installer that gives attackers remote access to and control over the infected computers. Over 2,000 people have downloaded the fake update so far.

Android.Circle.1 adware trojan found on Google Play is capable of executing BeanShell scripts


Cybercriminals have launched a phishing campaign on Instagram to steal money and obtain personal data

Doctor Web warns: cybercriminals have launched a large-scale phishing campaign under the guise of a nonexistent presidential decree, No. 1122B dated February 11, 2020, that supposedly offers a one-off payment to all Russian citizens. The information is distributed on Instagram and supported by fake photos and videos based on news releases from federal television channels. The attackers use phishing websites to collect users’ bank card details and also demand a prepayment to register the application for the lump-sum payment.

Cybercriminals use CNET website to spread the infected VSDC installer

Doctor Web virus analysts report that the download link for the VSDC video editor on the popular software platform CNET has been compromised. Instead of the genuine program, visitors receive a modified installer bundled with malicious software that gives cybercriminals remote access to the infected computers. According to SimilarWeb statistics, CNET’s Downloads section receives around 90 million visits per month.

Dangerous trojan spreads via copied website of Russia’s Federal Bailiffs Service

Doctor Web virus lab specialists have detected a malicious copy of the website of the Russian Federal Bailiffs Service (FSSP). Cybercriminals use this fake website to infect users with Trojan.DownLoader28.58809.

Doctor Web: Clicker Trojan Installed from Google Play by Some 102,000,000 Android Users

Clicker trojans are widespread malicious programs designed to inflate website visit counts and earn money from online traffic. They simulate user actions on web pages by clicking on links and other interactive elements. Doctor Web virus analysts have detected another such trojan on Google Play.