Real-time threat news
June 23, 2016
- Battery Booster;
- Power Booster;
- Blue Color Puzzle;
- Blue And White;
- Battery Checker;
- Hard Jump - Reborn 3D.
These programs, which are games and service tools, have been downloaded by more than 15,500 users. In addition, after gaining access to the Trojan’s C&C server, Doctor Web security researchers registered over 55,000 downloads of these applications. Our specialists have already informed Google about this incident. So far, applications containing
Once one of these applications is launched,
The Trojan can also perform another function—download software, including malicious programs. For instance, Doctor Web specialists detected the
If you do not want to fall victim to these fraudulent schemes, we recommend paying careful attention to all pop-up messages and notifications, and we warn against entering your phone number into suspicious input forms.
Most of applications compromised with
June 22, 2016
It is no doubt that
The Trojan is distributed as an attachment to the following email message titled “Our BIC code has been changed”:
Greetings! Our BIC code has been changed. Please update your bank classifier. The classifier can be updated automatically in 1C Enterprise 8. File – Open classifier update processor from the attachment. Click YES to update the classifier automatically. Within 1-2 minutes if there is Internet connection.
The email message contains an external data processor for “1C:Enterprise” named ПроверкаАктуальностиКлассификатораБанков.epf. The body of this module is password-protected, so its source code cannot be viewed with standard methods. If the user runs this file in 1C:Enterprise mode, the following window is displayed:
Clicking on any button of this window will launch
Meanwhile, the Trojan starts its malicious activity on the computer. First, it searches the 1C database for contractors with known email addresses and sends each of them the email message quoted above with a copy of itself attached. As the sender’s address, the Trojan uses the email address specified in the victim’s 1C user account; if the user has not specified one, it substitutes email@example.com. The attachment is the external data processor ОбновитьБИКБанка.epf, which contains the Trojan’s copy. If the file is run in the 1C software, the ransomware Trojan will infect that computer as well; yet, this copy of
- Trade Management 11.1
- Trade Management (basic) 11.1
- Trade Management 11.2
- Trade Management (basic) 11.2
- Accounting 3.0
- Accounting (basic) 3.0
- 1C:Comprehensive Automation 2.0
June 15, 2016
The Trojan is implemented as a fully featured VK audio player. To listen to music, the user has to sign in to their profile by entering their login and password. In fact, these credentials are immediately sent to the C&C server, which gives the attackers full control over the user’s VK profile.
Doctor Web specialists registered the attempts of virus makers to sell user profiles hacked with
Attackers have already tried to distribute
The Trojan’s authors have created their own VK community, which has more than 44,600 subscribers. All the members are offered to download
In addition, the attackers published one more application named “Music and video for VK” («Музыка и видео для ВК»), developed by Gomunkul. At present, this player does not contain the payload.
Despite its apparent harmlessness, this player can become a full-blown Trojan as soon as the attackers modify one of its parameters (or add functions, including malicious ones) and push an update. If this happens, the Trojan will continuously prompt the user to install a plug-in allegedly necessary for its operation. It should be noted that the plug-in and
More than 1,000,000 users have already downloaded the player and could fall victim to the Trojan at any time. Because of the danger this player poses to Android devices, it was added to our virus database under the name of
Doctor Web strongly advises users to install only official applications and protect their devices with anti-virus software.
June 14, 2016
If you have fallen victim to this malicious program and your files were encrypted before June 2016, it may be possible to restore the compromised data. However, this depends on several conditions and, in particular, on the user’s actions.
To decrypt files compromised by CryptXXX, go to the Doctor Web decryption service page. Free decryption is available only to users who hold a valid commercial Dr.Web license and whose systems, at the moment of infection, were protected by Dr.Web Security Space (Windows), Dr.Web Anti-virus for OS X or Linux (version 10 or later), or Dr.Web Enterprise Security Suite (version 6 or later). Other users can purchase Dr.Web Rescue Pack by submitting the standard request form; the service is charged if the analysis shows that your files can be recovered. In addition, clients who use this service receive a free two-year Dr.Web Security Space license for one computer. To find out more about ransomware Trojans, follow this link.
June 10, 2016
As we have mentioned before, some samples of
It turns out that
Despite the fact that
June 3, 2016
Due to its ability to spread without any user intervention and to infect executable files, the malicious application, or
The most dangerous features of this banking Trojan are its ability to spread on its own and to infect programs. The self-spreading function is activated by the cybercriminals. Then
Dr.Web Anti-virus detects programs infected by this virus as
As Carberp’s successor,
The main purpose of
Functions and architecture of
May 26, 2016
This time, the attackers focused on users who prefer hacked games, which make gameplay easier and faster. To distribute the Trojan, virus makers target people who search the Web for cheat codes that simplify a game’s walkthrough (for example, infinite gold, crystals and so on) or who want to download a hacked version of their favorite game. Among the search results, such users see links leading to various fraudulent websites specially designed to trick naive gamers.
These websites carry information about more than 1,000 different mobile games, so search engines display the fraudulent links at the top of the results. It is noteworthy that all these resources have valid digital certificates, which makes them look quite legitimate.
When the user tries to download a game from this site, they are redirected to another scam webpage that is used to spread
After that, the Trojan determines whether there is an online banking application installed on the device, and how much funds are available on the user’s bank accounts. To do that,
Moreover, attackers control the Trojan from the remote server. Thus, this malware can enable forwarding to the specified number, hide and intercept SMS messages, send text messages and USSD requests, and perform other malicious actions.
Doctor Web specialists strongly recommend avoiding such dubious resources and not downloading hacked mobile games and applications if you do not want to lose the money in your bank accounts. Dr.Web for Android successfully detects all known modifications of this Trojan, and, therefore, this malicious program poses no threat to our users.
May 25, 2016
As a rule, Trojans use TeamViewer to get access to the user’s computer. Yet, in this case, TeamViewer plays another role:
Once TeamViewer is launched,
What is more, there is another encrypted library that is hard-coded in the Trojan's body and is responsible for performing malicious activity of
The malicious program can execute several commands. Its main functions are to establish a connection to the server (including authorization) and to relay traffic from the server to a specified remote host through the infected computer. Thus, cybercriminals can remain anonymous on the Web by connecting to remote servers through the infected computer, which acts as a proxy server.
Dr.Web Anti-virus detects and removes
Doctor Web specialists would like to thank Yandex for providing the Trojan’s sample for research.
May 12, 2016
Early versions of
It is noteworthy that all early versions of the Trojan attacked users only in Russia and CIS countries. At that time, it was spread via SMS spam that invited the victim to follow a link to read a reply to an announcement posted on the Web. In fact, all those links redirected the user to scam websites that distributed the malicious application under the guise of a benign program.
Later, the number of attacks decreased considerably. Yet, at the end of 2015, Doctor Web security researchers registered the emergence of new and more sophisticated versions of Android.SmsSpy.88.origin designed to infect Android devices all over the world.
This Trojan still masquerades as benign programs—for example, Adobe Flash Player. Once launched,
The Trojan establishes an Internet connection and keeps it active over Wi-Fi or the mobile operator’s data channel, so that it stays continuously connected to the C&C server. The malware then generates a unique identifier for the infected device. The identifier and other technical details are sent to the server, where the infected device is registered.
The main purpose of
Once one of the specified applications is launched,
One of the malware’s key features is that it can attack clients of almost any bank in the world: cybercriminals create a new template of a fraudulent authentication form and command the Trojan to update its configuration file, which, once updated, contains the name of the targeted banking application.
Apart from stealing logins and passwords for user accounts, the Trojan also tries to obtain the user’s bank card details.
The Trojan can also perform other malicious functions: intercept and send SMS and MMS messages, send USSD requests, send SMS messages to all contacts in the contact list, upload all saved messages to the server, set a lock-screen password, and lock the home screen with a specially crafted dialog. When commanded to lock the home screen, the Trojan displays a fake dialog claiming that the user illegally stores and distributes pornography and has to pay with an iTunes Gift Card to unlock the device.
At the beginning of 2016, Doctor Web security researchers gained access to more than 50 botnets consisting of mobile devices infected with different versions of
Users in the following countries suffered most of all: Turkey (18.29%), India (8.81%), Spain (6.90%), Australia (6.87%), Germany (5.77%), France (3.34%), the USA (2.95%), the Philippines (2.70%), Indonesia (2.22%), Italy (1.99%), South Africa (1.59%), Great Britain (1.53%), Pakistan (1.51%), Poland (1.1%), Iran (0.98%), Saudi Arabia (0.96%), China (0.92%), and Bangladesh (0.85%).
The majority of infected mobile devices were running Android 4.4 (35.71%), 5.1 (14.46%), 5.0 (14.10%), 4.2 (13.00%), and 4.1 (9.88%).
The reason why
To protect your smartphone or tablet from such banking Trojans, Doctor Web recommends following the guidance below:
- Use another mobile device for making online bank transactions if possible.
- Set a limit on cash withdrawal from your bank account via online banking services.
- Do not follow links received in dubious SMS messages.
- Do not download applications from unreliable resources.
- Protect your device with anti-virus software.
Dr.Web for Android successfully detects all the known applications containing
May 6, 2016
The Trojan is distributed via a dropper in the form of a Microsoft Excel file with a special macro. The macro assembles a self-extracting archive byte by byte and runs it. The archive consists of an executable file, which has a valid digital signature issued to Symantec, and a dynamic library in which all the main functions of the Trojan are implemented.
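An added example (not from the original page and not the campaign’s macro) of how a practitioner can triage VBA source for the drop-and-execute pattern described above: a macro that assembles a binary from byte literals, writes it to disk and then executes it. The macro texts below are constructed for illustration; the indicator names, weights and thresholds are assumptions. In practice the VBA source is first extracted from the workbook with a tool such as olevba (from oletools), then scored like this.

```python
import re

# Constructed sample (NOT the campaign's macro): a VBA macro that assembles an
# executable from byte literals, writes it to %TEMP% and runs it.
DROPPER_MACRO = """\
Sub Auto_Open()
    Dim b() As Byte
    ReDim b(0 To 7)
    b(0) = 77: b(1) = 90: b(2) = 144: b(3) = 0
    b(4) = 3: b(5) = 0: b(6) = 0: b(7) = 0
    Dim p As String
    p = Environ("TEMP") & "\\upd.exe"
    Open p For Binary As #1
    Put #1, , b
    Close #1
    Shell p, vbHide
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_MACRO = """\
Sub FormatReport()
    Range("A1:D20").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
"""

# Indicator name, pattern, weight (weights and thresholds are assumptions).
INDICATORS = [
    ("autoexec", re.compile(r"\b(Auto_Open|Workbook_Open|Document_Open|AutoOpen)\b", re.I), 1),
    ("binary_write", re.compile(r"\bOpen\b.*\bFor\s+Binary\b", re.I), 2),
    ("put_bytes", re.compile(r"\bPut\s*#", re.I), 2),
    ("exec", re.compile(r"\b(Shell|ShellExecute|CreateObject\s*\(\s*\"WScript\.Shell\")", re.I), 3),
    ("temp_path", re.compile(r"\bEnviron\s*\(\s*\"(TEMP|TMP|APPDATA)\"", re.I), 1),
]

# Byte literals: Chr(NNN) calls, or "= NNN" assignments that end a statement.
BYTE_LITERAL = re.compile(r"\bChr\s*\(\s*\d+\s*\)|=\s*\d{1,3}\b(?=\s*(?::|$))", re.I | re.M)
BYTE_ASSEMBLY_THRESHOLD = 8


def analyze_macro(src: str) -> dict:
    """Score VBA source for the write-binary-then-execute pattern."""
    hits = {name: bool(rx.search(src)) for name, rx, _ in INDICATORS}
    score = sum(w for name, _, w in INDICATORS if hits[name])
    byte_literals = len(BYTE_LITERAL.findall(src))
    hits["byte_assembly"] = byte_literals >= BYTE_ASSEMBLY_THRESHOLD
    if hits["byte_assembly"]:
        score += 2
    # The decisive chain: a file is written in binary mode and something is executed.
    chain = hits["binary_write"] and hits["put_bytes"] and hits["exec"]
    if chain or score >= 6:
        verdict = "dropper"
    elif score >= 3:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "score": score, "byte_literals": byte_literals, "hits": hits}


if __name__ == "__main__":
    for name, macro in (("dropper", DROPPER_MACRO), ("benign", BENIGN_MACRO)):
        r = analyze_macro(macro)
        print(f"{name}: {r['verdict']} (score {r['score']}, {r['byte_literals']} byte literals)")
```

The individual indicators are weak on their own (plenty of legitimate macros use Shell or Auto_Open); the chain of binary write, Put and an execution call is what marks a dropper, which is why it is decisive regardless of the score. Obfuscated macros that build the byte array with string functions rather than literals will lower the byte-literal count, so the chain check, not the count, should drive the verdict.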
After being launched,
Before connecting to the server, the backdoor collects the following data on the infected computer: its name, the operating system version, and information about the processor, RAM and drives. This information is transmitted to the server. After that, the Trojan gathers more detailed data on the computer’s drives and sends it to the cybercriminals together with the keylogger file.
To receive instructions, the Trojan sends a special request to the server. Upon command, the malware can send a particular file or information about a specified folder, delete or rename a file, create a new folder, and take a screenshot and send it to the attackers.
Dr.Web successfully detects and removes BackDoor.Apper.1, and, therefore, this malicious program poses no threat to our users.
April 29, 2016
All applications containing
To solve a sudden problem that the user had no clue about, the victim, of course, has to install a fraudulent application. And to ensure that the offered application is downloaded,
If the user decides to download the malicious application, they are redirected to the Google Play store, straight to the page of the app in question. For each download, the fraudsters receive a commission under affiliate advertising agreements. This explains why
Doctor Web strongly advises Android users to be very careful and not to install dubious applications even if these applications are distributed via Google Play. Dr.Web for Android successfully detects and removes
April 29, 2016
The malicious plug-in for Google Chrome is detected as
If the user follows the specified link, they are redirected to a webpage whose appearance is identical to Facebook’s design. If the link is opened from any other website, the user is redirected to a blank webpage.
The webpage is titled “Hello please watch my video” and contains what looks like a standard video player. If the victim uses Chrome, they are prompted to download and install a browser plug-in that is, in fact, another copy of
Doctor Web security researchers registered more than 12,000 cases involving the
April 22, 2016
At present, the number of online shopping scams continues to grow. To profit from gullible Internet users, attackers use diverse fraud schemes. In this article, we focus on one of them, which, judging by the number of people affected, is quite popular on the Russian Internet.
As a rule, the scheme starts with the appearance of an online store that offers expensive electronics, photography equipment, garden or construction tools, jewelry and many other products at very attractive prices. Such stores have a large number of positive reviews supposedly written by happy customers, and their URLs closely resemble those of popular online stores. In addition, these fraudulent websites contain the usual details: an office address, a contact number (answered by a dispatcher) and the name of a founding company. It is noteworthy, however, that all of them are built on one and the same website template.
The scammers promise fast delivery to any Russian region and offer payment via QIWI Wallet, bank card, POS terminal or other payment services. The one important condition is that the potential victim has to pay the full amount in advance.
Having paid, the victim waits for a purchase confirmation. After some time, however, the website and the phone number become unavailable, and all messages sent by the scammed user to the contact email address bounce. A few days later, a shop with a similar range of goods but a different name and URL appears on the Internet.
Usually, it is rather difficult to track down these scammers, because they use voice-over-IP (VoIP) services to organize their underground activity, and fly-by-night companies, stolen documents and figureheads to withdraw money from the account.
Unfortunately, the growing number of such scams can be explained by the fact that victims
- Are often tempted by an unbelievably low price or by attractive benefits of the advertised goods or services, which sound too good to be true.
- Neglect to check, using any WHOIS service, when the online store’s domain was registered.
- Do not search for, or pay attention to, feedback about the chosen online store.
- Do not use an online map service to check the location of the online store’s office or warehouse and make sure it is not a wasteland or an abandoned factory.
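The WHOIS check from the list above, worked through as an added example that is not part of the original article: the function extracts the registration date from a WHOIS record (registries print it under different labels and date formats) and rates the store’s domain by age. The WHOIS excerpts are constructed for fictitious domains, and the 90-day threshold is an assumption; a fly-by-night shop that reappears under a new name every few days will always fail it.

```python
import re
from datetime import date, datetime
from typing import Optional

# Constructed WHOIS excerpts (fictitious domains, not real registrations).
WHOIS_FRESH = """\
Domain Name: SUPER-TECHNO-SALE.RU
Registrar: EXAMPLE-REGISTRAR
Creation Date: 2016-04-18T09:12:44Z
Registry Expiry Date: 2017-04-18T09:12:44Z
"""

WHOIS_ESTABLISHED = """\
domain:        EXAMPLE-STORE.RU
nserver:       ns1.example-store.ru.
state:         REGISTERED, DELEGATED, VERIFIED
created:       2009.03.02
paid-till:     2017.03.02
"""

WHOIS_NO_DATE = """\
Domain Name: HIDDEN-SHOP.RU
Registrar: EXAMPLE-REGISTRAR
"""

# Reference date for the offline demo (the article's date).
TODAY = date(2016, 4, 22)

# Labels used by common registries/registrars for the registration date.
CREATED_LINE = re.compile(
    r"^\s*(?:Creation Date|Created On|Created Date|created|Registration Time)\s*:\s*(\S+)",
    re.I | re.M,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%Y.%m.%d", "%d-%b-%Y", "%d.%m.%Y")


def creation_date(whois_text: str) -> Optional[date]:
    """Return the registration date, or None if no recognizable line is present."""
    m = CREATED_LINE.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    return None


def domain_age_days(whois_text: str, today: date) -> Optional[int]:
    created = creation_date(whois_text)
    return None if created is None else (today - created).days


def assess_shop_domain(whois_text: str, today: date, min_age_days: int = 90) -> dict:
    """Classify a store's domain by age (the 90-day threshold is an assumption)."""
    age = domain_age_days(whois_text, today)
    if age is None:
        return {"age_days": None, "risk": "unknown",
                "note": "no creation date found; treat as suspicious and verify manually"}
    if age < min_age_days:
        return {"age_days": age, "risk": "high", "note": f"domain registered {age} days ago"}
    return {"age_days": age, "risk": "low", "note": f"domain is {age} days old"}


if __name__ == "__main__":
    for label, record in (("fresh", WHOIS_FRESH), ("established", WHOIS_ESTABLISHED),
                          ("no date", WHOIS_NO_DATE)):
        print(label, assess_shop_domain(record, TODAY))
```

A missing creation date is reported as unknown rather than low risk: some registries hide it behind a rate-limited or authenticated WHOIS, and a scam shop gains nothing from being treated as established just because the lookup came back empty. Domain age is only one of the four checks in the list; a new domain with no independent reviews and a warehouse address that maps to an empty lot is the combination to walk away from.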
Therefore, Doctor Web strongly recommends being careful when shopping online and making purchases only from reliable online stores.
April 13, 2016
The infection begins with the ELF file, which is detected by Dr.Web as
In the second thread,
Security researchers registered that
April 8, 2016
This malware, which runs on 32- and 64-bit Windows, can carry out a wide range of malicious activities: it steals information entered by the user into web forms, performs web injections and logs keystrokes. The Trojan is also designed to give attackers remote access to the user’s machine by means of Virtual Network Computing (VNC), and upon command it can start a SOCKS proxy server and download and install various plug-ins.
Like many other modern malware programs,
All the functions mentioned above, especially the Trojan’s ability to perform web injections, are used to steal confidential data from the user’s computer, including login credentials for online banking systems. Dr.Web successfully detects and removes
April 7, 2016
DNS (Domain Name System) servers are responsible for name resolution on the Web, providing clients with information about domains. They can be administered by the domain’s owner or by the company that operates the website using the domain. However, other commercial companies can also take on the administration of DNS servers. One of them is easyDNS Technologies, Inc. (easydns.com). Its clients include many frequently visited websites, among them informer.com and php.net, which are top-ranked according to Alexa. The company also rents DNS servers out to its clients. This service is quite popular among those who do not want to maintain their own server infrastructure.
Doctor Web security researchers found that one of the DNS servers belonging to easyDNS Technologies, Inc. is configured incorrectly: it answers AXFR requests for DNS zone transfer from any external source. AXFR is the transaction type used to replicate DNS databases between authoritative servers. As a result, clients of easyDNS Technologies, Inc. reveal the list of their registered subdomains, in particular those intended for internal use, to the whole world. Such domains are often used for non-public servers, version control systems (VCS), bug trackers, various monitoring services, wikis, etc. With this domain list, attackers can easily examine the network of a potential victim to find vulnerabilities.
A DNS zone transfer does not in itself pose a financial threat to the company that owns the vulnerable server; yet, a successful AXFR request provides very detailed information on the software and development tools in use. For example, cybercriminals can find a beta version of a company’s official site, learn how many IP addresses are used, and try to crack login credentials for the VCS and other internal resources. System administrators primarily pay attention to the company’s main website at the expense of non-public resources to which Internet users have no access. However, if these internal resources sit in a trusted IP range, run outdated software with known vulnerabilities, or allow open registration, attackers can take advantage of this and gain unauthorized access to confidential data.
Such security misconfigurations are certainly nothing new. Moreover, techniques for finding vulnerable DNS servers and enumerating subdomains, including via search engines, have long been automated: all of these functions are implemented in the dnsenum utility that ships with Kali Linux, a penetration testing distribution, which shows that this attack vector is rather popular among cybercriminals. So, although it is convenient to delegate DNS server administration to a third party, website owners should still take care of their information security: better safe than sorry, as the saying goes.
Doctor Web security researchers have already informed easyDNS Technologies, Inc. about the discovered vulnerability. At present, its specialists are taking the necessary steps to resolve the problem.
March 31, 2016
The majority of applications that are used to distribute
Once one of the above-mentioned malicious applications is launched, the Trojan transmits the following information on the device to the server:
- Email address connected to a Google user account
- IMEI identifier
- OS version
- SDK system version
- Device model
- Screen resolution
- Google Cloud Messaging identifier (GCM id)
- Cell phone number
- User’s geolocation
- CPU type
- MAC address of the network adapter
- the “user_agent” parameter generated using a special algorithm
- Mobile network operator
- Network connection type
- Network subtype
- Availability of root access
- Whether an infected application has administrator privileges
- Name of an infected application
- Presence of a Google Play application on the device
At every launch of any installed application, the Trojan resends all the information listed above together with the name of the running application. In addition, it requests advertising parameters from the server, which can reply with the following commands:
- “show_log”—enable or disable logging;
- “install_plugin”—install a plug-in hidden inside the malicious application;
- “banner”, “interstitial”, “video_ads”—display different types of advertisements (including on top of the OS interface and other applications);
- “notification”—display a notification with the received parameters;
- “list_shortcut”—create shortcuts with received parameters on the home screen (tapping these shortcuts leads to opening of specified sections in Google Play);
- “redirect_gp”—open a webpage with a specified address in Google Play;
- “redirect_browse”—open a specified webpage in a preinstalled browser;
- “redirect_chrome”—open a specified webpage in Chrome;
- “redirect_fb”—open a Facebook webpage specified by the command.
As you can see below, the Trojan can intimidate the user, for example, by allegedly claiming that the device’s battery is damaged, and offering to download unwanted applications to fix it:
The following examples demonstrate advertisements that are displayed in the notification bar and advertising shortcuts, tapping which leads to webpages of advertised applications published on Google Play:
It is noteworthy that a plug-in hidden in the Trojan’s program package possesses the same features as the
The Trojan is currently known to compromise the following applications:
Doctor Web strongly recommends Android users to pay careful attention to applications they are going to download, and install programs developed only by reputable companies. Dr.Web for Android successfully detects and removes all known modifications of
March 17, 2016
This Trojan, which was named
The main purpose of
Every time the device is connected to the Internet, or its home screen is active (if previously the screen was off for more than one minute),
- User emails
- Roaming availability
- GPS or mobile network coordinates
- Information on the device
- Geolocation of the user
- Presence of a Google Play application on the device
The server replies with an encrypted JSON (JavaScript Object Notation) object that can contain the following commands:
- Update the database with information about the advertisement to display.
- Create an advertising shortcut on the home screen.
- Display an advertising notification.
- Display a notification tapping which will result in launch of an installed application.
- Automatically download and install APK files using a standard system dialog. A covert installation of these files is performed only if the Trojan has necessary privileges.
Depending on a received command, the Trojan starts displaying advertisements and performing other money-making actions. In particular, the Trojan is able to
- Display advertisements in the status bar.
- Display advertisements in dialogs.
- Display advertisements in interactive dialogs—tapping “Ok” leads to sending of a text message (only if an application, in which the SDK is incorporated, has necessary privileges).
- Display advertisements on top of running applications and the GUI of the operating system.
- Open advertising webpages in the browser or in a Google Play application.
Dr.Web for Android successfully detects all the known modifications of Android.Gmobi.1 only if they are not located in the system directories.
If your device’s firmware is infected by this Trojan, the anti-virus cannot remove the malware without root privileges. However, even with root privileges, there is a high risk of rendering the device non-operational, because the Trojan may be incorporated into a critical system application. Therefore, the safest solution for victims of
March 11, 2016
Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.
If you have fallen victim to
- Notify the police.
- Do not, under any circumstances, attempt to change the contents of directories with encrypted files.
- Do not delete any files from the computer.
- Do not try to restore the encrypted data by yourself.
- Contact Doctor Web technical support (free decryption service is only available to users who have purchased commercial licenses for Dr.Web products).
- Attach a file encrypted by the Trojan to the request ticket.
- Wait for a response from technical support. Due to a large number of requests, it may take some time.
Once again, we would like to point out that the free decryption service is only available to users who have purchased commercial licenses for Dr.Web products. For information on how to submit a decryption request, please follow this link. Doctor Web cannot guarantee that all your files will be decrypted successfully; however, our specialists will do their best to recover the encrypted data.
March 3, 2016
Once the installer is launched, the user sees a standard greeting on the screen. When they click “Continue”,
Doctor Web specialists found that 1,735,730 malicious programs had been downloaded from the cybercriminals’ servers. They also registered 478,099 unique IP addresses that contacted these servers, which allows certain assumptions to be made about the distribution area of the threat. Dr.Web for OS X successfully detects Trojans belonging to the
February 18, 2016
This malicious program named
Once launched, it checks the command line for the “/test” switch. If the switch is present, it prints the message “\n Test - OK” to the console and terminates itself after 3 seconds; this function was probably intended for testing program packers. The Trojan then scans the system for running virtual machines, process and registry-access monitors, and other debugging tools. If it finds any program that poses a threat to it, the backdoor goes into an infinite sleep.
If the compromised machine runs Microsoft Windows 8 or later, the Trojan continues operating with current user privileges. In Windows 7,
However, the installation procedure is not complete yet. The Trojan disables the display of hidden files in Windows Explorer. It then checks several system and user-profile directories to find one that is writable. Once a folder is found, the backdoor copies the dropper into it under an arbitrary name, sets the “hidden” and “system” attributes on the file to conceal it from the user, and alters its creation time. Finally,
The backdoor connects to the C&C server with the help of a special encrypted key that is then converted into a text message. The servers’ IP addresses are also encrypted and hard-coded in the Trojan’s body. To get the IP address of the compromised computer,
Doctor Web security researchers discovered that
February 12, 2016
From then on, all requests to online banking webpages go through this proxy server, which is also used to inject arbitrary content into those pages once the user opens them on the infected computer. In this way, the victim is tricked into transferring money from their accounts to the cybercriminals’.
If the installation procedure succeeds, the malicious program reports this event to the server. Since the Trojan does not register itself in autorun, it goes into an infinite sleep once all its malicious functions have been performed.
Dr.Web successfully detects and removes
February 8, 2016
Doctor Web specialists have been keeping a close watch on the distribution of Trojan.Dyre and examining its infrastructure. This malicious program is a “classic” example of the CaaS (crime-as-a-service) model. “Clients” of the service received a builder that generated a sample of the Trojan; its signature could therefore be changed very often, which made the Trojan very hard for anti-virus software to detect. All information collected on an infected device was sent to the C&C servers, where it was processed and made available in an administration panel to the “users” who had paid for it. The panel was divided into several parts, such as botnet management and log-based search, and there were several groups of panels. Incoming data could be filtered depending on the information the cybercriminals wanted, for example logins and passwords.
According to Doctor Web specialists, Trojan.Dyre’s infrastructure is rather unique because it is much more complex than that of other notorious financial malware. In most cases, information from compromised machines is sent to the server hosting the bot control panel. Trojan.Dyre’s developers, however, implemented various technologies that show the gang had considerable financial and human resources. The servers that processed information received from bots were written in .NET, and the botnet administration panels used the Kohana PHP framework. To store and process data arrays arriving from anywhere in the world, they used PostgreSQL and MySQL databases and Sphinx, a full-text search server. All incoming information was run through filters so that the cybercriminals could quickly find whatever they were interested in, for instance logins, passwords, bank card numbers and users’ personal data. To hinder detection of the servers, Tor and proxy servers were chained together using OpenVPN. A key feature of Trojan.Dyre’s infrastructure was that the first proxy layer was hosted on hacked routers whose routing tables had been modified. The Wi-Fi routers were hacked by brute-forcing passwords, since users often do not change the default settings of their routers, and some victims do not even think that routers could be used to infect their machines.
Nevertheless, Doctor Web analysts managed to identify several addresses of the Trojan’s C&C servers. Moreover, they revealed elements of the Trojan.Dyre infrastructure and intercepted some incoming connections from infected machines, which allowed our specialists to provide several European banks and law enforcement agencies in a number of countries with important information in a timely manner.
Despite reports in the mass media, Doctor Web security researchers believe that Trojan.Dyre still poses a threat, since they regularly register spam mailings containing samples of this Trojan, which proves that some servers of its infrastructure are still active. Therefore, this story is more likely “to be continued”.
February 5, 2016
The pack consists of three associated Trojans dubbed
- Download and delete applications
- Enable and disable applications and their components
- Kill processes
- Display notifications
- Register any application as the Accessibility Service application
- Update its components and download plug-ins from the server
The second component of this pack—
- IMEI identifier
- IMSI identifier
- MAC address
- MCC (Mobile Country Code) identifier
- MNC (Mobile Network Code) identifier
- Version of the operating system
- Screen resolution
- Information about installed and available RAM of the device
- Version of the operating system kernel
- Device model
- Device manufacturer
- Version of the firmware
- Serial number of the device
Once the information is sent to the server, the Trojan receives a configuration file necessary for its operation. In specific time periods,
- Version of the configuration file
- Version of the service provided by
- Current system language
- Information about Google account created by the user
- List of installed applications
- Browser history
- List of contacts
- Call history
- Current location
January 28, 2016
The Trojan was incorporated into more than 60 games that were distributed via Google Play under the names of more than 30 game developers, including Conexagon Studio, Fun Color Games, BILLAPPS and many others. Although Doctor Web has already informed Google about this incident, to this day the affected applications are still available on Google Play. It is recommended that you do not download games from the store to devices without anti-virus software in the next few hours.
At first glance, the affected games look like numerous similar applications, and they are games indeed, with just one difference: while the user is playing, the Trojan is performing its malicious activity.
However, the main threat of
Upon receiving a necessary image from the server,
Doctor Web security researchers would like to warn users against installing dubious applications even if they are published on Google Play. Dr.Web for Android successfully detects all the known applications containing