Virus alerts
Doctor Web’s November 2019 virus activity review
December 11, 2019
In November, Doctor Web’s server statistics showed a 3.66% increase in the number of detected threats compared with October; the number of unique threats grew by 9.59%. In email traffic, the most common threats exploited Microsoft Office vulnerabilities, alongside a large number of trojan downloaders and stealers. Adware made up the majority of detected threats. Last month we also found new Android malware on Google Play, including a dangerous backdoor, trojan adware, and trojans that subscribe users to paid services.
PRINCIPAL TRENDS IN NOVEMBER
- Growth in malware spreading activity
- A decline in ransomware activity
According to Doctor Web statistics servers
Threats of this month:
- Adware.Elemental.14: A detection for adware downloaded from file-sharing services via spoofed links. Instead of the requested file, the victim receives an application that displays advertising and installs unwanted software.
- Adware.SweetLabs.2: An alternative app store and add-on for the Windows GUI from the creators of Adware.Opencandy.
- Adware.Downware.19627: Adware that often serves as an intermediary installer of pirated software.
- Adware.Ubar.13: A torrent client that installs unwanted software on the user’s device.
- Trojan.InstallCore.3553: Another notorious adware installer. It displays ad banners and installs software without the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158: A modified Microsoft Office document that exploits the CVE-2012-0158 vulnerability to run malicious code.
- W97M.DownLoader.2938: A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents and can download other malware onto a compromised computer.
- PDF.Phisher.115: A PDF document used in phishing mailings.
- Exploit.ShellCode.69: A malicious Microsoft Word document that exploits the CVE-2017-11882 vulnerability.
- Trojan.PWS.Stealer.23680: A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Encoders
In November, Doctor Web’s technical support service was most commonly dealing with the following trojan encoders:
- Trojan.Encoder.26996 — 34.31%
- Trojan.Encoder.858 — 10.42%
- Trojan.Encoder.567 — 3.19%
- Trojan.Encoder.28004 — 3.06%
- Trojan.Encoder.10700 — 2.08%
Dr.Web Security Space for Windows protects you from trojan encoders
Dangerous websites
In November 2019, Doctor Web added 162,581 URLs to the Dr.Web database of non-recommended websites.
October 2019 | November 2019 | Dynamics |
---|---|---|
+ 254,849 | + 162,581 | - 36.2% |
Malicious and unwanted programs for mobile devices
In November, we detected new malware on Google Play. Again, users were targeted by the trojan adware of the
Doctor Web virus analysts also detected a new version of the
The following November events relating to mobile malware are the most noteworthy:
- detection of new threats on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Doctor Web’s overview of mobile malware detected in November 2019
December 11, 2019
This November, Doctor Web virus analysts detected a number of new threats on Google Play. The list included new modifications to trojans of the
PRINCIPAL TREND IN NOVEMBER
- Malicious software appearing on Google Play
Mobile threat of the month
In November, Doctor Web experts detected a new modification to the
According to statistics collected by Dr.Web for Android
- Android.Backdoor.682.origin: A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.DownLoader.677.origin: A downloader of other malicious software.
- Android.Triada.481.origin: A multi-functional trojan that performs various malicious actions.
- Android.MobiDash.4006: Trojan code that displays obnoxious advertising.
- Android.RemoteCode.197.origin: A malicious application that downloads and executes arbitrary code.
- Program.FakeAntiVirus.2.origin: Detects adware that imitates anti-virus software.
- Program.RiskMarket.1.origin: An app store that contains trojan software and recommends that users install it.
- Program.HighScore.3.origin: An app store that invites users to install free Google Play apps by paying for them via expensive text messages.
- Program.MonitorMinor.1.origin, Program.MobileTool.2.origin: Spyware that monitors the activities of Android users and may serve as a tool for cyber espionage.
- Tool.SilentInstaller.6.origin, Tool.SilentInstaller.7.origin, Tool.SilentInstaller.11.origin, Tool.VirtualApk.1.origin: Riskware platforms that allow applications to launch APK files without installing them.
- Tool.Rooter.3: A utility designed to obtain root privileges on Android devices. It may be used by cybercriminals and malware.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Dowgin.5.origin
- Adware.Toofan.1.origin
- Adware.BrowserAd.1
- Adware.Myteam.2.origin
- Adware.Altamob.1.origin
Trojans on Google Play
Last month, Doctor Web virus analysts detected a number of new modifications to trojans from the
We also detected the new trojan adware,
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
Doctor Web’s overview of malware detected on mobile devices in October 2019
November 13, 2019
The second autumn month turned out to be rough for Android users. Doctor Web virus analysts detected numerous malicious applications on Google Play, such as
PRINCIPAL TRENDS IN OCTOBER
- A growing number of threats on Google Play
Mobile threat of the month
In early October, Doctor Web reported a few clicker trojans that were added to the Dr.Web virus database as
- they are embedded into harmless applications;
- they are protected by a program packer;
- they are disguised as well-known SDKs;
- they attack users from specific countries.
Our virus analysts continued detecting additional modifications to these clickers throughout the entire month, having found
According to statistics collected by Dr.Web for Android
- Android.HiddenAds.472.origin: A trojan that delivers annoying advertisements.
- Android.RemoteCode.5564: A malicious application that downloads and executes arbitrary code.
- Android.Backdoor.682.origin: A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.DownLoader.677.origin: A downloader of other malicious software.
- Android.Triada.465.origin: A multi-functional trojan that performs various malicious actions.
- Program.FakeAntiVirus.2.origin: Detects adware that imitates anti-virus software.
- Program.MonitorMinor.1.origin, Program.MobileTool.2.origin, Program.FreeAndroidSpy.1.origin, Program.SpyPhone.4.origin: Spyware that monitors the activities of Android users and may serve as a tool for cyber espionage.
- Tool.SilentInstaller.6.origin, Tool.SilentInstaller.7.origin, Tool.SilentInstaller.11.origin, Tool.VirtualApk.1.origin: Riskware platforms that allow applications to launch APK files without installing them.
- Tool.Rooter.3: A utility designed to obtain root privileges on Android devices. It may be used by cybercriminals and malware.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Patacore.253
- Adware.Myteam.2.origin
- Adware.Toofan.1.origin
- Adware.Adpush.6547
- Adware.Altamob.1.origin
Trojans on Google Play
Apart from clicker trojans, Doctor Web virus analysts revealed several versions, as well as modifications to already known malware from the
Apart from that, our experts detected another trojan adware from the
Additionally, the Dr.Web virus database was updated to detect the trojans
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Doctor Web’s October 2019 virus activity review
November 13, 2019
In October, Dr.Web server statistics showed an increase in the total number of threats compared to September, while the number of unique threats dropped by 6.86%. The most common threats in email traffic were malware that exploits vulnerabilities in Microsoft Office documents, as well as phishing mailings. A password-stealing trojan topped the list of detected malware and unwanted software, but adware still makes up the majority of all threats.
Principal trends in October
- A drop in spreading activity of unique malware
- An upturn in encoder activity
According to Doctor Web’s statistics servers
Threats of this month:
- Trojan.PWS.Siggen2.34629: A trojan designed to steal passwords.
- Adware.Elemental.14: A detection for adware downloaded from file-sharing services via spoofed links. Instead of the requested file, the victim receives an application that displays advertising and installs unwanted software.
- Adware.SweetLabs.2: An alternative app store and add-on for the Windows GUI from the creators of Adware.Opencandy.
- Adware.Softobase.15: An installer that distributes outdated software and changes browser settings.
- Adware.Ubar.13: A torrent client that installs unwanted software on the user’s device.
- Trojan.InstallCore.3553: Another notorious adware installer. It displays ad banners and installs software without the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158: A modified Microsoft Word document that exploits the CVE-2012-0158 vulnerability to execute malicious code.
- W97M.DownLoader.2938: A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents and can download other malware onto a compromised computer.
- PDF.Phisher.115: A PDF document used in phishing mailings.
- Exploit.ShellCode.69: A malicious Microsoft Word document that exploits the CVE-2017-11882 vulnerability.
- Trojan.PWS.Siggen2.34629: A trojan designed to steal passwords.
- Trojan.PWS.Stealer.19347: A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Encoders
In October, cases involving the following trojan encoders were most commonly registered by Doctor Web’s technical support service:
- Trojan.Encoder.858 — 16.34%
- Trojan.Encoder.10700 — 6.27%
- Trojan.Encoder.29750 — 2.81%
- Trojan.Encoder.11539 — 2.64%
- Trojan.Encoder.25574 — 2.64%
- ACCDFISA v2 — 2.48%
- Trojan.Encoder.11464 — 2.15%
Dangerous websites
In October 2019, the database of non-recommended and malicious websites was updated with 254,849 webpages.
September 2019 | October 2019 | Dynamics |
---|---|---|
+ 238,637 | + 254,849 | + 6.79% |
Malicious and unwanted programs for mobile devices
Last month, Doctor Web virus analysts revealed a number of threats on Google Play. They included clicker trojans from the
The most noticeable October event related to mobile malware:
- rapid distribution of malware on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Clicker for Android subscribes users to paid services
October 17, 2019
Virus analysts have identified several modifications of this malicious code, dubbed
All of the malware was additionally protected with the commercial Jiagu packer, which hampers detection by anti-virus products and complicates code analysis, making it more likely that the trojan would slip past Google Play’s built-in security checks.
Besides, virus writers tried to disguise the trojan as well-known advertising and analytics libraries. After being added to the host software, it embedded itself in the Facebook and Adjust SDKs, hiding among their components.
The clicker attacked users selectively; it did not perform any malicious actions if the potential victim was not residing in one of the attackers’ countries of interest.
See below examples of apps with this trojan:
Upon installation and launch, the clicker (hereinafter, we will take its modification
If the user grants it the permissions, the trojan will be able to hide all notifications about incoming text messages and hook them.
Next, the clicker sends the technical data about the infected device to the command and control server and checks the serial number of the victim’s SIM card. If it corresponds to one of the target countries,
If the victim’s SIM card is not registered in a country of interest, the trojan does not take any action and stops its malicious activity. The studied modifications attack residents of the following states:
- Austria
- Italy
- France
- Thailand
- Malaysia
- Germany
- Qatar
- Poland
- Greece
- Ireland
After transmitting the number,
After receiving a website address,
Although the clicker is not designed to work with text messages and holds no permission to access them, it bypasses the restriction as follows. The trojan’s service monitors notifications from the default SMS application. When a message arrives, the service dismisses the system notification, extracts the message text from the notification and passes it to the trojan’s broadcast receiver. As a result, the user sees no notification about the incoming text and does not know what is happening; they learn about the subscription only when money is withdrawn from their account, or if they open the messaging app and see texts related to the premium service.
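The notification-based SMS interception described above leaves a static footprint that is easy to triage for: the app must bind a NotificationListenerService, which on Android requires the android.permission.BIND_NOTIFICATION_LISTENER_SERVICE permission on the service declaration, while it requests no SMS permission at all. The following Python check is an added example, not Doctor Web’s code; it runs over a decoded AndroidManifest.xml (as produced by a tool such as apktool) and the manifest below is constructed for the demonstration, with hypothetical package and class names.

```python
"""Static triage check for notification-based SMS interception.

Added example (not Doctor Web's code).  Given a decoded AndroidManifest.xml,
flag apps that declare a NotificationListenerService (bound with
android.permission.BIND_NOTIFICATION_LISTENER_SERVICE) while requesting no
SMS permission.  Such an app can read and dismiss the SMS app's notifications,
and therefore see one-time codes, without ever holding READ_SMS/RECEIVE_SMS.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NOTIF_LISTENER_PERM = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_PERMS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
}


def _attr(el, name):
    """Read an android:-namespaced attribute."""
    return el.get(f"{{{ANDROID_NS}}}{name}")


def manifest_findings(manifest_xml: str) -> dict:
    """Collect requested SMS permissions and notification-listener services."""
    root = ET.fromstring(manifest_xml)
    requested = {_attr(p, "name") for p in root.iter("uses-permission")}
    listeners = [
        _attr(s, "name")
        for s in root.iter("service")
        if _attr(s, "permission") == NOTIF_LISTENER_PERM
    ]
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(requested & SMS_PERMS),
        "notification_listeners": listeners,
    }


def is_suspicious(findings: dict) -> bool:
    """Notification listener declared, but no SMS permission requested."""
    return bool(findings["notification_listeners"]) and not findings["sms_permissions"]


# Constructed sample (hypothetical names): a "camera plug-in" that declares a
# notification listener and requests nothing SMS-related.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cameraplugin">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Camera FX">
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    found = manifest_findings(SAMPLE_MANIFEST)
    print(found)
    print("suspicious:", is_suspicious(found))
```

This is a triage signal, not a verdict: wearable companions, automation tools and some messaging clients legitimately declare notification listeners, so a hit should be followed by looking at what the listener does with SMS-app notifications (cancelling them and forwarding their text is the pattern described above).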
Doctor Web experts have contacted Google and the detected malicious applications were removed from Google Play. All known modifications of this clicker are successfully detected and removed by Dr.Web for Android and do not pose any threat to our users.
Read more about Android.Click.322.origin
#Android, #Google_Play, #clicker, #paid_subscription

Doctor Web’s September 2019 virus activity review
October 9, 2019
In September, Dr.Web server statistics showed a 19.96% increase in the total number of threats compared with the previous month, while the share of unique threats decreased by 50.45%. Users were mostly attacked by adware, as well as software downloaders and installers. In email traffic, threats that exploit Microsoft Office vulnerabilities to infect devices again prevailed.
The number of requests to decrypt files affected by trojan encoders has increased.
Principal trends in September
- Growing number of users targeted by encoders
- Advertising trojans and adware remain amongst the most active threats
According to Doctor Web’s statistics servers
The most common threats in September:
- Adware.SweetLabs.1, Adware.SweetLabs.2: An alternative app store and add-on for the Windows GUI from the creators of Adware.Opencandy.
- Adware.Elemental.14: A detection for adware downloaded from file-sharing services via spoofed links. Instead of the requested file, the victim receives an application that displays advertising and installs unwanted software.
- Adware.Softobase.15: An adware installer that distributes outdated software and changes browser settings.
- Adware.Ubar.13: A torrent client designed to install unwanted programs on the user’s device.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158: A modified Microsoft Office document that exploits the CVE-2012-0158 vulnerability to run malicious code.
- Trojan.SpyBot.699: Trojan spyware that intercepts keyboard input (a keylogger).
- W97M.DownLoader.2938: A family of trojan downloaders that exploit vulnerabilities in Microsoft Office applications and can download other malware onto a compromised device.
- PDF.DownLoader.57 (new threat): A family of trojan downloaders that spread in specially crafted PDF documents.
- Exploit.ShellCode.69: Another malicious Microsoft Word document that exploits the CVE-2017-11882 vulnerability.
Encoders
In September, Doctor Web’s technical support service registered 14.59% more requests to decode files encoded by trojan ransomware than in August.
The majority of cases involve the following encoders:
- Trojan.Encoder.858 — 16.60%
- Trojan.Encoder.11464 — 6.93%
- Trojan.Encoder.11539 — 5.04%
- Trojan.Encoder.25574 — 2.94%
- Trojan.Encoder.10700 — 2.52%
- Trojan.Encoder.567 — 1.89%
- Trojan.Encoder.24383 — 1.47%
Dangerous websites
In September 2019, Dr.Web database was updated with 238,637 URLs of non-recommended websites.
August 2019 | September 2019 | Dynamics |
---|---|---|
+ 204,551 | + 238,637 | + 16.66% |
Malicious and unwanted programs for mobile devices
In September, we detected a lot of malware on Google Play. Earlier this month, Doctor Web virus analysts detected the banking trojan
Among the threats spreading via Google Play were the trojan downloaders
Virus analysts have also identified new versions of riskware designed for cyber spying.
The following events are among the most notable regarding mobile security in September:
- distribution of malware on Google Play;
- detection of new spyware versions.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Doctor Web’s overview of malware detected on mobile devices in September 2019
October 9, 2019
In September, Android users were threatened by various malware, much of which was distributed via Google Play. Those were the
PRINCIPAL TRENDS IN SEPTEMBER
- Google Play remains the source of malicious and unwanted applications
- Users are still threatened by spyware
Mobile threat of the month
One of the malware detected last month was the
When launched,
The trojan intercepted two-factor authentication codes from text messages, as well as access codes from emails. It also intercepted and blocked notifications from instant messengers and email clients.
According to statistics collected by Dr.Web for Android
- Android.RemoteCode.6122, Android.RemoteCode.5564: Malicious applications that download and execute arbitrary code.
- Android.HiddenAds.455.origin, Android.HiddenAds.472.origin (new threat): Trojans that display unwanted ads on mobile devices.
- Android.Backdoor.682.origin: A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Patacore.253
- Adware.Gexin.3.origin
- Adware.Zeus.1
- Adware.Altamob.1.origin
Riskware that silently launches applications without user intervention:
- Tool.SilentInstaller.6.origin
Threats on Google Play
In addition to the
Attackers distributed
The banker used the Android Accessibility Service to steal information from text messages, such as confirmation codes and other sensitive data. Similarly to its previous modifications, it could also open phishing pages at the command of cybercriminals.
Last month, virus analysts detected several new adware trojans of the
Among the detected malware were trojan downloaders, such as
In September, several modifications of the Android.Joker trojan family were found on Google Play. These malicious applications were embedded in seemingly harmless software such as camera plug-ins, photo editors, image collections, various system utilities and other programs.
The trojans can load and run auxiliary DEX files and execute arbitrary code. They can also subscribe users to expensive services automatically by loading websites with premium content and clicking the relevant links without the user’s knowledge; to confirm the subscription, they intercept verification codes from text messages. Android.Joker also sends the victim’s contact list to the command and control server.
Other trojans that subscribed users to expensive services were dubbed
Spyware
In September, Doctor Web experts discovered several new versions of riskware, designed to spy on Android device users. The list included
To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.

Dangerous trojan spreads via copied website of Russia’s Federal Bailiffs Service
October 4, 2019
Our experts discovered a copy of Russia’s FSSP website at 199.247.**.***. The fake looks almost identical to the original, although some elements are displayed incorrectly compared with the official website.
If a user clicks certain links, they are redirected to a page prompting them to update Adobe Flash Player, and at the same time an .EXE file is downloaded to the device. If the user launches it, Trojan.DownLoader28.58809 is installed.
This trojan adds itself to the system’s autorun list, connects to the command and control server, and downloads another malicious module, Trojan.Siggen8.50183. It also downloads a file carrying a valid Microsoft digital signature, which is used to run the main malicious library. Trojan.Siggen8.50183 then collects information about the system and sends it to the command and control server. Once installed, the trojan remains active on the device and can perform various actions on command from the server.
When launched on a victim’s device, the trojan can do the following:
- obtain information about disks;
- obtain information about any file;
- obtain information about any folder (i.e. the number of files, subfolders, and their size);
- obtain the list of files in a specified folder;
- delete a file;
- create a folder;
- move a file;
- run a process;
- stop a process;
- obtain the list of processes.
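Two points in the chain above are worth a detection rule: the trojan persists via autorun, and it uses a Microsoft-signed file to run its malicious library, which is the pattern of DLL search-order hijacking (side-loading) even though the page does not name the signed binary. The Python below is an added example, not Doctor Web’s code. It runs over constructed image-load records whose field names are chosen for this example rather than taken from any product’s schema; map your own telemetry (for instance Sysmon image-load events joined with the loader’s signature) onto them.

```python
"""Detection sketch for a Microsoft-signed loader running a foreign DLL.

Added example, not Doctor Web's code.  The records below are constructed,
with hypothetical paths, and the field names are this example's own.
"""
from pathlib import PureWindowsPath

# Directories a standard user can write to.  A Microsoft-signed binary that
# *runs from* one of these is already unusual.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def same_directory(a: str, b: str) -> bool:
    return str(PureWindowsPath(a).parent).lower() == str(PureWindowsPath(b).parent).lower()


def is_sideload(ev: dict) -> bool:
    """Microsoft-signed loader, running from a user-writable directory, loads a
    DLL that sits beside it and is not itself Microsoft-signed."""
    loader_ms = (ev.get("loader_signer") or "").lower().startswith("microsoft")
    dll_ms = (ev.get("dll_signer") or "").lower().startswith("microsoft")
    return (loader_ms and not dll_ms
            and in_user_writable(ev["loader"])
            and same_directory(ev["loader"], ev["dll"]))


def is_suspicious_autorun(command: str) -> bool:
    """Run-key value whose target lives in a user-writable directory."""
    return in_user_writable(command)


# Constructed image-load records (hypothetical paths and signer names).
EVENTS = [
    {"loader": r"C:\Users\bob\AppData\Local\Temp\upd\helper.exe",
     "loader_signer": "Microsoft Corporation",
     "dll": r"C:\Users\bob\AppData\Local\Temp\upd\version.dll",
     "dll_signer": None},                       # the case described above
    {"loader": r"C:\Windows\System32\svchost.exe",
     "loader_signer": "Microsoft Windows",
     "dll": r"C:\Windows\System32\version.dll",
     "dll_signer": "Microsoft Windows"},        # normal system activity
    {"loader": r"C:\Program Files\Acme\acme.exe",
     "loader_signer": "Acme Ltd",
     "dll": r"C:\Program Files\Acme\plugin.dll",
     "dll_signer": None},                       # third-party app, not MS-signed
]


def flagged_loaders(events=EVENTS):
    """Return the loader paths that match the side-loading pattern."""
    return [ev["loader"] for ev in events if is_sideload(ev)]


if __name__ == "__main__":
    for path in flagged_loaders():
        print("possible side-loading:", path)
```

The rule deliberately keys on the combination (signed loader, unsigned neighbour DLL, user-writable directory) rather than on any one hash, because the signed binary itself is legitimate and would pass a reputation check.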
According to our data, cybercriminals have not yet launched any large-scale virus campaigns using the fake website, but it could be used in attacks aimed at individual users or organizations.
Both of these trojans are successfully detected and removed by Dr.Web products and pose no threat to our users.
Doctor Web’s overview of malware detected on mobile devices in August 2019
September 9, 2019
In the last month of summer, Doctor Web virus analysts detected the clicker trojan
PRINCIPAL TRENDS IN AUGUST
- Detection of new malware on Google Play
- Emergence of new adware modules
Mobile threat of the month
In early August, Doctor Web reported the
- it began operating 8 hours after startup;
- some features were implemented using reflection;
- it could subscribe users to premium mobile services using WAP-Click.
For more information on
According to statistics collected by Dr.Web for Android
- Android.HiddenAds.455.origin: A trojan designed to display unwanted ads on mobile devices.
- Android.Backdoor.682.origin: A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.Triada.467.origin: A multi-functional trojan that performs various malicious actions.
- Android.RemoteCode.197.origin, Android.RemoteCode.5564: Malicious applications designed to download and execute arbitrary code.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Gexin.3.origin
- Adware.Patacore.253
- Adware.Zeus.1
- Adware.Altamob.1.origin
- Adware.Myteam.2.origin (a new threat)
Threats on Google Play
Along with the
Virus analysts also identified new trojan adware of the
At the end of August, Doctor Web experts discovered another banking trojan that attacked Brazilian Android users. This malware was dubbed
To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.

Doctor Web’s August 2019 virus activity review
September 9, 2019
In August, Dr.Web server statistics showed a 21.28% decrease in the total number of threats compared to July; the number of unique threats dropped only slightly, by 2.82%. The most common threats in email traffic were malware that exploits vulnerabilities in Microsoft Office documents, as well as trojan downloaders. As in the previous month, most of the detected malware and unwanted software was adware.
Principal trends in August
- A decline in malware spreading activity
- A growing number of non-recommended and malicious websites
- An upturn of encoder activity
Threat of the month
In August, researchers at Doctor Web’s virus lab discovered a dangerous banking trojan spread by cybercriminals via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software websites.
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.15: An adware installer that distributes outdated software and changes browser settings.
- Adware.Ubar.13: A torrent client designed to install unwanted programs on the user’s device.
- Trojan.Winlock.14244: A ransomware trojan that blocks or limits the user’s access to the Windows operating system and its functions. To unlock the system, the user must transfer money to the cybercriminals.
- Trojan.InstallCore.3553: Another well-known adware installer. It displays ads and installs new software without the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158: A modified Microsoft Office document that exploits the CVE-2012-0158 vulnerability to run malicious code.
- W97M.DownLoader.2938: A family of trojan downloaders that exploit vulnerabilities in Microsoft Office applications and can download other malware onto a compromised device.
- Exploit.ShellCode.69: Another malicious Microsoft Word document that exploits the CVE-2017-11882 vulnerability.
- Trojan.PWS.Stealer.19347: A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
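The same two Office lures head the email statistics in every monthly review on this page: RTF documents exploiting CVE-2012-0158 and documents exploiting CVE-2017-11882 (the Equation Editor flaw). The Python scanner below is an added example, not one of Doctor Web’s signatures. It looks for the CVE-2017-11882 footprint, an embedded OLE object whose class is Equation Editor (ProgID Equation.3, CLSID 0002CE02-0000-0000-C000-000000000046), inside the \objdata groups of an RTF file. The sample RTF is constructed here, contains no exploit, and uses a simplified stand-in for the real OLE1/compound-file layout; CVE-2012-0158 lures instead embed MSCOMCTL ActiveX controls and would need their own CLSIDs added.

```python
"""First-pass scanner for Equation Editor objects in RTF mail attachments.

Added example, not Doctor Web's detection logic.  Real samples obfuscate
heavily (control-word padding, hex split across whitespace, nested groups),
so treat a hit as a reason to detonate or apply proper signatures, and a
miss as no evidence of anything.
"""
import re
import uuid

EQUATION_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION_CLSID_LE = EQUATION_CLSID.bytes_le      # byte order as stored on disk


def objdata_blobs(rtf: bytes):
    """Yield the hex-decoded payload of each \\objdata group."""
    for m in re.finditer(rb"\\objdata\b(.*?)\}", rtf, re.S):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))   # drop whitespace/padding
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]
        yield bytes.fromhex(hexdata.decode())


def scan_rtf(rtf: bytes) -> dict:
    findings = {"objclass_equation": False, "equation_clsid": False, "objdata_count": 0}
    if re.search(rb"\\objclass\s*Equation", rtf, re.I):
        findings["objclass_equation"] = True
    for blob in objdata_blobs(rtf):
        findings["objdata_count"] += 1
        # Either the class name or the raw CLSID bytes inside the object data.
        if EQUATION_CLSID_LE in blob or b"Equation" in blob:
            findings["equation_clsid"] = True
    return findings


def rtf_is_suspicious(findings: dict) -> bool:
    return findings["objclass_equation"] or findings["equation_clsid"]


def _ole1_object_hex() -> bytes:
    """Hex of a minimal, simplified OLE 1.0 embedded-object header naming
    Equation.3, followed by the Equation Editor CLSID (constructed sample)."""
    classname = b"Equation.3\x00"
    header = (b"\x01\x05\x00\x00"                          # OLE version
              + b"\x02\x00\x00\x00"                        # format id: embedded
              + len(classname).to_bytes(4, "little") + classname)
    return (header + EQUATION_CLSID_LE).hex().encode()


# Constructed samples: one with an Equation.3 object, one plain memo.
SAMPLE_RTF = (rb"{\rtf1\ansi Invoice attached.{\object\objemb{\*\objclass Equation.3}"
              rb"{\*\objdata " + _ole1_object_hex() + rb"}}}")
BENIGN_RTF = rb"{\rtf1\ansi Just a memo.}"

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        f = scan_rtf(doc)
        print(name, f, "suspicious" if rtf_is_suspicious(f) else "clean")
```

Mail gateways that cannot detonate attachments can at least quarantine any RTF that embeds an Equation Editor object: after the 2018 removal of Equation Editor from Office, legitimate mail has essentially no reason to carry one.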
Encoders
In August, cases involving the following ransomware were most often registered by Doctor Web’s technical support service:
- Trojan.Encoder.858 — 17.73%
- Trojan.Encoder.11464 — 7.09%
- Trojan.Encoder.18000 — 4.96%
- Trojan.Encoder.28004 — 4.26%
- Trojan.Encoder.11539 — 2.60%
- Trojan.Encoder.25574 — 1.18%
- Trojan.Encoder.567 — 1.65%
Dangerous websites
In August 2019, Doctor Web added 204,551 URLs to the Dr.Web database of non-recommended websites.
July 2019 | August 2019 | Dynamics |
---|---|---|
+ 123,251 | + 204,551 | + 65.96% |
Malicious and unwanted programs for mobile devices
In August, Doctor Web experts discovered several new malware on Google Play. In early August, the Dr.Web virus database was updated to detect the
At the end of the month, Doctor Web experts discovered another banking trojan that attacked users from Brazil. The malware, dubbed
The following events are among the most notable regarding mobile security in August:
- Distribution of malware on Google Play;
- New unwanted adware modules.
Learn more about malicious and unwanted programs for mobile devices in our August overview.
Banking trojan Bolik spreads disguised as the NordVPN app
August 19, 2019
Our researchers recently found a copy of the official website of NordVPN, a well-known VPN service, at nord-vpn[.]club. Like the original, it prompts users to download the VPN client; but along with the program itself, the fake’s authors distribute a dangerous banking trojan -
It has the same design, a similar domain name, and a valid SSL certificate.
According to our data, the malware campaign that uses those fake websites is primarily targeted at English-speaking audiences and was launched on August 8, 2019. However, at the time this news was released, the malicious fake NordVPN website already had thousands of visits.
On top of that, at the end of June this year, the same hacker group copied websites of office programs: invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com) and clipoffice[.]xyz (the original is crystaloffice[.]com), where the
The
Earlier this year, we reported another malware campaign from the same hacker group in which they distributed
Both of these trojans are successfully detected and removed by Dr.Web products and pose no threat to our users.
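The three fake sites named above show two different impersonation tricks: nord-vpn[.]club and invoicesoftware360[.]xyz reuse the brand’s own name with a hyphen or a different TLD, while clipoffice[.]xyz merely resembles crystaloffice[.]com. The Python check below is an added example, not Doctor Web’s tooling; it takes the brand domains and the defanged observed domains from this page as input, and its thresholds are its own choice. It catches the first two cases and, as the test shows, deliberately does not claim to catch the third, which needs a content or certificate comparison rather than name similarity.

```python
"""Lookalike-domain check for distribution sites that copy a brand's site.

Added example, not Doctor Web's code.  Brand list and observed domains are the
ones named on this page; the edit-distance threshold is this example's choice.
"""

BRANDS = {"nordvpn.com", "invoicesoftware360.com", "crystaloffice.com"}


def refang(domain: str) -> str:
    """Turn 'nord-vpn[.]club' back into 'nord-vpn.club'."""
    return domain.replace("[.]", ".").lower().strip(".")


def registrable_label(domain: str):
    """Second-level label ('nord-vpn' for 'nord-vpn.club').  Public-suffix
    handling is omitted; fine for the com/club/xyz cases here."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else None


def normalize(label: str) -> str:
    """Collapse cheap tricks: hyphens and the commonest digit/letter confusables."""
    return label.translate(str.maketrans({"-": "", "0": "o", "1": "l"}))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, brands=BRANDS, max_dist=1):
    """Return the brand domain this one impersonates, or None."""
    d = refang(domain)
    if d in brands:
        return None                      # the genuine site itself
    label = registrable_label(d)
    if label is None:
        return None
    nd = normalize(label)
    best = None
    for brand in brands:
        dist = levenshtein(nd, normalize(registrable_label(brand)))
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (brand, dist)
    return best[0] if best else None


if __name__ == "__main__":
    for observed in ("nord-vpn[.]club", "invoicesoftware360[.]xyz", "clipoffice[.]xyz"):
        print(observed, "->", lookalike_of(observed))
```

Feed the function newly registered domains or the SNI/host fields from proxy logs; a hit on a brand your organisation actually uses is worth a block, and the valid TLS certificate mentioned above is no reason to trust the site, since certificate authorities validate domain control, not the domain’s intent.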
#banker #banking_trojan #stealer
Doctor Web: Clicker Trojan Installed from Google Play by Some 102,000,000 Android Users
August 8, 2019
The trojan is a malicious module, which, according to Dr.Web classification, was dubbed
Once launched, the trojan sends the following information about the infected device to the C&C server:
- manufacturer and model;
- operating system version;
- user’s country of residence and default system language;
- User-Agent ID;
- mobile carrier;
- internet connection type;
- display parameters;
- time zone;
- data on application containing trojan.
In response, the server sends the necessary settings. Some of the malware’s functions use reflection, and the settings contain the names of classes and methods along with parameters for them. They are used, for example, to register a broadcast receiver and a content observer, which
Upon installation of a new application or download of an apk file by the Play Market client, the trojan sends information about this software along with some technical data about the device to the command and control server. In response,
Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content. For example, after installing applications with the built-in trojan, users complained about being automatically subscribed to expensive content provider services.
Fig. 1. First user comment: “After installation, it subscribes you to paid services! Be careful, do not install this application!!!”
Developer response: “What services? You're wrong.”
Second user: “After installation, I was subscribed to 5 services and now my phone account is empty.”
Fig. 2. User comment: “What kind of joke is this? Paid subscriptions to Beeline (Russian mobile carrier). I have nothing to do with Beeline.”
Fig. 3. User comment: “The moment you log in, it deducts 50 rubles. I don’t know what it is for, please explain.”
Fig. 4. User comment: “After I use the app, they subscribe me to some shady services.”
Doctor Web specialists were unable to recreate the conditions for the trojan to open such websites. However, in the case of
Doctor Web virus analysts have identified 34 applications with the embedded
- GPS Fix
- QR Code Reader
- ai.type Free Emoji Keyboard
- Cricket Mazza Live Line
- English Urdu Dictionary Offline - Learn English
- EMI Calculator - Loan & Finance Planner
- Pedometer Step Counter - Fitness Tracker
- Route Finder
- PDF Viewer - EBook Reader
- GPS Speedometer
- GPS Speedometer PRO
- Notepad - Text Editor
- Notepad - Text Editor PRO
- Who unfriended me?
- Who deleted me?
- GPS Route Finder & Transit: Maps Navigation Live
- Muslim Prayer Times & Qibla Compass
- Qibla Compass - Prayer Times, Quran, Kalma, Azan
- Full Quran MP3 - 50+ Audio Translation & Languages
- Al Quran Mp3 - 50 Reciters & Translation Audio
- Prayer Times: Azan, Quran, Qibla Compass
- Ramadan Times: Muslim Prayers, Duas, Azan & Qibla
- OK Google Voice Commands (Guide)
- Sikh World - Nitnem & Live Gurbani Radio
- 1300 Math Formulas Mega Pack
- Обществознание - школьный курс. ЕГЭ и ОГЭ (Social Studies - School Curriculum. Unified State Exam and Basic State Exam)
- Bombuj - Filmy a seriály zadarmo
- Video to MP3 Converter, RINGTONE Maker, MP3 Cutter
- Power VPN Free VPN
- Earth Live Cam - Public Webcams Online
- QR & Barcode Scanner
- Remove Object from Photo - Unwanted Object Remover
- IRCTC Train PNR Status, NTES Rail Running Status
Doctor Web informed Google about this trojan, and some applications we had detected were quickly removed from Google Play. Additionally, several applications have been updated, removing the malicious component. However, at the time of this publication, most applications still contained a malicious module and remained available for download.
Virus analysts recommend that developers responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software. Dr.Web for Android successfully detects and removes applications that have the known modifications of
Read more about Android.Click.312.origin
#Android, #Google_Play, #clicker
05.08 July 2019 virus activity review from Doctor Web
August 5, 2019
In July, Dr.Web’s statistics showed a 54.21% decrease in the number of detected threats compared to June, while the number of unique threats almost doubled. E-mail traffic was dominated by malware that uses vulnerabilities in Microsoft Office programs. Adware and unwanted programs still occupy the top of all detected threats. The leading ransomware in July, Trojan.Encoder.858, accounted for 21.15% of all requests for data decryption received by Doctor Web’s support service.
Doctor Web’s researchers have prepared a study that describes trends in the most common threats for smart devices and the Internet of Things (IoT) as a whole. This review is based on statistical data that has been gathered from our honeypots since 2016 and intends to draw attention to the security problem in the field of IoT.
Principal trends in July
- An increase in spreading activity of unique malware
- A decline in ransomware activity
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Adware.Softobase.15
- Installation adware that spreads outdated software and changes the browser’s settings.
- Trojan.Packed.20771
- This program installs malicious browser extensions that redirect search results to different websites.
- Trojan.Winlock.14244
- A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Trojan.DownLoader29.14148
- Downloads and runs malicious software without the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document that uses the CVE-2017-11882 vulnerability.
- JS.DownLoader.1225
- A family of malicious JavaScripts. They download and install malicious software on a computer.
Encryption ransomware
In July, Doctor Web’s technical support service most frequently registered cases involving the following ransomware:
- Trojan.Encoder.858 — 21.15%
- Trojan.Encoder.567 — 9.45%
- Trojan.Encoder.11464 — 8.01%
- Trojan.Encoder.25574 — 4.93%
- Trojan.Encoder.18000 — 3.90%
- Trojan.Encoder.11539 — 3.08%
- Trojan.Encoder.28004 — 1.85%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During July 2019, Doctor Web added 123,251 URLs to the Dr.Web database of non-recommended sites.
June 2019 | July 2019 | Dynamics |
---|---|---|
+ 151,162 | + 123,251 | -18.46% |
Malicious and unwanted programs for mobile devices
In mid-July, Doctor Web researchers detected a new dangerous trojan
Among other detected threats were new trojans of the
New entries for detecting trojans of the
Among the most notable July events related to mobile malware:
- detection of a dangerous backdoor that executes malicious commands;
- detection of new malicious programs on Google Play;
- the spread of trojans designed for cyber espionage.
Find out more about malicious and unwanted programs for mobile devices in our monthly review.
Find out more with Dr.Web
05.08 Doctor Web’s overview of virus activity on mobile devices in July 2019
August 5, 2019
Last month Doctor Web reported the dangerous
PRINCIPAL TRENDS IN JULY
- Distribution of an Android backdoor that was spying on users and executing commands from cybercriminals
- Detection of new trojans and unwanted applications on Google Play
- Distribution of spyware trojans
Mobile threat of the month
In mid-July, Doctor Web virus analysts investigated the
This backdoor spied on users, sending information about their contacts, phone calls, and device location to the attackers. It also uploaded files from devices to a remote server, as well as downloaded and installed software. Features of
- the main malicious component of the trojan was hidden in an auxiliary module, encrypted and stored in the application’s resource directory;
- with root privileges, it could install software automatically;
- it could execute shell commands received from the C&C server.
For more information regarding
According to statistics collected by Dr.Web for Android
- Android.Backdoor.682.origin
- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.HiddenAds.1424
- A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.
- Android.RemoteCode.197.origin
- Android.RemoteCode.5564
- Android.RemoteCode.216.origin
- Malicious applications designed to download and execute arbitrary code.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Zeus.1
- Adware.Gexin.3.origin
- Adware.Patacore.253
- Adware.Altamob.1.origin
A riskware platform that allows applications to launch APK files without installing them:
- Tool.VirtualApk.1.origin
Threats on Google Play
Since the beginning of July, Doctor Web malware analysts have detected many new adware trojans of the
In addition, a new unwanted advertising module named
Cyberespionage
Last month, the Dr.Web virus database was also updated to detect the spyware trojans
The second one displayed a fraudulent message, prompting a potential victim to update a Google Play component. If the user agreed, the trojan displayed a phishing window that simulated a Google account login page.
Virus writers made a spelling mistake in the phrase “Sign in”, which could indicate a fake. If the victim did not notice this and logged into the account,
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
17.07 Risks and Threats of the Internet of Things (IoT)
August 7, 2019
Introduction
In addition to computers, smartphones, tablets, and routers, the World Wide Web now increasingly covers smart TVs, surveillance cameras, smart watches, refrigerators, cars, fitness trackers, video recorders, and even children's toys. The number of IoT devices already exceeds several billion, and this number is growing every year.
Many of them are badly protected from attacks, or not protected at all. For example, they can be accessed with simple or well-known credentials that are set by default on hundreds of thousands of device models. Owners either do not think about changing the factory settings or are unable to do so because access is restricted. Cybercriminals can access such devices relatively easily by trying combinations from a dictionary (the so-called brute force method). They can also exploit vulnerabilities in the devices’ operating systems.
Since 2016, Doctor Web has been closely following Internet of Things threats. To do this, our experts have set up a network of decoys, i.e. honeypots, which imitate various types of smart devices and record attempts to infect them. The honeypots cover several hardware platforms, including ARM, MIPS, MIPSEL, PowerPC, and Intel x86_64. They allow us to monitor attack vectors, detect and research new malware samples, improve detection mechanisms, and respond to attacks more effectively.
This article covers the identified attacks targeting smart devices, as well as the most common IoT threats.
Statistics
When monitoring first started, our malware analysts recorded relatively low activity of malware aimed at IoT devices. In the first four months of 2016, Doctor Web experts detected 729,590 attacks. However, the number grew 32-fold over a year, hitting 23,741,581. Twelve months later, the figure rose to 99,199,444. The first half of the current year has already seen 73,513,303 attacks, almost as many as the whole of 2018.
The pattern of attack detections by honeypots is shown in the diagram:
In less than three years, the number of attempts to hack and infect IoT devices has increased by 13,497%.
Smart devices were targeted from IP addresses in more than 50 countries. Most attempts were made from the US, the Netherlands, Russia, Germany, Italy, the United Kingdom, France, Canada, Singapore, India, Spain, Romania, China, Poland, and Brazil.
The geographic spread of attack sources and their percentages are shown in this diagram:
After compromising the devices, cybercriminals downloaded one or several trojans onto them. The total number of unique malicious files detected by our traps during the observation period was 131,412. The detection patterns are shown below.
Smart devices run on different processor architectures, and malware often has versions for several hardware platforms at once. Among those mimicked by our honeypots, devices with ARM, MIPSEL, and MIPS processors are targeted more often than the others. This is clearly seen on the diagram:
According to statistics gathered by honeypots, the most active malware is the
Malicious code that targets smart devices falls under several basic categories according to the main features:
- DDoS trojans (such as Linux.Mirai);
- trojans that distribute, download, and install other malware and components (such as Linux.DownLoader, Linux.MulDrop);
- trojans that enable remote control of the infected devices (such as Linux.BackDoor);
- trojans that turn devices into proxy servers (such as Linux.ProxyM, Linux.Ellipsis.1, Linux.LuaBot);
- trojans for cryptocurrency mining (such as Linux.BtcMine);
- others.
However, most malware poses a multifunctional threat, since many samples combine several functions at once.
Threat Trends for Smart Devices
- Due to the availability of trojan source code, such as Linux.Mirai, Linux.BackDoor.Fgt, Linux.BackDoor.Tsunami, and others, the number of new malware samples is growing.
- A growing number of malicious applications are written in less common programming languages, such as Go and Rust.
- Cybercriminals have access to information about many vulnerabilities that can be exploited to infect smart devices.
- The persisting popularity of cryptocurrency miners (mainly Monero) for IoT devices.
See the information below on the most common and notable IoT trojans.
More on IoT Threats
Linux.Mirai
After infecting the target device,
The following diagram shows the patterns of detecting active copies of this malware by honeypots:
Modifications of
Linux.Hajime
Another dangerous malware for smart devices is
The peak of
These trojans are most common in Brazil, Turkey, Vietnam, Mexico, and South Korea. The map shows the countries with the largest number of active
Linux.BackDoor.Fgt
The top five trojans designed for IoT devices include
These backdoors are distributed via the Telnet and SSH protocols, brute-forcing credentials to gain access to devices. The main purpose of these trojans is to perform DDoS attacks and remotely monitor the infected devices.
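The credential brute-forcing described here and in the introduction (default factory logins tried over Telnet and SSH) is exactly what a honeypot or an edge device’s auth log should surface. The following is an added example, not Doctor Web’s honeypot code, that parses a few constructed sshd/telnetd-style log lines, flags any source IP that produces a burst of failed logins inside a sliding window, and notes when a tried username/password pair matches a small illustrative list of factory credentials (the log format, the `DEFAULT_CREDS` list and the thresholds are assumptions chosen for the example):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd/telnetd-like format (not Doctor Web honeypot data).
SAMPLE_LOG = """\
2019-07-01T10:00:01 sshd: Failed password for root from 198.51.100.7 port 51234 ssh2
2019-07-01T10:00:02 sshd: Failed password for admin from 198.51.100.7 port 51235 ssh2
2019-07-01T10:00:02 telnetd: Failed login for root (password 'xc3511') from 198.51.100.7
2019-07-01T10:00:03 sshd: Failed password for root from 198.51.100.7 port 51236 ssh2
2019-07-01T10:00:04 sshd: Failed password for root from 198.51.100.7 port 51237 ssh2
2019-07-01T10:00:05 telnetd: Failed login for admin (password 'admin') from 198.51.100.7
2019-07-01T10:00:06 sshd: Failed password for root from 198.51.100.7 port 51238 ssh2
2019-07-01T10:05:00 sshd: Failed password for alice from 203.0.113.9 port 40000 ssh2
2019-07-01T10:20:00 sshd: Accepted password for alice from 203.0.113.9 port 40001 ssh2
"""

# One regex covers both daemons: timestamp, service, outcome, user, optional password
# (only telnetd logs it in this constructed format) and the source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>\w+): (?P<outcome>Failed|Accepted) (?:password|login) "
    r"for (?P<user>\S+)(?: \(password '(?P<pw>[^']*)'\))? from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Illustrative factory credentials of the kind found in IoT brute-force dictionaries.
# A real deployment would load a fuller list; this is an assumption for the example.
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("root", "xc3511"), ("root", "admin")}


def parse_line(line):
    """Return a dict of fields for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def analyse(log_text, window=timedelta(seconds=60), threshold=5):
    """Per source IP: failed-login count, whether a burst (>= threshold failures inside
    `window`) occurred, which factory credentials were tried, and whether any login succeeded."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the sliding window
    report = defaultdict(lambda: {"failed": 0, "burst": False,
                                  "default_creds": [], "succeeded": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        entry = report[ev["ip"]]
        if ev["outcome"] == "Accepted":
            entry["succeeded"] = True  # a success after a burst is the case worth escalating
            continue
        entry["failed"] += 1
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            entry["burst"] = True
        if ev["pw"] is not None and (ev["user"], ev["pw"]) in DEFAULT_CREDS:
            entry["default_creds"].append((ev["user"], ev["pw"]))
    return dict(report)


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

The combination that matters operationally is a burst from one address followed by an `Accepted` line for the same address: that is the signal that a default or weak credential worked, and the device should be treated as compromised until its login is changed and it is inspected.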
Linux.ProxyM
Linux.Ellipsis.1
Linux.LuaBot
Doctor Web has discovered the first versions of the
Linux.BtcMine.174
Cryptocurrency mining is one of the main reasons cybercriminals infect IoT devices. The Linux.BtcMine family of trojans and other malware help them with this. One of them,
The trojan adds itself to autorun, so rebooting the infected device does not help. It also keeps checking whether the mining software process is active; if necessary, the trojan starts it again, ensuring that cryptocurrency is mined at all times.
Linux.MulDrop.14
The Linux.MulDrop trojan family is used to distribute and install other malware. They work on many hardware architectures and device types. In 2017, Dr.Web virus analysts discovered the
Linux.HideNSeek
The Linux.HideNSeek malware infects smart devices, computers, and servers running Linux, integrating them into a decentralized botnet. To spread itself, the trojan generates IP addresses and attempts to connect to them using a brute-force attack, as well as a list of known combinations of authentication data. It can also exploit various hardware vulnerabilities. Linux.HideNSeek can be used to remotely control the infected devices, i.e. execute commands from cybercriminals, copy files, etc.
Linux.BrickBot
Unlike most other malware, the Linux.BrickBot trojans are not intended to bring any profit. They are vandals, designed to disable computers and smart devices. They have been known since 2017.
Linux.BrickBot trojans try to infect devices via the Telnet protocol, brute-forcing the credentials. They then try to erase the data from the permanent storage modules, reset the network settings, block all connections, and perform a reboot. As a result, to restore the devices, the user would need to reflash them or even replace components. These trojans are rare, but extremely dangerous.
In late June 2019, the Linux.BrickBot.37 trojan, also known as Silex, became widespread. It acted in a similar way to other members of the Linux.BrickBot family, i.e. erasing data from device drives, deleting the network settings, and performing a reboot, after which the devices could no longer switch on and operate correctly. Our traps detected over 2,600 attacks using this trojan.
Conclusion
Millions of high-tech devices, increasingly used in everyday life, are actually small computers with the corresponding flaws. They are targeted by similar attacks and have similar vulnerabilities, but due to the nature and limitations of their form factor, they are far more difficult or even impossible to protect. Additionally, many users are not fully aware of the potential risks and still perceive smart devices as safe and convenient toys.
The IoT market is actively developing and largely repeating the start of the mass distribution of personal computers, when the mechanisms against threats were only being developed. While manufacturers and owners of smart devices are adapting to new realities, cybercriminals have huge opportunities to attack them. Thus, we should expect new malware for the Internet of Things in the near future.
Doctor Web continues to monitor the spread of trojans and other threats aimed at smart devices and will inform our users about all noteworthy events in this area. Dr.Web anti-virus products successfully detect and remove the malware mentioned in this review.
12.07 Doctor Web: A dangerous Android backdoor distributed via Google Play
July 12, 2019
The malware was dubbed
When launched,
Its window contains a button to “check” for updates to the OpenGL ES interface. When a user taps the window, the trojan simulates a search for new versions of OpenGL ES, but does not actually perform any checks.
When the victim closes the application window,
The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service.
- sending information on contacts from the contact list to the server;
- sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
- sending the phone call history to the server;
- sending the device location to the server;
- downloading and launching an APK or a DEX file using the DexClassLoader class;
- sending the information on the installed software to the server;
- downloading and launching a specified executable file;
- downloading a file from the server;
- uploading a specified file to the server;
- transmitting information on files in the specified directory or a memory card to the server;
- executing a shell command;
- launching the activity specified in a command;
- downloading and installing an Android application;
- displaying a notification specified in a command;
- requesting permission specified in a command;
- sending the list of permissions granted to the trojan to the server;
- not letting the device go into sleep mode for a specified time period.
The trojan AES-encrypts all data transmitted to the server. Each request is protected with a unique key generated from the current time. The same key encrypts the server response.
- automatically, if the system has root access (using a shell command);
- using a system package manager (system software only);
- displaying a standard system installation dialog where the user needs to confirm the installation.
As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers,
Doctor Web has notified Google about the trojan; it was already removed from Google Play at the time of publication.
Read more about Android.Backdoor.736.origin
#Android, #backdoor, #Google_Play, #spyware

03.07 June 2019 mobile malware review from Doctor Web
July 3, 2019
In mid June, Dr.Web virus analysts discovered the
PRINCIPAL TREND IN JUNE
- New malicious and unwanted applications on Google Play
Mobile threat of the month
On June 14, Doctor Web reported the
Clicking such a message would open one of the advertised websites in the browser. Many of them were fraudulent.
Features of
- it is distributed via Google Play under the guise of official software by well-known brands;
- notifications from websites loaded by the trojan did not stop when the trojan was removed.
According to statistics collected by Dr.Web for Android
- Android.Backdoor.682.origin
- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.HiddenAds.1424
- A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.
- Android.RemoteCode.197.origin
- Android.RemoteCode.4411
- Malicious applications designed to download and execute arbitrary code.
- Android.Triada.3670
- A multi-functional trojan that performs different malicious actions.
Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:
- Adware.Zeus.1
- Adware.Jiubang.2
- Adware.AdPush.33.origin
- Adware.Toofan.1.origin
A riskware platform that allows applications to launch APK files without installing them:
- Tool.VirtualApk.1.origin
A new threat:
- Adware.Patacore.253
- A representative of a family of unwanted modules that display banner advertisements on Android devices.
Threats on Google Play
Along with
Virus analysts have also discovered a number of new
After installation and launch, the malware hid its icons and began displaying ads.
Another trojan found on Google Play was named
The first versions of this application were safe; but later, in versions 1.1.0 and 1.1.4, it was updated with trojan functionality.
Another downloader was named
At the end of June, the Dr.Web virus database was updated to detect the
To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

03.07 June 2019 virus activity review from Doctor Web
July 3, 2019
In June, Dr.Web server statistics registered a significant increase in the number of common and unique threats compared with May. Adware and installers still lead in the total number of detected threats; the highest malware activity was detected in email traffic. The dangerous stealer Trojan.PWS.Maria.3 (Ave Maria), previously used to target an oil and gas company, is active again. The Trojan.Nanocore.23 remote access trojan, which lets attackers control an infected computer, is distributed via email. A malware campaign using the Trojan.Encoder.858 encoder also took place in June.
Principal trends in June
- Increased malware distribution
- Emailing stealers and RAT Trojans
- Increased encoder activity
Threat of the month
In June, a sample of the rare Trojan.MonsterInstall Node.js trojan was studied in the Doctor Web virus lab. When launched on a victim's device, it downloads and installs the modules it needs for operation, collects information about the system, and sends it to the developer’s server. After receiving a response from the server, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency. Developers of this malware use cheats for popular games from their own webpages to distribute the trojan and infect files on other similar websites.
According to Doctor Web’s statistics servers
Threats of this month:
- Adware.Ubar.13
- A torrent client that installs unwanted software on devices.
- Trojan.InstallCore.3553
- Another notorious adware installer. It displays ad banners and installs software without users’ permission.
- Trojan.Winlock.14244
- Blocks or restricts user access to the operating system and its main functions. To access the system, users are required to transfer money to the trojan developer’s account.
- Trojan.Starter.7394
- A trojan that launches other malware on a device.
- Adware.Softobase.12
- An installer that distributes outdated software. It changes browser settings.
Statistics for malware discovered in email traffic
- Exploit.Rtf.CVE2012-0158
- A modified Microsoft Office Word document that exploits the CVE2012-0158 vulnerability to execute malicious code.
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents and can download other malicious programs to a compromised computer.
- Exploit.ShellCode.69
- A malicious Microsoft Office Word document that exploits the CVE-2017-11882 vulnerability.
Rising threats of the month:
- Trojan.PWS.Maria.3
- A stealer distributed by email in malicious Excel files. It uses the popular CVE-2017-11882 vulnerability to launch an executable file. It was first seen in a phishing campaign targeting the Italian oil and gas industry.
- Trojan.Nanocore.23
- A dangerous trojan with remote access. It allows cybercriminals to control an infected computer, including the camera and microphone on the device if available.
Encoders
In June, Doctor Web’s technical support service registered cases involving the following encoders:
- Trojan.Encoder.858 — 30.31%
- Trojan.Encoder.567 — 7.02%
- Trojan.Encoder.11464 — 6.47%
- Trojan.Encoder.11539 — 3.33%
- Trojan.Encoder.18000 — 3.14%
- Trojan.Encoder.28004 — 2.59%
- Trojan.Encoder.25574 — 1.66%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
In June 2019, the Dr.Web database was updated with a total of 151,162 non-recommended website URLs.
May 2019 | June 2019 | Dynamics |
---|---|---|
+ 223,952 | + 151,162 | – 32.5% |
Malicious and unwanted programs for mobile devices
In June, Doctor Web virus analysts discovered many more malicious and unwanted programs on Google Play, including the
New trojan downloaders were also detected this month, such as the
The following mobile malware event of June was the most noteworthy:
- detection of new malware on Google Play.
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Learn more with Dr.Web
19.06 New Node.js trojan threatens gamers
June 19, 2019
Yandex has submitted a rare sample of the Node.js trojan for research to Doctor Web’s virus laboratory. This malware was distributed via websites with video game cheats and has several versions and components.
When users attempt to download a cheat, a password-protected 7zip archive is downloaded to their computer. Inside is an executable file which, upon launch, downloads the requested cheats along with the other components of the trojan.
Upon launching on the victim's device, Trojan.MonsterInstall downloads and installs all the components necessary for its work, gathers information about the system it is installed on, and sends it to the developer’s server. After receiving a response, it adds itself to autorun and starts mining the TurtleCoin cryptocurrency.
Developers of this malware own several websites with game cheats, which they use to spread the malware, but they also infect other similar websites with the same trojan. According to SimilarWeb’s statistics, users browse these websites at least 127,400 times per month.
Websites owned by the malware developers:
- румайнкрафт[.]рф;
- clearcheats[.]ru;
- mmotalks[.]com;
- minecraft-chiter[.]ru;
- torrent-igri[.]com;
- worldcodes[.]ru;
- cheatfiles[.]ru.
Moreover, some cheats from the proplaying[.]ru website turned out to be infected as well.
Doctor Web’s experts recommend that users update their anti-virus in a timely manner and avoid downloading suspicious software.
We would also like to thank specialists from Yandex for providing the sample and additional information about the trojan’s points of distribution.
#JavaScript #games #mining
14.06 Doctor Web: Android users threatened by fraudulent push notifications
June 14, 2019
Web Push technology allows websites to send notifications, if the user agrees, even when the webpage is not open in the browser. On harmless websites, this feature can be useful and convenient. For example, social media can notify users of new messages, and news agencies can announce new articles. However, cybercriminals and unscrupulous advertisers can abuse this technology by spreading advertising and fraudulent notifications from hacked or malicious websites.
Browsers on PCs and laptops, as well as mobile devices, support these notifications. Typically, the victim gets to a questionable spamming website by clicking a unique link or an advertising banner.
When launched, the trojan loads a website in Google Chrome. The website is specified in the trojan settings. According to its parameters, it performs several redirects to pages of various affiliate programs. Each of them prompts the user to allow notifications. To be convincing, they tell the victim that this is done for verification purposes (for example, that the user is not a robot), or simply hint at which dialog button to click. Thus, they increase the number of successful subscriptions. See examples of such prompts in the images below:
After activating the subscription, websites start sending the user numerous notifications of questionable content. Notifications are displayed in the status bar of the operating system even if the browser is closed and the trojan has already been removed. The contents can be anything, from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various “news”.
Many of them look like real notifications of actual online services and applications installed on the device. For example, they display the logo of a bank, a dating website, a news agency, or a social network, as well as an eye-catching banner. Owners of Android devices can receive dozens of such spam messages per day.
Although these notifications also indicate the address of the website they come from, an unskilled user may fail to notice it, or not give it much thought. See below the examples of fraudulent notifications:
Having clicked a notification, the user is redirected to a website with questionable content. This may include advertising of casinos, betting shops, various Google Play applications, discounts and coupons, fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user. See examples of such websites below:
Many of these resources are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an “important” notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.
Doctor Web experts believe that cybercriminals will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious. If you are already subscribed to spam notifications, perform the following steps:
- Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
- On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.
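The two steps above are the manual route; when many devices or profiles are involved, a defender usually wants to see which origins hold a notification grant before deciding what to reset. The following is an added example, not Doctor Web’s code, that reads a constructed fragment shaped like Chrome’s per-profile `Preferences` JSON, lists the origins allowed to push notifications, reports those not on a known-good list, and produces a cleaned copy with the unwanted grants removed. The key path `profile.content_settings.exceptions.notifications`, the `"https://host:443,*"` pattern keys and the meaning of `setting` (1 allow, 2 block) are assumptions about Chrome’s on-disk format, not facts stated in the advisory:

```python
import json

ALLOW, BLOCK = 1, 2  # assumed meaning of Chrome's "setting" values for content-setting exceptions

# Constructed fragment in the shape of Chrome's "Preferences" file (an assumption, not real data).
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    "https://mail.example.com:443,*": {"setting": ALLOW, "last_modified": "13204000000000000"},
                    "https://news-spam.example:443,*": {"setting": ALLOW, "last_modified": "13205000000000000"},
                    "https://casino-push.example:443,*": {"setting": ALLOW, "last_modified": "13205100000000000"},
                    "https://blocked.example:443,*": {"setting": BLOCK, "last_modified": "13205200000000000"},
                }
            }
        }
    }
})


def _exceptions(prefs):
    """Walk down to the notifications exception map, tolerating missing keys.
    Returns the live nested dict so callers can edit it in place."""
    return (prefs.get("profile", {})
                 .get("content_settings", {})
                 .get("exceptions", {})
                 .get("notifications", {}))


def allowed_origins(preferences_json):
    """Origins currently permitted to push notifications, with the ',*' secondary pattern removed."""
    prefs = json.loads(preferences_json)
    return sorted(pattern.split(",", 1)[0]
                  for pattern, entry in _exceptions(prefs).items()
                  if entry.get("setting") == ALLOW)


def audit(preferences_json, known_good):
    """Allowed origins that are not on the known-good list: candidates for 'Clear & reset'."""
    return [origin for origin in allowed_origins(preferences_json) if origin not in known_good]


def revoke(preferences_json, origins):
    """Return a new Preferences JSON string with the given origins' notification grants removed.
    This mirrors Chrome's 'Clear & reset'; the browser must be closed before the real file is rewritten,
    otherwise Chrome overwrites the change on exit."""
    prefs = json.loads(preferences_json)
    notif = _exceptions(prefs)
    for pattern in list(notif):
        if pattern.split(",", 1)[0] in origins:
            del notif[pattern]
    return json.dumps(prefs)


if __name__ == "__main__":
    suspicious = audit(SAMPLE_PREFERENCES, {"https://mail.example.com:443"})
    print("unexpected notification grants:", suspicious)
    cleaned = revoke(SAMPLE_PREFERENCES, suspicious)
    print("remaining allowed origins:", allowed_origins(cleaned))
```

Block entries are left untouched by `revoke`, since a site the user has explicitly blocked should stay blocked; only grants are removed.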
Dr.Web for Android successfully detects and removes all known modifications of
Read more about Android.FakeApp.174

03.06 Doctor Web’s May 2019 virus activity review
June 3, 2019
In May, Dr.Web’s statistics registered a 1.49% increase in the number of unique threats compared to April; while the number of all detected threats increased by 14.51%. Malware and unwanted programs statistics show the prevalence of adware and installers. E-mail traffic is still dominated by malware that uses the vulnerabilities of Microsoft Office programs, but in May we also registered an increase in the spread of the dangerous trojan,
Principal Trends in May
- An increase in malware spreading activity
- Trojan stealers distributed via email
Threat of the month
In May, Doctor Web’s researchers warned about unique malware for the macOS operating system–
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.InstallCore.3553
- Another well-known adware installer. It shows ads and installs additional programs without the user’s permission.
- Trojan.Winlock.14244
- A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.
- Trojan.Starter.7394
- A trojan designed to launch other malicious software on a victim’s device.
Statistics for malware discovered in email traffic
Threats of the month:
- W97M.DownLoader.2938
- A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.
- Exploit.ShellCode.69
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE-2017-11882.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.
- Exploit.Rtf.435
- A malicious Microsoft Office document that uses the CVE-2017-11882 vulnerability to download the Trojan.Fbng.8 (FormBook) trojan on users’ devices.
- Trojan.PWS.Stealer.19347
- A family of trojans designed to steal passwords and other confidential information stored on an infected computer.
Increased malware activity:
- Trojan.Inject3.15480
- A trojan also known as Trojan.Fbng.8 (FormBook). It is designed to steal private data, but can also receive commands from the developer’s server.
Encryption ransomware
In May, victims of the following encryption ransomware most frequently contacted Doctor Web’s technical support service:
- Trojan.Encoder.18000 — 15.38%
- Trojan.Encoder.858 — 9.89%
- Trojan.Encoder.11464 — 5.49%
- Trojan.Encoder.25574 — 5.49%
- Trojan.Encoder.11539 — 5.27%
- Trojan.Archivelock — 5.05%
- Trojan.Encoder.567 — 1.98%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During May 2019, Doctor Web added 223,952 URLs to the Dr.Web database of non-recommended websites.
| April 2019 | May 2019 | Dynamics |
|---|---|---|
| +345,999 | +223,952 | -35.27% |
Malicious and unwanted programs for mobile devices
In May, malware developers again distributed various malicious programs through the Google Play service. Researchers at Doctor Web discovered a trojan,
The most noticeable May event related to mobile malware:
- The spread of new malware on Google Play;
Find out more about malicious and unwanted programs for mobile devices in our special overview.
03.06 May 2019 mobile malware review from Doctor Web
June 3, 2019
In the past month, Android devices were once again targeted by malicious programs distributed via Google Play. The list contained the
PRINCIPAL TREND IN MAY
- Distribution of malicious applications on Google Play
Mobile threat of the month
The malware detected in May included spyware trojans from the
After installation and launch, these malicious programs attempted to assign themselves as the default SMS manager, requesting permission from the user. If permission was granted,
Specific features of the malware:
- it was intended for Spanish-speaking users;
- it was based on the open source SMSdroid software with an added trojan function.
According to statistics collected by Dr.Web for Android
- Android.Backdoor.682.origin
- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.RemoteCode.4411
- Android.RemoteCode.197.origin
- Malicious applications designed to download and execute arbitrary code.
- Android.HiddenAds.261.origin
- Android.HiddenAds.1102
- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases covertly install them in the system catalog.
- Adware.Zeus.1
- Adware.Jiubang.2
- Adware.AdPush.33.origin
- Adware.Toofan.1.origin
- Unwanted program modules that embed themselves into Android applications and display obnoxious ads on mobile devices.
- Tool.VirtualApk.1.origin
- A riskware platform that allows applications to launch APK files without installing them.
Adware trojan
In early May, Doctor Web analysts discovered the
The malicious program did allow users to listen to music, but then hid its icon after the first launch, preventing users from launching it again.
New malicious and unwanted applications keep appearing on Google Play. Doctor Web recommends that Android device owners install Dr.Web for Android to protect themselves.
14.05 A new threat for the macOS system spreads disguised as WhatsApp
May 14, 2019
Our researchers discovered the new threat on April 29. This malware was named
When users open one of those websites, the embedded code detects the visitor’s operating system and depending on that uploads either the backdoor or a trojan. If a visitor uses macOS, their device gets infected with
According to our information, the website spreading
06.05 Doctor Web’s April 2019 virus activity review
May 6, 2019
In April, Dr.Web’s statistics showed a 39.44% decrease in the number of unique threats compared to March, while the number of all detected threats decreased by 14.96%. E-mail traffic is still dominated by malware that exploits vulnerabilities in Microsoft Office programs. The previous month’s trend in malware and unwanted programs also continues: malicious browser extensions, unwanted programs and adware account for the majority of detected threats.
The number of non-recommended websites increased by 28.04%. One such website was used for spreading a banking trojan and stealer, along with the video and sound editing software, which we reported at the beginning of the month. Additionally, Doctor Web’s researchers warned about the phishing newsletter sent from official e-mails of large international companies.
Principal trends in April
- A decline in malware spreading activity
- An increase in the number of domain names added to the Dr.Web database of non-recommended websites
Threat of the month
Doctor Web researchers warned users about a compromised, popular website that distributes video and sound editing software. Hackers hijacked download links on the website, causing visitors to download the dangerous banking trojan Win32.Bolik.2 and the Trojan.PWS.Stealer (KPOT) stealer along with the editing software. Trojans of this family are designed to perform web injections, intercept traffic, log keystrokes and steal information from different bank-client systems. Additionally, the attackers later replaced the Win32.Bolik.2 trojan with another piece of malware, Trojan.PWS.Stealer (KPOT Stealer). This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs.
According to Doctor Web’s statistics servers
Threats of the month:
- Adware.Softobase.12
- Installation adware that spreads outdated software and changes the browser’s settings.
- Adware.Ubar.13
- A torrent client designed to install unwanted programs on a user’s device.
- Trojan.Starter.7394
- Trojan designed for launching other malicious software on a victim’s device.
- Adware.Downware.19283
- The sort of adware that is usually distributed as an installer for pirated software. Upon installation, it changes a browser’s settings and may install other software without asking for the user’s permission.
Statistics for malware discovered in email traffic
- Exploit.ShellCode.69
- A modified Microsoft Office document. It exploits the CVE-2017-11882 vulnerability in order to run malicious code.
- Exploit.Rtf.CVE2012-0158
- Another malicious Microsoft Office Word document. This one uses a vulnerability called CVE2012-0158.
- JS.DownLoader.1225
- A variety of malicious code written in JavaScript and designed to download and install other malware on a computer.
- Trojan.Encoder.26375
- A malicious program from the encryption ransomware family. This trojan encrypts files and demands a ransom for data decryption.
- W97M.DownLoader.2938
- A family of downloader Trojans that exploit vulnerabilities in office applications. Designed to download other malware onto a compromised computer.
Encryption ransomware
In April, Doctor Web’s technical support was most frequently contacted by victims of the following encryption ransomware:
- Trojan.Encoder.858 — 17.95%
- Trojan.Encoder.18000 — 14.65%
- Trojan.Encoder.11464 — 7.69%
- Trojan.Archivelock — 5.49%
- Trojan.Encoder.567 — 3.85%
- Trojan.Encoder.11539 — 3.85%
- Trojan.Encoder.25574 — 2.75%
Dr.Web Security Space for Windows protects against encryption ransomware
Dangerous websites
During April 2019, Doctor Web added 345,999 URLs to the Dr.Web database of non-recommended websites.
| March 2019 | April 2019 | Dynamics |
|---|---|---|
| +270,227 | +345,999 | +28.04% |
Malicious and unwanted programs for mobile devices
In April, Doctor Web reported the dangerous trojan,
Also during April, new malware such as trojan downloaders and clickers were discovered in the Google Play catalogue, as well as new credential stealers for Instagram, called Android.PWS.Instagram.4 and Android.PWS.Instagram.5.
Additionally, new banking trojans threatened Android smartphone and tablet users. Among them were new versions of the
Among the most noticeable April events related to mobile malware were:
- the spread of malicious programs on Google Play;
- the distribution of banking trojans.
30.04 April 2019 mobile malware review from Doctor Web
April 30, 2019
In April Doctor Web reported on the
PRINCIPAL TRENDS IN APRIL
- The detection of new malicious applications on Google Play
- Distribution of banking trojans
Mobile threat of the month
In early April Doctor Web reported on a dangerous trojan,
According to statistics collected by Dr.Web for Android
- Android.Backdoor.682.origin
- A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.
- Android.HiddenAds.1102
- Android.HiddenAds.261.origin
- Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases covertly install them in the system catalog.
- Android.RemoteCode.4411
- A malicious application designed to download and execute arbitrary code.
- Android.DownLoader.812.origin
- A trojan that downloads other malicious applications.
- Adware.Zeus.1
- Adware.AdPush.33.origin
- Adware.Toofan.1.origin
- Adware.Jiubang.2
- Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.
- Tool.VirtualApk.1.origin
- A riskware platform that allows applications to launch APK files without installing them.
Banking trojans for Android
Over the past month, banking trojans threatened users of Android devices. In late April Doctor Web virus analysts detected new modifications of the
These modifications of
These trojan modifications are able to intercept and send SMS on hackers’ command, show phishing windows, make calls, and listen to the surrounding environment using the device’s built-in microphone. On top of that, they can control smartphones and tablets; for example, they can turn on Wi-Fi, connect to the Internet via a mobile network, block the screen, and so on.
In addition, new downloaders from the
Trojans on Google Play
Aside from downloaders, other trojans, such as
This malicious software opens a hidden activity containing several WebView elements. One of them loads a website from which the trojan receives commands. The other WebViews load attacker-specified JavaScript and websites on which the trojan simulates user actions: it clicks links and banner ads to drive up hit and click counters. The trojan can also subscribe mobile device owners to paid services by clicking special buttons on the pages of service providers that support the Wap-Click fast-subscription technology. To make themselves more difficult to delete, these trojans hide their icons from the operating system’s main screen.
In late April, new entries were added to the Dr.Web virus database to detect the trojans
Other threats
The
To distribute itself among a greater number of users, the trojan sent SMS with a link to the download page of its copy to all contacts of the infected device. The main goal of
Users of Android devices are threatened by different trojan applications that are distributed not only via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.