December 11, 2019

This November, Doctor Web virus analysts detected a number of new threats on Google Play. The list included new modifications to trojans of the Android.Joker family that subscribed users to premium mobile services. Cybercriminals also continued spreading the Android.HiddenAds malware family that displayed annoying ads. We also found a new version of the Android.Backdoor.735.origin backdoor, designed for cyber spying.

Mobile threat of the month

In November, Doctor Web experts detected a new modification to the Android.Backdoor.735.origin trojan, a component of the dangerous Android.Backdoor.736.origin backdoor, reported by Doctor Web in July. This malware, also known as PWNDROID1, was spreading as a utility for configuring and optimising the browser.

Android.Backdoor.735.origin executes cybercriminal commands, allowing them to control the affected Android devices, monitor their owners, as well as download and launch other malicious components.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.DownLoader.677.origin

A downloader of other malicious software.

Android.Triada.481.origin

A multi-functional trojan that performs various malicious actions.

Android.MobiDash.4006

Trojan code that displays obnoxious advertising.

Android.RemoteCode.197.origin

A malicious application that downloads and executes arbitrary code.

• Program.FakeAntiVirus.2.origin
  Detects adware that imitates anti-virus software.
• Program.RiskMarket.1.origin
  An app store that contains trojan software and recommends that users install it.
• Program.HighScore.3.origin
  An app store that invites users to install free Google Play apps by paying for them via expensive text messages.
• Program.MonitorMinor.1.origin
• Program.MobileTool.2.origin
  Spyware that monitors activities of Android users and may serve as a tool for cyber espionage.

• Tool.SilentInstaller.6.origin
• Tool.SilentInstaller.7.origin
• Tool.SilentInstaller.11.origin
• Tool.VirtualApk.1.origin
  A riskware platform that allows applications to launch APK files without installing them.
• Tool.Rooter.3
  A utility designed to obtain root privileges on Android devices. It may be used by cybercriminals and malware.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

• Adware.Dowgin.5.origin
• Adware.Toofan.1.origin
• Adware.BrowserAd.1
• Adware.Myteam.2.origin
• Adware.Altamob.1.origin

Trojans on Google Play

Last month, Doctor Web virus analysts detected a number of new modifications to trojans from the Android.Joker family. They were hidden in seemingly innocuous software, such as useful utilities that help configure mobile devices, games, messengers, wallpaper collections and camera apps. This malware subscribes users to premium mobile services, downloads and launches malicious modules, and can execute arbitrary code.

We also detected the new trojan adware, Android.HiddenAds. Cybercriminals were distributing it under the guise of games, camera apps, photo editors and other software.

To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

November 13, 2019

The second autumn month turned out to be rough for Android users. Doctor Web virus analysts detected numerous malicious applications on Google Play, such as Android.Click clicker trojans that subscribed users to premium services. The detected threats also included malicious software from the Android.Joker family. They also subscribed users to expensive services and were able to execute arbitrary code. Our experts found other trojans as well.

Mobile threat of the month

In early October, Doctor Web reported a few clicker trojans that were added to the Dr.Web virus database as Android.Click.322.origin, Android.Click.323.origin, and Android.Click.324.origin. These malicious apps covertly opened webpages where they subscribed their victims to premium mobile services. The trojans have the following unique features:

• they are embedded into harmless applications;
• they are protected by a program packer;
• they are disguised as well-known SDKs;
• they attack users from specific countries.

Our virus analysts continued detecting additional modifications to these clickers throughout the entire month, having found Android.Click.791, Android.Click.800, Android.Click.802, Android.Click.808, Android.Click.839, and Android.Click.841. Later, they detected similar malicious applications, dubbed Android.Click.329.origin, Android.Click.328.origin, and Android.Click.844. They also subscribed victims to premium services, but may have been developed by different virus writers. All these trojans were hidden in seemingly harmless applications such as camera apps, photo editors and wallpaper collections.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.472.origin

A trojan that delivers annoying advertisements.

Android.RemoteCode.5564

A malicious application that downloads and executes arbitrary code.

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.DownLoader.677.origin

A downloader of other malicious software.

Android.Triada.465.origin

A multi-functional trojan that performs various malicious actions.

• Program.FakeAntiVirus.2.origin
  Detection of adware that imitates anti-virus software.
• Program.MonitorMinor.1.origin
• Program.MobileTool.2.origin
• Program.FreeAndroidSpy.1.origin
• Program.SpyPhone.4.origin
  Spyware that monitors activities of Android users and may serve as a tool for cyber espionage.

• Tool.SilentInstaller.6.origin
• Tool.SilentInstaller.7.origin
• Tool.SilentInstaller.11.origin
• Tool.VirtualApk.1.origin
  A riskware platform that allows applications to launch APK files without installing them.
• Tool.Rooter.3
  A utility designed to obtain root privileges on Android devices. It may be used by cybercriminals and malware.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

• Adware.Patacore.253
• Adware.Myteam.2.origin
• Adware.Toofan.1.origin
• Adware.Adpush.6547
• Adware.Altamob.1.origin

Trojans on Google Play

Apart from clicker trojans, Doctor Web virus analysts revealed several versions, as well as modifications to already known malware from the Android.Joker family on Google Play. The list included Android.Joker.6, Android.Joker.7, Android.Joker.8, Android.Joker.9, Android.Joker.12, Android.Joker.18, and Android.Joker.20.origin. These trojans download and launch malicious auxiliary modules that can execute arbitrary code and subscribe users to premium mobile services. They are distributed under the guise of useful and harmless applications such as wallpaper collections, camera apps with artistic filters, various utilities, photo editors, games, online messengers and other software.

Apart from that, our experts detected another trojan adware from the Android.HiddenAds family, dubbed Android.HiddenAds.477.origin. Cybercriminals were spreading it as a video player and an application that provided information about phone calls. Upon launch, the trojan hid its icon from the Android home screen and began displaying annoying ads.

Additionally, the Dr.Web virus database was updated to detect the trojans Android.SmsSpy.10437 and Android.SmsSpy.10447. They were embedded into an image collection and a camera app. Both malicious applications hooked the contents of incoming text messages. Android.SmsSpy.10437 was also able to execute arbitrary code downloaded from the command and control server.

To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian Anti-virus for Android
• More than 140 million downloads on Google Play alone
• Free for users of Dr.Web home products

Free download

October 17, 2019

Doctor Web has detected a clicker trojan that can automatically subscribe users to paid services in the official Android app store.

Virus analysts have identified several modifications of this malicious code, dubbed Android.Click.322.origin, Android.Click.323.origin, and Android.Click.324.origin. To hide their true purpose, as well as make the trojans harder to detect, cybercriminals used several tricks. They integrated the clicker into harmless applications, such as camera apps and image collections, that did work as described. As a result, users and information security experts had no obvious reason to consider them as a threat.

Apart from that, all malware was protected by the commercial Jiagu packer, which makes it harder for antiviruses to detect them and hinders the code analysis. Thus, the trojan was more likely to avoid detection by the built-in security tools of Google Play.

Besides, virus writers tried to disguise the trojan as well-known advertising and analytics libraries. After being added to the host software, it embedded itself in the Facebook and Adjust SDKs, hiding among their components.

The clicker attacked users selectively; it did not perform any malicious actions if the potential victim was not residing in one of the attackers’ countries of interest.

See below examples of apps with this trojan:

Upon installation and launch, the clicker (hereinafter, we will take its modification Android.Click.322.origin as an example) prompts the user to give it access to notifications of the operating system:

If the user grants it the permissions, the trojan will be able to hide all notifications about incoming text messages and hook them.

Next, the clicker sends the technical data about the infected device to the command and control server and checks the serial number of the victim’s SIM card. If it corresponds to one of the target countries, Android.Click.322.origin sends information about the phone number to the server. The clicker also displays a phishing window to users of certain countries, where it offers them to enter the phone number or log in to their Google account:

If the victim’s SIM card is not registered in a country of interest, the trojan does not take any action and stops its malicious activity. The studied modifications attack residents of the following states:

• Austria
• Italy
• France
• Thailand
• Malaysia
• Germany
• Qatar
• Poland
• Greece
• Ireland

After transmitting the number, Android.Click.322.origin waits for a command from the command and control server, which sends tasks with websites to load and JavaScript code. This code controls the clicker via JavascriptInterface, displays pop-up notifications on the device, clicks on web pages, and performs other actions.

After receiving a website address, Android.Click.322.origin opens it in an invisible WebView, where it also loads the received JavaScript code with the parameters for clicking. After opening a website with a premium service, the trojan automatically clicks on the corresponding links and buttons. Then it hooks verification codes from text messages and independently confirms the subscription.

Even though the clicker is not designed to work with text messages and has no access to them, it bypasses the restriction as follows. The trojan service monitors notifications from the default application that works with text messages. When there is an incoming message, the service hides the system notification. Then it hooks the information about the received text from the notification and transmits it to the trojan broadcast receiver. As a result, the user does not see any notifications about incoming texts and does not know what is happening. They only know about the subscription when money withdraws from their account, or if they go to the message menu and see texts related to the premium service.

Doctor Web experts have contacted Google and the detected malicious applications were removed from Google Play. All known modifications of this clicker are successfully detected and removed by Dr.Web for Android and do not pose any threat to our users.

Read more about Android.Click.322.origin

#Android, #Google_Play, #clicker, #paid_subscription

Your Android needs protection.

Use Dr.Web

• The first Russian Anti-virus for Android
• More than 140 million downloads on Google Play alone
• Free for users of Dr.Web home products

Free download

October 9, 2019

In September, Android users were threatened by various malware, many of which was distributed via Google Play. Those were the Android.DownLoader downloaders, the Android.Banker and Android.HiddenAds banking and adware trojans, as well as other threats. Doctor Web experts have also discovered several new versions of potentially dangerous applications, designed to spy on users, including Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor.

Mobile threat of the month

One of the malware detected last month was the Android.Banker.352.origin banking trojan, spread under the guise of the YoBit crypto exchange official application.

When launched, Android.Banker.352.origin displayed a fake authentication window and stole the credentials entered by customers. Then, it displayed an error message claiming the service was unavailable.

The trojan hooked two-factor authentication codes from text messages, as well as access codes from emails. It also hooked and blocked notifications from instant messengers and email clients. Android.Banker.352.origin stored all the stolen data in the Firebase Database.

According to statistics collected by Dr.Web for Android

Android.RemoteCode.6122

Android.RemoteCode.5564

Malicious applications that download and execute arbitrary code.

Android.HiddenAds.455.origin

Android.HiddenAds.472.origin (new threat)

Trojans that display unwanted ads on mobile devices.

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

• Adware.Patacore.253
• Adware.Gexin.3.origin
• Adware.Zeus.1
• Adware.Altamob.1.origin

Riskware that silently launches applications without user intervention:

• Tool.SilentInstaller.6.origin

Threats on Google Play

In addition to the Android.Banker.352.origin banking trojan, September saw Doctor Web specialists detect the Android.Banker.347.origin malware on Google Play. It targeted Brazilian customers of credit service organizations. It is a modification of Android.BankBot.495.origin, Android.Banker.346.origin, and other bankers, reported by our company in earlier publications.

Attackers distributed Android.Banker.347.origin via Google Play under the guise of software that helped locate family members.

The banker used the Android Accessibility Service to steal information from text messages, such as confirmation codes and other sensitive data. Similarly to its previous modifications, it could also open phishing pages at the command of cybercriminals.

Last month, virus analysts detected several new adware trojans of the Android.HiddenAds family on Google Play, such as Android.HiddenAds.444.origin. This malware was embedded in harmless software and games. When launched, it hid its icon and started to display obnoxious advertising banners. At the command of the command and control server, it could download and try to install APK files.

Among the detected malware were trojan downloaders, such as Android.DownLoader.920.origin and Android.DownLoader.921.origin. They were spreading under the guise of games. The trojans downloaded and tried to install various software, as well as other malicious programs, at the server’s command.

In September, several modifications of the Android.Joker trojan family were found on Google Play. These malicious applications were embedded in seemingly harmless software, such as plug-ins for cameras, photo editors, image collections, various system utilities, and other software.

Trojans are able to load and run auxiliary DEX files, as well as execute arbitrary code. They can also automatically subscribe users to expensive services by loading websites with premium content and clicking the appropriate links without user’s knowledge. To confirm the subscription, they hook verification codes from text messages. The Android.Joker malware also transfers the data from victims’ contact lists to the command and control server.

Other trojans that subscribed users to expensive services were dubbed Android.Click.781 and Android.Click.325.origin. They also loaded websites to subscribe the victims to premium services. Besides, they could hook notifications of the operating system and other software at the server’s command. The cybercriminals were spreading these trojans under the guise of camera applications.

Spyware

In September, Doctor Web experts discovered several new versions of riskware, designed to spy on Android device users. The list included Program.Panspy.1.origin, Program.RealtimeSpy.1.origin, and Program.MonitorMinor. This spyware enables control of texting and phone calls, instant messaging, tracking the location of devices, and receiving other confidential information.

To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

September 9, 2019

In the last month of summer, Doctor Web virus analysts detected the clicker trojan Android.Click.312.origin on Google Play built into harmless applications. We also detected additional malicious software, including the Android.DownLoader.915.origin downloader trojan and trojan adware of the Android.HiddenAds family, distributed under the guise of useful software, as well as the Android.Banker.346.origin banker.

Mobile threat of the month

In early August, Doctor Web reported the Android.Click.312.origin trojan detected in 34 applications on Google Play. It was a malicious module that developers built into their software. A total of 101.7 million users downloaded the software with this trojan.

Android.Click.312.origin opened links via invisible WebView at the direction of the command and control server. It could also load websites in a browser and advertise applications on Google Play. Features of the trojan are as follows:

• it began operating 8 hours after startup;
• some features were implemented using reflection;
• it could subscribe users to premium mobile services using WAP-Click.

For more information on Android.Click.312.origin, refer to the news article on our website.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.455.origin

A trojan designed to display unwanted ads on mobile devices.

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.Triada.467.origin

A multi-functional trojan that performs various malicious actions.

Android.RemoteCode.197.origin

Android.RemoteCode.5564

Malicious applications designed to download and execute arbitrary code.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

• Adware.Gexin.3.origin
• Adware.Patacore.253
• Adware.Zeus.1
• Adware.Altamob.1.origin
• Adware.Myteam.2.origin (a new threat)

Threats on Google Play

Along with the Android.Click.312.origin clicker, we detected the downloader trojan Android.DownLoader.915.origin among the malware on Google Play. It spread as a VPN client. It downloaded and attempted to install applications, as well as opened Instagram, Telegram, and Google Play web pages and other services specified by attackers.

Virus analysts also identified new trojan adware of the Android.HiddenAds family; for example, Android.HiddenAds.1598 and Android.HiddenAds.467.origin. Like other malicious programs of this family, they hid the software icons where they were embedded and displayed obnoxious ads.

At the end of August, Doctor Web experts discovered another banking trojan that attacked Brazilian Android users. This malware was dubbed Android.Banker.346.origin. Like similar trojans reported by our company earlier (for example, at the end of 2018), Android.Banker.346.origin uses the Android Accessibility Service to steal information from text messages, which could contain transaction confirmation codes and other confidential data. The banker also opens phishing pages at the command of cybercriminals.

To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian Anti-virus for Android
• More than 140 million downloads on Google Play alone
• Free for users of Dr.Web home products

Free download

August 8, 2019

Clicker trojans are widespread malicious programs, designed to increase website visit rates and earn money on online traffic. They simulate user actions on web pages by clicking on links and other interactive elements. Doctor Web virus analysts have detected another such trojan on Google Play.

The trojan is a malicious module, which, according to Dr.Web classification, was dubbed Android.Click.312.origin. It is built into ordinary applications, such as dictionaries, online maps, audio players, barcode scanners, and other software. All these programs are operable and look harmless to Android users. Additionally, Android.Click.312.origin only starts its malicious activity after 8 hours after launch, so as not to raise suspicion.

Once launched, the trojan sends the following information about the infected device to the C&C server:

• manufacturer and model;
• operating system version;
• user’s country of residence and default system language;
• User-Agent ID;
• mobile carrier;
• internet connection type;
• display parameters;
• time zone;
• data on application containing trojan.

In response, the server sends the necessary settings. Some functions of the malware are using reflection, and the settings contain the names of methods and classes along with the parameters for them. They are used, for example, to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications.

Upon installation of a new application or download of an apk file by the Play Market client, the trojan sends information about this software along with some technical data about the device to the command and control server. In response, Android.Click.312.origin receives website addresses to open in an invisible WebView, as well as links to load in a browser or on Google Play.

Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content. For example, after installing applications with the built-in trojan, users complained about being automatically subscribed to expensive content provider services.

Doctor Web specialists were unable to recreate the conditions for the trojan to open such websites. However, in the case of Android.Click.312.origin, this fraudulent scheme can potentially be implemented quite simply. Since the trojan informs the command and control server about the current Internet connection type, the server can send a command to open a website of a partner service that supports the WAP-Click technology if the device is connected to the Internet via a mobile carrier. This technology simplifies the subscription to various premium services, but it is often used illegally. Our company covered this problem in 2017 and 2018. In some cases, no confirmation from the user is required to subscribe to an unnecessary service: it can be done by a script on the same page, or even the trojan than can “click” the confirmation button. Since Android.Click.312.origin opens pages in an invisible WebView, the whole procedure can be done without the victim’s knowledge.

Doctor Web virus analysts have identified 34 applications with the embedded Android.Click.312.origin. They were installed by over 51.7 million users. Additionally, the trojan’s modification, dubbed Android.Click.313.origin, was downloaded by at least 50 million people. Thus, the total number of mobile device owners threatened by this trojan, exceeded 101.7 million. See below the list of programs, where this clicker was found:

Doctor Web informed Google about this trojan, and some applications we had detected were quickly removed from Google Play. Additionally, several applications have been updated, removing the malicious component. However, at the time of this publication, most applications still contained a malicious module and remained available for download.

Virus analysts recommend that developers responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software. Dr.Web for Android successfully detects and removes applications that have the known modifications of Android.Click.312.origin embedded into them, so it poses no threat to our users.

Read more about Android.Click.312.origin

#Android, #Google_Play, #clicker

August 5, 2019

Last month Doctor Web reported the dangerous Android.Backdoor.736.origin trojan that executed malicious commands, stole confidential data and displayed fraudulent windows and messages. In July, malware analysts discovered many new adware trojans of the Android.HiddenAds family on Google Play. The Dr.Web virus database has also been updated to detect the unwanted adware Adware.HiddenAds.9.origin, as well as the spyware trojans Android.Spy.567.origin and Android.Spy.568.origin.

Mobile threat of the month

In mid-July, Doctor Web virus analysts investigated the Android.Backdoor.736.origin trojan, spreading under the guise of OpenGL Plugin software. It allegedly checked the version of the OpenGL ES interface and installed its updates.

This backdoor spied on users, sending information about their contacts, phone calls, and their device location to the attackers. It also uploaded files from devices to a remote server, as well as download and installed software. Features of Android.Backdoor.736.origin:

• the main malicious component of the trojan was hiding in an auxiliary module, encrypted and stored in the application’s resource directory;
• with root privileges, it could automatically install software;
• could execute shell commands, received from the C&C server.

For more information regarding Android.Backdoor.736.origin, refer to the news article on our website.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.1424

A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.

Android.RemoteCode.197.origin

Android.RemoteCode.5564

Android.RemoteCode.216.origin

Malicious applications designed to download and execute arbitrary code.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

Adware.Zeus.1

Adware.Gexin.3.origin

Adware.Patacore.253

Adware.Altamob.1.origin

A riskware platform that allows applications to launch APK files without installing them:

Tool.VirtualApk.1.origin

Threats on Google Play

Since the beginning of July, Doctor Web malware analysts have detected many new adware trojans of the Android.HiddenAds family on Google Play, installed by over 8.2 million users. These malware spread under the guise of harmless games and useful applications, such as camera filters, system utilities, alarm clocks, etc. After launching, the trojans hid their icons from the software list on the main screen and started displaying banners that interfered with device operation.

In addition, a new unwanted advertising module named Adware.HiddenAds.9.origin was uncovered. It was embedded into the compass software and a collection of wallpapers for the desktop. It displayed ads even when these applications were closed.

Cyberespionage

Last month, the Dr.Web virus database was also updated to detect the spyware trojans Android.Spy.567.origin and Android.Spy.568.origin. The first one transferred the data from text messages, phone calls, calendar, and phone book entries to a remote server, as well as information about files stored on the device.

The second one displayed a fraudulent message, prompting a potential victim to update a Google Play component. If the user agreed, the trojan displayed a phishing window that simulated a Google account login page.

Virus writers made a spelling mistake in the phrase “Sign in”, which could indicate a fake. If the victim did not notice this and logged into the account, Android.Spy.568.origin stole the data of the current session, and the attackers gained access to confidential information, such as calendar entries, verification codes, phone numbers, and email addresses to restore access to the account.

To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

July 12, 2019

Doctor Web has identified a new backdoor trojan on Google Play that executes cybercriminal commands, allowing the criminals to remotely control the infected Android devices and spy on users.

The malware was dubbed Android.Backdoor.736.origin. It is distributed under the guise of the OpenGL Plugin application that is supposed to check the existing version of the OpenGL ES interface and download its updates.

When launched, Android.Backdoor.736.origin requests several important system permissions that allow it to collect confidential information and work with the file system. It also tries to get permission to overlay its windows over the interfaces of other programs.

Its window contains a button to “check” for updates to the OpenGL ES interface. When a user taps the window, the trojan simulates a search for new versions of OpenGL ES, but does not actually perform any checks.

When the victim closes the application window, Android.Backdoor.736.origin removes its icon from the list on the main screen and creates a shortcut instead. This makes it harder for the user to remove the trojan, since deleting the shortcut will not effect the malware itself.

Android.Backdoor.736.origin is continuously active in the background and can be launched not only via its icon or a shortcut, but also automatically at startup and at the cybercriminals’ command via Firebase Cloud Messaging. The trojan’s basic malicious functionality is contained in an encrypted auxiliary file, stored in the directory containing the program resources. It is decrypted and loaded into memory upon each launch of Android.Backdoor.736.origin.

The backdoor communicates with several command and control servers to receive commands from the attackers and send the collected data. The cybercriminals can also control the trojan via the Firebase Cloud Messaging service. Android.Backdoor.736.origin is capable of:

• sending information on contacts from the contact list to the server;
• sending information on text messages to the server (the investigated version of the trojan did not have the permissions for this);
• sending the phone call history to the server;
• sending the device location to the server;
• downloading and launching an APK or a DEX file using the DexClassLoader class;
• sending the information on the installed software to the server;
• downloading and launching a specified executable file;
• downloading a file from the server;
• uploading a specified file to the server;
• transmitting information on files in the specified directory or a memory card to the server;
• executing a shell command;
• launching the activity specified in a command;
• downloading and installing an Android application;
• displaying a notification specified in a command;
• requesting permission specified in a command;
• sending the list of permissions granted to the trojan to the server;
• not letting the device go into sleep mode for a specified time period.

The trojan AES encrypts all data transmitted to the server. Each request is protected with a unique generated key based on the current time. The same key encrypts the server response.

Android.Backdoor.736.origin can install applications using several methods:

• automatically, if the system has root access (using a shell command);
• using a system package manager (system software only);
• displaying a standard system installation dialog where the user needs to confirm the installation.

As you can see, this backdoor is a serious threat. Not only does it act as spyware, but it can also be used for phishing because it can display windows and notifications with any content. It can also download and install any other malicious application, as well as execute arbitrary code. For example, at the command of attackers, Android.Backdoor.736.origin can download and launch an exploit to obtain root privileges. It will then no longer need the user's permission to install other programs.

Doctor Web has notified Google about the trojan; it was already removed from Google Play at the time of publication.

Android.Backdoor.736.origin and its components are successfully detected and removed by Dr.Web for Android, so they do not pose any threat to our users.

Read more about Android.Backdoor.736.origin

#Android, #backdoor, #Google_Play, #spyware

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

July 3, 2019

In mid June, Dr.Web virus analysts discovered the Android.FakeApp.174 malware on Google Play. It loaded websites where Android device users were signed up for spam notifications. Also this month, new trojans from the Android.HiddenAds family were found, intended to display ads, as well as the Android.DownLoader trojan downloaders, which downloaded other malicious applications. There were other Android threats as well.

Mobile threat of the month

On June 14, Doctor Web reported the Android.FakeApp.174 trojan that loaded questionable websites. Android device users were tricked into subscribing to notifications. If they agreed, the victims started receiving dozens of spam messages that could be mistaken for notifications from previously installed programs or the operating system.

Clicking such a message would open one of the advertised websites in the browser. Many of them were fraudulent.

Features of Android.FakeApp.174:

• it is distributed via Google Play under the guise of official software by well-known brands;
• notifications from websites, loaded by the trojan, did not stop when the trojan was removed.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.1424

A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.

Android.RemoteCode.197.origin

Android.RemoteCode.4411

Malicious applications designed to download and execute arbitrary code.

Android.Triada.3670

A multi-functional trojan that performs different malicious actions.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

Adware.Zeus.1

Adware.Jiubang.2

Adware.AdPush.33.origin

Adware.Toofan.1.origin

A riskware platform that allows applications to launch APK files without installing them:

Tool.VirtualApk.1.origin

A new threat:

Adware.Patacore.253

A representative of a family of unwanted modules that display banner advertisments on Android devices.

Threats on Google Play

Along with Android.FakeApp.174, other malicious and unwanted programs were found on Google Play, including trojans of the same family, dubbed Android.FakeApp.151 and Android.FakeApp.173. They were distributed under the guise of programs that allowed users to earn money for participating in online polls. When launched, the malware loaded fraudulent websites where potential victims were asked to answer a few questions. To receive a “reward”, they were required to pay a certain tax or commission, but they ultimately never received any money.

Virus analysts have also discovered a number of new Android.HiddenAds trojans. The attackers disguised them as useful applications, such as various games and utilities. Overall, they were installed by more than 3,380,000 users.

After installation and launch, the malware hid its icons and began displaying ads.

Another trojan found on Google Play was named Android.DownLoader.3200. It was built into the software for LETSCOM Smart Bracelet and installed by over 50,000 users.

The first versions of this application were safe; but later, in versions 1.1.0 and 1.1.4, it was updated with trojan functionality. Android.DownLoader.3200 downloaded other trojans to mobile devices.

Another downloader was named Android.DownLoader.681.origin. Like Android.DownLoader.3200, it was distributed as a safe program, an audio player in this case. Android.DownLoader.681.origin downloaded malicious applications and tried to install them.

At the end of June, the Dr.Web virus database was updated to detect the Adware.OneOceans.2.origin unwanted program module, intended to display ads. It was built into the Toy Blast: Cube Smash game, downloaded by over 100,000 users.

To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

June 14, 2019

Doctor Web experts discovered the Android.FakeApp.174 trojan that uses Google Chrome to load questionable websites that subscribe users to advertising notifications. Notifications pop up even if the browser is closed and may be mistaken for system notifications. Not only do they bother users of Android devices, but may also lead to losing money and confidential information.

The Web Push technology allows websites to send notifications even when the webpage is not open in the browser if the user agrees to that. When it comes to harmless websites, this feature can be useful and convenient. For example, social media can notify the users on new messages, and news agencies can spread information about new articles. However, cybercriminals and unscrupulous advertisers can abuse this technology by spreading advertising and fraudulent notifications that come from hacked or malicious websites.

PC, laptop browsers, as well as mobile devices support these notifications. Typically, the victim gets to a questionable spamming website by clicking a unique link or an advertising banner. Android.FakeApp.174 is one of the first trojans that helps attackers increase the number of visitors of these websites and subscribe users of smartphones and tablets to such notifications.

Android.FakeApp.174 is distributed under the guise of useful programs; for example, official software of well-known brands. In early June, Doctor Web malware analysts detected two of the trojan modifications on Google Play. After contacting Google, the malware was removed, yet over 1,100 users have already downloaded malicious apps.

When launched, the trojan loads a website in Google Chrome. The website is specified in the trojan settings. According to its parameters, it performs several redirects to pages of various affiliated programs. Each of them prompts the user to allow notifications. To be convincing, they inform the victim that it is done for verification purposes (for example, that the user is not a robot), or simply hint on which dialog button to click. Thus, they increase the number of successful subscriptions. See examples of such queries in the images below:

After activating the subscription, websites start sending the user numerous notifications of questionable content. Notifications are displayed in the status bar of the operating system even if the browser is closed and the trojan has already been removed. The contents can be anything, from false notifications about cash bonuses or transfers or new messages on social media to advertisements of horoscopes, casinos, goods and services, even various “news”.

Many of them look like real notifications of actual online services and applications installed on the device. For example, they display the logo of a bank, a dating website, a news agency, or a social network, as well as an eye-catching banner. Owners of Android devices can receive dozens of such spam messages per day.

Although these notifications also indicate the address of the website they come from, an unskilled user may fail to notice it, or not give it much thought. See below the examples of fraudulent notifications:

Having clicked a notification, the user is redirected to a website with questionable content. This may include advertising of casinos, betting shops, various Google Play applications, discounts and coupons, fake online polls and prize drawings, aggregators of partner links, and other online resources that vary depending on the country of residence of the user. See examples of such websites below:

Many of these resources are involved in well-known fraudulent schemes for stealing funds, but attackers can also launch an attack to steal confidential data at any time. For example, by sending an “important” notification via the browser on behalf of a bank or a social network. Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information.

Doctor Web experts believe that cybercriminals will make more active use of this method to promote questionable services, so mobile users should be careful while visiting websites and not subscribe to notifications if the website is unfamiliar or suspicious. If you are already subscribed to spam notifications, perform the following steps:

• Go to the Google Chrome settings, select “Site Settings” and then “Notifications”;
• On the list of websites with notifications, find the website address, tap it, and select “Clear & reset”.

Dr.Web for Android successfully detects and removes all known modifications of Android.FakeApp.174, so the trojan does not pose any threat to our users.

Read more about Android.FakeApp.174

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

June 3, 2019

In the past month, Android devices were once again targeted by malicious programs distributed via Google Play. The list contained the Android.HiddenAds adware trojans as well as the Android.SmsSpy spyware that intercepted text messages.

Mobile threat of the month

The malware detected in May included spyware trojans from the Android.SmsSpy family, Android.SmsSpy.10206 and Android.SmsSpy.10263. They were distributed via Google Play under the guise of banking software.

After installation and launch, these malicious programs attempted to assign themselves as the default SMS manager, requesting permission from the user. If permission was granted, Android.SmsSpy.10206 and Android.SmsSpy.10263 began intercepting all incoming text messages and transferring them to the attacker's server.

Specific features of the malware:

• it was intended for Spanish-speaking users;
• it was based on the open source SMSdroid software with an added trojan function.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.RemoteCode.4411

Android.RemoteCode.197.origin

Malicious applications designed to download and execute arbitrary code.

Android.HiddenAds.261.origin

Android.HiddenAds.1102

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.

Adware.Zeus.1

Adware.Jiubang.2

Adware.AdPush.33.origin

Adware.Toofan.1.origin

Unwanted program modules that embed themselves into Android applications and display obnoxious ads on mobile devices.

Tool.VirtualApk.1.origin

A riskware platform that allows applications to launch APK files without installing them.

Adware trojan

In early May, Doctor Web analysts discovered the Android.HiddenAds.1396 trojan on Google Play, which was distributed as an audio player.

The malicious program did allow users to listen to music, but then hid its icon after the first launch, preventing users from launching it again. Android.HiddenAds.1396 displayed obnoxious advertising banners that made it difficult to work with the infected mobile device.

New malicious and unwanted applications keep appearing on Google Play. Doctor Web recommends Android device owners to install Dr.Web for Android to protect themselves.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

April 30, 2019

In April Doctor Web reported on the Android.InfectionAds.1 trojan that exploited several critical Android OS vulnerabilities. These vulnerabilities allowed the trojan to infect programs, as well as install and uninstall software independently from users. In addition, virus analysts found new modifications of the banking trojan Android.Banker.180.origin designed to steal money from clients of Japanese credit organizations. Other malicious programs distributed via Google Play were detected. The downloader trojans Android.DownLoader that downloaded banking trojans on mobile devices, clickers from the Android.Click family, the stealers Android.PWS.Instagram that stole Instagram users’ logins and passwords. Aside from that, the Dr.Web virus database was updated with new entries to detect additional malware.

Mobile threat of the month

In early April Doctor Web reported on a dangerous trojan, Android.InfectionAds.1. Hackers embed it into initially benign programs and use popular third-party Android stores for its distribution. This trojan exploits critical vulnerabilities of Android OS to infect APK files (the CVE-2017-13156 vulnerability), as well as to install and uninstall programs (the CVE-2017-13315 vulnerability). Android.InfectionAds.1 also shows annoying banner ads, making it difficult to work with infected devices. See detailed information about the trojan in our virus library.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.1102

Android.HiddenAds.261.origin

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install them in the system catalog.

Android.RemoteCode.4411

A malicious application designed to download and execute arbitrary code.

Android.DownLoader.812.origin

A Trojan that downloads other malicious applications.

Adware.Zeus.1

Adware.AdPush.33.origin

Adware.Toofan.1.origin

Adware.Jiubang.2

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Tool.VirtualApk.1.origin

A riskware platform that allows applications to launch APK files without installing them.

Banking trojans for Android

Over the past month, banking trojans threatened users of Android devices. In late April Doctor Web virus analysts detected new modifications of the Android.Banker.180.origin malware. These modifications were distributed under the guise of package tracking apps (for example, an app titled “佐川急便”) targeting Japanese users. Once installed, these trojans delete their own icons and hide themselves from users.

These modifications of Android.Banker.180.origin are controlled via specially created pages in the Russian social network, Vkontakte. On such pages, the encrypted address of one of the trojan command and control servers is specified in the “Activities” field. The malware looks for this field using a regular expression, decrypts the address, and connects to the server.

These trojan modifications are able to intercept and send SMS on hackers’ command, show phishing windows, make calls, and listen to the surrounding environment using the device’s built-in microphone. On top of that, they can control smartphones and tablets; for example, they can turn on Wi-Fi, connect to the Internet via a mobile network, block the screen, and so on.

In addition, new downloaders from the Android.DownLoader family, such as Android.DownLoader.4303, downloaded Android bankers on mobile devices. They were distributed under the guise of financial applications.

Trojans on Google Play

Aside from downloaders, other trojans, such as Android.Click.303.origin and Android.Click.304.origin were detected on Google Play. They were distributed under the guise of benign applications such as games and programs for watching TV channels. Doctor Web virus analysts detected 36 of theses trojans. More than 151,000 people installed them.

This malicious software opens hidden activity with several WebView elements. A website is loaded on one of them to get commands. Hackers use other WebViews to load different JavaScript and specified websites where they simulate user actions. On these websites, they click links and banner ads to drive up hit and click counters. Hackers can also subscribe mobile device owners to paid services by clicking on special buttons if service providers support the Wap-Click technology of fast subscription. To make themselves more difficult to delete, trojans hide their icons from the operating system’s main screen.

In late April, new entries were added to the Dr.Web virus database to detect the trojans Android.PWS.Instagram.4 and Android.PWS.Instagram.5. Hackers guised them as useful programs for Instagram users, for instance, those intended to drive up the number of likes or followers, as well as to increase the account security. Once launched, trojans asked victims to enter their login and password and then sent that data to the hackers’ server.

Other threats

The Android.FakeApp.2.origin trojan was one of the malicious apps that threatened Android smartphone and tablet owners in April. It was hidden in a program that allegedly provided free 25 GB of Internet traffic to Indian users of the Jio service provider.

To distribute itself among a greater number of users, the trojan sent SMS with a link to the download page of its copy to all contacts of the infected device. The main goal of Android.FakeApp.2.origin was showing banner ads.

Users of Android devices are threatened by different trojan applications that are distributed not only via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

April 12, 2019

Doctor Web virus analysts have investigated the Android.InfectionAds.1 trojan, which exploits several vulnerabilities in the Android OS. It uses them to infect software, as well as install and uninstall applications independently from the user. Another purpose of Android.InfectionAds.1 is to display ads.

The attackers embed the trojan in initially harmless software and then distribute the modified copies via popular third-party Android stores, such as Nine Store and Apkpure. Our experts detected Android.InfectionAds.1 in games and software such as HD Camera, ORG 2018_19\Tabla Piano Guitar Robab Guitar, Euro Farming Simulator 2018, and Touch on Girls. Some of them were installed by at least several thousand mobile device owners. However, the number of infected applications and affected users may be much greater.

When a user launches a program containing a trojan, it extracts auxiliary modules from file resources to decrypt and launch them as well. One of them is designed to display obnoxious ads, while others infect applications and automatically install software.

Android.InfectionAds.1 overlays advertising banners on the system interface and running applications, making it difficult to work with the devices. In addition, if triggered by the command and control server, the trojan can modify the code of popular advertising platforms, such as Admob, Facebook, and Mopub, which are used in many programs and games. It replaces their advertising identifiers with its own identifier so that all profits from displaying advertisements in infected applications are transferred to the attackers.

Android.InfectionAds.1 exploits the critical vulnerability CVE-2017-13315 in Android, which allows the trojan to launch system activities. As a result, it can automatically install and uninstall programs without a user’s knowledge. The trojan is based on the PoC code (Proof of Concept) by Chinese researchers, written to prove the possibility of exploiting this system breach.

CVE-2017-13315 falls under the EvilParcel class of vulnerabilities. This means that a number of system components contain an error that allows for alteration of data during the exchange between applications and the operating system. The final value of the specifically generated fragment of the transmitted data will differ from the initial one. Thus, programs are able to bypass operating system checks, obtain higher privileges, and perform previously unavailable actions. As of now, we know of 7 vulnerabilities of this type, but the number may increase over time.

Using EvilParcel, Android.InfectionAds.1 installs the hidden APK file that contains all components of the trojan. Similarly, Android.InfectionAds.1 is able to install its own updates, downloaded from the command and control server, as well as other software or malware. For example, during our analysis, the trojan downloaded and installed the malware Android.InfectionAds.4, one of its own modifications.

An example of how the trojan installs applications without the user’s permission:

Along with EvilParcel, the trojan also exploits another Android vulnerability known as Janus (CVE-2017-13156). This system breach can be used to infect previously installed applications by embedding the trojan’s copy within them. Android.InfectionAds.1 connects to the command and control server and obtains a list of programs that it needs to infect. If it fails to connect to the remote server, it will infect applications specified in the initial settings. Depending on the modification, the list may contain different items. See below an example from one of the versions of Android.InfectionAds.1 we have investigated:

• com.whatsapp (WhatsApp Messenger);
• com.lenovo.anyshare.gps (SHAREit - Transfer & Share);
• com.mxtech.videoplayer.ad (MX Player);
• com.jio.jioplay.tv (JioTV - Live TV & Catch-Up);
• com.jio.media.jiobeats (JioSaavn Music & Radio – including JioMusic);
• com.jiochat.jiochatapp (JioChat: HD Video Call);
• com.jio.join (Jio4GVoice);
• com.good.gamecollection;
• com.opera.mini.native (Opera Mini - fast web browser);
• in.startv.hotstar (Hotstar);
• com.meitu.beautyplusme (PlusMe Camera - Previously BeautyPlus Me);
• com.domobile.applock (AppLock);
• com.touchtype.swiftkey (SwiftKey Keyboard);
• com.flipkart.android (Flipkart Online Shopping App);
• cn.xender (Share Music & Transfer Files – Xender);
• com.eterno (Dailyhunt (Newshunt) - Latest News, LIVE Cricket);
• com.truecaller (Truecaller: Caller ID, spam blocking & call record);
• com.ludo.king (Ludo King™).

To infect software, the trojan embeds its components in APK files without changing the digital signature. Then it installs the modified versions of the apps instead of the originals. Since the vulnerability helps the digital signature of the infected files remain the same, the programs are installed as their own updates. At the same time, EvilParcel helps perform the installation independently from the user. As a result, the affected software continues its normal operations, but with a functioning copy of Android.InfectionAds.1 within it. Once apps are infected, the trojan gets access to their data. For example, if WhatsApp is infected, the trojan gets access to all users’ messages, if a browser is infected, saved logins and passwords are available to the trojan.

The only way to remove the trojan and restore the security of the infected programs is to remove the applications containing it and reinstall their normal versions from reliable sources, such as Google Play. The updated version of Dr.Web Security Space for Android is able to detect EvilParcel vulnerabilities. This feature is available in Security Auditor. You can download a new distribution package from the Doctor Web official website. Soon it will be available on Google Play as well. All Dr. Web products for Android successfully detect and remove known modifications of Android.InfectionAds.1, so the trojan does not pose any threat to our users.

[Read more about Android.InfectionAds.1]

[More about EvilParcel]

[More about Janus]

#Android, #trojan, #malware

April 3, 2019

In March, Doctor Web reported a vulnerability in the mobile app, UC Browser, which can download new modules from third-party server. Cybercriminals could use this feature to infect Android smartphones and tablets. Additionally, malware analysts shared information about the Flexnet trojan that stole money from bank cards and mobile credit accounts. During March, other malicious applications were detected on Google Play.

Mobile threat of the month

At the end of March, Doctor Web reported a vulnerability in the UC Browser app for Android, discovered by our malware analysts. This program downloaded additional plugins, bypassing Google Play servers and thus violating Google’s policies. Cybercriminals could interfere with the download and make the browser download and launch malicious files instead. Over 500,000,000 mobile users have been exposed to threats. See the details of this vulnerability in our virus library.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

Android.Backdoor.2080

Trojans that execute commands from attackers and allow them to control infected mobile devices.

Android.RemoteCode.197.origin

Malicious application designed to download and execute arbitrary code.

Android.HiddenAds.659

Android.HiddenAds.261.origin

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases covertly install them in the system catalog.

Adware.Zeus.1

Adware.Jiubang.2

Adware.Toofan.1.origin

Adware.Gexin.3.origin

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Tool.VirtualApk.1.origin

A potentially dangerous software platform that allows applications to run APK files without installing them.

Banking trojans for Android

Cybercriminals continue to distribute banking trojans based on the source code of the Android.ZBot malware. One of them is the Flexnet trojan. It steals money from bank cards and can also transfer money from victims' mobile credit accounts to pay for various services. For example, it can help cybercriminals top up the balance of gaming accounts, pay for hosting services, and pay for their own mobile plans. Read more about the Flexnet banking trojan in the news article on our website.

Threats on Google Play

In March, we found more malicious programs on Google Play, including the trojans Android.FakeApp.152 and Android.FakeApp.162, which loaded fraudulent websites. Those websites invite users to take polls for payment in return. To receive money, potential victims are required to make some kind of a verification payment; but in fact, users only transfer the funds to fraudsters and do not receive any reward.

In addition, our malware analysts identified more trojans of the Android.HiddenAds family, including Android.HiddenAds.1133, Android.HiddenAds.1134, Android.HiddenAds.1052, and Android.HiddenAds.379.origin. Our company already reported similar malware in February. These trojans are distributed under the guise of useful applications, such as photo and video editors, camera filters, flashlights, sports software, etc.

After installation and launch, they hide their icons and begin constantly overlaying ads over program windows and the operating system interface, making it difficult to work with the Android devices.

Users of Android devices are threatened by trojans not only distributed via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.

March 26, 2019

Doctor Web malware analysts have detected a hidden ability within the popular UC Browser to download and run questionable code on mobile devices. The application is capable of downloading auxiliary software modules, bypassing Google Play servers. This violates Google Inc.’s rules and poses a serious threat because it enables any code, including malicious ones, to be downloaded to Android devices.

As of now, UC Browser has been downloaded by over 500,000,000 Google Play users. Anyone who has installed this software may be in danger. Doctor Web has detected its hidden ability to download auxiliary components from the Internet. The browser receives commands from the command and control server and downloads new libraries and modules, which add new features and can be used to update the software.

For example, during our analysis, UC Browser downloaded an executable Linux library from a remote server. The library was not malicious; it is designed to work with MS Office documents and PDF files. Initially, this library was not in the browser. After downloading, the program saved the library to its directory and launched it for execution. Thus, the application is actually able to receive and execute code, bypassing the Google Play servers. This violates Google’s rules for software distributed in its app store. The current policy states that applications downloaded from Google Play cannot change their own code or download any software components from third-party sources. These rules were applied to prevent the distribution of modular trojans that download and launch malicious plug-ins. Such trojans include Android.RemoteCode.127.origin and Android.RemoteCode.152.origin reported by our company in January and April 2018.

A potentially dangerous updating feature has been present in the UC Browser since at least 2016. Although the application has not been seen distributing trojans or unwanted software, its ability to load and launch new and unverified modules poses a potential threat. It’s impossible to be sure that cybercriminals will never get ahold of the browser developer’s servers or use the update feature to infect hundreds of millions of Android devices.

The vulnerable feature of UC Browser can be used to perform man-in-the-middle attacks (MITM). To download new plug-ins, the browser sends a request to the command and control server and receives a link to file in response. Since the program communicates with the server over an unsecured channel (the HTTP protocol instead of the encrypted HTTPS), cybercriminals can hook the requests from the application. They can replace the commands with ones containing different addresses. This makes the browser download new modules from malicious server instead of its own command and control server. Since UC Browser works with unsigned plug-ins, it will launch malicious modules without any verification.

See below an example of such an attack, modeled by our virus analysts. The video shows a potential victim who downloads a PDF document via UC Browser and tries to view it. To open the file, the browser tries to download the corresponding plug-in from the command and control server. However, due to the MITM substitution, the browser downloads and launches a different library. This library then creates a text message that says, “PWNED!”.

Thus, MITM attacks can help cybercriminals use UC Browser to spread malicious plug-ins that perform a wide variety of actions. For example, they can display phishing messages to steal usernames, passwords, bank card details, and other personal data. Additionally, trojan modules will be able to access protected browser files and steal passwords stored in the program directory.

Read more about this vulnerability here.

The browser’s “younger brother”, the UC Browser Mini application, can also download untested components, bypassing Google Play servers. It has been equipped with this feature since at least December 2017. So far, over 100,000,000 Google Play users have downloaded the program, putting them all at risk. However, the above MITM attack will not work with UC Browser Mini, unlike UC Browser.

Upon detecting a dangerous feature in UC Browser and UC Browser Mini, Doctor Web specialists contacted the developer of both browsers, but they refused to comment on the matter. So our malware analysts then reported the case to Google, but as of the publication date of this article, both browsers are still available and can download new components, bypassing Google Play servers. Owners of Android devices should independently decide whether to continue using these programs or remove them and wait until they are updated to fix potential vulnerabilities.

Meanwhile, Doctor Web continues monitoring the situation.

March 21, 2019

Doctor Web reports on the Flexnet banking Trojan that targets users of Android devices. This malware not only steals money from bank cards, but also from mobile phone accounts. The attackers use it to pay for online games, web hosting, and other services.

Flexnet is based on the GM Bot Trojan, researched by Doctor Web malware analysts back in February 2015. The malicious app’s source code was published in 2016. Soon, the first versions of Flexnet were created thanks to everything achieved by GM Bot’s authors. Attacks against Android mobile devices using this Trojan continue happening to this day.

The cybercriminals distribute Flexnet Trojans via spam texting. In the messages, the potential victims are encouraged to follow the link and download some program or game. The Trojan disguises itself as applications such as Drug Vokrug (a dating and chatting app), GTA V, tools for Instagram and VKontakte account promotion, as well as other software.

Fig. 1. Example of software icons used by the Trojan.

When launched, the Trojan requests admin privileges, displaying a standard dialog box. If the victim grants the permissions, the Trojan falsely reports an error and removes its icon from the home screen to hide from the user so as not to be removed.

Fig. 2-3. An attempt to request admin privileges and a false error message.

Compared with modern Android bankers, Flexnet’s capabilities are quite limited. The Trojan is capable of hooking and sending text messages, as well as performing USSD requests. However, these functions are enough to steal money using various fraudulent means.

One of them is topping up the in-game accounts of popular computer games via SMS. First, the Trojan checks a user's bank card balance by sending an SMS request to the mobile banking service system. Then it hooks the response message with the account balance and transmits this information to cybercriminals. Next, the attackers request to top up the gaming account, indicating the victim’s phone number and the amount to transfer. The user then receives a text message with a verification code. The Trojan intercepts this message, transfers its contents to the cybercriminals, and finally they give the Trojan a command to send the verification code to confirm the transaction.

See below the example of money theft using this method:

Fig. 4. Top-up of Wargaming accounts. The Trojan hooks the messages from a bank’s billing system and, at the command of cybercriminals, sends a reply with a payment confirmation code to transfer RUB 2,475.

Other fraudulent schemes are implemented in a similar way. For example, the cybercriminals can pay for hosting using money from their victims’ mobile credit. To do this, the Trojan sends text messages with the necessary parameters to certain phone numbers. See below the example of such payment.

Fig. 5. Trojan texting the transfer amount (RUB 299 and RUB 1,000) and account names on the jino.ru hosting service to top up the balance of cybercriminals.

The attackers can steal money even if the victim does not have enough on the balance. They use the credit options provided by mobile carriers. As in other cases, the cybercriminals instruct the Trojan to send a text with the necessary parameters. Owners of the infected devices are oblivious to the money loss because the banker hides all suspicious messages.

Fig. 6. The fraudsters attempt to pay for the My.com service, but the amount on the victim’s mobile credit is not enough to do it. They command the Trojan to use the credit option and successfully perform the transfer. Thus, the device owner is left with a phone debt.

Additionally, the Trojan can transfer money from victims’ bank cards to cybercriminals’ accounts. However, financial institutions use specific algorithms to track suspicious transactions, so the probability of them being blocked is very high, while the above schemes allow the fraudsters to steal relatively small amounts for a long time and go unnoticed.

Another feature of Flexnet involves stealing confidential data. The cybercriminals can get ahold of accounts on social media, online stores, the websites of mobile carriers, and other online services. Knowing the victim’s mobile phone number, the cybercriminals try to log into their account. The service sends a text with a one-time verification code, which the Trojan hooks and sends to the attackers.

Fig. 7. Texts with one-time access codes of various services, hooked by the Trojan.

If the number used on the infected device is not registered with the target services, the cybercriminals can use it to register a new account. In the future, those compromised and newly created accounts can enter the black market and then be used to send spam and arrange phishing attacks.

With the assistance of the REG.ru registrar, several Flexnet command and control servers were blocked, and the cybercriminals no longer control some of the infected devices.

Doctor Web reminds owners of Android smartphones and tablets that software and games should only be installed from reliable sources such as Google Play. You are strongly advised to pay attention to the reviews of other users and use software from trusted developers.

Dr. Web for Android detects all known modifications of the Flexnet Trojan as parts of the Android.ZBot family and successfully removes them from infected devices. This malware poses no threat to our users.

#Android, #banking_Trojan, #two_factor_authentication

March 1, 2019

The last winter month of 2019 was not a quiet time for users of Android devices. In mid-February, Doctor Web specialists found about 40 Trojans of the Android.HiddenAds family on Google Play. The cybercriminals distributed them via advertisements in popular social media and online services. In addition, owners of Android-based smartphones and tablets were targeted by the Trojans Android.FakeApp, used in fraudulent schemes, Trojan downloaders, and other malicious and unwanted applications.

Mobile threat of the month

Last month, Doctor Web’s malware analysts revealed 39 Trojans of the Android.HiddenAds family on Google Play. The attackers actively advertised the Trojans on popular online services with audiences of millions, such as YouTube and WhatsApp. Cybercriminals were offering powerful photo and video editing programs; but in fact, smartphone and tablet owners installed Trojans with a small set of functions. Some 10,000,000 users fell victim to the attackers.

The Trojans were constantly displaying ads, overlaying the interface of other programs and even the operating system. As a result, infected devices became very inconvenient to work with.

For more information about these malicious applications read the news article on our website.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

Android.Backdoor.2080

Trojans that execute the commands of attackers and allow them to control infected mobile devices.

Android.RemoteCode.197.origin

A malicious application designed to download and execute arbitrary code.

Android.HiddenAds.261.origin

Android.HiddenAds.659

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs, which in some cases, covertly install them in the system catalog.

Adware.Zeus.1

Adware.Patacore.1.origin

Adware.Patacore.168

Adware.Jiubang.2

Android.Toofan.1.origin

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Threats on Google Play

Apart from the Android.HiddenAds Trojans, other malware was found on Google Play as well, including new Trojans of the Android.FakeApp family, such as Android.FakeApp.155, Android.FakeApp.154, and Android.FakeApp.158. Cybercriminals were using them for fraud. Users were invited to install applications to take part in online polls for a large sum of cash in return. The Trojans loaded websites with those “polls” where potential victims, after answering a few simple questions, were asked to make a verification payment, supposedly needed to transfer funds to the participant. If users agreed to pay, they did not receive any reward in return.

Android users were also targeted by the Trojan Android.RemoteCode.2958, which downloaded other malware. It was distributed under the guise of benign games and applications and downloaded arbitrary code from the Internet.

Another Trojan, dubbed Android.Proxy.4, used the infected devices as proxy servers to redirect the network traffic of cybercriminals. Like other malware, it was hidden in seemingly innocuous and useful applications.

In addition, the Dr.Web virus database was updated with an entry for applications with the built-in unwanted Adware.Sharf.2 module. It was displaying ads that overlayed software windows and system interface. Doctor Web malware analysts found Adware.Sharf.2 in various programs such as a voice recorder, a GPS compass, and a QR code scanner.

Several games turned out to contain other unwanted advertising modules, dubbed Adware.Patacore.2 and Adware.Patacore.168 by Dr.Web classification. They also displayed obnoxious banners.

We continue detecting more and more malicious and unwanted applications on Google Play, so owners of mobile devices running Android are advised to only install programs from well-known and trusted developers. In all cases, pay attention to the reviews of other users. To protect smartphones and tablets, we recommend you install Dr.Web for Android.

February 19, 2019

Doctor Web's experts detect more and more Trojans of the Android.HiddenAds family, displaying obnoxious ads, on Google Play. Since the beginning of February, about 40 new modifications of such malicious apps have been found and downloaded by some 10,000,000 users. Some of these Trojans have been spread via Instagram and YouTube. Thanks to advertising in popular social media and online services with a huge audience, the number of potential victims who can install dangerous software is significantly increasing.

During February, malware analysts revealed 39 new modifications of the Android.HiddenAds Trojan family on Google Play. They were hidden in useful and seemingly safe programs: photography applications, image and video editors, collections of desktop wallpapers, system utilities, games, and other software. Overall, they were installed by at least 9,940,305 users. Doctor Web has notified Google of the detected Trojans, but as of the publishing date of this news, some of them were still available for downloading.

The main function of Android.HiddenAds malware is to display ads. They constantly show windows with banners and video ads that overlap other programs and the system interface, making it difficult to work with infected devices. See below an example of such an ad:

Since Trojans display banners almost continuously, cybercriminals quickly cover their expenses for promoting their software via popular online services.

To stay on smartphones and tablets for as long as possible, the Android.HiddenAds Trojans hide their icons from the list of applications on the home screen. After that, they can no longer be launched manually and also become harder to find and remove. Besides, over time, some users may forget which programs they have installed, and it also helps the Trojans ‘survive’.

Almost all malware of the Android.HiddenAds family detected in February hide their icons, too, but also create shortcuts instead. Most likely, the Trojan makers tried to divert suspicion, reducing the risk of removal for their software. Unlike icons on the home screen, shortcuts do not allow you to remove applications from the context menu. So if an inexperienced user suspects something and tries to remove the Trojan by deleting its icon, only a shortcut will be removed, while the Trojan will remain on the device and continue to work covertly and bring money to the attackers.

Android users installed many of these malicious applications after viewing ads on Instagram and YouTube, where the cybercriminals promised functional and powerful photo and video processing tools. At first glance, the Trojans match the description and do not arouse suspicion among potential victims. However, apart from one or several basic functions, they contain nothing of what was declared. Here is what users complain about in the reviews:

An active promotional campaign set up by the cybercriminals attracts a large number of mobile device users and increases the number of downloads. Some of these Trojans even get featured in Google Play sections promoting new products and applications gaining popularity, which also increases the number of users that download the malware.

Information about all Trojans that our experts have found as of the publication date of this material is in the summary spreadsheet. However, since cybercriminals constantly create new Android.HiddenAds malware and actively advertise it, other modifications may soon be detected.

Users are advised to perform a full scan of mobile devices with Dr.Web for Android and remove the Trojans that are detected.

Users of smartphones and tablets should be wary of ads on the Internet and avoid downloading all advertised software, even if it is distributed via Google Play. Only install applications from trusted developers and pay attention to the reviews from other users.

#Android, #fraud, #Google_Play, #Trojan

February 1, 2019

In the past month, Android devices were targeted with a lot of malware. In early January, Doctor Web’s virus analysts investigated the Trojan Android.Spy.525.origin, designed for cyberspying. Later, several adware Trojans were discovered and dubbed Android.HiddenAds.361.origin and Android.HiddenAds.356.origin. In January our specialists also detected several new clickers from the Android.Click family, posing as official bookmaker applications. In addition, cybercriminals distributed downloader Trojans of the Android.DownLoader family, which downloaded Android bankers to smartphones and tablets.

Mobile threat of the month

In early January, the Dr.Web virus database was updated to detect the spyware Android.Spy.525.origin. It was distributed on Google Play under the guise of useful applications, as well as via a malicious website that redirected the potential victims to MediaFire, a popular file sharing resource that stored a copy of the Trojan.

Upon command from its command and control server, Android.Spy.525.origin could track the location of an infected smartphone or tablet, steal text message history, obtain information about phone calls, data from the phone book, files stored on the device, as well as display phishing windows.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A Trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.RemoteCode.197.origin

A malicious application designed to download and execute arbitrary code.

Android.HiddenAds.261.origin

Android.HiddenAds.659

Trojans designed to display intrusive advertisements. They are distributed as popular applications by other malicious programs; which in some cases, covertly install themselves in the system catalog.

Android.Mobifun.4

A Trojan that downloads various applications.

Adware.Zeus.1

Adware.AdPush.29.origin

Adware.Patacore.1.origin

Adware.Patacore.168

Adware.Jiubang.2

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Threats on Google Play

Apart from Android.Spy.525.origin, other threats were discovered on Google Play in January. At the beginning of the month, the Dr.Web virus database was updated to detect the Trojans Android.HiddenAds.361.origin and Android.HiddenAds.356.origin. These malicious programs were modifications of Android.HiddenAds.343.origin, which we reported in the review as of December 2018. Android.HiddenAds.361.origin and Android.HiddenAds.356.origin were distributed under the guise of useful programs. When launched, they hid their icons and started displaying ads.

In addition, our malware analysts investigated a variety of downloaders. Cybercriminals presented them as useful programs, such as currency converters, official banking applications, and other software. These Trojans were dubbed Android.DownLoader.4063, Android.DownLoader.855.origin, Android.DownLoader.857.origin, Android.DownLoader.4102, and Android.DownLoader.4107. They downloaded and attempted to install Android bankers on mobile devices to steal confidential information and money from users’ accounts in financial institutions.

One of those banking Trojans was Android.BankBot.509.origin, a modification of Android.BankBot.495.origin, already reported by our company in December 2018. This banker used the Accessibility Service to covertly manage installed applications by pressing buttons and menu items. Another Trojan, dubbed Android.BankBot.508.origin, displayed phishing windows and attempted to steal users’ credentials and other personal information. It also hooked text messages with confirmation codes for transactions.

In late January, Doctor Web’s experts discovered new clicker Trojans from the family Android.Click, including Android.Click.651, Android.Click.664, Android.Click.665, and Android.Click.670. The cybercriminals distributed them under the guise of official applications of bookmaker companies. These malicious apps could load any websites at the command of the command and control server, which is a serious threat.

The Doctor Web specialists continue monitoring the situation with mobile viruses and promptly update the Dr.Web virus database to detect and remove malicious and unwanted programs. Thus, smartphones and tablets with Dr.Web for Android are safe and secure.

December 28, 2018

In the past year, Android mobile device owners were again targeted by many malicious and unwanted programs, many of which were distributed via Google Play. At the same time, the tendency noted in 2017 to use various means for disguising and hiding Trojans to make them harder to detect has noticeably increased.

One of the main threats to mobile device users over the past 12 months were Android bankers, attacking financial institution customers around the world. Malware that could download and run arbitrary code from the Internet posed a serious threat as well.

Virus writers were actively distributing Trojans to implement fraudulent schemes, as well as using other malicious apps to obtain illegal income. In addition, cybercriminals tried to launch mobile cryptocurrency mining and even used Trojan clippers to change the numbers of electronic wallets in the clipboard of Android devices.

The mobile firmware infection issue at the production stage remains relevant. In spring, Doctor Web virus analysts uncovered a Trojan embedded in the image of the Android operating system. More than 40 mobile device models were compromised.

Users were also threatened with malicious spyware throughout the year.

Most remarkable events

At the beginning of the year, information security specialists detected the spread of the Android.CoinMine.15 Trojan miner infecting smart TVs, routers, streaming boxes, and other Android devices. It infected the equipment using the Android Device Bridge debugger. To do this, Android.CoinMine.15 generated random IP addresses and tried to connect to open port 5555. If the connection was successful, the Trojan installed its copy on the accessible device along with auxiliary files, including mining software for Monero (XMR).

In March, Doctor Web reported a new case of detecting the Android.Triada.231 Trojan in the firmware of more than 40 Android smartphone and tablet models. Unidentified attackers have embedded Android.Triada.231 in one of the system libraries at the source code level, while other representatives of the Android.Triada family are usually distributed as separate applications. The Trojan embeds itself in the Zygote system process that launches programs. As a result, Android.Triada.231 infects other processes and can covertly perform malicious actions. For example, it can download, install, and remove software against the user’s will. More details on this case, investigated by Doctor Web experts, are available in this article.

Attackers are increasingly using a variety of methods to prevent the detection of malicious and unwanted programs. In 2018, this trend continued. A popular way to reduce malware visibility is to use loaders. They can help keep Trojans and other dangerous software out of antivirus software’s reach for a longer time and cause less suspicion among potential victims. Using such loaders, cybercriminals can distribute various malware such as Trojan spyware.

In April, the Android.DownLoader.3557 loader was found on Google Play. It downloaded onto devices and prompted users to install the malicious software Android.Spy.443.origin and Android.Spy.444.origin under the guise of important plugins. They tracked the location of an infected smartphone or tablet, received information about all available files, could send victim’s documents to attackers, send and intercept SMS messages, steal data from the contact list, record video, listen to the environment using the built-in microphone of the device, as well as intercept phone calls and perform other actions.

In August, we detected the Android.DownLoader.784.origin loader on Google Play. It downloaded Trojan spyware onto the device which was dubbed Android.Spy.409.origin. Virus writers distributed Android.DownLoader.784.origin under the guise of the Zee Player application, which allowed users to hide photos and videos stored in the memory of mobile devices. The program was fully operational, so the attackers’ victims had no reason to suspect anything bad.

However, Trojan downloaders are increasingly used to distribute Android bankers. In July, Android.DownLoader.753.origin was found on Google Play where it was disguised as financial applications. Some of them were actually functional to appear more trustworthy. Android.DownLoader.753.origin downloaded and tried to install various banking Trojans that stole confidential data.

Later, several similar malicious programs were detected on Google Play. One of them was given the name Android.DownLoader.768.origin. Cybercriminals distributed it under the guise of the official Shell software. Another addition to the Dr.Web virus database was Android.DownLoader.772.origin, which was disguised as a useful utility. Both Trojans were also used to download and install Android bankers.

Loaders are used to infect mobile devices with other malware. In October, virus analysts detected the Trojan Android.DownLoader.818.origin, distributed under the guise of a VPN client via Google Play. Later, Doctor Web experts uncovered several modifications hidden in fake games. They were named Android.DownLoader.819.origin and Android.DownLoader.828.origin. They were intended to install adware Trojans.

Multi-component malicious applications are becoming increasingly common. Each of the modules performs certain functions, which allows attackers, if necessary, to expand the Trojans’ capabilities. This operation principle helps hinder threat detection. Virus writers can quickly update these plugins and add new ones, leaving the Trojan body with a minimum set of functions and making it less noticeable.

Doctor Web experts discovered this combination in February and dubbed it Android.RemoteCode.127.origin. The Trojan, installed by over 4,500,000 users, covertly downloaded and launched malicious modules that performed various activities. One of the Android.RemoteCode.127.origin plugins updated itself with a patch, hidden in a seemingly normal image. This method of hiding malicious objects is known as steganography. Information security specialists have been aware of it for a long time, but it has rarely been used by virus writers.

After decryption and launch, the module downloaded another image with another hidden plugin, which loaded and launched the Android.Click.221.origin. It then opened websites in the background and clicked on elements, i.e. links and banners, to increase hit counters and earn money for clicks.

Examples of images with encrypted modules of Android.RemoteCode.127.origin:

For more information regarding this Trojan, refer to the news article on our website.

Android.RemoteCode.152.origin is another multi-component Trojan capable of loading and executing arbitrary code. It was installed by more than 6,500,000 users. This malicious program covertly downloaded and launched auxiliary modules, including advertising plugins. The Trojan used them to create invisible ad banners and clicked on them, earning profits for virus writers.

In August, Doctor Web analysts investigated the Trojan clipper Android.Clipper.1.origin and its modification Android.Clipper.2.origin. This malicious program substituted the e-wallet numbers of Yandex.Money, Qiwi and Webmoney (R and Z), as well as Bitcoin, Litecoin, Etherium, Monero, zCash, DOGE, DASH, and Blackcoin cryptocurrency in the clipboard. Virus writers distributed the Trojan under the guise of well-known and harmless applications.

When copying the e-wallet number to clipboard, Android.Clipper.1.origin hooked it and transferred it to the command and control server. In response, the malware received the number of the attackers’ e-wallet, and the Trojan set it to replace the one in the clipboard. As a result, if the user did not notice the substitution, they would transfer money to the cybercriminals’ account. See detailed information about Android.Clipper.1.origin in the news article on the Doctor Web website.

Mobile malware landscape

According to Dr.Web’s detection statistics for Android products in 2018, Android devices were most often targeted by adware Trojans, malware that downloaded malicious and unwanted software, as well as Trojans that executed cybercriminal commands.

Android.Backdoor.682.origin

Trojan that executes cybercriminal commands to launch malicious activities.

Android.Mobifun.4

Representatives of a Trojan family designed to display unwanted ads.

Android.HiddenAds

Representatives of a Trojan family designed to display unwanted ads.

Android.DownLoader.573.origin

Malware that downloads applications indicated by virus writers.

Android.Packed.15893

Detects Trojans protected by a program packer.

Android.Xiny.197

Trojan primarily intended for downloading and removing applications.

Android.Altamob.1.origin

Malware that downloads applications indicated by virus writers.

Among the unwanted and potentially dangerous applications found on Android devices during the year, ad-displaying modules were the most common. Applications for downloading and installing various software were also detected on smartphones and tablets.

Adware.Zeus.1

Adware.Altamob.1.origin

Adware.Jiubang

Adware.Adtiming.1.origin

Adware.Adpush.601

Adware.SalmonAds.3.origin

Adware.Gexin.2.origin

They were unwanted modules that software developers and virus writers had injected into applications to display aggressive advertising.

Tool.SilentInstaller.1.origin

Tool.SilentInstaller.6.origin

Potentially dangerous programs designed to download and install other applications.

Banking Trojans

Banking Trojans are still a serious threat to mobile device owners. These malicious applications steal credentials to access the accounts of customers of financial institutions, bank card details, and other confidential data that can be used to steal money. Over the past 12 months, Dr.Web for Android detected over 110,000 of these Trojans on smartphones and tablets. The dynamics for Android banker detection is shown in the following graph:

When authors of the banking Trojan Android.BankBot.149.origin published its source code at the end of 2016, Doctor Web experts predicted the emergence of a variety of similar malware. This assumption turned out to be true: virus writers actively started producing similar bankers, also improving them and adding new functions. One of these Trojans, distributed in 2018, was Android.BankBot.250.origin, as well as its new and even more dangerous version Android.BankBot.325.origin. This banker, known as Anubis, is a multifunctional malicious application. It not only steals confidential data and money of users, but also is capable of executing numerous commands. It can help cybercriminals access infected devices using Android.BankBot.325.origin as a remote administration utility. The detailed study of this Trojan can be found in the article on our website.

In March, Doctor Web experts detected the Android.BankBot.344.origin Trojan hiding in an application named “VSEBANKI – Vse banki v odnom meste” (ALLBANKS – all banks in one place) on Google Play. The attackers claimed it was a universal application for online banking systems of several Russian financial institutions.

When launched, Android.BankBot.344.origin prompted the potential victim to enter an already existing bank account, specifying the credentials, or register by providing bank card details. The information was then transferred to the attackers so they could steal money from the compromised account.

In autumn, virus analysts investigated the banker Android.Banker.2876, which was also distributed on Google Play and attacked the customers of financial institutions in Spain, France, and Germany. It displayed a phishing window and prompted the potential victim to enter their phone number, which was then transferred to virus writers. After that, Android.Banker.2876 started to hook SMS messages and send the contents to attackers. Thus, they could receive transaction confirmation codes and steal users' money.

Later, our experts uncovered Android.BankBot.495.origin intended for Brazilian users on Google Play. Android.BankBot.495.origin took advantage of the accessibility features on Android to read the contents of windows on running applications, transfer confidential data to attackers, and also independently press buttons and control the compromised programs. The Trojan could also display fraudulent windows that prompted users to enter their credentials, credit card details, and other confidential information.

Fraud

Cybercriminals are increasingly using malware for mobile Android devices for fraudulent campaigns. In 2018, we detected many of these Trojans. One of them is Android.Click.245.origin, which was described by Doctor Web in April. It was distributed under the guise of well-known applications, but only loaded fraudulent web pages, inviting potential victims to download various software after entering their mobile phone number. After entering the number, the victim received an SMS message with a confirmation code, which was supposedly needed to complete the application download. However, by entering the code on the website, the user subscribed to a chargeable service. If the owner of the infected device was using mobile Internet, they were subscribed to an expensive service with Wap-Click immediately after clicking on the fake download button. See below an example:

Over the year, our specialists found other Trojans on Google Play that could load any webpage on the command of the command and control server. The list included Android.Click.415, Android.Click.416, Android.Click.417, Android.Click.246.origin, Android.Click.248.origin, Android.Click.458 and several others. They were also distributed under the guise of useful programs, such as collections of recipes, manuals, voice assistants, games, and even bookmaker applications.

Cybercriminals also actively distributed the Android.FakeApp family of Android Trojans, which loaded fraudulent websites with fake polls. Users were asked to answer a few simple questions for a nice cash reward. To receive the payment, the victim had to make another payment for verification. However, the owner of the infected device never received any money after the transfer.

Over the year, malware analysts discovered dozens of fraudulent applications Android.FakeApp and Android.Click, installed by at least 85,000 owners of Android smartphones and tablets. See more details about some of these Trojans in the following article by Doctor Web.

Prospects and trends

Next year mobile device users will again face attacks from banking Trojans and virus writers will continue improving their functionality. It is likely that more Android bankers will turn into multi-function malware capable of performing a wide range of tasks.

The number of fraudulent applications and advertising Trojans will increase also. Virus writers will hardly abandon attempts to make money on cryptocurrency using the computing power of Android devices. We also cannot eliminate the possibility of further cases of firmware infection in the future.

Cybercriminals will improve methods for circumventing antiviruses, as well as new restrictions and protective features built in the Android operating system. Rootkits and Trojans that could bypass these barriers are not out of the question. Malicious programs with new operating principles and new ways to obtain confidential data could emerge on the market. For example, they might use mobile device and eye-tracking techniques to obtain information about text being typed. Furthermore, new malware might use machine learning algorithms and other means of artificial intelligence for the benefit of attackers.

December 28, 2018

In early December, Brazilian Android device users were threatened by a banking Trojan that spread via Google Play. Some other malicious applications were detected in the official Android app store as well. At the end of December, Doctor Web experts discovered a new version of commercial spyware that collects masses of confidential information.

Mobile threat of the month

In early December, virus analysts investigated the banking Trojan, Android.BankBot.495.origin, which attacked customers of Brazilian financial institutions. This malware tried to obtain access to the Android Accessibility Service and use it to independently manage banking apps, read the contents of their windows, and transfer confidential information to attackers. Moreover, Android.BankBot.495.origin laid phishing windows over applications and tricked users into providing their credentials, bank card details, and other confidential data.

Read more about this Trojan in the news article, published by Doctor Web.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A Trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.261.origin

Android.HiddenAds.659

Trojans designed to display intrusive advertisements. They are distributed under the guise of popular applications by other malicious programs, which in some cases covertly install themselves in the system catalog.

Android.DownLoader.573.origin

A Trojan that downloads other malware applications.

Android.Mobifun.4

A Trojan that downloads various applications.

Adware.Zeus.1

Adware.Patacore.1.origin

Adware.Adpush.2514

Adware.AdPush.29.origin

Adware.Jiubang.2

Unwanted program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices.

Threats on Google Play

A lot of malicious and unwanted programs were detected on Google Play over the month. The list includes the adware Trojans Android.HiddenAds.343.origin and Android.HiddenAds.847, distributed under the guise of games and useful applications. When launched, they hid their icon from the home screen and began displaying ads.

We have also detected programs with the unwanted modules Adware.Patacore and Adware.HiddenAds. They displayed ads even when the software containing them was not running. In total, more than 5,300,000 users installed these programs.

Cybercriminals kept spreading fraudulent applications. The Dr.Web virus database has been updated to detect the Trojans Android.FakeApp.149, Android.FakeApp.151, and Android.FakeApp.152. These malicious programs launched web pages where the potential victims were asked to answer a few questions for a reward. To receive the reward payment, a user was first required to transfer a verification payment, but they never received anything in return.

Virus analysts have also discovered the Trojan Android.Proxy.4.origin, which helped virus writers redirect traffic via other users’ smartphones and tablets. Android.Proxy.4.origin was hiding in seemingly harmless games.

Cyberespionage

Among the potentially dangerous programs detected in December was a new version of the commercial spyware Program.Spyzie.1.origin, which allows you to monitor Android device users. It intercepts and reads text messages and emails; it tracks phone calls, web browser history and coordinates of infected smartphone or tablets. It also accesses message history in popular online messengers and steals other information.

Android users are targeted by various malicious and unwanted programs, distributed both online and via Google Play. Apart from that, attackers can install malware themselves if they get physical access to mobile devices. To protect smartphones and tablets, we recommend users install Dr.Web for Android.

December 6, 2018

Doctor Web virus analysts have detected the Android.BankBot.495.origin Trojan attacking Brazilian financial institution customers on Google Play. This Trojan uses Android’s special features (Accessibility Service). It uses them to control infected mobile devices and steal their owners’ confidential data.

Cybercriminals were distributing Android.BankBot.495.origin under the guise of applications that supposedly allow you to monitor Android-based smartphone and tablet users. The Trojan was hidden in the following software: WLocaliza Ache Já, WhatsWhere Ache Já, and WhatsLocal Ache Já. After Doctor Web’s experts informed Google, the company promptly removed the programs from Google Play. The Trojan was downloaded by more than 2,000 users.

When launched, Android.BankBot.495.origin attempts to gain Android Accessibility features by opening system settings and prompting the user to activate the Accessibility option. If a potential victim agrees to grant the Trojan privileges, Android.BankBot.495.origin will be able to control the programs in the background, tap buttons, and steal the contents of the active application windows.

When the user permits the Trojan to access accessibility features, it closes the window, starts the malicious service, and uses it to continue operating in the background. Android.BankBot.495.origin then requests access to display screens over running programs. This option will later be needed to display phishing windows. The previously obtained permission to use the accessibility features helps Android.Bank.Bot.495.origin automatically tap all buttons with the text "PERMITIR" ("Allow") that appears when requesting permissions. As a result, if the system language is Portuguese, the Trojan secures the necessary privileges by itself.

Moreover, the malware uses the special features for self-defense, tracking a number of antiviruses and utilities. When they launch, it tries to close their windows by pressing the “back" button 4 times.

Android.BankBot.495.origin connects to a remote host to accept the initial settings and follows the link given by the virus writers in an invisible WebView window. After several redirections, the Trojan receives a final link with the encrypted IP addresses of two command and control servers. Android.BankBot.495.origin then connects to one of them and accepts a list with app names. The Trojan checks whether they are installed on the device and notifies the server. The Trojan then sends several specific requests one by one. Depending on the server settings, Android.BankBot.495.origin then receives a command to start one of the apps. At the time of our analysis, it could run software of the following financial institutions: Banco Itaú S.A. and Banco Bradesco S.A., as well as the default SMS application.

When the Banco Itaú is launched, the Trojan uses the accessibility feature to read the contents of its window and transfer information on the balance of the user's bank account to the attackers. It then navigates to account management in the application, where it copies and sends the iToken key, a security code used to verify electronic transactions, to the virus writers.

Upon startup of Bradesco, the Trojan reads the victim’s account information and tries to automatically login to it by entering the PIN code received from the command and control server. Android.BankBot.495.origin copies the balance of the user's account and, together with the account information received earlier, transfers it to cybercriminals.

Upon receiving a command to launch an SMS application, the Trojan opens it, reads and saves the text of the available messages and sends them to the server. It also recognizes the messages from CaixaBank S.A. and transmits them in a separate request.

Cybercriminals also use Android.BankBot.495.origin to perform phishing attacks. The Trojan monitors the following software: Itaucard Controle seu cartão, Banco do Brasil, Banco Itaú, CAIXA, Bradesco, Uber, Netflix, and Twitter. If the Trojan detects that one of them has been launched, it displays an overlay window with a fraudulent web page simulating the attacked app, loaded from the second command and control server. The user may be prompted to enter the information on their account, bank account number, bank card details, logins, passwords, and other confidential information.

See an example of such phishing pages below:

Confidential information, entered by the victim, is transmitted to the attackers, and then the Trojan closes the fraudulent window and re-launches the compromised application in order not to raise suspicion from the user for collapsing and closing the app.

Doctor Web recommends you install Android software with extra care, even if you obtain them from Google Play. Attackers can fake well-known software, as well as create seemingly harmless applications. To reduce the risk of installing a Trojan, you should pay attention to the name of the developer, the date when the app appeared on Google Play, the number of downloads, and reviews from other users. In addition, please use an antivirus.

All known modifications to the Android.BankBot.495.origin banking Trojan have been successfully detected and removed by Dr.Web for Android, so they do not pose any threat to our users.

More about this Trojan

#Android, #Google_Play, #banking_Trojan, #phishing

November 30, 2018

In the last month of autumn 2018, Doctor Web’s malware analysts detected a new Android-targeting banking Trojan. It was being spread via Google Play and was attacking the customers of European financial institutions. Other Trojans were detected on Google Play in November, as were unwanted software programs.

Mobile threat of the month

In mid-November, Doctor Web’s experts discovered the banking Trojan Android.Banker.2876, which was attacking the customers of several European financial organizations. It was stealing confidential information and was also intercepting and sending SMS.

Features of Android.Banker.2876:

• Distributed via Google Play;
• imitated the banking applications of Spanish, French, and German financial organizations;
• hid its icon from the app list on the home screen;
• contained an embedded game that would launch after users closed its window.

For more information regarding this Trojan, refer to this news article on our website.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A Trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.Mobifun.4

A Trojan that downloads various applications.

Android.HiddenAds.288.origin

A Trojan designed to display advertisements. It is distributed under the guise of popular apps by other malicious programs that in some instances covertly install it in the system directory.

Android.DownLoader.573.origin

A Trojan that downloads other malware applications.

Android.RemoteCode.183.origin

A malicious program designed to download and execute arbitrary code.

Adware.Zeus.1

Adware.Adpush.2514

Adware.Patacore.1.origin

Adware.Avazu.5.origin

Adware.Gexin.2.origin

Unwanted program modules incorporated into Android applications and designed to display obnoxious ads on mobile devices.

Threats on Google Play

In early November, on Google Play, Doctor Web’s virus analysts detected applications containing the unwanted adware modules Adware.HiddenAds.7.origin and Adware.HiddenAds.8.origin. They displayed ads independently of the programs in which they had been embedded.

Later in the month, Doctor Web’s experts identified on Google Play other Android.FakeApp family Trojans which were added to the Dr.Web virus database as Android.FakeApp.138, Android.FakeApp.139, and Android.FakeApp.144. They were hidden in applications that allegedly paid people to participate in polls. When launched, the malware loaded fraudulent websites where potential victims were asked to answer a few questions. After that, in order to receive a “reward”, the user was required to pay a fee for a wire transfer, currency conversion, or any other procedure named by the attackers. If the owner of an affected mobile device agreed to pay, the requested amount was transferred to the pockets of cybercriminals, while the fraud victim got nothing.

In addition, attackers distributed the Trojan downloader Android.DownLoader.832.origin under the guise of various utilities. It downloaded and tried to install other malicious applications.

Google Play remains the most secure Android app resource. However, cybercriminals are still managing to use it to distribute malicious software. To protect their Android mobile devices, users are recommend to install Dr.Web for Android antivirus products.

November 16, 2018

Banking Trojans remain among the most dangerous malware programs; they help attackers steal confidential information and money from users. Doctor Web malware analysts have detected one such Trojan on Google Play. It has been attacking the customers of a number of European banks.

The Trojan, dubbed Android.Banker.2876, was being distributed under the guise of the official applications of European financial institutions: Spain’s Bankia, Banco Bilbao Vizcaya Argentaria (BBVA), and Santander; France’s Credit Agricole and Groupe Banque Populaire; and Germany’s Postbank. Our experts have found a total of six modifications of Android.Banker.2876. All of them were promptly removed from Google Play after Doctor Web contacted Google.

Once launched by a user, the Trojan requests permission to manage and make phone calls and send and receive SMS. Android devices below version 6.0 automatically grant these permissions during the Trojan’s installation. See the below example of a request:

Android.Banker.2876 collects and sends confidential information—the mobile device’s phone number and SIM card data, as well as a number of specifications about the mobile device—to the Firebase cloud and then notifies the attackers that the device has been infected successfully. The Trojan then displays a dialog requiring the victim to enter their phone number to continue working with the program. Each modification of the banker Trojan is designed for a specific audience. For example, if the Trojan is disguised as the application of a Spanish bank, the interface of Android.Banker.2876 and the displayed text will be in Spanish.

The phone number entered by the victim is transferred to the cloud database. The user is then shown a second dialog telling them to wait for “registration” confirmation. The dialog has a “Submit” button. When pressed, it launches a game built into the Android.Banker.2876, startling the user.

If the Trojan was successful when it uploaded the information about the mobile device to the cloud, it hides its icon from the home screen and then automatically runs in the background whenever the infected smartphone or tablet is on.

Android.Banker.2876 intercepts all incoming SMS and stores their contents in a local database. The text in the messages is uploaded to Firebase and is also distributed via SMS to the cybercriminals’ mobile number. As a result, the attackers are able to obtain one-time passwords used to confirm bank transactions and other confidential data that can be used for phishing attacks. In addition, the phone numbers collected by the Trojan can help the malware’s developers arrange fraudulent campaigns.

All known modifications of Android.Banker.2876 are successfully detected and removed by Dr.Web for Android, so they do not pose any threat to our users.

More about this Trojan

October 31, 2018

In October, information security specialists discovered an Android Trojan capable of executing C# scripts sent from a remote server, as well as downloading and launching malicious modules. More malicious applications were also detected on Google Play this month.

Mobile threat of the month

Doctor Web specialists have detected applications with the built-in downloader Trojan Android.DownLoader.818.origin distributed as a VPN client on Google Play. The malware downloaded and tried to install an adware Trojan to mobile devices. Later, malware analysts uncovered other modifications of this downloader, dubbed Android.DownLoader.819.origin and Android.DownLoader.828.origin. The fraudsters disguised them as games.

The Trojans' unique features are as follows:

• they request administrative privileges to hinder their removal from the system;
• they hide the app icon from the list of programs on the main screen of the operating system;
• they download other Trojans disguised as system software and prompt the user to install them.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

Android.Backdoor.1521

The Trojans that execute cybercriminals’ commands and help them to control infected mobile devices.

Android.HiddenAds.261.origin

Android.HiddenAds.288.origin

The Trojans are designed to display intrusive advertisements. They are distributed under the guise of popular applications by other malicious programs, which in some cases quietly install themselves in the system catalog.

Android.DownLoader.573.origin

A Trojan that downloads other malware applications.

Adware.Zeus.1

Adware.Gexin.2.origin

Adware.Adpush.2514

Adware.SalmonAds.3.origin

Adware.Aesads.1.origin

Unwanted program modules incorporated into Android applications and designed to display obnoxious ads on mobile devices.

Trojans on Google Play

At the beginning of the month, Doctor Web experts detected the Trojan Android.FakeApp.125 on Google Play. It was distributed as a program allegedly paying money for answering simple questions. In reality, Android.FakeApp.125 was loading and displaying fraudulent websites upon the signal of the managing server.

Later, security researchers detected the Trojan Android.Click.245.origin, disguised by cybercriminals as the Clover game, popular in VKontakte. Like Android.FakeApp.125, Android.Click.245.origin loaded fraudulent websites and displayed them to users.

In late October, Doctor Web analysts investigated the malware Android.RemoteCode.192.origin and Android.RemoteCode.193.origin. They were hiding in 18 seemingly harmless programs—barcode scanners, navigation software, file download managers, and various games, installed on at least 1,600,000 Android mobile devices. The Trojans could display advertisements, download and launch malicious modules, as well as open YouTube videos, increasing their popularity.

Aside from that, the Dr.Web virus database was updated with entries to detect new malware Android.DownLoader.3897, Android.DownLoader.826.origin and Android.BankBot.484.origin. They downloaded and tried to install banking Trojans on mobile devices.

Other threats

Among the mobile malware detected in October was the Android banker Android.BankBot.1781 with a modular architecture. At the command of the managing server, it could download various Trojan plug-ins, as well as download and execute C# scripts. Android.BankBot.1781 could steal bank card data, SMS messages, and other confidential information.

Cybercriminals distribute malicious programs to Android mobile devices via Google Play and fraudulent or hacked websites. To protect smartphones and tablets, it is recommended that users install Dr.Web anti-virus products for Android.