Threats to mobile devices

Baohuo, the gray eminence. Android backdoor hijacks Telegram accounts, gaining complete control over them

Thu, 23 Oct 2025 10:32:20 GMT

October 23, 2025

Doctor Web has identified a dangerous backdoor, Android.Backdoor.Baohuo.1.origin, in maliciously modified versions of the Telegram X messenger. In addition to being able to steal confidential data, including user logins and passwords, as well as chat histories, this malware has a number of unique features. For example, to prevent itself from being detected and to cover up the fact that an account has been compromised, Android.Backdoor.Baohuo.1.origin can conceal connections from third-party devices in the list of active Telegram sessions. Moreover, it can add and remove the user from Telegram channels and also join and leave chats on behalf of the victim, also concealing these actions. In fact, with this backdoor’s assistance, malicious actors gain full control over the victim’s account and the messenger functionality, while the trojan itself is a tool for boosting the number of subscribers in Telegram channels. Cybercriminals control the backdoor in different ways, one of which is via the Redis database; such a control mechanism is something that has not been seen previously in Android threats. According to our experts’ estimates, the number of devices infected with Android.Backdoor.Baohuo.1.origin has exceeded 58,000.

Android.Backdoor.Baohuo.1.origin started being distributed back in mid-2024, as evidenced by earlier modifications found during its analysis. The main method for delivering this backdoor to target devices is through in-app ads in mobile programs. Potential victims are shown ads that encourage them to install the Telegram X messenger. When clicking on such banners, users are redirected to malicious websites from which the trojan APK file is downloaded.

These sites are designed to look like an app catalog, while the messenger itself is positioned on them as a platform for conveniently finding a partner for communication and dating. This is indicated by banners with overlaid advertizing text about “free video chats” and invitations to “talk” (for instance, disguised as screenshots of the video call window) as well as by reviews from supposedly happy users that the threat actors actually composed. It should be noted that these webpages have functionality for selecting the displayed language, but the images themselves do not change.

One of the malicious sites from which the trojan version of Telegram X is downloaded. Potential victims are offered the chance to install an app where, according to “reviews”, it is easy to find a partner for communication and dating

Currently, cybercriminals have prepared standard templates with banners in only two languages—Portuguese, for users from Brazil, and Indonesian. Thus, Brazilian and Indonesian audiences are the main target for the attackers. At the same time, it is possible that over time, the threat actors’ interest will extend to users from other countries.

Studying the attackers’ network infrastructure allowed us to determine the scale of their activity. On average, Doctor Web’s malware analysts observe about 20,000 active connections of Android.Backdoor.Baohuo.1.origin. At the same time, the total number of infected devices has exceeded 58,000. Around 3,000 different models of smartphones, tablets, TV box sets, and even cars with Android-based on-board computers have been infected.

Countries with the highest number of devices infected with Android.Backdoor.Baohuo.1.origin (according to Doctor Web’s anti-virus laboratory)

However, malicious websites are not the only source for Android.Backdoor.Baohuo.1.origin’s distribution. Our experts have also detected it in third-party app catalogs, including APKPure, ApkSum, and AndroidP. Additionally, in the APKPure app store, the malware is posted on behalf of the official messenger developer, despite the fact that the digital signatures of the original version and the trojan modification are different. We have notified the online platforms where the trojanized versions of Telegram X were found.

The modified Telegram X with Android.Backdoor.Baohuo.1.origin implanted in it was distributed through APKPure on behalf of the messenger’s genuine developer

Doctor Web’s anti-virus laboratory discovered several Android.Backdoor.Baohuo.1.origin variations, which can be conditionally divided into 3 main modification groups:

versions where the threat actors embedded the backdoor into the main executable DEX file of the messenger;
versions where the backdoor is dynamically loaded in the form of a patch into the executable DEX file using the LSPatch tool;
versions where the backdoor is located in a separate DEX file in the app’s resources directory and loaded dynamically.

Regardless of the modification type, Android.Backdoor.Baohuo.1.origin initializes when the messenger is launched. The messenger itself remains functional, and for users it looks like a regular program. In reality, however, malicious actors have complete control over it through the backdoor and can even alter the logic of its operation.

When cybercriminals need to perform an action that does not require interfering with the app’s main functionality, they use pre-prepared “mirrors” of the necessary messenger methods. For example, mirrors can be used to display phishing messages in windows that look indistinguishable from real Telegram X windows.

Methods are separate blocks of code in the structure of Android programs that are responsible for performing certain tasks.

If the action is not standard for the messenger, then the Xposed framework is used. It directly changes a certain functionality of the app via dynamic method modification. In particular, it can be used to hide certain chats and authorized devices as well as to steal the clipboard contents.

The main difference between the earlier versions of the malicious program and the current ones is in how the malware is controlled. Older versions communicated with cybercriminals and received commands from them via a C2 server, which is a traditional channel. However, over time, malware writers added to Android.Backdoor.Baohuo.1.origin the ability to receive additional commands that come from the Redis database, thus expanding its functionality. At the same time, they also provided for the duplication of new commands through a regular C2 server in case the database becomes unavailable. This is the first known case of using Redis to control Android malware.

When launched, Android.Backdoor.Baohuo.1.origin connects to the initial C2 server to download a configuration that, among other parameters, contains data to connect to Redis. Through this database, threat actors not only send specific commands to the malicious app but also update the trojan’s settings. For example, they assign current addresses for the C2 server and the NPS server. Malware writers use the latter to connect infected devices to their internal network (intranet) and turn them into a proxy for accessing the Internet.

Android.Backdoor.Baohuo.1.origin regularly connects to the C2 server via API requests and can receive the following tasks:

upload incoming SMS and contacts from the infected device’s phonebook to the C2 server;
upload the contents of the clipboard to the C2 server when minimizing the messenger and restoring its window;
receive URLs from the C2 server to display ads, as well as the server address from which the trojan’s update in the form of a DEX file will be downloaded;
receive encryption keys that are used when certain data is uploaded to the C2 server (for instance, the clipboard contents);
request a group of commands for collecting information about installed apps, the message history, and contacts from the device’s phonebook, and about the devices logged into Telegram (this request is executed every 30 minutes);
request an URL from the C2 server to download an update for Telegram X;
request from the C2 server a configuration which is then saved as a JSON file;
request information about the Redis database;
upload information about the device to the C2 server whenever messenger network activity is detected;
receive from the C2 server a list of bots that are to be added to the Telegram contact list;
upload the following information to the C2 server every 3 minutes: the current app’s permissions, the device’s state (whether its screen is on or off, whether the app is active), and the mobile phone number with the name and password for the Telegram account;
every minute, request commands in the same format as the commands from the Redis database.

To receive commands via Redis, Android.Backdoor.Baohuo.1.origin connects to the attackers’ corresponding server where it registers its own sub-channel. Threat actors connect to this sub-channel and post tasks in it, which the backdoor then executes. The malicious program can receive the following commands:

create a blacklist of chats that will not be displayed in the Telegram X window;
conceal specified devices from the user in the list of authorized devices for their account;
block notifications from blacklisted chats for a specified time;
display a window with information about the Telegram X messenger update (when the user clicks it, they are redirected to a target website);
send the C2 server information about all of the installed apps;
terminate the user’s current authorized Telegram login session on the infected device;
display a window with information about the Telegram X app update, where the user is asked to install an APK file (if the file is missing, the trojan downloads it first);
remove the Telegram Premium icon in the app’s interface for the current user;
upload to the C2 server information from the Telegram X databases that store chat history, messages, and other confidential data;
subscribe the user to a specified Telegram channel;
leave a specified Telegram channel;
join a specified Telegram channel on behalf of the user, using the provided URL;
obtain the list of devices authorized in Telegram;
request the user’s authentication token and upload it to the C2 server.

It should be noted that hijacking data from the clipboard (when the user minimizes the messenger and restores its window) allows various scenarios for stealing confidential data to be implemented. For example, the victim can copy the password or mnemonic phrase used to access their crypto wallet, copy text from some important document to send it to business partners, etc. The trojan will intercept this information from the clipboard and send it to the malicious actors.

Dr.Web Security Space for mobile devices successfully detects and deletes all known versions of Android.Backdoor.Baohuo.1.origin, so this malware does not pose a threat to our users.

More details about Android.Backdoor.Baohuo.1.origin
Indicators of compromise

Doctor Web’s Q3 2025 review of virus activity on mobile devices

Wed, 01 Oct 2025 03:00:00 GMT

October 1, 2025

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.MobiDash ad-displaying trojans were the most widespread threats of Q3 2025. They were detected on protected devices 18.19% more often than during the previous observation period.

The adware trojans Android.HiddenAds, whose activity decreased for the second quarter in a row, fell to second place. In the past 3 months, users encountered them 71.85% less often. These malicious apps conceal their icons, making the trojans harder to detect and remove, and then display ads, including full-screen videos.

Third place was again occupied by the Android.FakeApp trojans that cybercriminals use in various fraudulent schemes; the number of times they were detected decreased by 7.49%. Instead of providing the declared functionality, these malicious apps often load various websites, including fraudulent and malicious ones, as well as bookmaker and online casino websites.

Despite a 38.88% decline in activity, Android.Banker trojans remain the most widespread banking malware. Threat actors use them to gain illegal access to banking accounts and steal money. These trojans can display phishing windows to hijack logins and passwords, imitate the appearance of real banking software, intercept SMS to obtain one-time codes, etc.

Android.Banker trojans were followed by the Android.BankBot trojans, which were detected 18.91% more often than in Q2. Such trojans also try to gain access to users’ online banking accounts by intercepting confirmation codes. At the same time, these malicious apps can execute various commands coming from cybercriminals. Some of them also allow infected devices to be controlled remotely.

Rounding out the top three, Android.SpyMax banking trojans were detected 17.25% less often than in the previous quarter. These malicious apps are based on the source code of the spyware trojan SpyNote and provide a wide range of functions, including the ability to remotely control affected devices.

In August, we informed users about a malware distribution campaign involving the Android.Backdoor.916.origin multi-functional backdoor. Cybercriminals use this piece of malware to steal confidential data and spy on Android device users. Threat actors sent messages to potential victims via various messengers, offering an “anti-virus” that can be installed from the attached APK file. Doctor Web’s anti-virus laboratory discovered the first versions of this backdoor back in January 2025 and has continued to monitor its development ever since. Our experts believe that this backdoor is used in targeted attacks and is not intended for mass distribution. The main target for cybercriminals is representatives of Russian businesses.

Over the course of Q3, a large number of malicious programs were distributed on Google Play for a combined total of over 1,459,000 installations. Among them were dozens of Android.Joker trojans that subscribe victims to paid services and Android.FakeApp malicious fake programs. In addition, our malware analysts discovered yet another app that supposedly allowed virtual rewards to be converted into real money.

Principal trends of Q3 2025

Android.MobiDash ad-displaying trojans became the most widespread threats
The activity of Android.HiddenAds adware trojans continued to decline
The number of Android.BankBot banking trojan attacks increased
Banking trojans Android.Banker and Android.SpyMax were less active
Cybercriminals used a multi-functional backdoor, Android.Backdoor.916.origin, to attack representatives of Russian businesses
Many malicious apps were found on Google Play

According to statistics collected by Dr.Web Security Space for mobile devices

Android.MobiDash.7859: A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.FakeApp.1600: A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.Click.1812: The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.
Android.HiddenAds.673.origin: A trojan app designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Triada.5847: The detection name for a packer for Android.Triada trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with malicious Telegram messenger mods in which these trojans are embedded.

Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.CloudInject.5
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.

Tool.NPMod.3
Tool.NPMod.1
Tool.NPMod.4: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.LuckyPatcher.2.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to a shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Androlua.1.origin: The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.

Adware.AdPush.3.origin
Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Youmi.4: The detection name for an unwanted adware module that adds advertizing shortcuts onto the Android OS home screen.
Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.

Threats on Google Play

In Q3 2025, Doctor Web's anti-virus laboratory detected over 50 trojans from the Android.Joker family which subscribe users to paid services. They were distributed under the guise of different software, including messengers, various system tools, image-editing apps, camera apps, programs for working with documents, etc.

One trojan was hidden in the system-optimizing app Clean Boost (Android.Joker.2412), and another — in the app Convert Text to PDF (Android.Joker.2422) for creating PDF documents

Moreover, our specialists discovered more fake apps from the Android.FakeApp family being used in fraudulent schemes. As before, cybercriminals passed off some of them as financial apps, like reference books and teaching aids and software for accessing investing services. Other Android.FakeApp trojans were distributed as games and under certain conditions could load bookmaker and online casino websites instead of operating as promised.

Examples of Android.FakeApp trojans disguised as financial apps. Android.FakeApp.1889 offered users the chance to test their financial literacy and Android.FakeApp.1890 the opportunity to develop financial intellection

Our experts also discovered Program.FakeMoney.16—an unwanted app, distributed as software called Zeus Jackpot Mania. In this program, users could get virtual rewards that they could supposedly convert into real money and withdraw it.

Program.FakeMoney.16 on Google Play

To “withdraw” the money, victims had to give this app some of their data. However, ultimately, they did not receive any payments.

Program.FakeMoney.16 asks users to provide their full name and information about their bank account

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Android backdoor spies on employees of Russian businesses

Wed, 20 Aug 2025 10:47:54 GMT

August 20, 2025

Doctor Web is informing users about Android.Backdoor.916.origin, a multi-functional backdoor that spreads in the wild and targets Russian businesses. The malware is capable of executing multiple commands received from attackers and has rich functionality for espionage and data theft. Among other capabilities, it can listen to conversations, broadcast from a device’s camera, steal content from messengers and browsers, and use its keylogger functionality to hijack entered text, including passwords.

The first Android.Backdoor.916.origin versions emerged in January 2025. Since discovering the backdoor, Doctor Web’s anti-virus laboratory has tracked the malware’s evolution and detected a number of versions (information about them is provided in the corresponding indicators of compromise) of it. Our experts believe that Android.Backdoor.916.origin is likely designed more for targeted attacks than for mass distribution among Android device users. Its main target is Russian business representatives.

Threat actors use direct messages in messengers to distribute the backdoor’s APK file under the guise of an anti-virus called “GuardCB”. The app’s icon resembles the emblem of the Russian Federation’s Central Bank; the emblem is set against the background of a shield. At the same time, the app’s interface provides only one language—Russian. Thus, the malware is entirely focused on Russian users. This is confirmed by other detected modifications with names like “SECURITY_FSB”, “ФСБ” (FSB), and others, which cybercriminals are trying to pass off as security-related programs that are supposedly related to Russian law enforcement agencies.

Icons of the malware mislead potential victims

The app does not in fact have any anti-virus features. When it runs, Android.Backdoor.916.origin acts like it is performing an anti-virus scan on a device, while the probability of “detecting” threats is programmed into it. The more time that has passed since the previous “scan”, the higher the chance is, but no more than 30%. The number of allegedly found threats is determined randomly and ranges from 1 to 3.

When it first launches, Android.Backdoor.916.origin requests access to many system permissions:

Geolocation;
Audio recording;
Access to SMS, contacts, call history, media files, permission to make calls;
Camera (to take pictures and record videos);
Permission to run in the background;
Device administrator rights;
Accessibility Service.

Examples of the requested permissions

The malware then launches several of its own services and checks their activity every minute, restarting them again if needed. The backdoor uses these services to connect to the C2 server and receive a large number of commands. Among them are:

upload incoming and outgoing SMS to the C2 server;
upload the contacts list to the C2 server;
upload call history to the C2 server;
upload geolocation data to the C2 server;
start or stop audio streaming through the device’s microphone;
start or stop video streaming from the device’s camera;
start or stop streaming the device’s screen;
upload all images stored on a memory card to the C2 server;
upload images from a memory card to the C2 server according to a given range of names;
upload a specified image from a memory card to the C2 server;
enable or disable the backdoor’s self-protection;
execute a received shell command;
upload information about the device’s network and interfaces to the C2 server.

The backdoor streams the different types of data it collects to separate C2 server ports.

Android.Backdoor.916.origin uses Accessibility Service to execute keylogger functionality and intercept content from messengers and browsers. These apps are monitored by the trojan:

Telegram
Google Chrome
Gmail
Яндекс Старт (Yandex Start)
Яндекс Браузер (Yandex Browser)
WhatsApp

The backdoor also uses Accessibility Service to protect itself from being deleted if it receives the corresponding command from the threat actors.

Android.Backdoor.916.origin has functionality that allows it to operate with a large number of C2 servers whose information is stored in its configuration. Moreover, it can switch between hosting providers, the number of which can be as high as 15, but this option is not being used at the moment. Doctor Web’s anti-virus laboratory has informed domain registrars about the violations it has uncovered.

Dr.Web Security Space for mobile devices reliably detects and removes all known Android.Backdoor.916.origin modifications, keeping our users well protected from this threat.

More about Android.Backdoor.916.origin

Indicators of compromise

Doctor Web’s Q2 2025 review of virus activity on mobile devices

Tue, 01 Jul 2025 06:00:00 GMT

July 1, 2025

According to detection statistics collected by Dr.Web Security Space for mobile devices, adware trojans from various families remained the most common malware. Members of the Android.HiddenAds trojan family were again the most active, despite the fact that users encountered them 8.62% less often. These were followed by Android.MobiDash adware trojans; the number of attacks involving them increased by 11.17%. Android.FakeApp malicious programs, used in various fraudulent schemes, ranked third; they were detected on protected devices 25.17% less frequently.

The activity of Android.Banker banking trojans increased by 73.15%, compared to the previous quarter. At the same time, some other banking trojan families were detected less often, e.g., Android.BankBot (by 37.19%) and Android.SpyMax (by 19.14%).

In April, our virus analysts informed the public about the discovery of a large-scale campaign to steal cryptocurrency from Android smartphone users. During this campaign, malicious actors hid Android.Clipper.31 in a modified version of the WhatsApp messenger and implanted it into the firmware of some budget Android smartphone models. This trojan hijacks messages sent and received in the messenger, searches the Tron and Ethereum crypto wallet addresses in them, and replaces legitimate addresses with ones belonging to the scammers. At the same time, the trojan conceals this substitution, and users of infected devices see the “correct” wallets in their messages. Moreover, Android.Clipper.31 sends all images in the jpg, png, and jpeg formats to a remote server to search mnemonic phrases for their victims’ crypto wallets.

Also in April, we reported on a spyware trojan targeting Russian military personnel. The Android.Spy.1292.origin malicious program was hidden in a modified version of Alpine Quest mapping software. It was distributed via a fake Telegram channel of an app created by the threat actors as well as via one of the Russian Android app catalogs. Android.Spy.1292.origin sent various confidential data to the attackers, including user accounts, their mobile phone number, contacts from the phone book, and information about the infected device’s geolocation and the files stored in its memory. When commanded by malicious actors, the trojan could steal specified files. The malware creators were particularly interested in confidential documents sent via popular messengers as well as in Alpine Quest’s location log file.

At the same time, during this most recent observation period, Doctor Web’s virus laboratory detected more threats on Google Play. Among them were various trojans and unwanted ad-displaying software.

Principal trends of Q2 2025

Android.HiddenAds adware trojans intensified their activity
Adware trojans from the Android.MobiDash family also heightened their activity
Android.Banker banking trojans were less commonly detected on protected devices, compared to the previous quarter
Decreased numbers of Android.BankBot and Android.SpyMax banking trojan family attacks were noted
A trojan designed to steal cryptocurrency was found in the firmware of several budget Android smartphone models
Malicious actors distributed a trojan that spied on Russian military personnel
More threats emerged on Google Play

According to statistics collected by Dr.Web Security Space for mobile devices

Android.HiddenAds.657.origin
Android.HiddenAds.4214
Android.HiddenAds.4213: Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.MobiDash.7859: A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.

Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.NPMod.3
Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.Androlua.1.origin: The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.
Tool.SilentInstaller.14.origin: A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.
Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.AdPush.3.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
Adware.Fictus.1.origin: An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
Adware.Jiubang.1: Unwanted ad-displaying software for Android devices that displays a banner showing recommended programs when applications are being installed.

Threats on Google Play

Over the course of the second quarter of 2025, Doctor Web’s virus analysts discovered several dozen threats on Google Play, including various fake programs from the Android.FakeApp family. These trojans were again actively being distributed under the guise of finance-related programs and, instead of the promised functionality, could load fraudulent websites.

Android.FakeApp.1863 and Android.FakeApp.1859 are examples of the trojans that were discovered. The former was hidden in the “TPAO” app and targeted Turkish users who were told that the app could help them “easily control their deposits and incomes”. The latter was disguised as a “financial assistant” (“Quantum MindPro”) and was geared toward a French-speaking audience.

Games remain another popular disguise for such fake programs. Under certain conditions, they load online casino and bookmaker websites instead of providing gaming functionality.

Android.FakeApp.1840 (“Pino Bounce”) is one of the fake games that could load an online casino site.

In addition, our specialists detected the unwanted ad-displaying software Adware.Adpush.21912. It was hidden in the “Coin News Promax” app, which contains informational materials about cryptocurrencies. Adware.Adpush.21912 displays notifications that, when clicked, load into WebView the link specified by the С2 server.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Android spyware trojan targets Russian military personnel who use Alpine Quest mapping software

Mon, 21 Apr 2025 01:00:00 GMT

April 21, 2025

Doctor Web’s experts have discovered Android.Spy.1292.origin, spyware whose main target is Russian military personnel. The attackers hide this trojan inside modified Alpine Quest mapping software and distribute it in various ways, including through one of the Russian Android app catalogs. Among other things, the malware sends the attackers phonebook contact information and the infected device’s geolocation. Moreover, this spyware collects data about the files stored on the devices and, when commanded by threat actors, can download additional modules possessing the functionality needed to steal the files.

Alpine Quest is topographic software that allows different maps to be used both in online and offline mode. It is popular among athletes, travelers, and hunters but also widely used by Russian military personnel in the Special Military Operation zone—and this is what the malware campaign organizers decided to exploit. Threat actors embedded Android.Spy.1292.origin into one of the older Alpine Quest app versions and distributed the trojanized variant under the guise of a freely available version of Alpine Quest Pro, a program with advanced functionality. They created a fake Telegram channel for the software; the channel provided a link for downloading the app in one of the Russian app catalogs. The same trojan version, disguised as the app’s “update”, was later distributed via this very same channel.

The Telegram channel through which threat actors distributed the Android.Spy.1292.origin trojan

Because Android.Spy.1292.origin is embedded into a copy of the genuine app, it looks and operates as the original, which allows it to stay undetected and execute malicious tasks for longer periods of time.

Each time it is launched, the trojan collects and sends the following data to the C&C server:

the user’s mobile phone number and their accounts;
contacts from the phonebook;
the current date;
the current geolocation;
information about the files stored on the device;
the app’s version.

At the same time, it duplicates some of this information in the attackers’ Telegram bot. For instance, the trojan sends it the geolocation data every time the device’s location changes.

After receiving information about the available files, threat actors can command the trojan to download and run additional modules that are to be used to steal the necessary files. The analysis performed by our specialists indicates that the creators of the trojan are particularly interested in confidential documents that users sent via the Telegram and WhatsApp messengers as well as the locLog location log file created directly by the Alpine Quest program.

As a result, Android.Spy.1292.origin not only allows user locations to be monitored but also confidential files to be hijacked. In addition, its functionality can be expanded via the download of new modules, which allows it to then execute a wider spectrum of malicious tasks.

Doctor Web’s specialists recommend installing Android programs only from reputable sources, such as official app catalogs, and opting against downloading software from Telegram channels and dubious websites, especially when it comes to supposedly freely available paid versions of programs. At the same time, it is important to pay attention to who is distributing the apps of interest, as attackers often disguise themselves as real developers, using similar names and logos.

To protect Android devices, it is essential to use an anti-virus. Dr.Web Security Space for mobile devices reliably detects and deletes the Android.Spy.1292.origin trojan, keeping our users well protected from this threat.

Indicators of compromise

More details about Android.Spy.1292.origin

Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft?

Mon, 14 Apr 2025 02:00:00 GMT

April 14, 2025

Every year, cryptocurrencies become more and more common as a payment method. According to the data for 2023, in developed countries about 20% of the population has at some time used such a means of payment, and in developing countries, where the banking sector does not meet the needs of the population, the number of cryptocurrency users is even higher. In cryptocurrency adoption rankings, Russia is among the top ten countries in terms of number of users. Anonymity, fast transactions, global accessibility and low transfer fees are the main advantages that attract ordinary users. Fraudsters, on the other hand, appreciate the irreversibility of the transactions, the lack of regulation, and the lack of user knowledge due to the relative novelty of the technology, which allows them to implement a variety of illicit enrichment schemes.

Starting from June 2024, the Doctor Web virus laboratory has received a number of reports from our customers who installed Dr.Web Security Space antivirus on their newly purchased Android phones. A scan of the system partition revealed a suspicious application disguised as WhatsApp messenger. During their investigation, our analysts were able to establish that those cases were not a mere blip on the radar. It turned out that they were all part of a campaign to steal cryptocurrency through clipping.

Clipping means stealing information by intercepting and/or spoofing data that a user copies to the clipboard. Most commonly, clippers are designed to search the clipboard for strings corresponding to cryptocurrency wallet addresses. On average, such strings contain between 25 and 42 characters. And to avoid any hassle, users typically use standard "copy" and "paste" operations to work with such data. A clipper can take advantage of this by intercepting the contents of the clipboard and discreetly replacing all cryptocurrency wallet addresses with those of the cybercriminals.

Using messengers trojanized by clippers to steal financial information is not a new tactic for hackers: one such campaign began in 2023. At that time, a group of attackers used a number of legitimate platforms, such as YouTube, to distribute links to malicious Telegram and WhatsApp apps. These links were placed in the video descriptions. The main target audience was Chinese users, who do not have access to foreign messengers. And since they have to use a number of tricks to get around the geoblocking, usually by downloading programs from third-party sites, this campaign was quite successful.

Now the attackers moved to the next level, gaining access to the supply chain of a number of Chinese manufacturers of Android-based smartphones. These are the smartphones that have been reported to Doctor Web's virus lab. Fraudulent applications were detected directly in the software pre-installed on the phone. In this case, the malicious code was added to the WhatsApp messenger.

It should be noted that in most cases the compromised devices were low-end and had names similar to the models of well-known brands: S23 Ultra, Note 13 Pro, P70 Ultra, and so on. At the same time, their actual technical specifications were far from what their product page claimed. The threat actors used an application that allowed them to easily spoof all of the technical information displayed not only on the About Device page but also in the reports of such popular applications as AIDA64 and CPU-Z. In addition, although the About Device page claimed that the phones have the latest version of Android 14 installed on them, all of the devices were actually running the same build of Android 12. A third of the models listed below are manufactured under the SHOWJI brand. Unfortunately, we were unable to identify the manufacturer of the remaining models.

SHOWJI S19 Pro	Note 30i	Camon 20
SHOWJI Note 13 Pro	S23 Ultra	P70 Ultra
SHOWJI X100S Pro	S18 Pro	M14 Ultra
SHOWJI Reno12 Pro	6 Pro	S24 Ultra

Smartphone models purchased by our users that came with preinstalled malicious software

Product descriptions in bad Russian boasting “Fast Tastydragon CPU” [sic!] and “50 million cameras” [even sic’er!]

Screenshot of the application used to spoof technical specifications of the device and the result of its operation

To verify device specifications with greater certainty, you can use an app called DevCheck. In most cases, this application accurately determines the product specifications, even if the manufacturer is trying to mislead the consumer.

To create their trojanized WhatsApp application, the threat actors used the LSPatch tool. This framework allows the behavior of the main application to be modified, without altering its code, and additional software modules to be loaded. In this case, the criminals placed the malicious module com.whatsHook.apk in the assets folder, which performs the following functions:

application update hijacking. Now, instead of checking for updates at hxxps://www.whatsapp[.]com/android/current/WhatsApp[.]apk, the application accesses one of the attackers' servers, e.g., hххps://apk-download[.]pro/download/whatsapp[.]apk. This keeps the application trojanized and allows it to make the changes the threat actors need;

Method that hijacks requests to the legitimate update server

Class that swaps the legitimate update address with the fake one

searches for strings in received and sent messages that match the wallet address patterns for the Tron (34-character string starting with T) and Ethereum (42-character string starting with 0x) cryptocurrencies and replaces them with the attackers' addresses. The cybercriminals expanded the basic clipper functionality, and now the victim does not even suspect that something is wrong. In the case of an outgoing message, the compromised device displays the correct address of the victim's own wallet, while the recipient of the message is shown the address of the fraudsters' wallet. And when an incoming message is received, the sender sees the address of their own wallet; meanwhile, on the victim's device, the incoming address is replaced with the address of the hackers' wallet. The scammers change wallet addresses with each iteration of the campaign, but the trojan also contains backup addresses ("TN7pfenJ1ePpjoPFaeu46pxjT9rhYDqW66", "0x673dB7Ed16A13Aa137d39401a085892D5e1f0fCA") that can be used if for some reason communication cannot be established with the C2 server. In addition, the trojan sends all messages from all WhatsApp chats to the attacker's server;

Parser that searches for strings matching Tron wallet addresses

Parser that searches for strings matching Ethereum wallet addresses

searches for all .jpg, .png, and .jpeg images in the following folders and sends them to the attackers’ server

DCIM	DOWNLOADS
PICTURES	DOCUMENTS
ALARMS	SCREENSHOTS

This is done to find the so-called mnemonic (recovery) phrase for crypto wallets, which is a set of 12-24 words in a specific order. Such a phrase is displayed once when a wallet is created, and many users simply take a screenshot of it instead of writing it down or saving it to a separate medium. For legitimate purposes, such phrases allow the wallet to be accessed if the user forgets the password. For attackers, obtaining such data means the ability to instantly withdraw all the money from the cryptocurrency wallet.

An example of a mnemonic phrase for recovering access to a cryptocurrency wallet. The user must enter these words in numerical order.

sends information about the device: the device manufacturer, model, language settings, and the name of the trojanized application. In total, the scammers modified about 40 different applications. These include the aforementioned WhatsApp and Telegram, as well as other messengers, QR code scanners, etc. But, most important, it was popular cryptocurrency wallet applications (MathWallet, Trust Wallet, and others) that were affected.

This trojan has been given the unique name Shibai in the Doctor Web virus database due to the string Log.e("", "-------------------SHIBAI-释放------------") contained in its code. We assume that this is a reference to the name of another crypto coin.

Unfortunately, this campaign has gained a great deal of momentum. The hackers employ more than 60 C2 servers to manage it and approximately 30 domains to distribute malicious applications. We were also able to obtain information about the financial gains made by the trojan’s creators. One of the wallets has received more than a million dollars over the last two years. Overall assets in another wallet amounted to half a million dollars. The rest of the wallets (about 20 of them) held amounts up to $100,000. It is impossible to get a complete picture of the profitability of this campaign, as the wallet addresses are obtained from the server of the attackers, and they may be different from time to time.

One of the crypto wallets with the most assets

To protect yourself from such attacks, our virus analysts recommend installing Dr.Web Security Space antivirus for mobile devices, shunning smartphones with features that clearly do not match their price, downloading applications only from trusted sources, such as Google Play, RuStore and AppGallery, and not storing on their devices screenshots with mnemonic phrases, passwords, and keys in unencrypted form.

Doctor Web’s Q1 2025 review of virus activity on mobile devices

Thu, 27 Mar 2025 00:00:00 GMT

March 27, 2025

According to detection statistics collected by Dr.Web Security Space for mobile devices, ad-displaying Android.HiddenAds trojans remained the most common Android malware. Moreover, they were detected on protected devices more than twice as often as in the fourth quarter of last year. Second place once again went to Android.FakeApp malware, which cybercriminals use in various fraudulent schemes—their activity increased by almost 8%. Adware trojans from the Android.MobiDash family ranked third; the number of their detections almost quintupled.

Similar dynamics were observed among many banking trojans. For instance, an increase was recorded in the number of attacks involving Android.BankBot and Android.Banker trojan family members—by 20.68% and 151.71%, respectively. At the same time, Android.SpyMax trojans, whose activity grew throughout almost all of 2024, were detected 41.94% less frequently than in the previous quarter.

Over the past 3 months, Doctor Web’s specialists discovered dozens of new threats on Google Play. Our virus laboratory’s findings in this catalog included cryptocurrency-stealing malware and other trojans that display intrusive ads, along with the traditionally large number of Android.FakeApp trojans.

PRINCIPAL TRENDS OF Q1 2025

Increased activity on the part of adware trojans
Increased numbers of Android.BankBot and Android.Banker banker malware attacks
Decreased activity on the part of Android.SpyMax spyware trojans
The emergence of many new threats on Google Play

According to statistics collected by Dr.Web Security Space for mobile devices

Android.HiddenAds.657.origin
Android.HiddenAds.655.origin
Android.HiddenAds.4214: Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.MobiDash.7859: A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Program.FakeMoney.11
Program.FakeMoney.14: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.

Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.Androlua.1.origin: The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.
Tool.SilentInstaller.14.origin: A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
Adware.AdPush.3.origin
Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Fictus.1.origin: An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.

Threats on Google Play

In Q1 2025, Doctor Web’s virus laboratory detected several dozen malicious programs. Among them were various modifications of the trojans Android.HiddenAds.4213 and Android.HiddenAds.4215, which conceal their presence on infected devices and start displaying ads on top of other apps’ windows and the operating system UI. They masqueraded as software for taking photos and videos with different effects, image-editing programs, an image collection app, and a women’s health diary.

The Android.HiddenAds adware trojans concealed in the apps “Time Shift Cam” and “Fusion Collage Editor”

Our specialists also discovered Android.CoinSteal.202, Android.CoinSteal.203, and Android.CoinSteal.206, malicious programs designed to steal cryptocurrency that are distributed under the guise of official software from the Raydium and Aerodrome Finance blockchain platforms and the Dydx cryptocurrency exchange.

The “Raydium” and “Dydx Exchange” programs are trojans that steal cryptocurrency

When launched, these malicious apps ask potential victims to enter a mnemonic phrase (the seed phrase)—supposedly to connect their crypto wallet. But, in reality, the data that users provide is sent to threat actors. To further mislead users, forms for entering mnemonic phrases can be disguised as requests from other crypto platforms. As shown in the example below, Android.CoinSteal.206 displayed a phishing form allegedly on behalf of the crypto exchange PancakeSwap.

At the same time, Android.FakeApp fake programs were once again being distributed via Google Play. Fraudsters passed off many of them as finance-related software, including teaching aids, instruments for accessing investing services, and personal finance software. They loaded various phishing websites, including those used by threat actors to collect personal information.

Examples of the Android.FakeApp trojan apps distributed under the guise of financial software: «Умные Деньги» (“Smart Money”) is Android.FakeApp.1803, and “Economic Union” is Android.FakeApp.1777

Under certain conditions, other Android.FakeApp trojans loaded bookmaker and online casino sites. Such malware variants were distributed as different games and other software, like a speed-typing trainer and a drawing tutorial. Among them were new modifications of the Android.FakeApp.1669 trojan.

Examples of malicious fake apps that, instead of providing the declared functionality, could load online casino and bookmaker websites

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Doctor Web’s review of virus activity on mobile devices in 2024

Thu, 30 Jan 2025 00:00:00 GMT

January 30, 2025

In 2024, ad-displaying trojans were once again the most widespread Android threats. Fraudulent software, ransom trojans, clickers, and banking trojans were more active than in the previous year. Among the latter, compared to 2023, the most common were simple banking trojans that steal only online bank account access data and SMS confirmation codes.

Among the most active unwanted software programs were apps offering users the opportunity to complete various tasks in exchange for virtual rewards, which can supposedly be converted into real money. The most commonly detected riskware apps were tools that allow Android programs to launch without being installed. And the most active adware programs were specially modified WhatsApp messenger versions whose functions had been injected with code for loading adware URLs.

Over the course of last year, Doctor Web's malware analysts discovered hundreds of new threats on Google Play, with over 26.7 million cumulative downloads. Among these were malicious programs, including a spyware trojan, and unwanted and adware apps.

Our experts also uncovered a new attack on Android-based TV box sets. Around 1.3 million devices were affected by a backdoor that infected the system storage and, when commanded by attackers, could download and install third-party software.

In addition, Doctor Web’s virus analysts noted the growing popularity of a number of techniques aimed at making Android malware more complicated to analyze and more difficult for antiviruses to detect. These techniques included various manipulations with the ZIP archive format (the APK files of Android apps are based on the ZIP format), manipulations with the apps’ configuration file AndroidManifest.xml, and others. These methods were most often found to be used in banking trojans.

PRINCIPAL TRENDS IN 2024

Ad-displaying malware remained the most widespread threat;
An increase in banking trojan activity;
Cybercriminals increasingly used simple Android.Banker banking trojans, which steal only login data for online bank accounts and also verification codes from SMS;
Threat actors increasingly resorted to manipulating the format of APK apps and their structural components to avoid being detected by anti-viruses and to make it more difficult for their malware to be analyzed;
An increase in the number of Android.Locker ransomware trojans and Android.Click trojan clickers;
The emergence of many new threats on Google Play.

The most notable events of 2024

Last May, Doctor Web’s experts informed users about the Android.Click.414.origin trojan clicker, which was found in an app used to control sex toys and in software for tracking physical activity. Both programs were distributed through Google Play and had more than 1.5 million installs combined. Android.Click.414.origin had a modular structure and used its components to execute certain tasks. For example, the trojan covertly loaded advertising websites and performed various actions on them. It could scroll webpages, enter text into forms, mute audio on webpages, and take screenshots of webpages to analyze their contents and click on desired areas. In addition, Android.Click.414.origin sent detailed information about infected devices to its C&C server. At the same time, the clicker did not specifically attack certain users, and it did not start on devices where the interface language was set to Chinese.

Some versions of the Love Spouse and QRunning programs had the Android.Click.414.origin trojan hidden in them

In September, our specialists revealed the details of their analysis regarding cases of Android TV box sets being infected with the Android.Vo1d backdoor. This modular malware affected nearly 1.3 million devices belonging to users in 197 countries. It placed its components into the system storage area and could covertly download and install third-party software when commanded by threat actors.

Countries found to have the highest number of TV boxes infected with the Android.Vo1d backdoor

Already in November, our virus analysts used Android.FakeApp.1669 as an example to show how threat actors use the DNS protocol to covertly connect malware to C&C servers. Android.FakeApp.1669 is a rather primitive trojan whose only task is to load target websites. It differs from most of the threats similar to it in that it receives the addresses of target sites from the TXT record of a malicious DNS server. For this, it uses the modified code of an open source dnsjava library. At the same time, Android.FakeApp.1669 manifests its malicious nature only when connected to the Internet through certain providers; in other cases it operates as harmless software.

An example of a target domain’s TXT record. It was sent by the DNS server upon request via the Linux ‘dig’ tool while one of the Android.FakeApp.1669 modifications was undergoing analysis

Statistics

According to detection statistics collected by Dr.Web Security Space for mobile devices, malicious programs were the threats most commonly detected in 2024.They accounted for 74.67% of all registered detections. Adware programs, with a share of 10.96%, ranked second. Riskware apps, which accounted for 10.55% of all detections, ranked third. The fourth most common threats were unwanted apps, which users encountered in 3.82% of cases.

Malicious programs

Once again the malicious Android apps most commonly encountered were ad-displaying trojans from the Android.HiddenAds family. Over the course of last year, their share of the total number of malware programs detected by the Dr.Web anti-virus increased by 0.34 pp. to 31.95% of all detections.

In this malware family, the most active member was Android.HiddenAds.3956 (15.10% of the detections for the entire family and 4.84% of all malware detected). This is one of many variants of Android.HiddenAds.1994 malware that users have been encountering for several years now. This particular version, Android.HiddenAds.3956, emerged in 2023 along with other modifications. We predicted that it could take a leading position in the family, which is what eventually happened. In 2024, its new variants also became widespread: Android.HiddenAds.3980, Android.HiddenAds.3989, Android.HiddenAds.3994, Android.HiddenAds.655.origin, Android.HiddenAds.657.origin, and some others.

At the same time, our experts also noticed activity on the part of the Android.HiddenAds.Aegis subfamily. Unlike most other Android.HiddenAds malware, members of this group have the ability to autorun and have some other features. Modifications like Android.HiddenAds.Aegis.1, Android.HiddenAds.Aegis.4.origin, Android.HiddenAds.Aegis.7.origin, and Android.HiddenAds.Aegis.1.origin were the ones most commonly detected on devices protected by Dr.Web anti-virus.

The second most widespread malicious programs were trojans from the Android.FakeApp family, which cybercriminals use in various fraudulent schemes. Last year, they accounted for 18.28% of all malware detections, which is 16.45 pp. higher than the year before. Typically, such trojans load unwanted websites designed for phishing attacks and online fraud.

Android.Spy trojans, which have spyware functionality, ranked third with a share of 11.52%; their share decreased by 16.7 pp., compared to 2023. As in the year before, the most common member of this family was Android.Spy.5106. It accounted for 5.95% of all detected malware.

In 2024, we observed a mixed trend in the distribution of malware that is designed to download and install other apps and capable of executing arbitrary code. Compared to the previous year, the share of Android.DownLoader downloader trojans decreased by 0.49 pp. to 1.69%; the share of Android.Mobifun trojans decreased by 0.15 pp. to 0.10%; and the share of Android.Xiny trojans decreased by 0.14 pp. to 0.13%. At the same time, Android.Triada and Android.RemoteCode trojans were detected more often. The number of detection cases for the former increased by 0.6 pp. to 2.74%, and for the latter by 0.95 pp. to 3.78%.

The share of Android.Packed malware protected by software packers decreased from 7.98% to 5.49%, nearly returning to the 2022 figure. The number of attacks involving Android.MobiDash adware trojans also decreased—from 10.06% to 5.38%. At the same time, the number of Android.Locker ransomware and Android.Proxy trojan detections increased slightly—from 1.15% to 1.60% and from 0.57% to 0.81%, respectively. Android.Proxy trojans allow threat actors using infected Android devices to redirect their network traffic through them. In addition, the activity of Android.Click malicious programs increased significantly, from 0.82% to 3.56%. These trojans can open advertising websites and perform clicks on webpages.

The ten most commonly detected malicious programs in 2024:

Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.HiddenAds.3956
Android.HiddenAds.3851
Android.HiddenAds.655.origin
Android.HiddenAds.3994
Android.HiddenAds.657.origin: Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Click.1751: This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in the browser.
Android.HiddenAds.Aegis.1: A trojan app that conceals its presence on Android devices and displays intrusive ads. It has a number of characteristics that differentiate it from other members of the Android.HiddenAds family. For example, this trojan can run automatically after its installation. Moreover, it implements a mechanism that allows its service to remain constantly running. And, in some cases, it can also use hidden Android operating system functions.
Android.MobiDash.7815: A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Unwanted software

The unwanted program most commonly detected in 2024 was Program.FakeMoney.11. It accounted for more than half (52.10%) of the total number of unwanted software detected on protected devices. It belongs to a class of apps that offer users a chance to make money by completing various tasks but ultimately do not provide any real rewards.

Programs that Dr.Web anti-virus detects as Program.CloudInject.1 ranked second, with a share of 19.21% (up 9.75 pp. from the previous year). Such apps are modified through the CloudInject cloud service. When modified, they have dangerous permissions and an obfuscated code added to them, and the purpose of that code cannot be controlled.

Program.FakeAntiVirus.1 program activity declined for the second year in a row. With a share of 10.07%, which is down 9.35 pp. from 2023, these programs became the third most widespread unwanted software. They imitate anti-virus software, detect nonexistent threats, and ask users to buy full versions to “fix” the issues that have allegedly been found.

Over the course of last year, users encountered a variety of programs for monitoring and controlling activity. Such software can be used to collect data, both with the consent of device owners and without their knowledge. In the latter case, these actually turn into spying tools. The following monitoring programs were most often detected on devices protected by Dr.Web anti-virus: Program.TrackView.1.origin (2.40% of cases), Program.SecretVideoRecorder.1.origin (2.03% of cases), Program.wSpy.3.origin (0.98% of cases), Program.SecretVideoRecorder.2.origin (0.90% of cases), Program.Reptilicus.8.origin (0.64% of cases), Program.wSpy.1.origin (0.39% of cases), and Program.MonitorMinor.11 (0.38% of cases).

Additionally, Program.Opensite.2.origin Android programs, with a share of 0.60% of all the unwanted software detected, were also spotted. These programs are designed to load target websites and display ads.

The ten unwanted programs most commonly detected in 2024:

Program.FakeMoney.11
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin
Program.SecretVideoRecorder.2.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.wSpy.3.origin: This is a commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.
Program.Reptilicus.8.origin: An application that allows Android device users to be monitored. It can track device location, collect information from SMS and social media messages, intercept phone calls and record the surroundings, take screenshots, act as a keylogger, copy files from a target device and perform other actions.
Program.Opensite.2.origin: The detection name for single-type Android programs whose function is to load target websites and display ads. Such apps often masquerade as other software. For instance, there exist modifications that are distributed under the guise of YouTube player. They load a genuine YouTube website and display advertisement banners, using the advertising SDKs connected to them.

Riskware

In 2024, Tool.SilentInstaller utilities, which allow Android programs to launch without being installed, retained their leading positions in terms of riskware software detection numbers. In total, they accounted for more than a third of all apps of this type identified on protected devices. Modifications like Tool.SilentInstaller.17.origin (16.17%), Tool.SilentInstaller.14.origin (9.80%), Tool.SilentInstaller.7.origin (3.25%), and Tool.SilentInstaller.6.origin (2.99%) were most often detected.

Other common riskware apps were programs modified using the NP Manager utility. This tool embeds a special module into the target software, which allows the digital signature verification process to be bypassed once the apps have been modified. Dr.Web anti-virus detects such programs as different variants of the Tool.NPMod family. Of these, Tool.NPMod.1 variants were most commonly detected. Over the course of 2024, they significantly strengthened their position, accounting for 16.49% of all riskware detections, up 11.68 pp. from 2023. At the same time, the share of programs modified using the NP Manager tool and detected with another virus record, Tool.NPMod.2, was 7.92%. As a result, members of this family were responsible for almost a quarter of potentially dangerous software detections.

Programs protected by the Tool.Packer.1.origin packer were also among the leaders. They were detected in 13.17% of cases, up 12.38 pp. from the year before. Moreover, the number of Tool.Androlua.1.origin detections increased from 3.10% to 3.93%. This is a framework that makes it possible to modify Android apps and run Lua scripts that can potentially be malicious.

At the same time, one 2023 leader, the Tool.LuckyPatcher family of utilities, was, on the contrary, less active—down from 14.02% to 8.16%. These tools allow Android programs to be modified and scripts downloaded from the Internet to be added to them. Also less frequently encountered were programs protected by the obfuscating utility Tool.Obfuscapk (down from 3.22% to 1.05%) and by the packer Tool.ApkProtector (down from 10.14% to 3.39%).

The ten most widespread riskware apps detected on protected Android devices in 2024:

Tool.NPMod.1
Tool.NPMod.2: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.SilentInstaller.17.origin
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modification and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads from the Internet specially prepared scripts, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Androlua.1.origin: The detection name for some potentially dangerous versions of a specialized framework for developing Android software in the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.
Tool.Packer.3.origin: The detection name for Android programs whose code is encoded and obfuscated by the NP Manager tool.

Adware

The most common adware in 2024 was the new Adware.ModAd family, which accounted for 47.45% of detections. The previous year’s leaders, members of the Adware.Adpush family, dropped to second place with a share of 14.76% (a 21.06 pp. decrease in the number of detections). Third place, with a share of 8.68%, was occupied by another new adware family, Adware.Basement.

Also commonly encountered were families like Adware.Airpush (their share decreased from 8.59% to 4.35%), Adware.Fictus (down from 4.41% to 3.29%), Adware.Leadbolt (down from 4.37% to 2.26%), and Adware.ShareInstall (down from 5.04% to 1.71%). Unwanted ad-displaying Adware.MagicPush programs, which ranked second in 2023, significantly curtailed their activity and did not even make it into the top 10; they moved straight to eleventh place with a share of 1.19% (a 8.39 pp. decrease).

The ten most widespread adware apps detected on protected Android devices in 2024:

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
Adware.Fictus.1
Adware.Fictus.1.origin: An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
Adware.Adpush.21846
Adware.AdPush.39.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.Youmi.4: The detection name for an unwanted adware module that adds advertizing shortcuts onto the Android OS home screen.
Adware.Inmobi.1: The detection name for some versions of the Inmobi adware SDK. These are capable of making phone calls and adding event entries into an Android device’s calendar.

Threats on Google Play

In 2024, Doctor Web’s virus analysts discovered over 200 threats with more than 26.7 million combined downloads. In addition to Android.Click.414.origin, these included many other threats, such as ad-displaying Android.HiddenAds trojans. They were distributed under the guise of all kinds of software: image-editing programs, QR code scanners, image collection apps, and even an “anti-theft” alarm for protecting smartphones from falling into the wrong hands. Such trojans conceal their icons after installation and proceed to display aggressive ads that overlap the interface of the operating system and other programs and prevent the device from being used normally.

Examples of adware trojans discovered on Google Play in 2024. Android.HiddenAds.4013 was hiding in the photo editor “Cool Fix Photo Enhancer”, Android.HiddenAds.4034 was in the “Cool Darkness Wallpaper” image-collection app, Android.HiddenAds.4025 was in the QR scanning program “QR Code Assistant”, and Android.HiddenAds.656.origin was in the “anti-theft” alarm program “Warning Sound GBD”

Our experts also discovered various trojans that threat actors were protecting with a complicated software packer.

The “Lie Detector Fun Prank” program was the Android.Packed.57156 trojan, and the “Speaker Dust and Water Cleaner” app was the Android.Packed.57159 trojan; both were protected with a software packer

Other malware we found were members of the Android.FakeApp family, which are used in various fraudulent schemes. The main task of most of these trojans is to open a target URL, while some of them, under certain conditions, can also operate as the software they are disguised as. Many of them were distributed as different apps, including financial programs, like teaching aids and reference books, profit calculators, apps for accessing trading, and instruments for home bookkeeping. Others were disguised as notepads and diaries, software for participating in quiz games, surveys, etc. They also loaded fraudulent investment sites.

Examples of Android.FakeApp trojans that opened links to fraudulent websites: Android.FakeApp.1681 (disguised as the “SenseStrategy” app), Android.FakeApp.1708 (disguised as the “QuntFinanzas” app)

Some Android.FakeApp fake programs were distributed as a variety of games. Many of them could actually provide the declared functionality, but their main task was to load online casino and bookmaker sites.

Examples of Android.FakeApp trojans that were disguised as games and loaded bookmaker and online casino websites: Android.FakeApp.1622 (“3D Card Merge Game”) and Android.FakeApp.1630 (“Crazy Lucky Candy”)

Some trojans from this family were once again camouflaged as job-search programs. Such scam apps load fake vacancy listings and offer users the opportunity to create a resume by providing personal information. In other cases, the trojans can ask potential victims to contact “the employer” via a messenger. In reality, they will actually be writing to the scammers, who will try to lure them into one or another fraudulent scheme.

Examples of the Android.FakeApp trojans that scammers passed off as job-search apps: Android.FakeApp.1627 (the “Aimer” app) and Android.FakeApp.1703 (the “FreeEarn” app)

In addition, more trojans that subscribe users to paid services were uncovered on Google Play. One of them was Android.Subscription.22, which was being distributed as the “InstaPhoto Editor” photo-editing program.

The Android.Subscription.22 trojan is designed to subscribe users to paid services

Other such trojans were members of the related Android.Joker and Android.Harly families, which have a modular architecture. The former can download additional components from the Internet, while the latter are distinguished by the fact that they typically store the modules they need in encrypted form in their file resources.

Examples of apps that subscribed victims to paid services. The Android.Joker.2280 was hiding in the horoscope program “My Horoscope”, and the Android.Harly.87 was hiding in the game “BlockBuster”

In addition to malware, Doctor Web’s specialists discovered new unwanted software on Google Play, which included different modifications of Program.FakeMoney.11 and Program.FakeMoney.14. These belong to a family of programs that offer users virtual rewards for completing various tasks (often this involves watching ads). The rewards can allegedly be converted into real money or prizes, but to withdraw their “earned” reward, users must collect a certain sum. However, even if they succeed in doing so, they will not get any real payments.

One of the Program.FakeMoney.11 variants was distributed as the game “Copper Boom”, and Program.FakeMoney.14 was disguised as the game “Merge Party”

In addition, throughout the year, our malware analysts discovered new adware programs. Among them were apps and games with the built-in adware module Adware.StrawAd, which is capable of displaying ads from various advertising service providers.

Examples of games containing the adware module Adware.StrawAd: “Crazy Sandwich Runner” (Adware.StrawAd.1), “Poppy Punch Playtime” (Adware.StrawAd.3), “Finger Heart Matching” (Adware.StrawAd.6), and “Toimon Battle Playground” (Adware.StrawAd.9)

Adware.Basement adware programs were also distributed via Google Play. Ads from these often lead to malicious and fraudulent websites. It is noteworthy that this family shares a code base with the unwanted Program.FakeMoney.11 apps.

Examples of Adware.Basement unwanted adware programs: “Lie Detector: Lie Prank Test”, “TapAlarm:Don't touch my phone”, and “Magic Voice Changer” are examples for Adware.Basement.1; and “Auto Clicker:Tap Auto” for Adware.Basement.2

Banking trojans

According to detection statistics provided by Dr.Web Security Space for mobile devices, in 2024, banking trojans represented 6.29% of the total number of registered malicious apps, which is up 2.71 pp. from the previous year. Starting in January, their activity steadily declined, but from mid-spring onwards, the number of attacks started to increase again. Their activity remained virtually unchanged during the third quarter, after which they continued to be more active, reaching an annual maximum in November.

In 2024, well-known banking trojan families became widespread again. Among them were the malicious programs Coper, Hydra (Android.BankBot.1048.origin, Android.BankBot.563.origin), Ermac (Android.BankBot.1015.origin, Android.BankBot.15017), Alien (Android.BankBot.745.origin, Android.BankBot.1078.origin), Anubis (Android.BankBot.670.origin). In addition, attacks using the following were observed: Cerberus (Android.BankBot.11404), GodFather (Android.BankBot.GodFather.3, Android.BankBot.GodFather.14.origin), and Zanubis (Android.BankBot.Zanubis.7.origin).

Over the course of 2024, malicious actors actively distributed Android.SpyMax spyware trojans, which have rich malicious functionality. They are also widely used as banking trojans. This family originally included the multifunctional RAT trojan SpyNote (RAT — Remote Administration Trojan or Remote Access Trojan). However, after its source code was leaked, many new modifications based on this code started to emerge, including CraxsRAT and G700 RAT. Dr.Web Security Space detection statistics show that members of this family became more active in the second half of 2023; since then, almost every month they have been detected in increasing numbers, and this trend continues.

Android.SpyMax trojans target users all over the world. Last year, they were also found to be involved in numerous attacks on Russian users, as 46.23% of the detections of this family were registered on devices belonging to this particular audience. These trojans were also most actively distributed among Brazilian (35.46% of detections) and Turkish (5.80% of detections) Android device owners.

It is noteworthy that these malicious programs are mainly distributed in Russia not via spam or classic phishing, but during one stage of telephone fraud. At the beginning of their call, threat actors traditionally try to convince their victims that they are employees of a bank or a law enforcement agency. They inform them about a problem that has allegedly occurred, e.g., an attempt to steal money from the victim’s bank account or an unplanned loan; or, on the contrary, they report “good news” about free money that is supposedly due their victims from the government. When the scammers realize that a user has believed them, they encourage their victim to install an “anti-virus update”, a “banking program”, or some other similar app—for example, to “ensure a secure transaction”. Such a program will, in fact, contain an Android.SpyMax trojan.

In 2024, Russian users also encountered the Falcon banking trojan family (Android.BankBot.988.origin, Android.Banker.5703) and the Mamont family (Android.Banker.637.origin, Android.Banker.712.origin). In addition, attacks involving the banking trojans Android.Banker.791.origin and Android.Banker.829.origin were observed. These targeted Android device owners from Russia and Uzbekistan. Other attacks were perpetrated by Android.Banker.802.origin and affected Russian, Azerbaijani, and Uzbekistani users. Android.Banker.757.origin targeted users from Russia, Uzbekistan, Tajikistan, and Kazakhstan.

Our experts once again detected attacks coming from the MoqHao trojans (Android.Banker.367.origin, Android.Banker.430.origin, Android.Banker.470.origin, Android.Banker.593.origin) that were aimed at users from many countries, including Southeast Asian and Asia-Pacific countries. The same audience was also targeted by other trojans. For example, South Korean Android device owners encountered families like Fakecalls (Android.BankBot.919.origin, Android.BankBot.14423, Android.Banker.5297), IOBot (Android.BankBot.IOBot.1.origin), and Wroba (Android.Banker.360.origin). Other Wroba modifications (Android.BankBot.907.origin, Android.BankBot.1128.origin) attacked users from Japan.

Banking trojans that threatened Chinese users included, for instance, the Android.Banker.480.origin trojan, and Vietnamese users were attacked by Android.BankBot.1111.origin. At the same time, cybercriminals used trojans like TgToxic (Android.BankBot.TgToxic.1) to attack bank customers from Indonesia, Thailand, and Taiwan, and the GoldDigger trojan (Android.BankBot.GoldDigger.3) was used to target users from Thailand and Vietnam.

Attacks on Iranian users were again recorded. These users encountered such banking trojans as Android.Banker.709.origin, Android.Banker.5292, Android.Banker.777.origin, Android.BankBot.1106.origin, and some others. And banking trojans that attacked Turkish bank customers included representatives of the Tambir family (Android.BankBot.1104.origin, Android.BankBot.1099.origin, Android.BankBot.1117.origin), along with some others.

Banking trojans like Android.Banker.797.origin, Android.Banker.817.origin and Android.Banker.5435 targeted Indian users. These trojans were camouflaged as software that was allegedly related to the credit institutions Airtel Payments Bank, PM KISAN, and IndusInd Bank. In addition, Rewardsteal banking trojans (Android.Banker.719.origin, Android.Banker.5147, Android.Banker.5443) remained active. These primarily targeted Indian customers of banks like Axis bank, HDFC Bank, SBI, ICICI Bank, RBL bank, and Citi bank.

In Latin American counties, PixPirate (Android.BankBot.1026.origin) trojan activity was observed; these trojans target Brazilian bank customers.

Among the trojans targeting European users were Anatsa (Android.BankBot.Anatsa.1.origin) and Copybara (Android.BankBot.15140 and Android.BankBot.1100.origin). The latter mainly targets users from Italy, the United Kingdom, and Spain.

During 2024, Doctor Web’s virus analysts observed an increase in the popularity of certain methods of protecting Android malware (primarily banking trojans) from analysis and detection. In particular, attackers performed various manipulations with the ZIP format on which Android APK files are based. As a result, many instruments of static analysis that use standard algorithms to work with ZIP archives are unable to correctly process such “damaged” files. At the same time, the Android OS accepts such modified trojans as normal programs, allowing them to be installed and run.

One common technique is to manipulate the fields compression method and compressed size in the local file header inside the APK. Threat actors intentionally specify the wrong values for the fields compressed size and uncompressed size or write an incorrect or nonexistent compression method in the compression method field. Another option is to specify a method that does not involve compression for the archive. The header fields compressed size and uncompressed size will not match, although they should.

Another popular technique is to use incorrect information about the disk in the ECDR (End of Central Directory Record) and in the CD (Central Directory that contains data about files and archive parameters). Both these parameters should match for a single archive. However, cybercriminals can specify different values for these as if it were not a single archive, but a multi-archive.

Also widespread was a technique whereby a flag was set in the local file headers of some files in the archive, indicating that these files are encrypted. In reality they are not encrypted but due to this, such an archive will be parsed incorrectly.

Along with manipulating the structure of APK files, malware creators also used other practices, such as modifying the AndroidManifest.xml configuration file of Android apps. In particular, they added garbage bytes b'\x00' to this file’s attribute structure, causing it to be read incorrectly.

Prospects and trends

The past year has shown that cybercriminals are still actively enriching themselves at the expense of Android device owners. Their main tools remain ad-displaying and banking trojans, malicious programs with spyware capabilities, and fraudulent software. In this regard, we should expect the emergence of new threats of this type in 2025.

Despite the steps taken to improve the security of Google Play, this app catalog still remains an Android threat distribution source. Therefore, new malicious and unwanted apps emerging in it should not be ruled out.

Another case of Android TV box sets being infected was detected last year, indicating that malware creators use different attack vectors. It is quite possible that threat actors will not only turn their attention to such devices again, but will also continue to look for other potential targets among the variety of Android gadgets.

It is possible that malware developers will continue to actively introduce new techniques that allow their malicious programs to bypass analysis and detection.

Doctor Web’s specialists continue to both monitor the evolution of mobile cyber threats and ensure that our users are protected. To improve your mobile device security, install Dr.Web Security Space, which helps in the fight against malicious, unwanted, and other dangerous programs; fraudsters; and other threats.

Indicators of compromise

Doctor Web’s Q4 2024 review of virus activity on mobile devices

Thu, 26 Dec 2024 10:00:00 GMT

December 26, 2024

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.HiddenAds ad-displaying trojans were the malware programs most frequently detected in the fourth quarter of 2024 (Q4). The second most common threats were Android.FakeApp trojans, which are used in fraudulent schemes. Trojans from the Android.Siggen family, capable of executing various malicious tasks, ranked third.

Over the course of Q4, Doctor Web’s malware analysts discovered many threats on Google Play. Among them were numerous Android.FakeApp trojans and malware from the Android.Subscription and Android.Joker families, which subscribe users to paid services. More Android.HiddenAds adware trojans were also detected. In addition, threat actors distributed malicious apps protected with a sophisticated software packer.

PRINCIPAL TRENDS OF Q4 2024

High activity on the part of Android.HiddenAds adware trojans and Android.FakeApp fraudulent apps
The distribution of many malicious programs through the Google Play catalog

According to statistics collected by Dr.Web Security Space for mobile devices

Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.HiddenAds.655.origin
Android.HiddenAds.657.origin: Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Packed.57083: The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
Android.Click.1751: This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in the browser.

Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.SilentInstaller.14.origin: A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
Tool.Androlua.1.origin: The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
Adware.Fictus.1.origin: An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
Adware.AdPush.3.origin
Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

Threats on Google Play

In Q4 2024, Doctor Web’s malware analysts discovered over 60 malicious apps on Google Play, most of which were trojans from the Android.FakeApp family. Some of them were distributed as financial programs, teaching aids, reference books, and other software, including diaries, notepads, and so on. Their primary task was to load fraudulent websites.

The “QuntFinanzas” and “Trading News” apps, which, among other numerous Android.FakeApp trojans, loaded fraudulent sites

Malicious actors disguised other Android.FakeApp trojans as games. These could load online casino and bookmaker websites.

“Bowl Water” and “Playful Petal Pursuit” are examples of games with trojan functionality

Our experts also uncovered new variants of the Android.FakeApp.1669 trojan that was hiding behind the mask of various programs and could also load online casino websites. Android.FakeApp.1669 is interesting in that it gets the target website URL from the malicious DNS server’s TXT file. At the same time, it only manifests itself when connected to the Internet through certain providers.

Examples of new Android.FakeApp.1669 trojan modifications. The “WordCount” app was disguised as a text tool, and the “Split it: Checks and Tips” app was supposed to help café- and restaurant-goers pay their bills and calculate tips.

Several new members of the Android.HiddenAds adware trojan family were among the threats detected on Google Play. They conceal their presence on infected devices.

This “Cool Fix Photo Enhancer” photo-editing software was hiding the Android.HiddenAds.4013 ad-displaying trojan

Moreover, trojans protected with a sophisticated software packer were also discovered: Android.Packed.57156, Android.Packed.57157, and Android.Packed.57159, for example.

The “Lie Detector Fun Prank” and “Speaker Dust and Water Cleaner” programs are trojans protected with a software packer

Our specialists also detected Android.Subscription.22, malware designed to subscribe users to paid services.

Instead of editing photos, the “InstaPhoto Editor” program subscribed users to a paid service

At the same time, cybercriminals again distributed trojans from the Android.Joker family, which also subscribed victims to paid services.

The SMS messenger “Smart Messages” and the third-party keyboard “Cool Keyboard” tried to covertly subscribe victims to a paid service

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Malicious apps on Google Play: how threat actors use the DNS protocol to covertly connect trojans to C&C servers

Mon, 11 Nov 2024 13:44:17 GMT

November 11, 2024

Many Android.FakeApp trojans are tasked with opening links to various sites, and from a technical point of view, such malware programs are quite primitive. When launched, they receive a command to load a specific web address. As a result, the users who have installed them see the contents of some unwanted site on their screens instead of the program or game they are expecting. However, sometimes notable samples can emerge among such fake applications: Android.FakeApp.1669, for example. It differs from most of the threats that are similar to it in that it uses a modified dnsjava library to get the configuration from a malicious DNS server that contains the target link. At the same time, such a configuration is sent to the trojan only when it is connected to the Internet via certain service providers—mobile Internet providers, for example. In other cases, the trojan does not manifest itself in any way.

Android.FakeApp.1669 is represented by a large number of modifications that are disguised as various programs on distribution sources that include Google Play. For instance, the currently known trojan variants have been downloaded from the official Android OS digital store at least 2,160,000 times.

Examples of the programs in which Android.FakeApp.1669 was hidden

Below is the list of the Android.FakeApp.1669 variants that Doctor Web’s malware analysts discovered on Google Play. Our experts detected more trojans, but some of them are no longer in this app store.

App name	Number of downloads
Split it: Checks and Tips	1,000,000+
FlashPage parser	500,000+
BeYummy - your cookbook	100,000+
Memogen	100,000+
Display Moving Message	100,000+
WordCount	100,000+
Goal Achievement Planner	100,000+
DualText Compare	100,000+
Travel Memo	100,000+ (is deleted)
DessertDreams Recipes	50,000+
Score Time	10,000+

When launched, Android.FakeApp.1669 sends a DNS request to its C&C server to receive the TXT record associated with the name of a target domain. In turn, the server gives this record to the trojan only if the infected device is connected to the Internet via target providers, which include mobile Internet providers. Such TXT records usually contain domain data and some additional technical information, but in the case of Android.FakeApp.1669, the malware’s configuration is encoded into it.

Android.FakeApp.1669 uses modified code of the dnsjava Open Source library to send DNS requests.

All trojan modifications are tied to specific domain names, which allows the DNS server to send each of them their own configuration. Moreover, the sub-domain names of these target domains are unique to each infected device. They contain encoded data about the device, including sensitive information:

device model and brand;
screen size;
ID (it consists of two numbers: the first is the malware’s installation time, and the second is a random number);
whether the device’s battery is charging and its current charge percentage;
whether the developer settings are enabled.

For example, when analyzed, the Android.FakeApp.1669 variant hidden in the Goal Achievement Planner program requested the server to send it the TXT record for the domain 3gEBkayjVYcMiztlrcJXHFSABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]simpalm[.]com.; the variant from the Split it: Checks and Tips program requested the record for the domain 3gEBkayjVYcMiztlrcJXHFTABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]revolt[.]digital., and the variant from the DessertDreams Recipes app requested the record for the domain 3gEBkayjVYcMiztlrcJXHFWABDgJaFNNLVM3MjFCL0RTU2Ftc3VuZyAg[.]outorigin[.]com..

An example of a target domain’s TXT record, which was sent by the DNS server upon request via the Linux ‘dig’ tool when one of the Android.FakeApp.1669 modifications was undergoing analysis

The contents of these TXT records can be decrypted by doing the following:

reversing the string;
decoding the Base64 data;
decompressing the gzip data;
splitting it into lines by the character ÷.

The resulting data will look like this (the example below relates to the TXT record for the Goal Achievement Planner app):

url
hxxps[:]//goalachievplan[.]pro
af_id
DF3DgrCPUNxkkx7eiStQ6E
os_id
f109ec36-c6a8-481c-a8ff-3ac6b6131954

This data contains the link that the trojan loads in WebView inside its window over its main interface. This link leads to the website that starts a long chain of redirects, at the end of which is an online casino site. As a result, Android.FakeApp.1669 literally transforms into a web application that displays the contents of the loaded website and not the functionality declared on the app’s page on Google Play.

Instead of providing the expected functionality, the malicious program displayed the contents of a loaded online casino website

At the same time, when the trojan has Internet access via non-targeted service providers (and also when offline), it operates as the advertized program—on condition that the creators of a particular malware modification provided some functionality for such a case.

The trojan did not receive a configuration from the C&C server and launched as a normal app

Dr.Web Security Space for mobile devices successfully detects and deletes all known Android.FakeApp.1669 modifications, so this trojan does not pose a threat to our users.

Indicators of compromise

More details on Android.FakeApp.1669

Doctor Web’s Q3 2024 review of virus activity on mobile devices

Tue, 01 Oct 2024 03:00:00 GMT

October 1, 2024

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.FakeApp trojan apps, used by threat actors in various fraudulent schemes, were the malicious programs most frequently detected on protected devices in the third quarter of 2024. Adware trojans from the Android.HiddenAds family ranked second. The third most commonly detected threats were Android.Siggen trojans—programs that have different malicious functionality and that are difficult to classify into any particular family.

In August, Doctor Web’s experts discovered the Android.Vo1d backdoor, which had infected nearly 1.3 million Android TV box sets belonging to users in 197 countries. This malicious app places its components into the system storage area of infected devices and, when commanded by threat actors, can covertly download and install various programs.

In addition, banking trojans targeting Indonesian users were found. One of these, Android.SmsSpy.888.origin, is protected with a software packer and detected as Android.Siggen.Susp.9415. It was distributed under the guise of the BRI bank customer support app BRImo Support.

When launched, the trojan loads the real bank website https://bri.co.id in WebView. At the same time, it uses a Telegram bot API to send technical information about the infected device into the Telegram chat created by the threat actors.

Android.SmsSpy.888.origin intercepts incoming SMS and also sends them into this chat. When it receives messages like 55555, <number>, <text>, it interprets them as commands and sends corresponding messages containing the text <text> to the number <number>. This way, the malware can both send SMS spam and spread among users.

Another trojan that attacked Indonesian users was Android.SmsSpy.11629. This malicious program is an SMS spy that is distributed under the guise of all kinds of apps. The variant in question was targeting Bank Mandiri Taspen customers and was passed off by the attackers as an official banking app—Movin by Bank Mandiri Taspen. The trojan displays instructions to potential victims and asks them to accept a user agreement. When a user accepts it, the trojan requests the permissions needed to work with SMS.

Next, the malicious program loads a real page of the bank’s website https://mail.bankmantap.co.id/: in WebView:

Android.SmsSpy.11629 intercepts all incoming SMS. Next, it uses the Telegram bot API to send these messages into the attackers’ Telegram chat. It adds the text developed by : @AbyssalArmy to all of the messages.

At the same time, our malware analysts again discovered threats on Google Play. Among them were many new fake apps and several ad-displaying trojans.

PRINCIPAL TRENDS OF Q3 2024

The Android.Vo1d backdoor infected over a million TV box sets
High activity on the part of Android.FakeApp malicious apps, which are used to commit fraud
High activity on the part of Android.HiddenAds adware trojans
The emergence of new malware on Google Play

According to statistics collected by Dr.Web Security Space for mobile devices

Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.HiddenAds.3994: A trojan app designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.MobiDash.7815
Android.MobiDash.7813: Trojans that display obnoxious ads. These are special software modules that developers incorporate into applications.
Android.Click.1751: This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers. It receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in their browser.

Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.

Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
Tool.SilentInstaller.17.origin: A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of this platform, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.NPMod.1
Tool.NPMod.2: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
Adware.Fictus.1.origin: An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
Adware.Adpush.21846
Adware.AdPush.39.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

Threats on Google Play

In Q3 2024, Doctor Web’s malware analysts continued uncovering threats on Google Play. Among these were many new Android.FakeApp fake programs that were distributed under the guise of a variety of software. Malicious actors passed some of them off as finance-related programs, such as investing apps, financial reference books and teaching aids, different home bookkeeping tools, and so on. Quite a few of these did actually provide the stated functionality, but their primary task is to load fraudulent websites. Such sites promise potential victims quick and easy money through investments, trading natural resources, cryptocurrency, etc. To supposedly join the “service”, users are asked to register an account or to provide personal data by filling out an “application”.

It is noteworthy that fraudsters disguised one of the Android.FakeApp trojans as an online dating and chat app. However, it also loaded a bogus “investing” site.

Other Android.FakeApp trojans were again distributed as games. Under certain conditions, they loaded online casino and bookmaker sites.

Among these fake apps, our experts also detected new trojan variants that masquerade as job-search tools. Such malware loads fake job lists and suggests to users that they contact the applicable employer via a messenger (this “employer” is, in fact, a fraudster) or that they create a “resume” by providing personal data.

Doctor Web’s virus analysts also discovered more Android.HiddenAds trojans on Google Play. These trojans conceal their icons from the home screen menu and start displaying intrusive ads. The detected malware was camouflaged as various apps, including image collections, photo-editing software, and barcode scanners.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Doctor Web’s Q2 2024 review of virus activity on mobile devices

Mon, 01 Jul 2024 04:00:00 GMT

July 1, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, in the second quarter of 2024, Android.HiddenAds adware-displaying trojans were most commonly detected on protected devices. The second most common malicious programs were trojans from the Android.FakeApp family. Cybercriminals use these to execute various fraudulent schemes. The most frequently detected representative of this family was Android.FakeApp.1600, a trojan that our experts discovered in late May. It is distributed via malicious sites from which it is downloaded as a gaming app. However, when launched, this fake app loads the website specified in its settings. Known modifications of the program load an online casino site. Its visitors are offered the chance to play a “wheel of fortune” type of game, but when they try to do so, they are redirected to a registration page. The high detection rates of this malicious program can be explained by the fact that the people behind it are promoting it via in-app ads in other software, for example. When users tap on such an ad, they end up on a corresponding malicious website from which the trojan is downloaded. The third most widespread malicious programs were Android.Spy trojans, which possess spyware functionality.

At the same time, Doctor Web’s virus laboratory uncovered more threats on Google Play. Among them were various fake apps from the Android.FakeApp family and the unwanted Program.FakeMoney.11 app, which supposedly allows virtual rewards to be converted into real money that can then be withdrawn. Moreover, threat actors again used Google Play to distribute a trojan that subscribes victims to paid services.

PRINCIPAL TRENDS OF Q2 2024

Android.HiddenAds ad-displaying trojans remain the most active Android threats
The emergence of more threats on Google Play

According to statistics collected by Dr.Web for Android

Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.HiddenAds.3956
Android.HiddenAds.3980
Android.HiddenAds.3989: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.

Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.SilentInstaller.17.origin
Tool.SilentInstaller.14.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
Tool.NPMod.1
Tool.NPMod.2: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) during the messenger’s operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.AdPush.39.origin
Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In Q2 2024, Doctor Web’s virus laboratory discovered more Android.FakeApp trojans on Google Play. Some of them were being distributed under the guise of finance-themed software and apps for participating in surveys and quizzes:

They could load fraudulent sites on which potential victims, supposedly on behalf of famous credit organizations, as well as oil and gas companies, were offered the chance of getting a finance education or becoming investors. To access one or another “service”, users had to answer several questions and then provide personal data.

Other Android.FakeApp trojans were hiding in different games. Under certain conditions, instead of the declared functionality, they would load bookmaker and online casino websites.

Another trojan from this family, Android.FakeApp.1607, was disguised as an image collection app. It did provide the claimed functionality but could also load online casino websites instead.

Threat actors passed off several Android.FakeApp members as job-search programs:

These trojans (Android.FakeApp.1605 and Android.FakeApp.1606) load fake vacancy lists where users are asked to contact “employers” via messengers (Telegram, for example) or to send out a “resume” by providing personal data. After attracting their potential victims’ attention, fraudsters can lure them to various dubious money-making schemes in an attempt to steal their money.

Our specialists also discovered another unwanted program from the Program.FakeMoney family. Such apps offer users various tasks to complete in order to receive virtual rewards. These rewards supposedly could then be withdrawn as real money. In fact, these programs mislead Android device owners as no real payouts are made. The purpose of such software is to encourage users to keep using it as long as possible so that the displayed ads bring a profit to the developers.

One identified app (Program.FakeMoney.11) is a variation of the win-win “one-arm bandit” game. When users play it and also watch the in-app ads, they receive virtual rewards. When they try to withdraw their “earned” money, the program delays this process, putting more and more conditions on it. If users eventually “successfully” submit a withdrawal request, they will end up in some “under consideration” queue of up to several thousand other “applicants”.

In addition, another trojan from the Android.Harly family (Android.Harly.87) was distributed via Google Play. Malicious programs of this family subscribe victims to paid services.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Smart-sex-toy users targeted by clicker trojan

Sat, 04 May 2024 04:00:00 GMT

4 may 2024

Virus analysts at Doctor Web uncovered an Android application containing a clicker trojan that silently opens advertising sites and clicks on webpages. Such trojans can be used to stealthily display ads, generate click fraud, sign up unsuspecting victims for paid subscriptions or launch DDoS attacks.

Origins Tracing™ technology, which detects threats based on behavioral analysis, has been used in the Dr.Web for Android antivirus for more than a decade. It was this component that prevented the infection of one of our user’s devices by detecting the presence of suspicious components in a Love Spouse app downloaded from the Google Play store. The application is used to control adult toys. It contained the Android.Click.414.origin clicker trojan disguised as the com.android.logcatch library, a standard debugging component. In addition to the Love Spouse app, the same trojan has been detected in the QRunning physical activity tracking app. Both apps were developed by Chinese companies. The apps are quite popular, having been installed on over 1.5 million devices. Apparently, the malicious code was embedded recently, in the last few versions of the apps. It should be mentioned that the Love Spouse developer has since updated that application, and as of version 1.8.8, it no longer contains the trojan. However, no corrective updates have been released yet for QRunning.

Screenshots of Love Spouse and QRunning apps

This malware is a modification of the Android.Click.410.origin trojan that popped up on our radar last April. At that time, the virus lab received a ticket from our user whose antivirus had detected a new file on the system partition of their V88mini TV box. It was the downloader for Android.Click.410.origin. There is no reliable information on how exactly the infection occurred. However, we should note that the operating system installed on this device was not what it claimed to be. The product card claimed that the TV box was based on Android 12, and the system information page showed the same. However, the Build ID value, which is a unique identifier of the OS build, corresponds to Android 7. Unfortunately, this situation is quite typical for low-end TV boxes. And as if to prove this point, a similar ticket soon came in from another user. The same Android.Click.410.origin trojan and the same OS spoofing tactics were observed on a X96Q TV box. Only in this case the trojan was embedded in the Desk Clock application.

Probable culprits. For more information on just how big of a threat these devices can be, see our news story on Pandora trojans

Detailed analysis revealed that the trojan has a modular design. One of the modules is used to gather information about the device, while the other two modules stealthily download webpages, display advertisements and perform clicks. The trojan can also detect that its host application is running in a controlled environment. If it detects signs of emulation, it tells its control server not to send advertising tasks. It is also worth noting that the trojan is selective and will not even run on devices where the interface language is set to Chinese.

If successfully launched, the trojan sends fairly detailed device information (brand, model, OS version, IP address, region selected in the settings, carrier code, and others) to its control server and then activates one of its two built-in strategies. As part of these tasks, the trojan secretly loads websites using the WebView component included in the Android operating system. This component allows webpages to be loaded without launching a browser. The trojan can scroll webpages, enter text into forms, and mute audio if the websites it opens play audio or video. To perform these actions, the trojan executes JavaScript code received from its C2 server in the WebView where the target ad page is loaded. In addition, the trojan can take screenshots of the loaded page and send them to the server, analyze them pixel by pixel, and determine clickable areas. For some tasks, the trojan uses Bing, Yahoo, and Google search engines to provide advertising links based on keywords.

Initially, this malware was detected in apps available on unofficial Android app sites, but in February 2024, this trojan infiltrated the official Google Play app store. The Love Spouse app was most likely compromised sometime after the release of version 1.8.1, which did not yet contain the trojan.

The seller is surprised by the feedback from one of our users that there is a trojan in the Love Spouse app and recommends using “a reputable antivirus instead”.

Doctor Web reminds users to be careful when installing software on their devices. Dr.Web Security Space for Android detects and neutralizes Android.Click trojans, protecting our users' devices from malware.

Indicators of compromise

Doctor Web’s February 2024 review of virus activity on mobile devices

Mon, 01 Apr 2024 05:00:00 GMT

April 1, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, February 2024 saw a significant increase in Android.HiddenAds trojan family activity―it was up 73.26% from January. At the same time, users were 58.85% less likely to encounter the adware trojan family Android.MobiDash.

The activity of banking trojans from various families decreased by 18.77%, while Android.Spy spyware trojan activity decreased by 27.33%. In contrast, the number of Android.Locker ransomware trojan detections increased by 29.85%.

PRINCIPAL TRENDS IN FEBRUARY

A significant increase in activity on the part of advertising tojan programs from the Android.HiddenAds family
Fewer attacks carried out by banking trojans and malicious spyware
An increase in the number of malicious ransomware programs detected on protected devices

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3956
Android.HiddenAds.3851: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.HiddenAds.Aegis.1
Android.HiddenAds.Aegis.4.origin: These are the trojan apps that conceal their presence on Android devices and display intrusive ads. They have a number of characteristics that differentiate them from other members of the Android.HiddenAds family. For example, these trojans can run automatically after they are installed. Moreover, they implement a mechanism that allows their services to remain constantly running. And, in some cases, they can also use hidden Android operating system functions.

Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) during the messenger’s operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Adpush.21846
Adware.AdPush.39.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Doctor Web’s January 2024 review of virus activity on mobile devices

Fri, 29 Mar 2024 03:00:00 GMT

March 29, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%.

The number of attacks carried out by various banking trojan families increased by 17.04%, Android.Spy spyware trojan attacks increased by 11.16%, and Android.Locker ransomware attacks increased by an insignificant 0.92%.

At the same time, our specialists uncovered more threats on Google Play, including a new family of unwanted adware modules dubbed Adware.StrawAd and new trojans from the Android.FakeApp family. Malicious actors use the latter to execute various fraudulent schemes.

PRINCIPAL TRENDS IN JANUARY

Adware trojans from the Android.HiddenAds family maintained their lead in terms of the number of times they were detected on protected devices
Many Android malware families became more active
More threats were discovered on Google Play

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3851
Android.HiddenAds.3831: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106
Android.Spy.4498: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.MobiDash.7805: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.

Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

Adware.StrawAd.1: The detection name for Android programs containing the built-in Adware.StrawAd.1.origin unwanted adware module. This module displays ads from various advertising service providers when Android device screens are unlocked.
Adware.AdPush.39.origin
Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.

Threats on Google Play

At the beginning of January 2024, Doctor Web’s virus laboratory tracked down a number of games on Google Play containing the built-in Adware.StrawAd.1.origin unwanted adware platform:

Crazy Sandwich Runner
Purple Shaker Master
Poppy Punch Playtime, Meme Cat Killer
Toiletmon Camera Playtime
Finger Heart Matching
Toilet Monster Defense
Toilet Camera Battle
Toimon Battle Playground

This platform is a specialized encrypted software module that is stored in the resource directory of the host applications. When an Android device’s screen is unlocked, it can display ads coming from a variety of advertising service providers. Dr.Web anti-virus detects apps containing Adware.StrawAd.1.origin as members of the Adware.StrawAd family.

During January, our specialists also discovered a number of malicious fake programs from the Android.FakeApp family. For example, the Android.FakeApp.1579 trojan was concealed in the Pleasant Collection app, which masqueraded as a program that lets users read comics.

However, its only task was to load fraudulent websites, which could include sites through which users could allegedly access certain games, including adult ones. Below is an example of one such site.

In this case, before “starting” the game, the potential victim is asked to answer several questions and then provide their personal data, followed by their bank card data―supposedly to verify the user’s age.

Some of the malicious Android.FakeApp programs discovered were again disguised as games. They were added to the Dr.Web virus database as Android.FakeApp.1573, Android.FakeApp.1574, Android.FakeApp.1575, Android.FakeApp.1577, and Android.FakeApp.32.origin.

Under certain conditions, such fakes could load online casino and bookmaker websites. Examples of how they operate as games:

An example of one of the websites they loaded:

Loading online casino and bookmaker websites was also the task assigned to few other trojans. For instance, Android.FakeApp.1576 malware was concealed in the Contour Casino Glam makeup teaching app and in Fortune Meme Studio―a meme-creation tool. And the Android.FakeApp.1578 trojan was in the Lucky Flash Casino Light flashlight program.

Once installed, they operated as harmless apps, but after a while they could start loading target websites.

In addition, malicious actors distributed different variants of the Android.FakeApp.1564 and Android.FakeApp.1580 trojans, disguising them as financial apps, reference books and teaching aids, programs for participating in surveys, and other software.

These fake apps loaded bogus financial websites where potential victims were offered various services allegedly on behalf of well-known companies. For example, users “could” become investors or improve their financial literacy. To “access” one or another service, users had to take a survey and register an account by providing their personal data.

Examples of websites loaded:

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Doctor Web’s December 2023 review of virus activity on mobile devices

Tue, 30 Jan 2024 03:00:00 GMT

January 30, 2023

According to detection statistics collected by the Dr.Web for Android anti-virus, in December 2023, adware trojans from the Android.HiddenAds family were again the most active malicious programs. However, users encountered them 53.89% less often, compared to the previous month. In addition, the number of banking malware and spyware trojan attacks also decreased—by 0.88% and 10.83%, respectively.

Over the course of the final month of 2023, Doctor Web’s virus analysts discovered other malicious fake apps from the Android.FakeApp family on Google Pay. These were used in a variety of fraudulent schemes. Moreover, our specialists found more websites through which malicious actors were distributing fake crypto-wallet software.

PRINCIPAL TRENDS IN DECEMBER

Adware trojans from the Android.HiddenAds family were detected most often on protected devices
The activity of banking trojans and malicious spyware apps decreased
New malicious programs were discovered on Google Play
Our analysts identified more websites distributing fake crypto-wallet software for devices running the Android and iOS operating systems

According to statistics collected by Dr.Web for Android

Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.HiddenAds.3831
Android.HiddenAds.3851: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.MobiDash.7805: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.Click.1751: This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers. It receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box with the contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in their browser.

Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps. It allows them to bypass digital signature verification once they have been modified.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.ApkProtector.16.origin: The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.

Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.Adpush.21846
Adware.AdPush.39.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Adware.Fictus.1.origin: An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.

Threats on Google Play

In December 2023, Doctor Web’s specialists discovered new trojan apps from the Android.FakeApp family on Google Play. For example, malicious actors disguised Android.FakeApp.1564 as a debt-tracking program. The Android.FakeApp.1563 trojan was hiding in survey software. And cybercriminals passed the Android.FakeApp.1569 trojan off as an instrument that could help users increase their productivity and develop good habits.

All these fake apps loaded fraudulent finance-related websites that copied the design of the genuine websites of banks, news agencies, and other well-known organizations. In addition, the corresponding companies’ names and logos were used in their design to further mislead potential victims. On such fraudulent websites, users were offered the chance to become investors, take financial literacy training, receive financial support, etc. At the same time, they were asked to provide personal data―allegedly to register an account and get access to the corresponding services.

Examples of websites loaded by these trojans:

Other trojans, like Android.FakeApp.1566, Android.FakeApp.1567, and Android.FakeApp.1568, were distributed as games:

Instead of launching the actual games, they could load bookmaker and online casino websites, as shown in the example below.

One of these trojans operating in gaming mode:

One of the websites it loaded:

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Doctor Web’s November 2023 review of virus activity on mobile devices

Thu, 21 Dec 2023 13:06:22 GMT

December 21, 2023

According to the detection statistics collected by Dr.Web for Android, in November 2023, users were less likely to encounter adware trojans from the Android.HiddenAds and Android.MobiDash families. The activity of the former decreased by a quarter (25.03%) and the latter—by more than a third (35.87%). Moreover, banking trojans and malicious spyware apps were detected less often—by 3.53% and 17.10%, respectively.

At the same time, malicious actors again distributed malware via Google Play. Our specialists uncovered over 20 trojan apps from the Android.FakeApp family that are used for fraudulent purposes. In addition, they found a trojan that subscribed Android device users to paid services.

PRINCIPAL TRENDS IN NOVEMBER

A decrease in adware trojan activity
A decrease in banking malware and spyware trojan activity
The distribution of new malicious apps via Google Play

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3831
Android.HiddenAds.3697: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.MobiDash.7805: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.Spy.5864: The Dr.Web anti-virus uses this virus record to detect a trojan hidden in some third-party modifications of the WhatsApp messenger. Threat actors use this malware to spy on users. For instance, they can search files on victims’ devices and upload them to a remote server, obtain information from the phonebook, collect data about the infected device, record audio to eavesdrop on the surroundings, etc.

Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.

Tool.NPMod.1: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps. It allows them to bypass digital signature verification once they have been modified.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.AdPush.36.origin
Adware.AdPush.39.origin
Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In November, Doctor Web’s virus laboratory discovered more malicious programs from the Android.FakeApp family on Google Play. Some of them were distributed under the guise of financial apps, like home accounting solutions, reference books, directories and teaching aids, programs for accessing investment services, etc. Among these were Android.FakeApp.1497, Android.FakeApp.1498, Android.FakeApp.1499, Android.FakeApp.1526, Android.FakeApp.1527, and Android.FakeApp.1536. Their main task is to load fraudulent websites where users are invited to become investors. For this, they need to provide their personal information.

Another fake app, Android.FakeApp.1496, was hiding in a directory program for accessing legal information. It could load a website that allegedly could help victims of investment scammers get back their lost money.

The website this trojan loaded is shown below. The visitor must answer several questions and then fill out a form to “get a free consultation with a lawyer”.

Malicious actors passed off other fake apps as games. For example, Android.FakeApp.1494, Android.FakeApp.1503, Android.FakeApp.1504, Android.FakeApp.1533, and Android.FakeApp.1534. In some cases, these actually can work as games, but their primary task is to load online casino and bookmaker websites.

Examples of how these trojans operate as games:

An example of a bookmaker site that one of these trojans loaded:

In addition, our specialists discovered another malicious program that subscribes users to paid services. Malicious actors distributed it under the guise of the Air Swipes, an app for controlling Android devices using gestures.

Upon launching, this trojan loads the website of an affiliate service through which the subscription is made:

If the victim launches the app when their Internet connection is disabled or if the target site is not available for loading, the trojan pretends to be the promised application. However, reporting that an error has occurred, it does not provide any useful functionality. The Dr.Web anti-virus detects this trojan application as Android.Subscription.21.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Doctor Web’s October 2023 review of virus activity on mobile devices

Wed, 22 Nov 2023 10:32:06 GMT

November 22, 2023

According to detection statistics collected by Dr.Web for Android, in October 2023, adware trojans from the Android.HiddenAds family were most often detected. Their activity increased by 46.16%, compared to the previous month. The second most widespread adware trojans, which belong to the Android.MobiDash family, also increased in number—by 7.07%. In addition, users encountered spyware trojans and banking malware more often—by 18.27% and 10.73%, respectively.

Over the course of October, Doctor Web’s specialists discovered more threats on Google Play. Among them were dozens of various fake apps from the Android.FakeApp family, which cybercriminals use for fraudulent purposes. Also uncovered were Android.Proxy.4gproxy trojans, which turn Android devices into proxy servers.

PRINCIPAL TRENDS IN OCTOBER

An increase in adware trojan activity
An increase in spyware trojan and banking malware activity
The emergence of many new malicious apps on Google Play

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3831
Android.HiddenAds.3697: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.4498
Android.Spy.5106: The detection name for different variants of a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.MobiDash.7804: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.WAppBomber.1.origin: An Android utility for sending mass messages in the WhatsApp online messenger. To operate, it requires access to the contact list from the user’s phonebook.

Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.MagicPush.1: An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
Adware.AdPush.39.origin
Adware.AdPush.36.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In October, Doctor Web’s virus analysts discovered over 50 malicious apps on Google Play. Among them were the Android.Proxy.4gproxy.1, Android.Proxy.4gproxy.2, Android.Proxy.4gproxy.3, and Android.Proxy.4gproxy.4 trojans, which turned infected devices into proxy servers and covertly transmitted third-party traffic through them. Various modifications of the first trojan were disguised as a Photo Puzzle game, a Sleepify program designed to help users with insomnia, and a tool called Rizzo The AI chatbot, which provided the functionality needed to work with a chat bot. The second trojan was hidden in the Premium Weather Pro weather forecast app. The third trojan was built into the Turbo Notes notepad app. And the last one was distributed by malicious actors as a Draw E program for creating images with the help of a neural network.

A special utility called 4gproxy (Dr.Web detects it as Tool.4gproxy) was built into these apps. This tool allows Android devices to be used as proxy servers. It is not malicious in itself and can be used for legitimate purposes. However, in the case of these newly discovered trojans, the proxy server functionality operates without users’ involvement and their explicit consent.

At the same time, our specialists uncovered dozens of new trojan apps from the Android.FakeApp family. Some of them again were distributed as financial apps (for example, trojans like Android.FakeApp.1459, Android.FakeApp.1460, Android.FakeApp.1461, Android.FakeApp.1462, Android.FakeApp.1472, Android.FakeApp.1474, and Android.FakeApp.1485). Their main task is to load fraudulent websites that invite potential victims to become investors. Malicious actors ask users to provide their personal information and invite them to invest their money in supposedly profitable financial projects or instruments.

Other fake programs (like Android.FakeApp.1433, Android.FakeApp.1444, Android.FakeApp.1450, Android.FakeApp.1451, Android.FakeApp.1455, Android.FakeApp.1457, Android.FakeApp.1476, and others) were again disguised as various games. Under certain conditions, instead of launching games, these loaded online casino or bookmaker websites.

Examples of how these trojan apps work as games:

Examples of the online casino and bookmaker sites they load:

Similar functionality was found in the Android.FakeApp.1478 trojan, which was hiding in an app for accessing sports news and publications. It could load bookmaker sites.

In addition, new trojan apps were found that allegedly could help Android device owners search for a job. One was called Rixx (Android.FakeApp.1468), and the other—Catalogue (Android.FakeApp.1471). Upon launching, these malicious apps show a fake vacancy listing. When potential victims try to respond to one of the job offers, they are asked to enter their personal data into a special form, or to contact the “employer” via instant messengers, like WhatsApp or Telegram.

Below is an example of how one of these malicious apps works. The trojan displays a phishing form, disguised as a window for creating a resume, or asks the user to contact the “employer” via the messenger.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Doctor Web’s September 2023 review of virus activity on mobile devices

Thu, 26 Oct 2023 01:00:00 GMT

October 26, 2023

In early September, Doctor Web published a study of Android.Pandora.2, a backdoor that creates a botnet of infected devices and can carry out DDoS attacks at the command of threat actors. In the middle of the month, our specialists informed users about malicious programs from the Android.Spy.Lydia family. These multi-functional spyware trojans target Iranian users. Members of this family are camouflaged as a financial platform for online trading; they can perform various malicious actions at the command of attackers. This includes intercepting and sending SMS, collecting information about user phonebook contacts, hijacking clipboard contents, loading phishing websites, and so on. The Android.Spy.Lydia trojans can be used in a variety of fraudulent schemes and to steal personal data. Moreover, with their help, threat actors can steal their victims’ money.

According to detection statistics collected by Dr.Web for Android, in September 2023, Android malware was less active, compared to the previous month. For instance, Android.HiddenAds and Android.MobiDash adware trojans were detected 11.73% and 26.30% less often, respectively. The number of spyware trojan attacks decreased by 25.11%, Android.Locker attacks by 10.52%, and banking malware by 4.51%. At the same time, Android device owners encountered unwanted adware programs 14.32% more often.

Many new threats were uncovered on Google Play over the course of September. Among them were Android.FakeApp trojan apps used in different fraudulent schemes, Android.Joker trojans, which subscribe victims to paid services, and also Android.HiddenAds adware trojans.

PRINCIPAL TRENDS IN SEPTEMBER

A decrease in Android malware activity
The emergence of new malicious apps on Google Play

Mobile threat of the month

In September, Doctor Web presented the details of its Android.Pandora.2 malware analysis; this trojan primarily targets Spanish-speaking users. The first cases of attacks involving it were recorded in March 2023.

This malicious program infects Smart TVs and television boxes with the Android TV operating system via compromised firmware or when users install trojanized versions of software for illegally watching videos online.

The main function of Android.Pandora.2 is to perform various types of DDoS attacks at the command of cybercriminals. In addition, this trojan can perform a number of other actions, like installing its own updates and replacing the system hosts file.

A study performed by Doctor Web’s malware analysts revealed that when creating this trojan, virus writers borrowed from the authors of Linux.Mirai, taking part of its code and using it as the basis for their trojan. Since 2016, Linux.Mirai has been widely used to infect IoT (the “Internet of things”) devices and to perform DDoS attacks on various websites.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3697: A trojan app designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.Packed.57083: The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
Android.Pandora.17: The detection name for malicious programs that download and install the Android.Pandora.2 backdoor trojan. Threat actors often embed such downloaders in Smart TV software oriented toward Spanish-speaking users.
Android.MobiDash.7804: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.

Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Packer.3.origin: The detection name for Android programs whose code is encoded and obfuscated by the NP Manager tool.
Tool.ApkProtector.16.origin: The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.

Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.MagicPush.1: An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
Adware.AdPush.39.origin
Adware.AdPush.36.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In September, Doctor Web’s malware analysts uncovered many new malicious apps on Google Play. Among them were trojans that displayed intrusive ads. Threat actors distributed them under the guise of such games as Agent Shooter (Android.HiddenAds.3781), Rainbow Stretch (Android.HiddenAds.3785), Rubber Punch 3D (Android.HiddenAds.3786), and Super Skibydi Killer (Android.HiddenAds.3787). Once these trojans were installed on Android devices, they tried to hide from users. For this, they replaced their icons, located on the home screen menu, with transparent versions and also changed their names so they were left blank. In addition, they could pretend to be a Google Chrome browser by replacing their own icons with the corresponding copy. When users tap on such an icon, these trojans launch the browser and continue to operate in the background. This allows them to become less noticeable and reduces the likelihood of their premature removal. Moreover, if these malicious programs stop working, users will restart them, thinking that they are launching a browser.

Our specialists also discovered other fake apps from the Android.FakeApp family. Some of them (like Android.FakeApp.1429, Android.FakeApp.1430, Android.FakeApp.1432, Android.FakeApp.1434, Android.FakeApp.1435, and others) were distributed as financial software—for example, as apps for stock trading, guides and reference books, home accounting, and others. In reality, their primary objective was to load fraudulent sites where potential victims were encouraged to become “investors”.

Other fake programs (for example, Android.FakeApp.1433, Android.FakeApp.1436, Android.FakeApp.1437, Android.FakeApp.1438, Android.FakeApp.1439, and Android.FakeApp.1440) were passed off by cybercriminals as different gaming apps. In some cases, these could actually operate as games, but their main functionality was to load online casino websites.

Examples of how these operate in game mode:

Examples of the online casino websites they load:

At the same time, other trojan apps from the Android.Joker family were discovered on Google Play. These were subscribing victims to paid services. One of them, dubbed Android.Joker.2216 in accordance with Doctor Web’s classification system, was disguised as an image collection app called Beauty Wallpaper HD. Another one was distributed as Love Emoji Messenger, an online messenger, and was added to the Dr.Web virus database as Android.Joker.2217.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Doctor Web’s August 2023 review of virus activity on mobile devices

Wed, 27 Sep 2023 04:00:00 GMT

September 27, 2023

According to detection statistics collected by Dr.Web for Android, in August 2023, adware trojans from the Android.MobiDash and Android.HiddenAds families were again among the most widespread Android malware. At the same time, the former were detected 72.23% more often, while the activity of the latter decreased by 8.87%, compared to the previous month.

The number of spyware trojans and ransomware malware detected on protected devices decreased by 13.88% and 18.14%, respectively. In addition, users encountered banking trojans 2.13% more often than in July.

In August, yet another malicious program was discovered on Google Play.

PRINCIPAL TRENDS IN AUGUST

A significant increase in Android.MobiDash adware trojan activity
A decrease in Android.HiddenAds adware trojan activity
A decrease in spyware- and ransomware-trojan activity
An increase in the number of banking malware attacks

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3697: A trojan app designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.MobiDash.7802: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.Packed.57083: The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
Android.Pandora.7: The detection name for malicious programs that download and install the Android.Pandora.2 backdoor trojan. Threat actors often embed such downloaders in Smart TV software oriented toward Spanish-speaking users.

Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.FakeMoney.7
Program.FakeMoney.8: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.wSpy.1.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.

Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
Tool.ApkProtector.16.origin: The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.

Adware.AdPush.39.origin
Adware.AdPush.36.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.MagicPush.1: An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In August, the Android.HiddenAds.3766 trojan application was detected on Google Play. It was distributed as image collection software called Exquisite Wallpaper Collection. However, its main functionality is to display unwanted ads. At the same time, Android.HiddenAds.3766 tries to hide from the user. To do so, the trojan replaces its icon located on the home screen with a transparent one and changes its name so that it is blank. In some cases, this malicious program may instead replace the icon with a copy of the Google Chrome browser icon. When the user taps on it, it will launch the browser itself instead of the trojan.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download