All the news

Numerous threats on Google Play and other events in Doctor Web's February 2021 mobile malware activity review

Wed, 17 Mar 2021 11:26:34 GMT

March 17, 2021

Doctor Web presents its February 2021 mobile malware activity overview. Last month, trojans displaying ads and malicious applications capable of executing arbitrary code and downloading other software were among most common threats once again.

Doctor Web specialists also discovered a large number of threats on Google Play. Trojans used in various fraudulent schemes, as well as multifunctional and adware trojans were among them. Read more about these and other events in our February review.

Go to the review

Doctor Web’s February 2021 review of virus activity on mobile devices

Wed, 17 Mar 2021 11:29:44 GMT

March 17, 2021

In February, malicious and unwanted programs displaying ads and trojans executing arbitrary code and downloading various apps without users’ awareness were detected most often by Dr.Web anti-virus products for Android.

Throughout the last month, Doctor Web’s malware analysts uncovered more threats on Google Play. Numerous fraudulent applications from the Android.FakeApp family, multifunctional Android.Joker trojans, Android.HiddenAds adware trojans and other dangerous programs were among them.

PRINCIPAL TRENDS IN FEBRUARY

New malware discovered on Google Play
Malicious Android apps are actively used in various scam schemes

According to statistics collected by Dr.Web for Android

Android.HiddenAds.1994: A trojan designed to display obnoxious ads, distributed as popular applications. In some cases, it can be installed in the system directory by other malware.
Android.RemoteCode.284.origin: A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
Android.Triada.510.origin: A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
Android.Click.348.origin: A malicious application that loads websites, clicks on banner ads, and follows links. It can be distributed as harmless programs without arousing suspicion among users.
Android.MobiDash.5135: A trojan that displays obnoxious ads. It represents a special software module that is incorporated into the applications by the developers.

Program.FreeAndroidSpy.1.origin
Program.Mrecorder.1.origin: Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
Program.FakeAntiVirus.2.origin: The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
Program.CreditSpy.2: The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.
Program.Gemius.1.origin: An application that collects information about Android devices and how their owners are using them. With technical data, it also collects confidential information, such as device location, browser bookmarks, web history, and typed URLs.

Tool.SilentInstaller.6.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.13.origin
Tool.SilentInstaller.14.origin: Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Tool.Obfuscapk.1: The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.

Adware.Adpush.36.origin
Adware.Adpush.6547
Adware.Myteam.2.origin
Adware.Overlay.1.origin
Adware.LeadBolt.12.origin

Threats on Google Play

Throughout January, Doctor Web’s specialists observed significant activity among the malicious applications from the Android.FakeApp family. A large number of the apps were used by cyberattackers in various fraudulent schemes. One of the trojan groups was spread as software allegedly designed to provide access to discounts, promotional and bonus cards, as well as to gifts from famous stores and companies. To make it look more appealing, the malware authors used symbols and names of corresponding brands—consumer electronics manufacturers, gas stations and retailers.

Upon their launch, these apps invited potential victims to apply for a paid subscription (starting from 449 to 1499 rubles per week) allegedly to access the complete functionality of the software and to receive promised bonuses. However, they only received useless barcodes and QR codes—the same for all trojans—with the promise of receiving notifications with new codes in the future. At the same time, only a few modifications of these programs had the functionality to work with the notifications, which alone questioned their developer’s integrity.

If users agreed to make an in-app purchase, they were given a 3-day free trial so they could confirm the subscription or cancel it. The logic of the fraudulent scheme was that Android device owners will either forget about trial period or that they even installed these apps in the first place, or due to lack of experience, they would not realize they applied for a premium service with regular charges.

Various modifications of these trojans were added to the Dr.Web virus database as Android.FakeApp.239, Android.FakeApp.240, Android.FakeApp.246, and Android.FakeApp.247. Examples of how some of them operate are shown on the images below:

Messages and code examples they displayed after a user successfully subscribed to the premium service:

The second group of fake programs from the Android.FakeApp family included software spread by scammers as broadly themed, harmless applications including reference software and guides about fashion, animals, nature, and various horoscopes. Their real functionality didn’t match what was indicated. They only loaded different dating and even scam websites. These apps were actively promoted through the YouTube ads network when advertising video clips and banners aggressively used adults-only content with dating and meetings topics as well. Overall, Doctor Web’s specialists uncovered more than 20 of these fake applications.

Examples of these trojans distributed throughout Google Play and the ads leading to them are shown below:

The examples of websites these apps loaded:

The third group of the Android.FakeApp malicious apps included other variations of fraudulent trojans, which were spread under the guise of software with information about various financial compensations, social benefits and payouts. They were none other than the modifications of the well-known Android.FakeApp.219 and Android.FakeApp.227 malware.

Similar to some of the other fake apps within the same family, they were also advertized through YouTube:

Upon their launch, the trojans loaded fraudulent sites where potential victims could allegedly find information about payouts available to them. There, users were misled and asked to provide their personal data and either pay a money “transfer” commission or a “state duty”. In reality, there were not any payouts for users. They only released their personal details and transferred their money to the scammers.

Doctor Web’s malware analysts also uncovered several new multifunctional trojans from the Android.Joker family. As other malware from this family, they were spread as harmless apps, including image editing software, a barcode scanner, software for creating PDF documents, a collection of stickers for messaging apps, animated wallpapers and others. These trojans were dubbed Android.Joker.580, Android.Joker.585, Android.Joker.586, Android.Joker.592, Android.Joker.595, Android.Joker.598, and Android.Joker.604.

Their main functionality was loading and executing an arbitrary, as well as automatically subscribing users to premium mobile services.

Moreover, other adware trojans from the Android.HiddenAds malware family were also discovered on Google Play. They were dubbed Android.HiddenAds.610.origin and Android.HiddenAds.2357. The first one was spread as an image collection app while the second one was spread as picture editing software.

Upon launch, the trojans concealed their icons from the list of installed apps on the main screen menu and began displaying ads. With that, Android.HiddenAds.610.origin received commands through the Firebase cloud service and was able to display notifications with ads and load various sites. They could be websites with ads, as well as dubious and fraudulent sites.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Dr.Web CureIt! updated

Tue, 16 Mar 2021 09:27:13 GMT

March 16, 2021

Russian anti-virus company Doctor Web has updated its curing utility Dr.Web CureIt!

Now Dr.Web CureIt! features the most up-to-date version of Dr.Web Anti-rootkit API (12.6.0.202102260).

Download Dr.Web CureIt!

Long-awaited support for macOS Big Sur in Dr.Web 12.5 beta version for macOS

Tue, 16 Mar 2021 09:26:48 GMT

March 16, 2021

Russian anti-virus company Doctor Web invites all users to participate in the public beta-testing of Dr.Web 12.5 for macOS. The application's modules have been redesigned to ensure Dr.Web's compatibility with macOS Big Sur.

Recall that Apple has made dozens of its services and applications inaccessible to security software. To make Dr.Web fully operational under the new OS version, Doctor Web had to develop traffic-filtering and scanning modules for its anti-virus literally from scratch.

Dr.Web 12.5 software components are installed as system extensions for macOS. As a result, to uninstall the application, each of its modules must be removed individually.

The following issue has been identified and will be resolved shortly: Dr.Web firewall does not work under macOS Big Sur 11.3 beta 3.

Also note that only the x64 architecture is supported for macOS Big Sur. The new Dr.Web version for macOS does not yet support ARM64.

To participate in the beta-testing of Dr.Web 12.5 for macOS, please go to this page.

Dr.Web Mobile Control Center for iOS updated to version 13.0.0

Thu, 11 Mar 2021 09:28:58 GMT

March 11, 2021

Russian anti-virus company Doctor Web has updated its Dr.Web Mobile Control Center for iOS to version 13.0.0. The update ensures the application is compatible with Dr.Web AV-Desk 13.0 and delivers upgrades and fixes for known issues.

Changes made to the Mobile Control Center:

Support for Dr.Web AV-Desk 13.0 has been added;
Also added was a notification instructing administrators that a web version of the application must be used to view information about hosts in system groups;
Some server error messages now provide more information;
Server connection error messages are now more specific (SocketTimeoutException, UnknownHostException);
A notification is now displayed whenever license renewal information cannot be retrieved.

Issues resolved:

The application's main window is now displayed properly;
Errors that made it impossible to configure notifications and disable the option to collect anonymous statistics under iOS 14.4 have been fixed.

The update can be downloaded free of charge from the App Store.

Dr.Web Mobile Control Center for Android updated to version 13.0.1

Thu, 11 Mar 2021 01:00:00 GMT

March 11, 2021

Russian anti-virus company Doctor Web has updated its Dr.Web Mobile Control Center for Android to version 13.0.1. The update makes adjustments to the application in compliance with Google's updated user data-usage requirements and resolves known software issues.

Changes made to the Mobile Control Center:

The application no longer requests permission to access location data;
An issue preventing the Control Center from identifying a host's parental tariff group on the server has been resolved;
Also resolved was a defect preventing a custom message (specified by the administrator) from appearing on a protected device whose system was being restarted.

Go to Google Play to download the Dr.Web Mobile Control Center for Android for free and to learn about its features.

Study of the Spyder modular backdoor for targeted attacks

Thu, 04 Mar 2021 04:00:00 GMT

Download PDF

March 4, 2021

In December 2020, the Doctor Web virus laboratory was contacted by a telecommunications company based in Central Asia after its employees discovered suspicious files on their corporate network. During the examination, our analysts extracted and studied a malicious sample, which turned out to be one of the backdoors used by the hacker group known as Winnti.

We already came across the malware Winnti uses when we studied the ShadowPad backdoor samples that we found in the compromised network of a state institution in Kyrgyzstan. In addition, earlier in the same network, we found another specialized backdoor called PlugX, which has many intersections with ShadowPad in the code and network infrastructure. A separate material was devoted to the comparative analysis of both families.

In this study, we analyze the uncovered malicious module, explore its algorithms and features, and define its connection with other well-known tools of the Winnti APT group.

Main features

On the infected device, the malicious module was located in the system directory C:\Windows\System32 as oci.dll. Thus, the module was prepared for launch by the MSDTC (Microsoft Distributed Transaction Coordinator) system service using the DLL Hijacking method. According to our data, the file got to the computers in May 2020, but the method of initial infection remains unknown. The Event Log contained records of the creation of services designed to start and stop MSDTC, as well as for the backdoor execution.

Log Name:      System
Source:        Service Control Manager
Date:          23.11.2020 5:45:17
Event ID:      7045
Task Category: None
Level:         Information
Keywords:      Classic
User:          <redacted>
Computer:      <redacted>
Description:
A service was installed in the system.
 
Service Name:  IIJVXRUMDIKZTTLAMONQ
Service File Name:  net start msdtc
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem

Log Name:      System
Source:        Service Control Manager
Date:          23.11.2020 5:42:20
Event ID:      7045
Task Category: None
Level:         Information
Keywords:      Classic
User:          <redacted>
Computer:      <redacted>
Description:
A service was installed in the system.
 
Service Name:  AVNUXWSHUNXUGGAUXBRE
Service File Name:  net stop msdtc
Service Type:  user mode service
Service Start Type:  demand start
Service Account:  LocalSystem

We also found traces of other services running that had random names. Their files were located in directories like C:\Windows\Temp\<random1>\<random2>>, where random1 and random2 are strings of random length and random Latin characters. At the time of the study, these services’ executable files were missing.

An interesting find was a service that indicates the use of a smbexec.py utility for remote code execution from the Impacket set. The attackers used this tool to establish remote access to the command shell in a semi-interactive mode.

The studied malicious sample was added to the Dr.Web virus database as BackDoor.Spyder.1. In one of the discovered Spyder samples, the debug logging functions and messages remained. Messages used when communicating with the C&C server contained the string "Spyder".

The backdoor is notable for a number of interesting features. First, oci.dll contains the main PE module, but with missing file signatures. Erasing the header signatures was presumably done to obstruct the backdoor detection in the device's memory. Secondly, the payload itself does not carry malicious functionality, but serves to load and coordinate additional plug-ins received from the С&С server. With these plug-ins, the backdoor performs its main tasks. Therefore, this family has a modular structure, just like the other backdoor families used by Winnti — the previously mentioned ShadowPad and PlugX.

Analysis of Spyder's network infrastructure revealed a link to other Winnti attacks. In particular, the infrastructure used by the Crosswalk and ShadowPad backdoors described in the Positive Technologies study corresponds with some of the Spyder samples. The graph below clearly shows the identified intersections.

For a detailed description of BackDoor.Spyder.1 and how it works, see the PDF-version of the study or the Doctor Web Virus Library.

Conclusion

The analyzed sample of BackDoor.Spyder.1 is notable primarily because its code does not perform direct malicious functions. Its main tasks are to covertly operate within the infected system and establish communication with the control server and then wait for operator commands. At the same time, it has a modular structure that allows the operator to scale its capabilities, providing any functionality depending on the needs of the attackers. The plug-ins make the considered sample similar to ShadowPad and PlugX, which, together with the intersections in their network infrastructures, allows us to conclude that it is used by Winnti.

Indicators of compromise.

Last chance to exchange your Dr.Weblings for discounts before the Dr.Web + Me loyalty programme ends!

Mon, 01 Mar 2021 05:00:00 GMT

March 1, 2021

Russian anti-virus company Doctor Web is discontinuing its loyalty programme Dr.Web + Me for customers outside the Russian Federation. Effective March 1, 2021, users will no longer be able to acquire virtual award points under the programme. Meanwhile, Dr.Web + Me will be replaced by an even more attractive offer for loyal customers. In spite of the programme being shut down, users will still be able to exchange their accrued Dr.Webling points for discounts or gift certificates under the programme's terms until May 31, 2021.

Throughout this spring the opportunity will remain to convert your earned virtual awards into discounts and get a new license for Dr.Web Security Space (PC/Mac), Dr.Web Security Space for Mobile or Dr.Web KATANA — at 20%, 30%, or 50 % off.

We invite all Dr.Web community members who still have some Dr.Weblings to spend to take advantage of this opportunity. Bear in mind that the products on display in our eStore are never sold out! And don't forget: a Dr.Web license can be activated at any moment, no matter how long ago you purchased it.

As an important aside, you can use a standard Dr.Web Security Space license (PC/Mac) to renew your previous license and, by doing so, also have 150 bonus days added to your new license period as soon as you register the license. And, the anti-virus for Android-powered gadgets comes completely free with this license!

However, if for some reason you don't need to renew your license, you can help your loved ones keep their computers safe by gifting them a discount certificate. Let your Dr.Weblings work for those you hold dear.

Important! To exchange your Dr.Webling award points for discounts, you need to sign in under your account on Doctor Web's site. And remember: After May 31, all of your unspent Dr.Weblings will expire.

Thank you for choosing Dr.Web!

Components updated in Dr.Web 12.0 products for Windows

Thu, 25 Feb 2021 09:28:38 GMT

February, 25 2020

Russian anti-virus company Doctor Web has updated Dr.Web Anti-rootkit API (12.5.19.202102150), the component Dr.Web Firewall for Windows driver (12.05.03.01250), and Dr.Web Firewall for Windows (12.05.03.12180) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web Anti-virus 12.0 for Windows Servers. Furthermore, Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0 have had the Dr.Web Net Filtering Service (12.5.6.12190) updated. The update resolves known issues and delivers minor upgrades.

Changes made to Dr.Web Anti-rootkit API:

A compatibility issue involving Valorant's anti-cheat software Vanguard has been resolved;
Also addressed was an issue that might cause errors involving Promise FastTRAK RAID controllers.

Dr.Web Firewall for Windows driver:

A high memory usage issue involving peer-to-peer applications has been addressed;
A defect that might cause errors if Logitech G Hub software was being used in the system has been resolved.

Changes made to Dr.Web Firewall for Windows and to Dr.Web Net filtering Service:

Application security has been improved.

The update will be performed automatically; however, a system reboot will be required.

Doctor Web’s January 2021 review of virus activity on mobile devices

Wed, 24 Feb 2021 15:39:34 GMT

February 24, 2021

In January, Dr.Web anti-virus products for Android detected 11.32% less threats on protected devices compared to December, 2020. The number of observed malware decreased by 11.5% and adware by 15.93%. At the same time, the number of detected unwanted apps and riskware increased by 11.66% and 7.26% respectively. According to gathered statistics, the most common threats for users were adware trojans and malware designed to download other software and execute arbitrary code.

Throughout January, Doctor Web malware analysts uncovered a large number of threats on Google Play. Numerous modifications of the Adware.NewDich adware modules built into various apps were among them. Moreover, new trojans from the Android.FakeApp family designed to load fraudulent websites, as well as malicious apps from the Android.Joker family subscribing users to premium mobile services and executing arbitrary code were also discovered.

With that, our specialists have observed new attacks involving banking trojans. One of them was found in a fake banking app available on Google Play while others were spread through malicious websites created by cybercriminals.

PRINCIPAL TRENDS IN JANUARY

A decreased number of threats detected on Android devices
The discovery of a large number of malware and unwanted apps on Google Play

Threat of the month

At the beginning of January, Doctor Web malware analysts found a number of apps with built-in Adware.NewDich adware modules that load various websites upon C&C server command. For instance, they can load both harmless sites and sites that contain ads, as well as bogus or fraudulent sites used for phishing. Because they are loaded when users are not interacting with apps containing Adware.NewDich modules, it is troublesome for Android device owners to figure out why their gadgets are behaving strangely.

Examples of software that were found to contain these adware modules are shown below:

Examples of websites they load:

Web pages of various referral programs that redirect users to the apps hosted on Google Play are often loaded by Adware.NewDich modules. The app called “YBT Exchange”, supposedly designed to work with one of the crypto exchanges was one of them. Doctor Web malware analysts, however, found that this software is nothing but a new banking trojan, which was added to the virus base as Android.Banker.3684. Its functionality included the hijacking of logins, passwords and confirmation codes. It was also able to intercept contents of incoming notifications, for which the trojan requested specific system permissions. After our report to Google, this banker was removed from the Android app store.

Doctor Web malware analysts found that at least 21 apps had these adware modules built into them. The conducted research indicated that owners of these apps and the developers of Adware.NewDich are likely directly related. Soon after this adware network attracted significant attention of the IT community and security specialists, its administrators panicked and began rolling out software updates, trying to implement mechanisms to avoid the anti-virus software from detecting this adware or simply removing the modules from the apps. One of the affected programs was later removed from Google Play completely. With that, nothing prevents the actors behind Adware.NewDich from updating the remaining software at any time and reintroducing modules, which our specialists have already observed several times.

The list of the apps containing the Adware.NewDich modules:

Name of the packet	Presence of the Adware.NewDich module	The app was removed from Google Play
com.qrcodescanner.barcodescanner	Was present in last relevant 1.75 version	Yes
com.speak.better.correctspelling	Present in relevant 679.0 version	No
com.correct.spelling.learn.english	Present in relevant 50.0 version	No
com.bluetooth.autoconnect.anybtdevices	Present in relevant 2.5 version	No
com.bluetooth.share.app	Present in relevant 1.8 version	No
org.strong.booster.cleaner.fixer	Absent in relevant 5.9 version	No
com.smartwatch.bluetooth.sync.notifications	Absent in relevant 85.0 version	No
com.blogspot.bidatop.nigeriacurrentaffairs2018	Present in relevant 3.2 version	No
com.theantivirus.cleanerandbooster	Absent in relevant 9.3 version	Нет
com.clean.booster.optimizer	Absent in relevant 9.1 version	No
flashlight.free.light.bright.torch	Absent in relevant 66.0 version	No
com.meow.animal.translator	Absent in relevant 1.9 version	No
com.gogamegone.superfileexplorer	Absent in relevant 2.0 version	No
com.super.battery.full.alarm	Absent in relevant 2.2 version	No
com.apps.best.notepad.writing	Absent in relevant 7.7 version	No
ksmart.watch.connecting	Absent in relevant 32.0 version	No
com.average.heart.rate	Absent in relevant 7.0 version	No
com.apps.best.alam.clocks	Absent in relevant 4.7 version	No
com.booster.game.accelerator.top	Absent in relevant 2.1 version	No
org.booster.accelerator.optimizer.colorful	Absent in relevant 61.0 version	No
com.color.game.booster	Absent in relevant 2.1 version	No

Features of Adware.NewDich:

It is built into full-featured software to hide from users and not arouse any suspicion.
The activity develops with a delay (up to several days) after the hosting applications are installed and launched.
Promoted websites loading is performed when the apps containing these modules are closed and users are not interacting with or using them for some time.
The malicious actors constantly monitor if anti-virus software detects the modules and promptly make changes to them to release new versions to counter the detection.

According to statistics collected by Dr.Web for Android

Android.RemoteCode.284.origin: A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
Android.HiddenAds.1994
Android.HiddenAds.518.origin: Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.
Android.Triada.510.origin: A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to the protected system files and folders.
Android.Click.348.origin: A malicious application that loads websites, clicks on banner ads, and follows links. It can be distributed as harmless programs without arousing suspicion among users.

Program.FreeAndroidSpy.1.origin
Program.NeoSpy.1.origin
Program.Mrecorder.1.origin
Program.Reptilicus.7.origin: Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
Program.FakeAntiVirus.2.origin: The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
Program.CreditSpy.2: The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.

Tool.SilentInstaller.6.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.13.origin
Tool.SilentInstaller.14.origin: Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Tool.Obfuscapk.1: The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Adware.Adpush.36.origin
Adware.Adpush.6547
Adware.Adpush.16896
Adware.Myteam.2.origin
Adware.Overlay.1.origin

Threats on Google Play

In addition to apps with built-in Adware.NewDich adware modules, Doctor Web specialists discovered a large number of trojans from the Android.FakeApp family, which were spread as reference software and handbooks with information about tax refunds and the availability of welfare payouts and other social compensations. There were also other modifications of these trojans disguised, for instance, as programs designed to search information about lotteries and receiving gifts from popular bloggers.

Similar to other trojans of this type, which were discovered earlier, current modifications loaded fraudulent websites where potential victims were informed about the supposed payouts from the government. To “receive” the money, users were asked to provide their personal information, as well as to pay for the lawyers’ time, document preparation, and tax or fees for transferring the money to the bank account. In fact, victims didn’t receive any funds, but cybercriminals did steal their confidential information and money.

In addition, some modifications of these malicious apps periodically displayed notifications where users were also informed about available “payouts” and “compensations”. In this way, malicious actors tried to attract additional attention from potential victims so they would visit the fraudulent websites more often.

Examples of websites various modifications of the Android.FakeApp trojans load:

The examples of fraudulent notifications with the information about “payouts” and “compensations” displayed by these malicious apps:

Moreover, other multifunctional trojans from the Android.Joker family were also found—they were dubbed Android.Joker.496, Android.Joker.534, and Android.Joker.535. These trojans were spread under the guise of harmless apps, such as translation software and multimedia editing software designed to create gif animations. Their real functionality, however, was to download and execute arbitrary code, as well as to intercept the contents of incoming notifications and subscribe users to premium services.

A new banking trojan dubbed Android.Banker.3679 was also among the uncovered threats. It was spread as an application designed to work with Santander bank’s Esfera rebate and bonus program for Brazilian users. Android.Banker.3679’s main functions were phishing and confidential data stealing, while its primary target was the Santander Empresas banking application.

Upon installation and launch, the trojan requested access to the Accessibility Service function of the Android OS—allegedly to continue working with the app. In fact, it needed the requested functionality to automatically perform malicious actions. If a victim agreed to provide the necessary system privileges, the banker received control over the infected device and could click on various menu elements, buttons, read the contents of other apps’ windows, etc.

Banking trojans

Alongside banking trojans found on Google Play, Android device owners were targeted by bankers that spread through the malicious websites. For example, Doctor Web specialists observed other attacks on Japanese users where trojans from various banking malware families were involved. The Android.BankBot.3954, Android.SmsSpy.833.origin, Android.SmsSpy.10809, and Android.Spy.679.origin trojans were among them. They were downloaded from fake postal and delivery service websites under the guise of updates for Chrome, Play Market and other legitimate software.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download

Doctor Web’s January 2021 virus activity review

Wed, 24 Feb 2021 16:28:44 GMT

February 24, 2021

Our January analysis of Dr.Web’s statistics revealed a 4.92% increase in the total number of threats compared to the previous month. The number of unique threats also increased by 13.11%. Adware and malware browser extensions still occupy the top spot for detected threats. Various modifications of the AgentTesla stealers, a backdoor written in VB.NET and malicious programs exploiting vulnerabilities in Microsoft Office utilities were the most frequently detected malicious software in email traffic.

In January, the number of user requests to decrypt files affected by encoders increased by 29.27% compared with December. Trojan.Encoder.26996 was the most active, accounting for 24.11% of all incidents.

Principal trends in January

Growth in malware spreading activity
Adware remain among the most active threats
An increase in the number of requests to decrypt files affected by encoders

According to Doctor Web’s statistics service

The most common threats in January:

Adware.Elemental.17: Adware that spreads through file sharing services as a result of link spoofing. Instead of normal files, victims receive applications that display advertisements and install unwanted software.
Trojan.BPlug.3867: A malicious browser extension designed to perform web injections into viewed webpages and block third-party advertisements.
Adware.SweetLabs.4: An alternative app store and add-on for Windows GUI from the creators of Adware.Opencandy.
Adware.Softobase.15: Installation adware that spreads outdated software and changes the browser settings.
Adware.Downware.19629: Adware that often serves as an intermediary installer of pirate software.

Statistics for malware discovered in email traffic

Trojan.Siggen11.57608: A modification of the stealer malware, known as AgentTesla. It can be used as a keylogger and is designed to steal confidential data.
Trojan.Packed2.42809: One of the many modifications of the AgentTesla stealer, obfuscated by a packer tool.
W97M.DownLoader.2938: A family of downloader trojans that exploits vulnerabilities in Microsoft Office documents and can download other malicious programs onto a compromised computer.
BackDoor.SpyBotNET.25: A backdoor written in VB.NET and designed to operate with a file system (to copy, create, delete catalogs, etc.), terminate processes, and take screenshots.
Trojan.SpyBot.699: A multi-module banking trojan that allows cybercriminals to download and launch various applications on an infected device and run arbitrary code.

Encryption ransomware

In January, Doctor Web’s virus laboratory registered 29.27% more requests to decode files encoded by trojan ransomware than in December.

Trojan.Encoder.26996 — 24.11%
Trojan.Encoder.567 — 13.10%
Trojan.Encoder.29750 — 7.44%
Trojan.Encoder.11549 — 2.08%
Trojan.Encoder.30356 — 1.49%

Dr.Web Security Space for Windows protects against encryption ransomware

Configure Dr.Web to protect your computer from encryption ransomware

Training course

Free data recovery

Dr.Web Rescue Pack

Dangerous websites

During January 2021, Doctor Web Internet analysts uncovered many fraudulent and phishing websites used by the cybercriminals to steal users’ money and personal data. The victims were most often propositioned to receive some nonexistent payment from the state or a remittance from a private individual. In all cases, a commission was required to receive the payments.

This is a snapshot of the fraudulent webpage. It invites a victim to receive a fake payment and claims that the amount has been transferred to an “internal” account. The trick is that the user has to pay a fee first in order to complete the transfer.

Also in January, analysts discovered several fake banking websites. The fraudsters registered the websites in the “.рф” domain and used the same template to create the same type of webpages that differ only in the fictitious names of the banks. These bogus resources were used to steal funds from the accounts of gullible users.

This is a snapshot of nonexistent bank’s website. A user can browse the clickable sections and read the contents.

In January, Doctor Web specialists also detected numerous fake online payment services that were used in conjunction with fraudulent marketplaces and allowed cybercrooks to steal not only money, but also users ' bank card data.

Find out more about Dr.Web non-recommended sites

Malicious and unwanted programs for mobile devices

The total number of January threats on Android devices decreased by 11.32% compared to the previous month. With that, the malicious applications that can download other software and execute arbitrary code, as well as trojans that showed ads were among the most common mobile threats.

During the month, Doctor Web’s virus analysts identified many malicious apps of the Android.FakeApp family, designed to load fraudulent websites in the Google Play catalog. In addition, other modifications of the Android.Joker multi-functional trojan family were uncovered. One of their features is to subscribe users to expensive mobile services. The malware creators also distributed applications with built-in unwanted advertising modules called Adware.NewDich.

These modules loaded various websites in the browser, which could include both harmless and malicious resources, as well as webpages with ads.

The banking trojans were also active. One of them was discovered in Google Play and the others were distributed via malicious websites.

The following January events related to mobile malware are the most noteworthy:

A decline in malware activity on protected devices
The emergence of many new malicious and unwanted programs in the Google Play catalog.

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

«The Anti-virus Times»

Training course

Educational projects

Booklets

New versions now available: Dr.Web Security Space for Android 12.6.8 and Dr.Web Anti-virus Light for Android 11.5.4

Wed, 24 Feb 2021 02:00:00 GMT

February 24, 2021

Russian anti-virus company Doctor Web has updated Dr.Web Security Space for Android to version 12.6.8 and Dr.Web Anti-virus Light for Android to version 11.5.4. The update delivers feature upgrades and resolves known software issues.

Changes affecting both products:

Adjustments have been made to ensure that the applications work properly on devices running Android 11;
An issue that could cause the applications to terminate abnormally while files were being downloaded has been resolved;
The maximum allowed file size for the files that users can submit for examination in the anti-virus laboratory has increased;
Other minor adjustments and tweaks have also been made.

Changes affecting Dr.Web Security Space for Android:

An Anti-theft issue involving status updates for buddies requests has been resolved;
Adjustments have been made to ensure that the application works properly in centralised protection mode;
Also eliminated was an issue causing the Anti-theft to lock some device models whenever a system clean-up was initiated;
A defect causing the Anti-theft to lock devices on the system settings screen has been eliminated;
The update also changes the way the Anti-theft uses location data.

If you downloaded the Dr.Web application from Google Play, the updates will be downloaded and installed automatically. If you’ve disabled automatic updating on your device, go to Google Play, select Dr.Web Security Space, Dr.Web Security Space Life or Dr.Web Anti-virus Light on the application list, and click "Update”.

To update via the Doctor Web site, you need to download a new distribution file. If you’ve enabled the “New app version” option in the settings, a notification will be displayed whenever the virus databases are updated. You can start the download directly from this dialogue box. Important! Under Android 11, updating cannot be initiated from a dialogue box. To apply the update, you will need to download the latest application version manually.

An increase in malware activity and other events of January 2021

Wed, 24 Feb 2021 15:55:21 GMT

February 24, 2021

Doctor Web presents its January 2021 overview of malware activity. In the first month of the year, the total number of detected threats increased by almost 5% compared to December. According to statistics, users primarily faced adware and malicious browser extensions. The most common threats in email traffic were various stealers and other malicious programs written in VB.NET. The number of user requests to decrypt files affected by encoders increased by almost a third. Read more about these and other events in our January review.

Go to the review

Threats on Google Play, banking trojans and other events in Dr.Web’s January 2021 mobile malware activity review

Wed, 24 Feb 2021 15:35:25 GMT

February 24, 2020

Doctor Web presents its January 2021 mobile malware activity overview. Last month, the number of threats detected on Android devices decreased by 11.32% compared to December. Adware trojans, as well as malicious downloaders and trojans capable of executing arbitrary code remained most common threats.

Throughout January, Doctor Web’s specialists uncovered new trojans and unwanted software spread on Google Play. Multifunctional trojans subscribing users to premium services, trojans designed to load scam websites, and apps with built-in adware modules were among them. Moreover, various banking trojans also attacked Android devices. Read more about these and other events in our January review.

Go to the review

Total security week: Get Dr.Web at up to 40% off!

Mon, 22 Feb 2021 05:00:00 GMT

February 22, 2021

Doctor Web has great news for everyone seeking to protect their ever-increasing pool of devices from malware: from February 22-28, buy Dr.Web Security Space to protect 3 PCs/Macs for 1 year and pay just the 1 PC price—a 20 EUR saving.

This is a golden opportunity to ensure that all the desktops, laptops and mobile devices in your family can operate safely. Or, if you are in the habit of using multiple devices, you can cash in on this offer too. But it doesn't end there! Because Dr.Web is also a great gift!

The standard one-year license price for 3 PCs is EUR 53.90, but only during this week, you can get all of Dr.Web’s state-of-the-art security features at up to 40% off.

In addition to the 3 personal computers, 3 Android-powered devices will also enjoy reliable protection from all kinds of Internet threats, and 2 of the 3 PCs and all the gadgets will be protected free of charge. And if you choose to take advantage of this favourable moment to renew a Dr.Web license you already have (provided that its duration is three months or longer), you will also get an extra 150 days of protection completely for free.

Please note that you can only purchase Dr.Web Security Space on these favourable terms on the special promo page on Doctor Web's site. Don't miss this special offer:

Buy Dr.Web promo license

Join forces with Doctor Web to beta test new version of Dr.Web for business

Fri, 19 Feb 2021 12:24:54 GMT

February 19, 2021

Russian anti-virus company Doctor Web is starting beta testing for version 13 of its Dr.Web Enterprise Security Suite—a corporate-grade anti-virus solution providing all-round end-point security and remote administration in networks of all sizes. In response to customer requests, version 13 incorporates features that allow for even better integration with process control systems, including critical infrastructures, which require a somewhat special approach to anti-virus security.

That being said, Doctor Web still strives to make its solutions as user-friendly as possible. With that in mind, public beta testing is now underway. Join the ranks of beta testers and grab this unique opportunity to interact directly with Dr.Web developers. See for yourself how the anti-virus is made and make a sizable contribution towards the creation of this flagship anti-virus solution for business.

As customers eagerly await the upcoming release of Dr.Web Enterprise Security Suite 13.0, Doctor Web welcomes inquisitive beta testers and is already preparing gifts for the biggest contributors.

Let's take a quick look at how Dr.Web Enterprise Security Suite 13.0 improves on its predecessors.

In response to customer requests, version 13 incorporates features that allow for even better integration with process control systems, including critical infrastructures:

The ability to allocate precisely the CPU and memory usage for the anti-virus scanner;
The option to lower the priority for tasks related to collecting additional information on protected hosts;
The ability to lower the bandwidth for connections between a proxy server and the centralised administration server.

All these features are particularly important for systems involved in various technological processes for which it is critical that a fast response time be maintained and CPU usage and the anti-virus’s memory footprint be kept to a minimum.

Easy to use. Dr.Web Enterprise Security Suite is packed with cutting-edge technologies, and all these state-of-the art features are actually easy to control—thanks to the Control Center. Your vast network may connect computers in multiple branch offices (as is the case with Russia’s country-wide election infrastructure, which Dr.Web has been protecting for years). Version 13 also incorporates innovations that will benefit system administrators. Thanks to the new layout in the Control Center's anti-virus network view, managing a large number of objects has gotten easier.

Available across multiple platforms. Compatibility with various versions of Windows and Linux, as well as with macOS, is another major advantage of Dr.Web. A protected infrastructure may connect all sorts of computers running different operating systems. And, whereas previously Dr.Web was only easy and quick to deploy under Windows, version 13 boasts easy deployment options for Linux as well. Installing and managing the anti-virus software on protected hosts is now much easier. Dr.Web Agent can be installed on Linux machines via the Control Center or using a special utility.

Flexible settings. With the Dr.Web Control Center, protected hosts can be organised in groups matching the actual structure of your company. And then the anti-virus software can be fine-tuned for each of these groups. The system administrator can also take advantage of Office Control and determine which sites and network resources should be available to the employees in each specific group. In version 13, Office Control lets you manage settings for each user group and control which removable media are accessible on user computers. You can also take advantage of an extended list of unwanted site categories to prevent employees from visiting certain sites.

All in all, the new Dr.Web Enterprise Security Suite version is packed with new features, tweaks, and upgrades. You can find more information about version 13 here: And all these innovations are highly anticipated by users and make this solution even more appealing to prospective customers. With this in mind, Doctor Web is committed to ensuring that before the official release date, all the features work exactly as expected, the user experience is completely trouble-free, and any shortcomings are discovered and corrected. Therefore, we invite all users to test this innovative solution, and we look forward to hearing what you like and don't like about the new version and what you think Doctor Web can do to make it even better. And, as is customary, the most active contributors are in for a reward. This time around the five most active beta testers will receive Dr.Web-branded hoodies!

To beta test Dr.Web Enterprise Security Suite 13.0, follow this link:https://beta.drweb.com/?lng=en. Please note that registration is required to access the beta section of our website.

More information on Dr.Web Enterprise Security

Components updated in Dr.Web 12.0 products for Windows

Wed, 17 Feb 2021 09:41:47 GMT

17 February 2021

Russian anti-virus company Doctor Web has updated Lua-script for updater (12.5.0.01280 and 12.10.0.01290) in Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0 and Dr.Web Anti-virus for Windows Servers. Furthermore, Dr.Web Security Space setup (12.10.4.01281) has been updated in Dr.Web Security Space 12.0; and Anti-virus for Windows setup (12.10.4.01281) and Anti-virus for Windows servers setup (12.10.4.01281) have been made current in Dr.Web Anti-virus 12.0 and Dr.Web 12.0 for Windows Servers, respectively. The update delivers fixes for identified issues, as well as the latest versions of the product documentation, and ensures that Dr.Web software cannot be installed on Windows PCs that do not support SHA-256.

Changes made to Lua-script for updater:

On Windows Vista, Windows 7, and Windows Server 2008/2008R2 computers, Dr.Web software components, except the virus databases, can no longer be updated (even via an update mirror) if OS system updates ensuring SHA-256 support have not been installed on them.

Changes made to Dr.Web Security Space setup, Anti-virus for Windows setup and Anti-virus for Windows servers setup:

Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0 can no longer be installed under Windows Vista and Windows 7, and Dr.Web Anti-virus 12.0 for Windows Servers cannot be installed under Windows Server 2008/2008R2 if an operating system update providing SHA-256 support has not been installed;
An issue that might prevent the applications from being installed from a network drive has been fixed;
Also resolved was a defect causing the Modify and Remove setup dialogue to use a different language (other than the current application language).

The user guides for Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0, as well as the administrator manual for Dr.Web Anti-virus 12.0 for Windows Servers, have also been updated.

The update will be downloaded and installed automatically. The changes, which resolve the network drive installation issue and make it impossible to install the software in systems lacking SHA-256 support, will take affect after the respective software distributions are updated.

Important: to ensure that the Dr.Web software operates correctly under Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2, Microsoft security updates providing SHA-256 support must be installed in the systems. For additional information, please refer to this guide.

Dr.Web CureIt! updated

Wed, 17 Feb 2021 01:00:00 GMT

February 17, 2021

Russian anti-virus company Doctor Web has updated its curing utility Dr.Web CureIt!

The utility now uses the latest versions of Dr.Web Scanning Engine (12.6.2.202011180) and Dr.Web Anti-rootkit API (12.5.18.202101211).

Download Dr.Web CureIt!

Components updated in Dr.Web 11.1 products for Unix-like systems

Fri, 12 Feb 2021 02:00:00 GMT

February 16, 2021

Russian anti-virus company Doctor Web has updated a number of modules in Dr.Web 11.1 products for Unix-like systems. The updated modules include drweb-cloudd (11.1.5-2012181751), drweb-configd (11.1.11-2102021643), drweb-ctl (11.1.8-2101211803), drweb-documentation (11.1.3-2102021301), drweb-engine (11.1.3-2101221231), drweb-filecheck (11.1.6-2012181657), drweb-libs (11.1.4-2012291813), drweb-meshd (11.1.3-2012181751), drweb-netcheck (11.1.4-2012181657), drweb-clamd (11.1.2-2012181751), drweb-rpm (11.1.4-2101152052), drweb-rpm-libs7 (11.1.4-2101152052), drweb-se (11.1.4-2012301926), drweb-statd (11.1.5-2012181751), drweb-update (11.1.6-2012181656), drweb-zypper (11.1.3-2010281214), drweb-httpd (11.1.6-2012181514), drweb-httpd-bin (11.1.6-2012181514), drweb-firewall (11.1.5-2012181514), drweb-gated (11.1.5-2012181514), drweb-configure (11.1.2-2010051243), drweb-spider (11.1.2-2012181751), drweb-spider-kmod (11.1.2-2012161527), drweb-lookupd (11.1.3-2012181751), drweb-maild (11.1.10-2101211331), drweb-gui (11.1.8-2012181751), drweb-qt (11.1.4-2012291813), drweb-session (11.1.5-2101121525), drweb-uninst (11.1.2-2101272149), drweb-icapd (11.1.6-2012181514) and drweb-smbspider-daemon (11.1.2-2012181751). The update introduces new features, resolves known issues, and delivers minor upgrades.

Changes affecting Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Linux, Dr.Web Anti-virus 11.1 for Unix Server and Dr.Web Anti-virus 11.1 for Internet gateways Unix

drweb-cloudd and drweb-update:

The modules' manual has been updated.

drweb-configd:

An issue affecting the formation of drweb-linuxfirewall rules when external data sources were used has been resolved
Component integrity validation routines have been optimised.
The modules drweb-gated and drweb-maild can now be used more efficiently while the virus databases are being updated;
The software now runs more efficiently in ES-mode in systems using the ARM64 architecture;
Routines determining the certificate store location have been optimised;
An issue causing the "" value for time and size parameters to be interpreted as zero has been resolved;
Command line help information is now more concise;
Also resolved was a defect causing incorrect drweb-httpd status information to appear under certain circumstances;
An issue that might cause drweb-configd to terminate abnormally has been addressed.

drweb-ctl:

Now the drweb-ctl rawscan command can be used in centralised protection mode;
The MaxSizeToExtract option is available for scanning commands;
The drweb-ctl output now includes additional information;
A command enabling users to check drweb-lookupd parameters has been added;
The software now checks whether a password has been specified whenever a server connection is being established or a new group member is being added;
Also addressed was an issue that might prevent users from logging in under Linux Solus after Dr.Web for Linux had been installed.

drweb-engine:

The anti-virus engine version has been updated.

drweb-filecheck:

The MaxSizeToExtract option is available for scanning commands.

drweb-meshd:

The UDP broadcast method can now be used to look for a MeshD server;
The IPv6 protocol is now supported.

drweb-netcheck:

Now only basic information is logged at the INFO level.

Changes affecting Dr.Web 11.1 for Unix Mail Servers, Dr.Web 11.1 for Unix Server, and Dr.Web Anti-virus 11.1 for Internet gateways Unix

drweb-clamd:

The module’s manual has been updated.

drweb-httpd and drweb-httpd-bin:

The web-console now works properly while the virus databases are being updated.

Changes affecting Dr.Web 11.1 for Unix Mail Servers, Dr.Web 11.1 for Linux, and Dr.Web Anti-virus 11.1 for Internet gateways Unix

drweb-gated:

An issue that might prevent malicious code from being detected in a message body has been resolved;
Routines facilitating communication with drweb-maild have been optimised;
The component can now interact with drweb-urlcheck.

Changes affecting Dr.Web 11.1 for Unix Mail Servers and Dr.Web Anti-virus 11.1 for Linux

drweb-maild:

SPF (Server Policy Framework) verification is now available;
Support has been added for a new cryptographic signature method (RFC 8463) for DomainKeys Identified Mail;
Recompression routines have been optimised for emails containing threats;
The application logs now provide more detailed information;
Now lua api can be used to facilitate SPF (Server Policy Framework) verification.

Changes made to Dr.Web Anti-virus for Linux and Dr.Web for UNIX Server

drweb-spider:

The module’s manual has been updated.

drweb-spider-kmod:

Adjustments have been made to make the software compatible with Astra Linux SE.

Changes affecting Dr.Web 11.1 for Unix Mail Servers and Dr.Web Anti-virus 11.1 for Internet gateways Unix

drweb-lookupd:

The module’s manual has been updated.

Changes affecting Dr.Web Anti-virus 11.1 for Linux

drweb-session:

An issue preventing Linux SpIDer from detecting threats on PCs running Astra Linux SE if the user was logged into the system using the lowest security clearance.

Changes affecting Dr.Web 11.1 for Internet gateways Unix:

drweb-icapd:

The module’s manual has been updated.

Changes affecting Dr.Web Anti-virus 11.1 for Unix Server

drweb-smbspider-daemon:

The module’s manual has been updated.

The update is performed via the Dr.Web repository. If you encounter any problems when updating, please use the instructions from our previous news post to specify the additional repository for the Dr.Web software you’re using.

Dr.Web Mobile Control Center for Android updated to version 13.0.0

Thu, 11 Feb 2021 01:00:00 GMT

February 11, 2021

Russian anti-virus company Doctor Web has updated its Dr.Web Mobile Control Center for Android to version 13.0.0. The update provides support for the latest Android and Dr.Web AV-Desk versions, delivers new features and resolves known software issues.

Changes made to the Mobile Control Center:

Android 11 is now supported;
Support for Dr.Web AV-Desk 13.0 has been added;
Dr.Web AV-Desk documentation in PDF format can now be viewed on the server;
The server drop-down list now also displays information about the connection protocols being used (HTTP or HTTPS) and the current user login;
A Network window display issue has been resolved;
Corrections have been made to the Mobile Control Center's message texts.

Go to Google Play to download the Dr.Web Mobile Control Center for Android for free and to learn about its features.