September 17, 2019

Russian anti-virus company Doctor Web has updated a number of modules in its Dr.Web 11.1 products for Unix-like systems. The updated modules include drweb-esagent (11.1.2-1909031741), drweb-mimetic (11.1.2-1907301551), drweb-maild (11.1.3-1908220946), drweb-netcheck (11.1.1-1908271619), drweb-rpm (11.1.2-1907191359), drweb-libzypp (11.1.2-1907191422), drweb-uninst (11.1.1-1908092037), drweb-httpd (11.1.2-1908211705) and drweb-gui (11.1.4-1908211700). The update resolves known issues and delivers minor upgrades.

Changes affecting drweb-esagent in Dr.Web Anti-virus 11.1 for Unix Mail Servers, Dr.Web Anti-virus 11.1 for Unix File Servers, Dr.Web Anti-virus 11.1 for Internet gateways Unix, and Dr.Web Anti-virus 11.1 for Linux:

• an issue preventing users from changing the settings of some components when there was no connection with the ES server has been resolved;
• an error concerning the implementation of task processing for weekly scanning has been fixed;
• an error that occurred while the checkbox "Run the task according to UTC" (scheduler) was being processed has been resolved;
• Also fixed was a defect that prevented the sending of statistics to the ES server from being blocked.

Changes affecting drweb-mimetic and drweb-maild in Dr.Web Anti-virus 11.1 for Unix Mail Servers:

• a new option to scan by categories was added to the Url table.

The update is performed via the Dr.Web repository. If you encounter any problems during updating, please use the instructions from our previous news post to specify an additional repository for the Dr.Web software you are using.

September 12, 2019

Russian anti-virus company Doctor Web has released version 12.0.5 of Dr.Web for Microsoft Exchange Server. The update delivers a fix for an identified problem.

An issue involving the scanner's abnormal termination when processing large volumes of messages has been resolved.

More information about the update process, as well as about the system requirements for Dr.Web 12.0.5 for Microsoft Exchange Server, can be found in the product documentation (https://download.drweb.com/doc/).

September 12, 2019

Russian anti-virus company Doctor Web has released a new distribution of Dr.Web for macOS version 11.1.4. The distribution’s release delivers a fix for an identified problem.

The distribution resolves an issue that could result in the abnormal termination of Dr.Web's graphical interface on workstations running macOS 10.14.5 and later versions.

Please note that this version and newer versions of the distribution will not work for macOS 10.7—a separate distribution will be available for this OS.

Distributions can be downloaded from Doctor Web's site (https://download.drweb.com/).

September 9, 2019

In the last month of summer, Doctor Web virus analysts detected the clicker trojan Android.Click.312.origin on Google Play built into harmless applications. We also detected additional malicious software, including the Android.DownLoader.915.origin downloader trojan and trojan adware of the Android.HiddenAds family, distributed under the guise of useful software, as well as the Android.Banker.346.origin banker.

Mobile threat of the month

In early August, Doctor Web reported the Android.Click.312.origin trojan detected in 34 applications on Google Play. It was a malicious module that developers built into their software. A total of 101.7 million users downloaded the software with this trojan.

Android.Click.312.origin opened links via invisible WebView at the direction of the command and control server. It could also load websites in a browser and advertise applications on Google Play. Features of the trojan are as follows:

• it began operating 8 hours after startup;
• some features were implemented using reflection;
• it could subscribe users to premium mobile services using WAP-Click.

For more information on Android.Click.312.origin, refer to the news article on our website.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.455.origin

A trojan designed to display unwanted ads on mobile devices.

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.Triada.467.origin

A multi-functional trojan that performs various malicious actions.

Android.RemoteCode.197.origin

Android.RemoteCode.5564

Malicious applications designed to download and execute arbitrary code.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

• Adware.Gexin.3.origin
• Adware.Patacore.253
• Adware.Zeus.1
• Adware.Altamob.1.origin
• Adware.Myteam.2.origin (a new threat)

Threats on Google Play

Along with the Android.Click.312.origin clicker, we detected the downloader trojan Android.DownLoader.915.origin among the malware on Google Play. It spread as a VPN client. It downloaded and attempted to install applications, as well as opened Instagram, Telegram, and Google Play web pages and other services specified by attackers.

Virus analysts also identified new trojan adware of the Android.HiddenAds family; for example, Android.HiddenAds.1598 and Android.HiddenAds.467.origin. Like other malicious programs of this family, they hid the software icons where they were embedded and displayed obnoxious ads.

At the end of August, Doctor Web experts discovered another banking trojan that attacked Brazilian Android users. This malware was dubbed Android.Banker.346.origin. Like similar trojans reported by our company earlier (for example, at the end of 2018), Android.Banker.346.origin uses the Android Accessibility Service to steal information from text messages, which could contain transaction confirmation codes and other confidential data. The banker also opens phishing pages at the command of cybercriminals.

To protect your Android device from malware and unwanted programs, we recommend that you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian Anti-virus for Android
• More than 140 million downloads on Google Play alone
• Free for users of Dr.Web home products

Free download

September 9, 2019

Doctor Web presents its August 2019 overview of malware for mobile devices. This month, users were still targeted by malware on Google Play, including a clicker trojan, trojan adware and other threats. Read more about these events in our review.

Go to the review

September 9, 2019

In August, Dr.Web server statistics detected a 21.28% decrease in the total number of threats compared to July. The number of unique threats dropped only slightly by 2.82%. The most common threat in email traffic is malware that exploits vulnerabilities in Microsoft Office documents, as well as trojan downloaders. Similarly to the previous month, the majority of detected malware and unwanted software is adware.

Threat of the month

In August, researchers at Doctor Web’s virus lab discovered a dangerous banking trojan spread by cybercriminals via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software websites.

More about this threat

According to Doctor Web’s statistics servers

Threats of the month:

Adware.Softobase.15

Installation adware that spreads outdated software and changes the browser’s settings.

Adware.Ubar.13

A torrent client designed to install unwanted programs on a user’s device.

Trojan.Winlock.14244

A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.

Trojan.InstallCore.3553

Another well-known adware installer. It displays ads and installs new software without a user’s permission.

Statistics for malware discovered in email traffic

Exploit.Rtf.CVE2012-0158

Modified Microsoft Office document. Exploits the CVE2012-0158 vulnerability in order to run malicious code.

W97M.DownLoader.2938

A family of trojan downloaders that exploit vulnerabilities in Microsoft Office applications and can download other malware to a compromised device.

Exploit.ShellCode.69

Another malicious Microsoft Office Word document, which uses the CVE-2017-11882 vulnerability.

Trojan.PWS.Stealer.19347

A family of trojans designed to steal passwords and other confidential information stored on an infected computer.

Encoders

In August, cases involving the following ransomware were most often registered by Doctor Web’s technical support service:

• Trojan.Encoder.858—17.73%
• Trojan.Encoder.11464—7.09%
• Trojan.Encoder.18000—4.96%
• Trojan.Encoder.28004—4.26%
• Trojan.Encoder.11539—2.60%
• Trojan.Encoder.25574—1.18%
• Trojan.Encoder.567—1.65%

Dangerous websites

In August 2019, Doctor Web added 204,551 URLs to the Dr.Web database of non-recommended websites.

Malicious and unwanted programs for mobile devices

In August, Doctor Web experts discovered several new malware on Google Play. In early August, the Dr.Web virus database was updated to detect the Android.Click.312.origin trojan, which could open links and various websites following the command of the server. Virus analysts also detected new adware Android.HiddenAds, as well as the Android.DownLoader.915.origin downloader that was able to download other malicious applications.

At the end of the month, Doctor Web experts discovered another banking trojan that attacked users from Brazil. The malware, dubbed Android.Banker.346.origin, exploited the Android OS Accessibility Service and could hook text messages.

The following events are among the most notable regarding mobile security in August:

• Distribution of malware on Google Play;
• New unwanted adware modules.

Learn more about malicious and unwanted programs for mobile devices in our August overview.

September 9, 2019

Doctor Web presents its August 2019 overview of malware activity. The number of requests to technical support for file decryption has increased. The activity of malware has dropped, while the number of dangerous and non-recommended websites has grown. Read about these and other events in our review.

Go to the review

September 5, 2019

Russian anti-virus company Doctor Web has launched public beta testing for its Dr.Web Enterprise Security Suite 12.0. The new version incorporates new utilities, yet another protection component, and tweaks and upgrades for the agent and the server software. The most active beta testers will receive gifts from Doctor Web!

The following utilities are now accessible via the Dr.Web Control Center:

• Dr.Web for Windows removal utility—removes corrupted/broken Dr.Web agent installations under Windows if standard removal routines are inaccessible or will not work (this should not be used as the default way to uninstall Dr.Web);
• The Dr.Web system information utility—compiles reports containing information about the current status of the system and all the applications (including Dr.Web) installed on machines running the Dr.Web anti-virus and server software. Administrators can now use report archives to assess the current state of their anti-virus networks and compile reports for the Doctor Web technical support service.

New component:

• With the application control component, administrators can establish which applications can be started and which ones on their network computers running Dr.Web Agent for Windows should be blocked. The component settings are only accessible on the Dr.Web server end.

Changes made to the Dr.Web Server:

• SMBv2 is now available under all supported operating systems and can be used to install the agents remotely;
• Windows Server 2019 is now supported by both Dr.Web Server and Dr.Web Agent for Windows.
• New repository products:
  • Corporate Dr.Web products whose product and component installers were previously only available in the Dr.Web extra distribution;
  • Dr.Web administration utilities and utility installers, which are accessible via the Control Center's Administration section ? Utilities;
• Dr.Web server and web server configuration files now contain a new option that can be used to set up Lua virtual machines for the corresponding components;
• A new Dr.Web server parameter has been added; it can be used to create missing accounts for hosts automatically when the agent software is being installed from a group installer.
• The new server plugin—Dr.Web SNMP-agent—facilitates the exchange of data with network monitoring software via SNMP;
• A new agent protocol extension has been added; it can be used to transmit data to the server via SFTP;
• A default administrator password (admin) can now be specified in the reply configuration file for server installations under Unix-like operating systems;
• Situations where a product from the current server repository cannot be found on the updating servers when all the products are being updated are now handled independently of other events;
• The Web API that facilitates interaction with the Dr.Web Server has been updated (version 4.3.0).

Changes made to the Control Center:

• The addition of Polish language support for the Dr.Web server software;
• New repository parameters in the advanced settings:
  • The ability to disable the exchange of updates for neighbouring servers, which prevents updates from being forwarded using inter-server links;
  • The ability to disable updating via neighbouring servers, which prevents updates from being downloaded using inter-server links;
• Additional parameters are now available for the Dr.Web ICAPD and SpIDer Gate components for PCs running Unix-like operating systems;
• Protection components can now be started and stopped remotely via the Control Center on hosts running Unix-like operating systems;
• Statistics are now available about devices that are being blocked by Dr.Web on protected hosts;
• New notification sorting options have been added for events involving the Dr.Web Preventing Protection and Application Control components, malware outbreaks, and abnormally terminated client connections;
• A log has been added that contains information about abnormally terminated client connections;
• The license usage report is no longer associated with inter-server links, and the parameters that need to be specified to create such reports have changed;
• The audit log now contains information about the following events: Purge database, Analyse database and Purge Active Directory database;
• INI files for host protection components under Unix-like systems can now be imported and exported;
• A new Dr.Web Agent for Windows option is used to transmit host location information to the server;
• MAC addresses can now be used to look for hosts in the anti-virus network layout window;
• The Modules statistics section now displays information about protected hosts running Unix-like systems;
• Maximum message length has been set for messages that administrators can send to protected hosts via the anti-virus network;
• A maximum message length has been set for messages that administrators can send to protected hosts via the anti-virus network;
• Documentation in the Dr.Web Control Center’s Support section has been updated and expanded.

Changes made to the Dr.Web Agent:

• The Dr.Web Agent for Windows featuring the revamped design is now supported;
• A new device class—Multimedia devices—is now available in the Office Control settings under Windows for more reliable access control.

No longer supported:

• Dr.Web Server is no longer compatible with Windows versions older than Windows 7 (?32) and Windows Server 2008R2 (?64);
• The extra Dr.Web distribution is no longer available;
• Dr.Web server software cannot be installed on disk partitions with file systems that do not support symbolic links (such as FAT);
• The installer can't be used to change the set of installed Dr.Web server components;
• The suite will never attempt to connect to external databases that cannot work with Dr.Web Server;
• A key that has been blocked in the License Manager will never be relayed to the protected hosts in the anti-virus network;
• The option to accept SMS commands without a password has been removed from Android’s protection settings;
• The option to use hardware neutralisation has been removed from the host configuration for Windows;
• Administrator permissions cannot be changed in the Control Center's Settings section.
• The EULA has been removed from the Active Directory object management utility.

Doctor Web welcomes all users to take part in the beta testing for Dr.Web Enterprise Security Suite 12.0 (https://beta.drweb.com/). Please note that registration is required to access the beta section of our website.

September 4, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Net Filtering Service (11.1.16.08231) in the Windows agent software of its Internet service Dr.Web AV-Desk 10.1. The update delivers a fix for an identified problem.

Specifically, problems with downloading Windows updates and accessing the Microsoft Store, which occurred when the option to scan encrypted traffic was enabled, have been resolved;

The update will be performed automatically; however, a system reboot will be required.

September 3, 2019

Doctor Web has updated the Dr.Web Net filtering Service (12.0.5.07080) in the products Dr.Web Security Space 12.0 and Dr.Web Anti-virus 12.0. The update resolves known software issues.

Changes made to the Dr.Web Net Filtering Service:

• Issues impeding the operation of networking applications on Windowscomputers have been resolved.
• Also resolved was a problem related to downloading Windows updates and accessing the Microsoft Store, which occurred when the option to scan encrypted traffic was enabled;
• Defects that could block access to the Mikrotik routers' web interface have been eliminated.

The update will be performed automatically; however, a system reboot will be required.

September 2, 2019

Russian anti-virus company Doctor Web has updated the ES Service module (11.5.18.07120) and the Dr.Web Anti-rootkit API module (11.5.8.201908130) in Dr.Web Enterprise Security Suite 11.0. The update resolves known software issues.

Changes made to the ES Service:

• Update error issues, which could arise if the downloaded update files got corrupted, have been resolved.

Changes made to Dr.Web Anti-rootkit API:

• An error causing systems to freeze during terminal sessions has been fixed.

Furthermore, the suite's documentation in various supported languages has been brought up to date.

The update will be downloaded and installed automatically.

August 27, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Link Checker browser plugin to version 3.9.17. The update resolves known software issues.

Changes made to Dr.Web LinkChecker:

• An issue preventing plugin settings from displaying properly in older versions of Google Chrome (49.0.2623.112) has been resolved.
• Also resolved were issues that made the option to block page elements manually unavailable in Google Chrome and Opera.

To use the latest Dr.Web Link Checker, download it from the extensions catalogue that corresponds to your browser (Google Chrome or Mozilla Firefox). Please note that you can also visit the Google Chrome Web Store to download Dr.Web LinkChecker for the latest versions of Opera and Yandex.Browser. If you already use Dr.Web Link Checker, it will be updated automatically.

August 26, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Updater module (11.5.12.08150) in Dr.Web Security Space 11.5, Dr.Web Anti-virus 11.5, and Dr.Web 11.5 for Windows Servers. The update delivers minor tweaks upgrades.

Specifically, the routines for interacting with Dr.Web’s servers have been optimised.

The update will be downloaded and installed automatically.

August 22, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Scanner SE (12.0.6.08190) in its products Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, and Dr.Web Anti-virus 12.0 for Windows Servers. The update delivers new features and resolves known issues.

Changes made to the scanner:

• An issue preventing the scanner from being launched in safe mode has been resolved.
• Now, if an administrator account is used to start the scanner, the UAC prompt to elevate privileges is not displayed.
• Furthermore, environmental variables can now be used to specify scanning exceptions.
• Minor scanner UI display issues have been resolved. UI elements now display properly on high-resolution screens.

The update will be downloaded and installed automatically.

August 19, 2019

Researchers at Doctor Web’s virus lab discovered a dangerous banking trojan, Win32.Bolik.2, being spread by hackers via fake websites of popular software. One of these resources is copied from a well-known VPN service, while others are disguised as corporate office software sites.

A copy of the NordVPN official website, which is a famous VPN service, was recently found by our researchers at nord-vpn[.]club. As with the original, it prompts users to download a program for using the VPN; but apart from the program itself, the fake authors distribute a dangerous banking trojan - Win32.Bolik.2.

It has the same design, a similar domain name, and a valid SSL certificate.

According to our data, the malware campaign that uses those fake websites is primarily targeted at English-speaking audiences and was launched on August 8, 2019. However, at the time this news was released, the malicious fake NordVPN website already had thousands of visits.

On top of that, at the end of June this year, the same hacker group copied websites of office programs: invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com) and clipoffice[.]xyz (the original is crystaloffice[.]com), where the Win32.Bolik.2 trojan was distributed together with Trojan.PWS.Stealer.26645 malware.

The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.

Earlier this year, we reported another malware campaign from the same hacker group in which they distributed Win32.Bolik.2 through a hacked video editing software website.

Both of these trojans are successfully detected and removed by Dr. Web products and pose no threat to our users.

Indicators of compromise

#banker #banking_trojan #stealer

August 8, 2019

Clicker trojans are widespread malicious programs, designed to increase website visit rates and earn money on online traffic. They simulate user actions on web pages by clicking on links and other interactive elements. Doctor Web virus analysts have detected another such trojan on Google Play.

The trojan is a malicious module, which, according to Dr.Web classification, was dubbed Android.Click.312.origin. It is built into ordinary applications, such as dictionaries, online maps, audio players, barcode scanners, and other software. All these programs are operable and look harmless to Android users. Additionally, Android.Click.312.origin only starts its malicious activity after 8 hours after launch, so as not to raise suspicion.

Once launched, the trojan sends the following information about the infected device to the C&C server:

• manufacturer and model;
• operating system version;
• user’s country of residence and default system language;
• User-Agent ID;
• mobile carrier;
• internet connection type;
• display parameters;
• time zone;
• data on application containing trojan.

In response, the server sends the necessary settings. Some functions of the malware are using reflection, and the settings contain the names of methods and classes along with the parameters for them. They are used, for example, to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications.

Upon installation of a new application or download of an apk file by the Play Market client, the trojan sends information about this software along with some technical data about the device to the command and control server. In response, Android.Click.312.origin receives website addresses to open in an invisible WebView, as well as links to load in a browser or on Google Play.

Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content. For example, after installing applications with the built-in trojan, users complained about being automatically subscribed to expensive content provider services.

Doctor Web specialists were unable to recreate the conditions for the trojan to open such websites. However, in the case of Android.Click.312.origin, this fraudulent scheme can potentially be implemented quite simply. Since the trojan informs the command and control server about the current Internet connection type, the server can send a command to open a website of a partner service that supports the WAP-Click technology if the device is connected to the Internet via a mobile carrier. This technology simplifies the subscription to various premium services, but it is often used illegally. Our company covered this problem in 2017 and 2018. In some cases, no confirmation from the user is required to subscribe to an unnecessary service: it can be done by a script on the same page, or even the trojan than can “click” the confirmation button. Since Android.Click.312.origin opens pages in an invisible WebView, the whole procedure can be done without the victim’s knowledge.

Doctor Web virus analysts have identified 34 applications with the embedded Android.Click.312.origin. They were installed by over 51.7 million users. Additionally, the trojan’s modification, dubbed Android.Click.313.origin, was downloaded by at least 50 million people. Thus, the total number of mobile device owners threatened by this trojan, exceeded 101.7 million. See below the list of programs, where this clicker was found:

Doctor Web informed Google about this trojan, and some applications we had detected were quickly removed from Google Play. Additionally, several applications have been updated, removing the malicious component. However, at the time of this publication, most applications still contained a malicious module and remained available for download.

Virus analysts recommend that developers responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software. Dr.Web for Android successfully detects and removes applications that have the known modifications of Android.Click.312.origin embedded into them, so it poses no threat to our users.

Read more about Android.Click.312.origin

#Android, #Google_Play, #clicker

August 8, 2019

Russian anti-virus company Doctor Web has updated the Dr.Web Updater module (12.0.12.08020) in its products Dr.Web Security Space 12.0, Dr.Web Anti-virus 12.0, and Dr.Web 12.0 for Windows Servers.

The update optimizes routines incorporated into the module.

The update will be downloaded and installed automatically.

August 5, 2019

Doctor Web presents its July 2019 virus activity review. Over the last month, email traffic was dominated by threats that exploit Microsoft Office Documents vulnerabilities. The number of unique threats detected on users' devices has increased; and Doctor Web’s technical support has received less data decryption requests than in June. For more information about these and other events, have a look at our review.

Go to the review

August 5, 2019

In July Dr.Web’s statistics showed a 54.21% decrease in the number of detected threats compared to June. While the unique threats almost doubled. E-mail traffic was dominated by malware that uses Microsoft Office programs’ vulnerabilities. Adware and unwanted programs still occupy the top of all detected threats. The lead ransomware in July, Trojan.Encoder.858, accounted for 21.15% of all requests for data decryption received in support of Doctor Web.

Doctor Web’s researchers have prepared a study that describes trends in the most common threats for smart devices and the Internet of Things (IoT) as a whole. This review is based on statistical data that has been gathered from our honeypots since 2016 and intends to draw attention to the security problem in the field of IoT.

Read the research

According to Doctor Web’s statistics servers

Threats of the month:

Adware.Ubar.13

A torrent client designed to install unwanted programs on a user’s device.

Adware.Softobase.15

Installation adware that spreads outdated software and changes the browser’s settings.

Trojan.Packed.20771

This program installs malicious browser extensions that redirect search results to different websites.

Trojan.Winlock.14244

A ransomware trojan that blocks or limits a user’s access to the Windows operating system and its functionalities. In order to unlock the system, a user must transfer money to the cybercriminals.

Trojan.DownLoader29.14148

Downloads and runs malicious software without the user’s permission.

Statistics for malware discovered in email traffic

Exploit.Rtf.CVE2012-0158

A modified Microsoft Office document. It exploits the CVE2012-0158 vulnerability in order to run malicious code.

W97M.DownLoader.2938

A family of downloader trojans that exploit vulnerabilities in Microsoft Office applications. Designed to download other malware onto a compromised computer.

Exploit.ShellCode.69

Another malicious Microsoft Office Word document that uses the CVE-2017-11882 vulnerability.

JS.DownLoader.1225

A family of malicious JavaScripts. They download and install malicious software on a computer.

Encryption ransomware

In July, the most common cases involving the following ransomware were registered by Doctor Web’s technical support service:

• Trojan.Encoder.858 — 21.15%
• Trojan.Encoder.567 — 9.45%
• Trojan.Encoder.11464 — 8.01%
• Trojan.Encoder.25574 — 4.93%
• Trojan.Encoder.18000 — 3.90%
• Trojan.Encoder.11539 — 3.08%
• Trojan.Encoder.28004 — 1.85%

Dangerous websites

During July 2019, Doctor Web added 123,251 URLs to the Dr.Web database of non-recommended sites.

Malicious and unwanted programs for mobile devices

In mid-July, Doctor Web researchers detected a new dangerous trojan Android.Backdoor.736.origin on Google Play, through which attackers remotely controlled infected Android devices. This backdoor was able to install apps, steal sensitive data and perform other malicious actions at the developer’s command.

Among other detected threats were new trojans of the Android.HiddenAds family, which hid their icons from the main screen and displayed ads. Additionally, Doctor Web analysts discovered several programs with embedded the advertising module Adware.HiddenAds.9.origin. They displayed banners even while being closed.

New entries for detecting trojans of the Android.Spy family, which were used for cyber espionage, were added to the Dr.Web’s virus database.

Among the most notable July events related to mobile malware:

• detection of a dangerous backdoor that executes malicious commands;
• detection of new malicious programs on Google Play;
• the spread of trojans designed for cyber espionage.

Find out more about malicious and unwanted programs for mobile devices in our monthly review.

August 5, 2019

Doctor Web has updated its curing utility Dr.Web CureIt! to incorporate the latest versions of the anti-virus components.

It now features the most up-to-date version of Dr.Web Virus-Finding Engine (7.00.41.07240).

Download Dr.Web CureIt!

August 5, 2019

Doctor Web presents its July 2019 overview of malware for mobile devices. Last month, malware analysts discovered a dangerous backdoor that executed commands from cybercriminals. Cybercriminals also continue distributing adware trojans. We then identified other malicious and unwanted applications. Read more about these threats in our review.

Go to the review

August 5, 2019

Last month Doctor Web reported the dangerous Android.Backdoor.736.origin trojan that executed malicious commands, stole confidential data and displayed fraudulent windows and messages. In July, malware analysts discovered many new adware trojans of the Android.HiddenAds family on Google Play. The Dr.Web virus database has also been updated to detect the unwanted adware Adware.HiddenAds.9.origin, as well as the spyware trojans Android.Spy.567.origin and Android.Spy.568.origin.

Mobile threat of the month

In mid-July, Doctor Web virus analysts investigated the Android.Backdoor.736.origin trojan, spreading under the guise of OpenGL Plugin software. It allegedly checked the version of the OpenGL ES interface and installed its updates.

This backdoor spied on users, sending information about their contacts, phone calls, and their device location to the attackers. It also uploaded files from devices to a remote server, as well as download and installed software. Features of Android.Backdoor.736.origin:

• the main malicious component of the trojan was hiding in an auxiliary module, encrypted and stored in the application’s resource directory;
• with root privileges, it could automatically install software;
• could execute shell commands, received from the C&C server.

For more information regarding Android.Backdoor.736.origin, refer to the news article on our website.

According to statistics collected by Dr.Web for Android

Android.Backdoor.682.origin

A trojan that executes cybercriminals’ commands and helps them control infected mobile devices.

Android.HiddenAds.1424

A trojan designed to display obnoxious ads. It is distributed under the guise of popular applications.

Android.RemoteCode.197.origin

Android.RemoteCode.5564

Android.RemoteCode.216.origin

Malicious applications designed to download and execute arbitrary code.

Program modules that incorporate themselves into Android applications and display obnoxious ads on mobile devices:

Adware.Zeus.1

Adware.Gexin.3.origin

Adware.Patacore.253

Adware.Altamob.1.origin

A riskware platform that allows applications to launch APK files without installing them:

Tool.VirtualApk.1.origin

Threats on Google Play

Since the beginning of July, Doctor Web malware analysts have detected many new adware trojans of the Android.HiddenAds family on Google Play, installed by over 8.2 million users. These malware spread under the guise of harmless games and useful applications, such as camera filters, system utilities, alarm clocks, etc. After launching, the trojans hid their icons from the software list on the main screen and started displaying banners that interfered with device operation.

In addition, a new unwanted advertising module named Adware.HiddenAds.9.origin was uncovered. It was embedded into the compass software and a collection of wallpapers for the desktop. It displayed ads even when these applications were closed.

Cyberespionage

Last month, the Dr.Web virus database was also updated to detect the spyware trojans Android.Spy.567.origin and Android.Spy.568.origin. The first one transferred the data from text messages, phone calls, calendar, and phone book entries to a remote server, as well as information about files stored on the device.

The second one displayed a fraudulent message, prompting a potential victim to update a Google Play component. If the user agreed, the trojan displayed a phishing window that simulated a Google account login page.

Virus writers made a spelling mistake in the phrase “Sign in”, which could indicate a fake. If the victim did not notice this and logged into the account, Android.Spy.568.origin stole the data of the current session, and the attackers gained access to confidential information, such as calendar entries, verification codes, phone numbers, and email addresses to restore access to the account.

To protect your Android device from malware and unwanted programs, we recommend you install Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download

August 1, 2019

Russian anti-virus company Doctor Web has updated Dr.Web Virus-Finding Engine (7.00.41.07240) in several Dr.Web products. The update resolves known issues of the component.

Specifically, it eliminates an engine issue causing Dr.Web to terminate abnormally under Linux.

Dr.Web Virus-Finding Engine has been updated in the following products:

• Dr.Web 9.0/11.0/11.1 for macOS
• Dr.Web 6/11.0/11.1 for Unix Server
• Dr.Web 6/11.0/11.1 for Unix Mail Servers
• Dr.Web Anti-virus 6/11.0/11.1 for Internet gateways Unix
• Dr.Web Anti-virus 6/11.0/11.1 for Linux
• Dr.Web Security Space 7/8/9/10/11.0/11.5/12
• Dr.Web Anti-virus 7/8/9/10/11.0/11.5/12 for Windows
• Dr.Web 7/8/10/11.0/11.5/12 for Windows Servers
• Dr.Web 10/11/11.5/12 for MS Exchange
• Dr.Web 10/11.0/11.5/12 for M Lotus Domino (version for Windows)
• Dr.Web 6.0 for IBM Lotus Domino (Linux-version)
• Dr.Web AV-Desk 10.0/10.1
• Dr.Web ATM Shield 6
• Dr.Web Enterprise Security Suite 10.0.0/10.00.1/10.01.0/11.00 (Windows)
• Dr.Web for MIMEsweeper 6
• Dr.Web LiveCD 9
• Dr.Web 7.0 for Novell NetWare 7
• Dr.Web 6.0 for Qbik WinGate
• Dr.Web 6.0 for for Trafficinspector
• Dr.Web CureNet! 10/11
• Dr.Web 11.0 for Microsoft ISA Server and Forefront TMG
• Dr.Web 6.0 for Kerio mail servers (Windows)
• Dr.Web 11.1 for Kerio mail servers (Linux)
• Dr.Web 6.0 for Internet gateways Kerio (Windows)
• Dr.Web 11.0/11.1 for Internet gateways Kerio (Linux)

The update will be downloaded and installed automatically.

July 31, 2019

Russian anti-virus company Doctor Web has released Dr.Web Light 11.3.2 for Android. The new version incorporates fixes for known defects.

Fixes:

• An issue causing the application to terminate abnormally when working with some of its components;
• An issue involving increased memory usage by the application.

If you downloaded your Dr.Web application from Google Play, the update will be downloaded and installed automatically. If automatic updates are disabled on your device, you need to go to Google Play, choose Dr.Web Light on the application list, and tap "Update".

July 31, 2019

Russian anti-virus company Doctor Web has updated Dr.Web for Outlook Plugin (11.5.2.201907190), the Dr.Web Protection for Windows module (11.05.08.06260) as well as the Dr.Web Control Service (11.5.17.07023) in Dr.Web Enterprise Security Suite 11.0. The update resolves known issues and delivers minor upgrades.

Changes made to Dr.Web for Outlook Plugin:

• An issue causing anti-spam false positives has been eliminated.

Changes made to Dr.Web Control Service:

• An issue preventing devices with similar IDs from being blocked has been resolved.

The update will be performed automatically; however, a system reboot will be required.