September 27, 2023
According to detection statistics collected by Dr.Web for Android, in August 2023, adware trojans from the Android.MobiDash and Android.HiddenAds families were again among the most widespread Android malware. At the same time, the former were detected 72.23% more often, while the activity of the latter decreased by 8.87%, compared to the previous month.
The number of spyware trojans and ransomware programs detected on protected devices decreased by 13.88% and 18.14%, respectively. In addition, users encountered banking trojans 2.13% more often than in July.
In August, yet another malicious program was discovered on Google Play.
PRINCIPAL TRENDS IN AUGUST
- A significant increase in Android.MobiDash adware trojan activity
- A decrease in Android.HiddenAds adware trojan activity
- A decrease in spyware- and ransomware-trojan activity
- An increase in the number of banking malware attacks
According to statistics collected by Dr.Web for Android
- Android.HiddenAds.3697
- A trojan app designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
- Android.Spy.5106
- The detection name for a trojan distributed as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. When such a modified messenger is in use, it can also display dialog boxes containing remotely configurable content.
- Android.MobiDash.7802
- A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
- Android.Packed.57083
- The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
- Android.Pandora.7
- The detection name for malicious programs that download and install the Android.Pandora.2 backdoor trojan. Threat actors often embed such downloaders in Smart TV software oriented toward Spanish-speaking users.
- Program.FakeAntiVirus.1
- The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
- Program.FakeMoney.7
- Program.FakeMoney.8
- The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
- Program.SecretVideoRecorder.1.origin
- The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- Program.wSpy.1.origin
- A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.
- Tool.LuckyPatcher.1.origin
- A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.7.origin
- Tool.SilentInstaller.6.origin
- Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
- Tool.ApkProtector.16.origin
- The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.
- Adware.AdPush.39.origin
- Adware.AdPush.36.origin
- Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
- Adware.ShareInstall.1.origin
- An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
- Adware.MagicPush.1
- An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
- Adware.Airpush.7.origin
- A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Threats on Google Play
In August, the Android.HiddenAds.3766 trojan application was detected on Google Play. It was distributed as image collection software called Exquisite Wallpaper Collection. However, its main functionality is to display unwanted ads. At the same time, Android.HiddenAds.3766 tries to hide from the user. To do so, the trojan replaces its icon located on the home screen with a transparent one and changes its name so that it is blank. In some cases, this malicious program may instead replace the icon with a copy of the Google Chrome browser icon. When the user taps on it, it will launch the browser itself instead of the trojan.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.