Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Back to the news list

Doctor Web warns: Cybercriminals spread Android Trojans via Instagram

February 19, 2019

Doctor Web's experts detect more and more Trojans of the Android.HiddenAds family, displaying obnoxious ads, on Google Play. Since the beginning of February, about 40 new modifications of such malicious apps have been found and downloaded by some 10,000,000 users. Some of these Trojans have been spread via Instagram and YouTube. Thanks to advertising in popular social media and online services with a huge audience, the number of potential victims who can install dangerous software is significantly increasing.

During February, malware analysts revealed 39 new modifications of the Android.HiddenAds Trojan family on Google Play. They were hidden in useful and seemingly safe programs: photography applications, image and video editors, collections of desktop wallpapers, system utilities, games, and other software. Overall, they were installed by at least 9,940,305 users. Doctor Web has notified Google of the detected Trojans, but as of the publishing date of this news, some of them were still available for downloading.

screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb

The main function of Android.HiddenAds malware is to display ads. They constantly show windows with banners and video ads that overlap other programs and the system interface, making it difficult to work with infected devices. See below an example of such an ad:

screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb

screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb

Since Trojans display banners almost continuously, cybercriminals quickly cover their expenses for promoting their software via popular online services.

To stay on smartphones and tablets for as long as possible, the Android.HiddenAds Trojans hide their icons from the list of applications on the home screen. After that, they can no longer be launched manually and also become harder to find and remove. Besides, over time, some users may forget which programs they have installed, and it also helps the Trojans ‘survive’.

Almost all malware of the Android.HiddenAds family detected in February hide their icons, too, but also create shortcuts instead. Most likely, the Trojan makers tried to divert suspicion, reducing the risk of removal for their software. Unlike icons on the home screen, shortcuts do not allow you to remove applications from the context menu. So if an inexperienced user suspects something and tries to remove the Trojan by deleting its icon, only a shortcut will be removed, while the Trojan will remain on the device and continue to work covertly and bring money to the attackers.

Android users installed many of these malicious applications after viewing ads on Instagram and YouTube, where the cybercriminals promised functional and powerful photo and video processing tools. At first glance, the Trojans match the description and do not arouse suspicion among potential victims. However, apart from one or several basic functions, they contain nothing of what was declared. Here is what users complain about in the reviews:

screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb

An active promotional campaign set up by the cybercriminals attracts a large number of mobile device users and increases the number of downloads. Some of these Trojans even get featured in Google Play sections promoting new products and applications gaining popularity, which also increases the number of users that download the malware.

screenshot Android.HiddenAds #drweb screenshot Android.HiddenAds #drweb

Information about all Trojans that our experts have found as of the publication date of this material is in the summary spreadsheet. However, since cybercriminals constantly create new Android.HiddenAds malware and actively advertise it, other modifications may soon be detected.

Application package nameNumber of downloads
com.funshionstyle.ledcaller1 000 000+
com.uniokan.pipphotoframer50 000+
com.flextool.scanner.play100 000+
com.flextool.superfastscanner100 000+
com.piano.tiles.songs.black.white.game10 000+
com.pop.stars.pop.cube10 000+
com.mp3audio.musicplayer.fly.fun100 000+
com.picsart.photo.editor50 000+
com.loopshapes.infinite.puzzle100+
com.cdtushudw.brand.logo.expert10 000+
com.aardingw.chess.queen50 000+
com.particle.sand.box100+
checkers.online.classic.board.tactics500 000+
com.wind.pics.blur.editor1 000 000+
com.draughts.checkersnew50 000+
com.watermark.zooms.camera10 000+
com.photo.cut.out.studio1 000 000+
com.camera.easy.photo.beauty100 000+
com.camera.easy.photo.beauty.Pro10 000+
com.soon.ygy.photograph.camera500 000+
com.music.play.hi.cloud500 000+
com.scanfactory.smartscan100 000+
com.personalife.hdwallpaper 10 000+
com.smartmob.minicleaner100 000+
com.beautylife.livepipcamera100 000+
com.callcolorshow.callflash10 000+
com.mobwontools.pixel.blur.cam 1 000 000+
com.video.nin.cut.face100 000+
com.magicvcam.meet.photograph100 000+
com.best.blur.editor.photo100,000+
com.autocleaner.supercleaner10 000+
com.wallpapers.project.hd.hd3d.best.live10 000+
com.camera.selfie.beauty.candy.cam5+
com.wallpaper.hd3d.hd.lock.screen.best3d.best50 000+
com.selfie.beauty.candy.camera.pro1 000 000+
com.cam.air.crush1 000 000+
com.fancy.photo.blur.editor1 000 000+
com.photoeditor.background.change100 000+
com.eraser.ygycamera.background100 000+

Users are advised to perform a full scan of mobile devices with Dr.Web for Android and remove the Trojans that are detected.

Users of smartphones and tablets should be wary of ads on the Internet and avoid downloading all advertised software, even if it is distributed via Google Play. Only install applications from trusted developers and pay attention to the reviews from other users.

#Android, #fraud, #Google_Play, #Trojan

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.


Other comments