According to detection statistics collected by Dr.Web for Android, in June 2023, the activity of Android.HiddenAds adware trojans increased by 10.93%. At the same time, adware trojans from the Android.MobiDash family were detected 15.94% less often on protected devices. Compared to May, the number of spyware trojan and banking malware attacks decreased by 47.15% and 12.23%, respectively. In addition, users encountered ransomware malware from the Android.Locker family 46.30% more often.

In June, new threats were spotted on Google Play. Among them were malicious fake apps from the Android.FakeApp family and Android.Joker trojans that subscribe victims to paid services.

PRINCIPAL TRENDS IN JUNE

An increase in Android.HiddenAds adware trojan activity
A decrease in Android.MobiDash adware trojan activity
A decrease in spyware trojan and banking malware activity
New threats found on Google Play

According to statistics collected by Dr.Web for Android

Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.HiddenAds.3697: A trojan app designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Packed.57083: The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
Android.MobiDash.7795: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.Pandora.7: The detection name for malicious programs that download and install the Android.Pandora.2 backdoor trojan. Threat actors often plug such downloaders into Smart TV software oriented toward Spanish-speaking users.

Program.FakeMoney.7
Program.FakeMoney.8: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.Reptilicus.8.origin: An application that allows Android device users to be monitored. It can track device location, collect information from SMS and social media messages, intercept phone calls and record the surroundings, take screenshots, act as a keylogger, copy files from a target device and perform other actions.

Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.6.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.ApkProtector.16.origin: The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.

Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.MagicPush.3
Adware.MagicPush.1: Adware modules embedded into Android applications. They display pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
Adware.AdPush.39.origin: An adware module that can be built into Android apps. It displays notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, this module collects a variety of confidential data and is able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In June, Doctor Web’s specialists again discovered trojan applications from the Android.FakeApp family on Google Play. Some of them, like Android.FakeApp.1382, Android.FakeApp.1383, Android.FakeApp.1384, Android.FakeApp.1385, Android.FakeApp.1386, Android.FakeApp.1387, were distributed under the guise of financial apps. These included guides and reference books, home bookkeeping, software for accessing exchange information, and others. In reality, their main functionality was to load fraudulent, supposedly investment-related websites.

Other such programs, like Android.FakeApp.1390, Android.FakeApp.1396, Android.FakeApp.1400, and Android.FakeApp.1401, were distributed as games. Under certain conditions, they could load online casino websites.

Below is an example of how one of these fake apps operates as a game and also loads a target website:

In addition, in June, other trojan apps from the Android.Joker family that subscribe victims to paid services were uncovered. Dubbed Android.Joker.2143, Android.Joker.2152, and Android.Joker.2154, in accordance with Dr.Web anti-virus classification, they were hidden in apps called Funny Prank Sounds, Beauty 4K Wallpaper, and Chat SMS, respectively.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download