In early September, Doctor Web published a study of Android.Pandora.2, a backdoor that creates a botnet of infected devices and can carry out DDoS attacks at the command of threat actors. In the middle of the month, our specialists informed users about malicious programs from the Android.Spy.Lydia family. These multi-functional spyware trojans target Iranian users. Members of this family are camouflaged as a financial platform for online trading; they can perform various malicious actions at the command of attackers. This includes intercepting and sending SMS, collecting information about user phonebook contacts, hijacking clipboard contents, loading phishing websites, and so on. The Android.Spy.Lydia trojans can be used in a variety of fraudulent schemes and to steal personal data. Moreover, with their help, threat actors can steal their victims’ money.

According to detection statistics collected by Dr.Web for Android, in September 2023, Android malware was less active, compared to the previous month. For instance, Android.HiddenAds and Android.MobiDash adware trojans were detected 11.73% and 26.30% less often, respectively. The number of spyware trojan attacks decreased by 25.11%, Android.Locker attacks by 10.52%, and banking malware by 4.51%. At the same time, Android device owners encountered unwanted adware programs 14.32% more often.

Many new threats were uncovered on Google Play over the course of September. Among them were Android.FakeApp trojan apps used in different fraudulent schemes, Android.Joker trojans, which subscribe victims to paid services, and also Android.HiddenAds adware trojans.

PRINCIPAL TRENDS IN SEPTEMBER

A decrease in Android malware activity
The emergence of new malicious apps on Google Play

Mobile threat of the month

In September, Doctor Web presented the details of its Android.Pandora.2 malware analysis; this trojan primarily targets Spanish-speaking users. The first cases of attacks involving it were recorded in March 2023.

This malicious program infects Smart TVs and television boxes with the Android TV operating system via compromised firmware or when users install trojanized versions of software for illegally watching videos online.

The main function of Android.Pandora.2 is to perform various types of DDoS attacks at the command of cybercriminals. In addition, this trojan can perform a number of other actions, like installing its own updates and replacing the system hosts file.

A study performed by Doctor Web’s malware analysts revealed that when creating this trojan, virus writers borrowed from the authors of Linux.Mirai, taking part of its code and using it as the basis for their trojan. Since 2016, Linux.Mirai has been widely used to infect IoT (the “Internet of things”) devices and to perform DDoS attacks on various websites.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3697: A trojan app designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Android.Packed.57083: The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
Android.Pandora.17: The detection name for malicious programs that download and install the Android.Pandora.2 backdoor trojan. Threat actors often embed such downloaders in Smart TV software oriented toward Spanish-speaking users.
Android.MobiDash.7804: A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.FakeMoney.7: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.wSpy.3.origin: A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.

Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Packer.3.origin: The detection name for Android programs whose code is encoded and obfuscated by the NP Manager tool.
Tool.ApkProtector.16.origin: The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.

Adware.ShareInstall.1.origin: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.MagicPush.1: An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
Adware.AdPush.39.origin
Adware.AdPush.36.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In September, Doctor Web’s malware analysts uncovered many new malicious apps on Google Play. Among them were trojans that displayed intrusive ads. Threat actors distributed them under the guise of such games as Agent Shooter (Android.HiddenAds.3781), Rainbow Stretch (Android.HiddenAds.3785), Rubber Punch 3D (Android.HiddenAds.3786), and Super Skibydi Killer (Android.HiddenAds.3787). Once these trojans were installed on Android devices, they tried to hide from users. For this, they replaced their icons, located on the home screen menu, with transparent versions and also changed their names so they were left blank. In addition, they could pretend to be a Google Chrome browser by replacing their own icons with the corresponding copy. When users tap on such an icon, these trojans launch the browser and continue to operate in the background. This allows them to become less noticeable and reduces the likelihood of their premature removal. Moreover, if these malicious programs stop working, users will restart them, thinking that they are launching a browser.

Our specialists also discovered other fake apps from the Android.FakeApp family. Some of them (like Android.FakeApp.1429, Android.FakeApp.1430, Android.FakeApp.1432, Android.FakeApp.1434, Android.FakeApp.1435, and others) were distributed as financial software—for example, as apps for stock trading, guides and reference books, home accounting, and others. In reality, their primary objective was to load fraudulent sites where potential victims were encouraged to become “investors”.

Other fake programs (for example, Android.FakeApp.1433, Android.FakeApp.1436, Android.FakeApp.1437, Android.FakeApp.1438, Android.FakeApp.1439, and Android.FakeApp.1440) were passed off by cybercriminals as different gaming apps. In some cases, these could actually operate as games, but their main functionality was to load online casino websites.

Examples of how these operate in game mode:

Examples of the online casino websites they load:

At the same time, other trojan apps from the Android.Joker family were discovered on Google Play. These were subscribing victims to paid services. One of them, dubbed Android.Joker.2216 in accordance with Doctor Web’s classification system, was disguised as an image collection app called Beauty Wallpaper HD. Another one was distributed as Love Emoji Messenger, an online messenger, and was added to the Dr.Web virus database as Android.Joker.2217.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download