Doctor Web’s October 2023 review of virus activity on mobile devices

According to detection statistics collected by Dr.Web for Android, in October 2023, adware trojans from the Android.HiddenAds family were most often detected. Their activity increased by 46.16%, compared to the previous month. The second most widespread adware trojans, which belong to the Android.MobiDash family, also increased in number—by 7.07%. In addition, users encountered spyware trojans and banking malware more often—by 18.27% and 10.73%, respectively.

Over the course of October, Doctor Web’s specialists discovered more threats on Google Play. Among them were dozens of various fake apps from the Android.FakeApp family, which cybercriminals use for fraudulent purposes. Also uncovered were Android.Proxy.4gproxy trojans, which turn Android devices into proxy servers.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.3831

Android.HiddenAds.3697

Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.

Android.Spy.4498

Android.Spy.5106

The detection name for different variants of a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.

Android.MobiDash.7804

A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.

Program.CloudInject.1

The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.

Program.FakeAntiVirus.1

The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.

Program.FakeMoney.7

The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.

Program.wSpy.3.origin

A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. In addition, it has keylogger functionality.

Program.SecretVideoRecorder.1.origin

The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.

Tool.LuckyPatcher.1.origin

A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

Tool.SilentInstaller.14.origin

Tool.SilentInstaller.7.origin

Tool.SilentInstaller.6.origin

Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.

Tool.WAppBomber.1.origin

An Android utility for sending mass messages in the WhatsApp online messenger. To operate, it requires access to the contact list from the user’s phonebook.

Adware.ShareInstall.1.origin

An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.

Adware.MagicPush.1

An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.

Adware.AdPush.39.origin

Adware.AdPush.36.origin

Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

Adware.Airpush.7.origin

A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In October, Doctor Web’s virus analysts discovered over 50 malicious apps on Google Play. Among them were the Android.Proxy.4gproxy.1, Android.Proxy.4gproxy.2, Android.Proxy.4gproxy.3, and Android.Proxy.4gproxy.4 trojans, which turned infected devices into proxy servers and covertly transmitted third-party traffic through them. Various modifications of the first trojan were disguised as a Photo Puzzle game, a Sleepify program designed to help users with insomnia, and a tool called Rizzo The AI chatbot, which provided the functionality needed to work with a chat bot. The second trojan was hidden in the Premium Weather Pro weather forecast app. The third trojan was built into the Turbo Notes notepad app. And the last one was distributed by malicious actors as a Draw E program for creating images with the help of a neural network.

A special utility called 4gproxy (Dr.Web detects it as Tool.4gproxy) was built into these apps. This tool allows Android devices to be used as proxy servers. It is not malicious in itself and can be used for legitimate purposes. However, in the case of these newly discovered trojans, the proxy server functionality operates without users’ involvement and their explicit consent.

At the same time, our specialists uncovered dozens of new trojan apps from the Android.FakeApp family. Some of them again were distributed as financial apps (for example, trojans like Android.FakeApp.1459, Android.FakeApp.1460, Android.FakeApp.1461, Android.FakeApp.1462, Android.FakeApp.1472, Android.FakeApp.1474, and Android.FakeApp.1485). Their main task is to load fraudulent websites that invite potential victims to become investors. Malicious actors ask users to provide their personal information and invite them to invest their money in supposedly profitable financial projects or instruments.

Other fake programs (like Android.FakeApp.1433, Android.FakeApp.1444, Android.FakeApp.1450, Android.FakeApp.1451, Android.FakeApp.1455, Android.FakeApp.1457, Android.FakeApp.1476, and others) were again disguised as various games. Under certain conditions, instead of launching games, these loaded online casino or bookmaker websites.

Examples of how these trojan apps work as games:

Examples of the online casino and bookmaker sites they load:

Similar functionality was found in the Android.FakeApp.1478 trojan, which was hiding in an app for accessing sports news and publications. It could load bookmaker sites.

In addition, new trojan apps were found that allegedly could help Android device owners search for a job. One was called Rixx (Android.FakeApp.1468), and the other—Catalogue (Android.FakeApp.1471). Upon launching, these malicious apps show a fake vacancy listing. When potential victims try to respond to one of the job offers, they are asked to enter their personal data into a special form, or to contact the “employer” via instant messengers, like WhatsApp or Telegram.

Below is an example of how one of these malicious apps works. The trojan displays a phishing form, disguised as a window for creating a resume, or asks the user to contact the “employer” via the messenger.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Your Android needs protection.

Use Dr.Web

• The first Russian anti-virus for Android
• Over 140 million downloads—just from Google Play
• Available free of charge for users of Dr.Web home products

Free download