Doctor Web’s December 2023 review of virus activity on mobile devices

January 30, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, adware trojans from the Android.HiddenAds family were again the most active malicious programs in December 2023. However, users encountered them 53.89% less often than in the previous month. The number of banking-trojan and spyware attacks also decreased, by 0.88% and 10.83%, respectively.

Over the course of the final month of 2023, Doctor Web’s virus analysts discovered more malicious fake apps from the Android.FakeApp family on Google Play. These were used in a variety of fraudulent schemes. Our specialists also found more websites through which malicious actors were distributing fake crypto-wallet software.

PRINCIPAL TRENDS IN DECEMBER

  • Adware trojans from the Android.HiddenAds family were detected most often on protected devices
  • The activity of banking trojans and malicious spyware apps decreased
  • New malicious programs were discovered on Google Play
  • Our analysts identified more websites distributing fake crypto-wallet software for devices running the Android and iOS operating systems

According to statistics collected by Dr.Web for Android

Android.Spy.5106
The detection name for a trojan embedded in unofficial, modified builds (“mods”) of the WhatsApp messenger. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. While such a modified messenger is in use, it can also display dialog boxes whose content is configured remotely.
Android.HiddenAds.3831
Android.HiddenAds.3851
Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.MobiDash.7805
A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.
Android.Click.1751
This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of its C&C servers and receives two URLs from it: one intended for Russian-speaking users and the other for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When the user taps the confirmation button, the trojan loads the corresponding link in their browser.
Program.CloudInject.1
The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server, so the modders (users) who request the modification cannot control exactly what is added to the apps. Moreover, the modified programs request a number of dangerous system permissions. Once modification is complete, the apps can be managed remotely: they can be blocked, made to display custom dialogs, made to track when other software is installed on or removed from the device, and so on.
Program.FakeAntiVirus.1
The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.wSpy.3.origin
A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.
Program.FakeMoney.7
The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.SecretVideoRecorder.1.origin
The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Tool.NPMod.1
The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps. It allows them to bypass digital signature verification once they have been modified.
Tool.LuckyPatcher.1.origin
A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change how they work or to bypass certain restrictions. For instance, users can apply it to disable root-access checks in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which any third party can craft and add to the shared database. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.SilentInstaller.14.origin
Tool.SilentInstaller.7.origin
Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.ApkProtector.16.origin
The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.
Adware.ShareInstall.1.origin
An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.Adpush.21846
Adware.AdPush.39.origin
Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.Airpush.7.origin
A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
Adware.Fictus.1.origin
An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
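The Android.HiddenAds entry above notes that these trojans typically “hide” their icons from the home screen menu. On Android this is usually done by the app disabling its own MAIN/LAUNCHER activity, and that change is visible in `adb shell dumpsys package` output: the activity still appears as a launcher entry in the Activity Resolver Table but is also listed under the package’s “disabledComponents:” list. The following triage script, written for this page as an added example (it is not Doctor Web’s tooling), cross-references the two. The dumpsys excerpt and the third-party package list are constructed for the example and mirror the layout of real output; the package names are hypothetical.

```python
"""Triage helper: find third-party apps whose launcher icon has been hidden.

Added example; not Doctor Web's code. Feed it the real output of
`adb shell dumpsys package` and `adb shell pm list packages -3` to use it
on a device. The sample data below is constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed, abridged `adb shell dumpsys package` output.
SAMPLE_DUMPSYS = """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        4ad2d7c com.example.notes/.MainActivity filter 2b3f4c5
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        7f1e0a2 com.example.photoeditor/.SplashActivity filter 9c8d7e6
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        1a2b3c4 com.android.settings/.Settings filter 5d6e7f8
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"

Packages:
  Package [com.example.notes] (1a2b3c4):
    userId=10123
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false virtual=false
  Package [com.example.photoeditor] (5d6e7f8):
    userId=10124
    User 0: ceDataInode=1235 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false virtual=false
      disabledComponents:
        com.example.photoeditor.SplashActivity
  Package [com.example.syncservice] (9e8f7a6):
    userId=10125
    User 0: ceDataInode=1236 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0 instant=false virtual=false
"""

# Constructed `adb shell pm list packages -3` result (third-party apps only).
SAMPLE_THIRD_PARTY = ["com.example.notes", "com.example.photoeditor", "com.example.syncservice"]

# Resolver-table entry: "<hash> <package>/<class> filter <hash>"
LAUNCHER_RE = re.compile(r"^\s+[0-9a-f]+ (\S+)/(\S+) filter [0-9a-f]+$")
PACKAGE_RE = re.compile(r"^  Package \[(\S+)\]")


def parse_launchers(dump: str) -> dict[str, set[str]]:
    """Map package -> fully qualified activities that carry the LAUNCHER category."""
    launchers: dict[str, set[str]] = {}
    current = None
    for line in dump.splitlines():
        m = LAUNCHER_RE.match(line)
        if m:
            pkg, cls = m.group(1), m.group(2)
            if cls.startswith("."):          # relative class name, expand it
                cls = pkg + cls
            current = (pkg, cls)
            continue
        if current and line.strip() == 'Category: "android.intent.category.LAUNCHER"':
            launchers.setdefault(current[0], set()).add(current[1])
    return launchers


def parse_disabled(dump: str) -> dict[str, set[str]]:
    """Map package -> components listed under its 'disabledComponents:' block."""
    disabled: dict[str, set[str]] = {}
    pkg, in_block = None, False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            pkg, in_block = m.group(1), False
            continue
        if pkg is None:
            continue
        stripped = line.strip()
        if stripped == "disabledComponents:":
            in_block = True
            continue
        if in_block:
            # Component names sit one indentation level below the header.
            if line.startswith("        ") and stripped:
                disabled.setdefault(pkg, set()).add(stripped)
            else:
                in_block = False
    return disabled


@dataclass
class Finding:
    package: str
    reason: str


def find_hidden_icon_apps(dump: str, third_party: list[str]) -> list[Finding]:
    """Flag third-party packages with no launcher entry or a disabled one."""
    launchers, disabled = parse_launchers(dump), parse_disabled(dump)
    findings = []
    for pkg in third_party:
        entries = launchers.get(pkg, set())
        if not entries:
            findings.append(Finding(pkg, "no MAIN/LAUNCHER activity declared"))
            continue
        hidden = entries & disabled.get(pkg, set())
        if hidden and hidden == entries:  # every launcher entry has been disabled
            findings.append(Finding(pkg, "launcher activity disabled: " + ", ".join(sorted(hidden))))
    return findings


if __name__ == "__main__":
    for f in find_hidden_icon_apps(SAMPLE_DUMPSYS, SAMPLE_THIRD_PARTY):
        print(f"{f.package}: {f.reason}")
```

Treat the output as leads, not verdicts: a disabled launcher activity on a user-installed app is a strong signal of the HiddenAds trick, but an app with no launcher activity at all can be legitimate (keyboards, wallpapers, plugins), so the second check only narrows the list of packages worth pulling and scanning.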

Threats on Google Play

In December 2023, Doctor Web’s specialists discovered new trojan apps from the Android.FakeApp family on Google Play. For example, malicious actors disguised Android.FakeApp.1564 as a debt-tracking program. The Android.FakeApp.1563 trojan was hiding in survey software. And cybercriminals passed the Android.FakeApp.1569 trojan off as an instrument that could help users increase their productivity and develop good habits.

All these fake apps loaded fraudulent finance-related websites that copied the design of the genuine websites of banks, news agencies, and other well-known organizations. The corresponding companies’ names and logos were used in their design to further mislead potential victims. On such fraudulent websites, users were offered the chance to become investors, take financial literacy training, receive financial support, etc. At the same time, they were asked to provide personal data, allegedly to register an account and gain access to the corresponding services.

Examples of websites loaded by these trojans:

Other trojans, like Android.FakeApp.1566, Android.FakeApp.1567, and Android.FakeApp.1568, were distributed as games:

Instead of launching the actual games, they could load bookmaker and online casino websites, as shown in the example below.

One of these trojans operating in gaming mode:

One of the websites it loaded:

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise
