Doctor Web’s Q2 2024 review of virus activity on mobile devices

July 1, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, in the second quarter of 2024, Android.HiddenAds adware-displaying trojans were most commonly detected on protected devices. The second most common malicious programs were trojans from the Android.FakeApp family. Cybercriminals use these to execute various fraudulent schemes. The most frequently detected representative of this family was Android.FakeApp.1600, a trojan that our experts discovered in late May. It is distributed via malicious sites from which it is downloaded as a gaming app. However, when launched, this fake app loads the website specified in its settings. Known modifications of the program load an online casino site. Its visitors are offered the chance to play a “wheel of fortune” type of game, but when they try to do so, they are redirected to a registration page. The high detection rates of this malicious program can be explained by the fact that the people behind it are promoting it, for example, via in-app ads in other software. When users tap on such an ad, they end up on a corresponding malicious website from which the trojan is downloaded. The third most widespread malicious programs were Android.Spy trojans, which possess spyware functionality.

At the same time, Doctor Web’s virus laboratory uncovered more threats on Google Play. Among them were various fake apps from the Android.FakeApp family and the unwanted Program.FakeMoney.11 app, which supposedly allows virtual rewards to be converted into real money that can then be withdrawn. Moreover, threat actors again used Google Play to distribute a trojan that subscribes victims to paid services.

According to statistics collected by Dr.Web for Android

Android.FakeApp.1600
A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.HiddenAds.3956
Android.HiddenAds.3980
Android.HiddenAds.3989
Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Spy.5106
The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. When such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
Program.CloudInject.1
The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.FakeMoney.11
The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
Program.FakeAntiVirus.1
The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.TrackView.1.origin
The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin
The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Tool.SilentInstaller.17.origin
Tool.SilentInstaller.14.origin
Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
Tool.Packer.1.origin
A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
Tool.NPMod.1
Tool.NPMod.2
The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Adware.ModAd.1
The detection name for some modified versions (mods) of the WhatsApp messenger into whose functions specific code has been injected. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) during the messenger’s operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.AdPush.39.origin
Adware.Adpush.21846
Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
Adware.ShareInstall.1.origin
An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
Adware.Airpush.7.origin
A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

Threats on Google Play

In Q2 2024, Doctor Web’s virus laboratory discovered more Android.FakeApp trojans on Google Play. Some of them were being distributed under the guise of finance-themed software and apps for participating in surveys and quizzes.

They could load fraudulent sites on which potential victims, supposedly on behalf of famous credit organizations, as well as oil and gas companies, were offered the chance of getting a finance education or becoming investors. To access one or another “service”, users had to answer several questions and then provide personal data.

Other Android.FakeApp trojans were hiding in different games. Under certain conditions, instead of the declared functionality, they would load bookmaker and online casino websites.

Another trojan from this family, Android.FakeApp.1607, was disguised as an image collection app. It did provide the claimed functionality but could also load online casino websites instead.

Threat actors passed off several Android.FakeApp members as job-search programs.

These trojans (Android.FakeApp.1605 and Android.FakeApp.1606) load fake vacancy lists where users are asked to contact “employers” via messengers (Telegram, for example) or to send out a “resume” by providing personal data. After attracting their potential victims’ attention, fraudsters can lure them to various dubious money-making schemes in an attempt to steal their money.

Our specialists also discovered another unwanted program from the Program.FakeMoney family. Such apps offer users various tasks to complete in order to receive virtual rewards. These rewards supposedly could then be withdrawn as real money. In fact, these programs mislead Android device owners as no real payouts are made. The purpose of such software is to encourage users to keep using it as long as possible so that the displayed ads bring a profit to the developers.

One identified app (Program.FakeMoney.11) is a variation of the win-win “one-arm bandit” game. When users play it and also watch the in-app ads, they receive virtual rewards. When they try to withdraw their “earned” money, the program delays this process, putting more and more conditions on it. If users eventually “successfully” submit a withdrawal request, they will end up in some “under consideration” queue of up to several thousand other “applicants”.

In addition, another trojan from the Android.Harly family (Android.Harly.87) was distributed via Google Play. Malicious programs of this family subscribe victims to paid services.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
