Doctor Web’s Q4 2024 review of virus activity on mobile devices

December 26, 2024

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.HiddenAds ad-displaying trojans were the malware programs most frequently detected in the fourth quarter of 2024 (Q4). The second most common threats were Android.FakeApp trojans, which are used in fraudulent schemes. Trojans from the Android.Siggen family, capable of executing various malicious tasks, ranked third.

Over the course of Q4, Doctor Web’s malware analysts discovered many threats on Google Play. Among them were numerous Android.FakeApp trojans and malware from the Android.Subscription and Android.Joker families, which subscribe users to paid services. More Android.HiddenAds adware trojans were also detected. In addition, threat actors distributed malicious apps protected with a sophisticated software packer.

According to statistics collected by Dr.Web Security Space for mobile devices

Android.FakeApp.1600
A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
Android.HiddenAds.655.origin
Android.HiddenAds.657.origin
Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.Packed.57083
The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
Android.Click.1751
This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, the malware opens the corresponding link in the browser.
Program.FakeMoney.11
The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
Program.FakeAntiVirus.1
The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
Program.CloudInject.1
The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
Program.TrackView.1.origin
The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
Program.SecretVideoRecorder.1.origin
The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Tool.NPMod.1
The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Tool.SilentInstaller.14.origin
A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.
Tool.LuckyPatcher.1.origin
A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change how they work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
Tool.Packer.1.origin
A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
Tool.Androlua.1.origin
The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.
Adware.ModAd.1
The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware.Basement.1
These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
Adware.Fictus.1.origin
An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
Adware.AdPush.3.origin
Adware.Adpush.21846
Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

Threats on Google Play

In Q4 2024, Doctor Web’s malware analysts discovered over 60 malicious apps on Google Play, most of which were trojans from the Android.FakeApp family. Some of them were distributed as financial programs, teaching aids, reference books, and other software, including diaries, notepads, and so on. Their primary task was to load fraudulent websites.

The “QuntFinanzas” and “Trading News” apps, which, among other numerous Android.FakeApp trojans, loaded fraudulent sites

Malicious actors disguised other Android.FakeApp trojans as games. These could load online casino and bookmaker websites.

“Bowl Water” and “Playful Petal Pursuit” are examples of games with trojan functionality

Our experts also uncovered new variants of the Android.FakeApp.1669 trojan, which was disguised as various programs and could also load online casino websites. Android.FakeApp.1669 is interesting in that it gets the target website URL from a TXT record served by the malicious DNS server. At the same time, it only activates when the device connects to the Internet through certain providers.
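Because Android.FakeApp.1669 pulls its landing-page URL out of a DNS TXT answer, URL-bearing TXT records are a useful hunting signal in passive DNS or resolver logs. The following is an added example (not code from Doctor Web or from the report) that flags TXT answers carrying a plain or base64-encoded http(s) URL while skipping the usual SPF/DMARC/DKIM records; the record set and domain names are constructed placeholders, not indicators from the report.

```python
import base64
import binascii
import re

# Constructed passive-DNS records for the demo (name, rrtype, rdata); the
# domains are placeholders, not indicators from the report.
SAMPLE_RECORDS = [
    ("example.org", "TXT", "v=spf1 include:_spf.example.org -all"),
    ("_dmarc.example.org", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"),
    ("cfg.placeholder-c2.example", "A", "203.0.113.10"),
    ("cfg.placeholder-c2.example", "TXT", "https://casino.placeholder.example/land?ref=app"),
    # the same trick with the URL base64-encoded, which a detector should still catch
    ("cfg2.placeholder-c2.example", "TXT",
     base64.b64encode(b"https://promo.placeholder.example/x").decode()),
]

URL_RE = re.compile(r"https?://[^\s\"';]+", re.IGNORECASE)
# TXT records that legitimately carry URL-like text: SPF, DMARC, DKIM, ownership tokens.
BENIGN_PREFIXES = ("v=spf1", "v=DMARC1", "v=DKIM1", "google-site-verification=")


def decoded_forms(rdata: str):
    """Yield the raw rdata and, if it is valid base64, its decoded text."""
    yield rdata
    try:
        yield base64.b64decode(rdata, validate=True).decode("utf-8", "ignore")
    except (binascii.Error, ValueError):
        return


def embedded_url(rrtype: str, rdata: str):
    """Return the first http(s) URL carried in a TXT answer, or None."""
    if rrtype != "TXT" or rdata.startswith(BENIGN_PREFIXES):
        return None
    for text in decoded_forms(rdata):
        match = URL_RE.search(text)
        if match:
            return match.group(0)
    return None


def flag_url_bearing_txt(records):
    """Return (query name, URL) pairs for TXT answers that smuggle a URL."""
    hits = []
    for name, rrtype, rdata in records:
        url = embedded_url(rrtype, rdata)
        if url:
            hits.append((name, url))
    return hits
```

On the constructed records the two placeholder C&C names are flagged and the SPF/DMARC entries are ignored; on real resolver data, pair the hit with the querying device to find the app that asked.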

Examples of new Android.FakeApp.1669 trojan modifications. The “WordCount” app was disguised as a text tool, and the “Split it: Checks and Tips” app was supposed to help café- and restaurant-goers pay their bills and calculate tips.

Several new members of the Android.HiddenAds adware trojan family were among the threats detected on Google Play. They conceal their presence on infected devices.

This “Cool Fix Photo Enhancer” photo-editing software was hiding the Android.HiddenAds.4013 ad-displaying trojan

Moreover, trojans protected with a sophisticated software packer were also discovered: Android.Packed.57156, Android.Packed.57157, and Android.Packed.57159, for example.

The “Lie Detector Fun Prank” and “Speaker Dust and Water Cleaner” programs are trojans protected with a software packer

Our specialists also detected Android.Subscription.22, malware designed to subscribe users to paid services.

Instead of editing photos, the “InstaPhoto Editor” program subscribed users to a paid service

At the same time, cybercriminals again distributed trojans from the Android.Joker family, which also subscribed victims to paid services.

The SMS messenger “Smart Messages” and the third-party keyboard “Cool Keyboard” tried to covertly subscribe victims to a paid service

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise