January 2017 mobile malware review from Doctor Web

January 31, 2017

In the first month of 2017, Doctor Web security researchers detected an Android Trojan that infiltrated the running Play Store process and stealthily downloaded Google Play applications. Later, security researchers examined an Android banker whose source code had been published online by cybercriminals. Also in January, another Android banker was detected; it was distributed as the game Super Mario Run, which is not yet available for Android devices. In the past month, a new ransomware Trojan was also detected on Google Play; it blocked the screens of Android smartphones and tablets.

Principal trends in January

  • The detection of an Android Trojan that infiltrated the running Play Store process and covertly downloaded applications from Google Play
  • The distribution of new banking Trojans
  • The detection of a ransomware Trojan on Google Play

Mobile threat of the month

Early in January, Doctor Web security researchers detected the Trojan Android.Skyfin.1.origin, which infiltrated the running Play Store process, stole confidential information, and stealthily downloaded Google Play applications, artificially increasing their popularity. Android.Skyfin.1.origin has the following characteristics:

For more information regarding this Trojan, refer to the article published by Doctor Web.

According to statistics collected by Dr.Web for Android

[Figure: The most common unwanted and potentially dangerous programs, Dr.Web for Android]

Banking Trojans for Android

In January, the banking Trojan Android.BankBot.140.origin was detected; cybercriminals distributed it as the game Super Mario Run. The game is currently available only for iOS-based devices; by employing such a scheme, cybercriminals have therefore increased the likelihood that users interested in the game will install the malware.

Android.BankBot.140.origin tracked the launch of banking applications and displayed on top of them a phishing form that asked for the logins and passwords used to access user accounts. Furthermore, when Play Store was launched, the Trojan attempted to steal bank card information by displaying a phishing copy of the Google Play purchase settings dialog.


In the middle of the month, Doctor Web analysts detected the banking Trojan Android.BankBot.149.origin, which had its source code published online by cybercriminals. This malware tracked the launch of applications used to access remote banking and payment services and displayed on top of them a fraudulent form for entering user account logins and passwords. In addition, Android.BankBot.149.origin attempted to get bank card information by displaying a phishing dialog on top of Play Store.

This Trojan also intercepted incoming SMS messages and tried to hide them, tracked the infected device’s GPS coordinates, stole information from the contact list, and could send messages to all the available numbers. For more information regarding Android.BankBot.149.origin, refer to the news article published by Doctor Web.


Trojans on Google Play

In the past month, the ransomware Android.Locker.387.origin was detected on Google Play; to complicate detection, it was protected with a special packer. Nevertheless, Dr.Web for Android successfully detects it as Android.Packed.15893. This Trojan was distributed as the program Energy Rescue, which supposedly optimized battery performance. After being launched, Android.Locker.387.origin prompted the user to grant it administrator privileges for the mobile device and blocked the infected smartphone or tablet, demanding a ransom to unlock it. However, the ransomware did not attack the devices of users from Russia, Ukraine, and Belarus.


Besides blocking Android devices, Android.Locker.387.origin stole contact list information and all the available SMS messages.

Cybercriminals are still interested in Android devices and create numerous malicious programs for this mobile platform. To protect smartphones and tablets, it is recommended that Dr.Web for Android be installed as it successfully detects Android Trojans and other malware.
