January 31, 2017
In the first month of 2017, Doctor Web security researchers detected an Android Trojan that infiltrated the Play Store running process and stealthily downloaded Google Play applications. Later, security researchers examined an Android banker whose source code had been published online by cybercriminals. Also in January, another Android banker was detected; it was distributed as the game Super Mario Run, which is not yet available for Android devices. During the same month, a new ransomware Trojan was detected in Google Play; it blocked the displays of Android smartphones and tablets.
Early in January, Doctor Web security researchers detected the Trojan Android.Skyfin.1.origin, which infiltrated the Play Store running process, stole confidential information, and stealthily downloaded Google Play applications, artificially increasing their popularity. Android.Skyfin.1.origin has the following characteristics:
For more information regarding this Trojan, refer to the article published by Doctor Web.
In January, the banking Trojan Android.BankBot.140.origin was detected; cybercriminals distributed it as the game Super Mario Run. The game is currently available only for iOS-based devices; by employing such a scheme, cybercriminals therefore increased the chance that users interested in the game would install the malware.
Android.BankBot.140.origin tracked the launch of banking applications and displayed on top of them a phishing input form for entering logins and passwords in order to access user accounts. Furthermore, when Play Store was launched, the Trojan attempted to steal bank card information by displaying the phishing dialog of the Google Play purchase settings.
In the middle of the month, Doctor Web analysts detected the banking Trojan Android.BankBot.149.origin, which had its source code published online by cybercriminals. This malware tracked the launch of applications used to access remote banking and payment services and displayed on top of them a fraudulent form for entering user account logins and passwords. In addition, Android.BankBot.149.origin attempted to get bank card information by displaying a phishing dialog on top of Play Store.
This Trojan also intercepted incoming SMS messages and tried to hide them, tracked the infected device’s GPS coordinates, stole information from the contact list, and could send messages to all the available numbers. For more information regarding Android.BankBot.149.origin, refer to the news article published by Doctor Web.
In the past month, the ransomware Android.Locker.387.origin was detected on Google Play; it was protected with a special packer to complicate detection. Nevertheless, Dr.Web for Android successfully detects it as Android.Packed.15893. This Trojan was distributed as the program Energy Rescue, which supposedly optimized battery performance. After being launched, Android.Locker.387.origin prompted the user to grant it administrator privileges for the mobile device and then blocked the infected smartphone or tablet, demanding a ransom to unlock it. However, the ransomware did not attack the devices of users from Russia, Ukraine, and Belarus.
Besides blocking Android devices, Android.Locker.387.origin stole contact list information and all the available SMS messages.
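The bankers and the locker described above share a small set of capabilities: drawing a form on top of other applications, intercepting and reading SMS messages, reading contacts and location, and holding device-administrator rights. As an added example (not Doctor Web's code or the malware's), the following triage heuristic flags apps in a device inventory that combine those capabilities. The inventory format and all package names are constructed for this example; the permission strings are real Android permission names, and a real collector would populate the records from the device, for instance from `adb shell dumpsys package`.

```python
"""Triage heuristic keyed to the behaviours in the report: overlay phishing
forms plus SMS interception (banker pattern), device-admin rights plus SMS or
contact access (locker pattern), and SMS sending to the whole contact list
combined with location tracking (BankBot.149-style spreading)."""
from dataclasses import dataclass, field

# Real Android permission names (assumed granted if present in the record).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"   # draw on top of other apps
SMS_RECV = "android.permission.RECEIVE_SMS"
SMS_READ = "android.permission.READ_SMS"
SEND_SMS = "android.permission.SEND_SMS"
CONTACTS = "android.permission.READ_CONTACTS"
LOCATION = "android.permission.ACCESS_FINE_LOCATION"


@dataclass
class AppRecord:
    """One installed app; the record layout is constructed for this example."""
    package: str
    permissions: set = field(default_factory=set)
    device_admin_active: bool = False   # app holds an active device-admin receiver


def risk_indicators(app):
    """Return the behaviour patterns from the report that this app matches."""
    p = app.permissions
    hits = []
    if OVERLAY in p and (SMS_RECV in p or SMS_READ in p):
        hits.append("banker: overlay form + SMS interception")
    if app.device_admin_active and (SMS_READ in p or CONTACTS in p):
        hits.append("locker: device admin + SMS/contact theft")
    if SEND_SMS in p and CONTACTS in p and LOCATION in p:
        hits.append("spreader: mass SMS to contacts + GPS tracking")
    return hits


def triage(inventory, allowlist=frozenset()):
    """Map each flagged package to its indicators; allowlisted packages
    (e.g. a corporate MDM agent that legitimately holds device admin) are skipped."""
    report = {}
    for app in inventory:
        if app.package in allowlist:
            continue
        hits = risk_indicators(app)
        if hits:
            report[app.package] = hits
    return report


# Constructed sample inventory; package names are made up for this example.
SAMPLE_INVENTORY = [
    AppRecord("com.example.bankclient", {CONTACTS}),
    AppRecord("com.example.batterysaver", {SMS_READ, CONTACTS},
              device_admin_active=True),                     # locker-like
    AppRecord("com.example.marioclone", {OVERLAY, SMS_RECV, SMS_READ,
                                         SEND_SMS, CONTACTS, LOCATION}),  # banker-like
    AppRecord("com.example.corp.mdm", {CONTACTS}, device_admin_active=True),
]
CORP_ALLOWLIST = frozenset({"com.example.corp.mdm"})

if __name__ == "__main__":
    for pkg, hits in triage(SAMPLE_INVENTORY, CORP_ALLOWLIST).items():
        print(pkg)
        for h in hits:
            print("  -", h)
```

The allowlist matters in practice: device-admin rights alone are not malicious (MDM agents and some security products hold them), so the heuristic only fires on the combination of capabilities the report associates with each family, and known-good administrators are excluded by package name.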
Cybercriminals are still interested in Android devices and create numerous malicious programs for this mobile platform. To protect smartphones and tablets, it is recommended that Dr.Web for Android be installed as it successfully detects Android Trojans and other malware.