April 28, 2017
In April an Android Trojan designed to engage in cyber espionage was detected. Also several new banking Trojans that were created to steal confidential information and account funds were detected on Google Play. One Trojan was embedded in programs for watching videos on the Internet; another was a flashlight program.
In April an Android Trojan designed to engage in cyber espionage was detected. Android.Chrysaor.1.origin was detected; cybercriminals used it for spying purposes. This malicious program stole correspondence from a myriad of online communication programs, such as Skype, Viber, WhatsApp and others; it stole the web browser history, SMS messages, and other confidential data. Moreover, it tracked the operation of mobile device keyboards and intercepted all input information, made screenshots and eavesdropped on the environment via covert responses to calls made by cybercriminals.
In April, several new banking Trojans for Android were detected on Google Play. One of them was added to the Dr.Web virus database as Android.BankBot.179.origin. It was hidden in the applications Funny Videos 2017 and HappyTime, which show comic videos. This Trojan is a modified version of another Android banker which was described by Doctor Web in this article. It is based on source codes published by cybercriminals and made openly accessible.
Android.BankBot.179.origin receives from the command and control server a configuration file with a list of banking and other software programs so that it can track their operation. After any of the listed programs is launched, the Trojan displays a fake authorization window for entering login and password information. If a user launches Google Play, Android.BankBot.179.origin displays a fraudulent service payment form and requests bank card details. In addition, this Trojan tracks incoming SMS messages and intercepts incoming confirmation codes.
Features of Android.BankBot.179.origin:
Another Android banker detected in April was dubbed Android.BankBot.180.origin. It was embedded in the flashlight application Flashlight LED Widget. Once launched, this Trojan deletes its icon from the home screen and requests administrator privileges on the mobile device. After that the flashlight’s operation is controlled via the malicious program’s widget.
Android.BankBot.180.origin tracks the launch of banking programs and displays a fake window over them for login and password input. Similar to Android.BankBot.179.origin, this malicious application tries to steal bank card details from the user by displaying a fraudulent form when Google Play is launched.
Android bankers are among the most dangerous malicious programs because they help cybercriminals steal money from accounts. Even greater danger is posed by banking Trojans distributed via Google Play. This catalog is considered to be the most reliable source of software for Android mobile devices so smartphone and tablet owners are less cautious when downloading applications from it. To protect your mobile device from banking Trojans and other malicious programs, we recommend that you install Dr.Web for Android.