Doctor Web’s overview of malware detected on mobile devices in December 2017

December 29, 2017

In the last month of 2017, several new Trojans were detected on Google Play. They were hidden inside benign applications. These malicious programs were bankers that stole confidential information from clients of credit organizations. Another “December” Android Trojan posed a threat to Android device owners and was distributed outside the official software catalog. It also stole login credentials required to access banking account records. Additionally, in the past month, cybercriminals spread a malicious program that spied on Italian users.

Mobile threat of the month

In December, a signature of Android.Spy.410.origin was added to the Dr.Web virus database. This Trojan spied on Italian Android device owners and stole confidential information. It sent the cybercriminals correspondence from popular messaging and social network applications such as Skype, WhatsApp, Telegram, etc. It also intercepted SMS messages and phone calls, and also could steal images stored in the memory of an infected mobile device.

According to statistics collected by Dr.Web for Android

Android.HiddenAds.171.origin

A Trojan designed to display unwanted ads on mobile devices.

Android.RemoteCode.71

A Trojan that downloads and launches various program modules, including malicious ones.

Android.Packed.15893

A Trojan that steals login credentials to access online bank accounts.

Android.DownLoader.653.origin

Android.DownLoader.573.origin

Malicious programs that download other Trojans and also unwanted software.

Adware.Jiubang.2

Adware.Jiubang.1

Adware.Saturn.1.origin

Adware.Adviator.6.origin

Adware.Leadbolt.12.origin

Unwanted program modules incorporated into Android applications and designed to display annoying ads on mobile devices.

Banking Trojans

In December, more banking Trojans were detected on Google Play. According to the Dr.Web classification, they were named Android.BankBot.243.origin and Android.BankBot.255.origin. Cybercriminals injected them into benign programs, so they do not arouse the suspicions of potential victims. These Trojans searched infected smartphones and tablets for banking applications indicated by cybercriminals and displayed fake login forms to access accounts. After that, bankers sent the obtained information to the cybercriminals.

Additionally, in the past month, Android users’ devices were attacked with Android.Packed.15893. It also showed fraudulent windows with a request for login credentials for mobile banking and sent cybercriminals all input data.

Bankers pose a serious threat because cybercriminals use them to steal money from mobile device owners. Cybercriminals spread these malicious programs both via Google Play and third-party application stores, and also via hacked and fraudulent websites. To protect Android smartphones and tablets from these and other threats, it is recommended that users install Dr.Web products for Android.