January 31, 2018
The beginning of 2018 was marked by the detection of several Android games on Google Play that contained an embedded Trojan. This Trojan downloaded and launched malicious modules on infected devices. Virus analysts also examined several miner Trojans that infected Windows servers. All of them exploited a vulnerability in the Cleverence Mobile SMARTS Server software.
Cleverence Mobile SMARTS Server is a suite of applications for automating shops, warehouses and other facilities and production sites. Doctor Web analysts detected a 0-day vulnerability in these programs back in July 2017 and informed the software's developers about it; they soon released a security update for their product. However, not all administrators installed the update, which left cybercriminals able to continue hacking vulnerable servers. To do so, they send a specially crafted request to a vulnerable server, which executes the command contained in that request. The attackers then create a new user with administrator privileges on the system and use this account to gain unauthorized access to the server over the RDP protocol. In some cases, they use the Process Hacker tool to terminate the processes of anti-virus software running on the server. Once they have access to the system, they install the Trojan miner on it.
The miner used by the cybercriminals is constantly updated. Initially, they used several Trojan modifications that were added to the Doctor Web virus database as Trojan.BtcMine.1324, Trojan.BtcMine.1369 and Trojan.BtcMine.1404. Later this list was extended with Trojan.BtcMine.2024, Trojan.BtcMine.2025 and Trojan.BtcMine.2033; the most recent version is Trojan.BtcMine.1978.
The Trojan runs as a critical system process: if anyone tries to terminate it, Windows performs an emergency shutdown and displays the “blue screen of death” (BSOD). Once launched, the miner attempts to terminate the processes and delete the services of several anti-viruses. Cybercriminals use Trojan.BtcMine.1978 to mine the Monero (XMR) and Aeon cryptocurrencies. Dr.Web specialists recommend installing all security updates for the Cleverence Mobile SMARTS Server released by its developers. For more information about this incident, refer to the review published on our website.
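A defender-side example, added here and not part of Doctor Web's review: a small Python correlation rule over Windows Security log records that flags the post-exploitation sequence described above (a new account created, added to the local Administrators group, then used for an RDP logon, with Process Hacker started under that account recorded as supporting evidence). Event IDs 4720, 4732, 4624 (logon type 10) and 4688 are standard Windows Security audit events; the flattened record layout, the field names and all sample events are constructed for the demonstration, and the `AV_KILLER_WATCHLIST` contents are an assumption based only on the tool named in the text.

```python
from datetime import datetime, timedelta

# Standard Windows Security log event IDs (real IDs; the flattened record
# layout used below is a constructed simplification of the real XML events).
EVT_USER_CREATED = 4720        # A user account was created
EVT_GROUP_MEMBER_ADDED = 4732  # A member was added to a security-enabled local group
EVT_LOGON = 4624               # An account was successfully logged on
EVT_PROCESS_CREATED = 4688     # A new process has been created
ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group
RDP_LOGON_TYPE = "10"          # LogonType 10 = RemoteInteractive (RDP)

# Assumed watchlist of process-management tools used to stop anti-virus
# processes; matched on the executable's base name, case-insensitively.
AV_KILLER_WATCHLIST = {"processhacker.exe"}

# Constructed sample events sketching the sequence from the review:
# command execution, account creation, admin group membership, RDP logon,
# then Process Hacker started by the new account. The "jdoe" events are a
# benign control case (created by an admin, later normal interactive logon).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Time": "2018-01-15T02:10:03", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4720, "Time": "2018-01-15T02:10:05", "SubjectUserName": "SYSTEM",
     "TargetUserName": "support1"},
    {"EventID": 4732, "Time": "2018-01-15T02:10:06", "SubjectUserName": "SYSTEM",
     "MemberName": "support1", "TargetSid": ADMINISTRATORS_SID},
    {"EventID": 4624, "Time": "2018-01-15T02:14:40", "TargetUserName": "support1",
     "LogonType": "10", "IpAddress": "203.0.113.7"},
    {"EventID": 4688, "Time": "2018-01-15T02:16:12", "SubjectUserName": "support1",
     "NewProcessName": r"C:\Users\support1\Desktop\ProcessHacker.exe"},
    {"EventID": 4720, "Time": "2018-01-10T09:00:00", "SubjectUserName": "admin",
     "TargetUserName": "jdoe"},
    {"EventID": 4624, "Time": "2018-01-12T09:05:00", "TargetUserName": "jdoe",
     "LogonType": "2", "IpAddress": "-"},
]


def event_time(event):
    """Parse the constructed ISO-style timestamp of a record."""
    return datetime.strptime(event["Time"], "%Y-%m-%dT%H:%M:%S")


def win_basename(win_path):
    """Base name of a Windows path, lower-cased; works on non-Windows hosts too."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_admin_rdp_chains(events, window=timedelta(hours=1)):
    """Return one finding per account that was created, added to the local
    Administrators group and then logged on over RDP, all within `window`
    of its creation. Watchlisted processes started by that account in the
    same window are attached as supporting evidence."""
    ordered = sorted(events, key=event_time)
    findings = []
    for i, created in enumerate(ordered):
        if created["EventID"] != EVT_USER_CREATED:
            continue
        account = created["TargetUserName"]
        t0 = event_time(created)
        granted_at = rdp_at = rdp_source = None
        tools = []
        for later in ordered[i + 1:]:
            t = event_time(later)
            if t - t0 > window:
                break  # records are time-ordered, so nothing later can match
            eid = later["EventID"]
            if (eid == EVT_GROUP_MEMBER_ADDED and later.get("MemberName") == account
                    and later.get("TargetSid") == ADMINISTRATORS_SID):
                granted_at = t
            elif (eid == EVT_LOGON and later.get("TargetUserName") == account
                    and later.get("LogonType") == RDP_LOGON_TYPE and rdp_at is None):
                rdp_at, rdp_source = t, later.get("IpAddress")
            elif (eid == EVT_PROCESS_CREATED and later.get("SubjectUserName") == account
                    and win_basename(later["NewProcessName"]) in AV_KILLER_WATCHLIST):
                tools.append(later["NewProcessName"])
        # Require the full chain in order: created -> made admin -> RDP logon.
        if granted_at is not None and rdp_at is not None and granted_at <= rdp_at:
            findings.append({
                "account": account,
                "created_by": created.get("SubjectUserName"),
                "created_at": t0.isoformat(),
                "admin_granted_at": granted_at.isoformat(),
                "rdp_logon_at": rdp_at.isoformat(),
                "rdp_source": rdp_source,
                "tools": tools,
            })
    return findings


if __name__ == "__main__":
    for f in find_admin_rdp_chains(SAMPLE_EVENTS):
        print(f"[ALERT] {f['account']} created by {f['created_by']} at {f['created_at']}, "
              f"local admin at {f['admin_granted_at']}, RDP logon from {f['rdp_source']} "
              f"at {f['rdp_logon_at']}; watchlisted tools: {f['tools'] or 'none'}")
```

In practice the records would come from the server's Security log via a SIEM or forwarded event collection rather than an inline list, and the correlation window would be tuned to the environment; an account created by the SYSTEM context of an application server and used for RDP minutes later is a strong signal on its own. The rule only covers the post-exploitation steps the review describes; the vulnerability itself is addressed by installing the vendor's security update.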
In January, Doctor Web’s technical support was most often contacted by victims of the following modifications of encryption ransomware:
During January 2018, 309,933 URLs of non-recommended websites were added to the Dr.Web database.
| December 2017 | January 2018 | Dynamics |
|---|---|---|
| + 241,274 | + 309,933 | +28.4% |
In January, Doctor Web virus analysts found Android.RemoteCode.127.origin embedded in numerous Android games available on Google Play. It covertly downloaded and launched malicious modules that performed various actions. Additionally, over the past month, the banking Trojan Android.BankBot.250.origin posed a threat to users: it stole login credentials for online banking accounts. In January, security specialists also detected a malicious mining program dubbed Android.CoinMine.8. This Trojan used the computing power of infected smartphones and tablets to mine the Monero cryptocurrency. Also in January, the Dr.Web virus database was updated with several entries for detecting Android spyware. One of them was Android.Spy.422.origin; the others were new modifications of Android.Spy.410.origin, which was distributed back in December 2017.
Among the most notable January events related to mobile malware we can report the following:
Find out more about malicious and unwanted programs for mobile devices in our special overview.
Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.