In January 2018, Doctor Web virus analysts found approximately three dozen games containing a Trojan on Google Play. It covertly downloaded and launched malicious modules that performed various malicious actions. In addition, in the past month, owners of smartphones and tablets were under a threat of yet another Android banker designed to steal confidential information and money. Also in January, the Dr.Web virus database was updated with entries for detection of several spyware. Among the distributed malicious programs, was a new miner Trojan that used the computing power of infected mobile devices to mine the Monero cryptocurrency.

PRINCIPAL TRENDS IN JANUARY

The detection of numerous games with an embedded Trojan on Google Play
The spreading of malicious programs that spied on mobile device owners
The detection of a new Android banker that stole money from users
The spreading of a new mining Trojan

Mobile threat of the month

In January, Doctor Web specialists detected almost 30 games with the embedded Android.RemoteCode.127.origin on Google Play. It was part of a special framework for extending an application’s functionality. Android.RemoteCode.127.origin covertly downloaded and launched additional modules that performed various actions. For example, they loaded websites and clicked on their links and ads, simulating user actions. For more information regarding this Trojan, refer to this news article.

According to statistics collected by Dr.Web for Android

Android.DownLoader.573.origin: A malicious program that downloads other Trojans and also unwanted software.
Android.HiddenAds.171.origin
Android.HiddenAds.253
Android.HiddenAds.222.origin: Trojans designed to display unwanted ads on mobile devices. They are distributed under the guise of popular apps by other malicious programs, which sometimes covertly install them in the system directory.
Android.RemoteCode.117.origin: A Trojan that downloads and launches various program modules, including malicious ones.

Adware.Jiubang.2
Adware.Jiubang.1
Adware.Allinone.1.origin
Adware.Adviator.6.origin
Adware.Leadbolt.12.origin: Unwanted program modules incorporated into Android applications and designed to display obnoxious ads on mobile devices.

Banking Trojan

Over the past month, cybercriminals spread a banking Trojan Android.BankBot.250.origin that displayed phishing input windows for login credentials and sent them the input confidential information. It could intercept SMS with verification codes, covertly confirm money transfers to cybercriminals’ accounts, and also perform other operations in online banking systems.

Spyware

In January, the Dr.Web virus database was updated with new entries for detecting several spyware. One of them was the Android.Spy.422.origin, also known as Dark Caracal. Cybercriminals used this malicious program for cyber espionage. Android.Spy.422.origin stole SMS messages, tracked phone calls, stole photos, web browser history and saved bookmarks, recorded the environment using a built-in microphone from an infected mobile device and performed a range of other actions. Other spyware were new modifications of a malicious program Android.Spy.410.origin, which had been known to Doctor Web specialists since December 2017. It tracks correspondence in popular messengers such as Telegram, WhatsApp, Skype and others. It also intercepts SMS messages and phone calls, and steals photos.

Android miner

Among the malicious programs for Android detected in January was a mining Trojan dubbed Android.CoinMine.8. Cybercriminals spread it as games and programs available for free download from a website. Actually, all these applications were the Trojan that used infected devices to mine the Monero cryptocurrency.

Cybercriminals still create new malicious and unwanted Android applications and spread them not only via fraudulent websites, but also via Google Play. Doctor Web recommends that mobile device owners install Dr.Web for Android to protect their mobile devices from these threats.