The page may not load correctly.
June 19, 2020
In May, the number of threats detected on Android devices increased by 3.35% compared to April. The number of identified malicious programs increased by 3.75%, riskware by 8.77%, and adware by 1.62%. With this, the number of unwanted software found on Android devices decreased by 1.77%.
At the end of May Doctor Web warned about the Android.FakeApp.176, trojan, which scammers were spreading as a mobile version of Valorant game. Using this malware, cybercriminals earned money by participating in various online affiliate programs.
New modifications of the Android.Joker trojan family, capable of executing arbitrary code and subscribing Android device users to premium services, have been found on Google Play. In addition, our malware analysts have discovered new modifications of the Android.HiddenAds trojan family, designed to display advertisements. Apps with unwanted adware modules, as well as a new member of the Android.Circle trojan family, have also been found on Google Play. The latter could display ads, was able to run BeanShell scripts and load various websites where it could click on banners and links. Malware authors have spread other mobile threats throughout the month.
In May, Doctor Web reported on the discovery of the fake mobile version of the Valorant game. In reality, it was nothing but a modification of the Android.FakeApp.176 trojan. For a long time, scammers were spreading it as famous applications and using it to illegally profit through various affiliate programs.
To get full access to the game, the trojan invites its target victims to complete several tasks found on the website of one of the affiliate services. For example, the trojan can offer to install and run other games. Scammers receive a financial reward for each successfully finished task, while victims receive nothing.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Last month, Doctor Web malware analysts discovered several new Android.Joker trojan family modifications, such as Android.Joker.174, Android.Joker.182, Android.Joker.186, Android.Joker.138.origin, Android.Joker.190 and Android.Joker.199. They were built into the document management apps, image collections apps, camera apps, system tools, messengers and other software that appeared harmless. However, upon launching these trojan apps were able to load and execute arbitrary code and subscribe victims to premium services.
Our specialists have also discovered the Android.Circle.15 trojan, which was spread as a system performance optimizing tool. Upon launching, it displayed advertisements, loaded various websites and clicked the embedded links and banners. Similar to other members of the Android.Circle malware family, it could also run BeanShell scripts.
Trojans of the Android.HiddenAds family, such as Android.HiddenAds.2134, Android.HiddenAds.2133, Android.HiddenAds.2146, Android.HiddenAds.2147, Android.HiddenAds.2048 and Android.HiddenAds.2150, were among the discovered threats. They were spread under the guise of WhatsApp sticker collections, games, image collections and various tutorial apps. Doctor Web researchers have found more than 30 modifications of these trojans, which have been installed by nearly 160,000 users.
Upon launch, these malicious apps concealed their icon from the apps list on the main screen of the Android operating system and began displaying full screen adware banners that interfere with the normal usage of infected devices.
New adware modules dubbed Adware.AdSpam.4, Adware.AdSpam.5 and Adware.AdSpam.6 have also been spread as harmless apps, such as games and image collections. Similar to the Android.HiddenAds trojan family members, they displayed banners on top of other apps. But, they didn’t conceal their icons, and users were able to locate the source of advertisements more easily to delete the apps that contained the built-in adware modules.
A trojan exploiting the SARS-CoV-2 pandemic, was among the threats spread in May. This malware, dubbed Android.Spy.660.origin, was spread as a tool showing the number of COVD-19 infections. But the true purpose of this this trojan was cyber espionage. Users from Uzbekistan were the main target of Android.Spy.660.origin. The trojan snooped on users’ SMS, phone calls and contacts from their phone books. Upon launching, the trojan requested the required system permissions and displayed the infection statistics so as not to raise suspicions.
Cybercrooks continued to bombard users with various banking malware attacks. For example, Vietnamese users attacked by Android.Banker.388.origin, which was spread through a fake Ministry of Public Security website. At the same time, Japanese users again faced various banking trojan families, which have been spreading through fake postal and courier service websites for a long time.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.
© Doctor Web
2003 — 2022
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies
Doctor Web in social networksLink accounts