In March, trojans and unwanted applications displaying ads were among the most active threats. Moreover, malware capable of downloading and executing arbitrary code was often found on Android devices.

A large number of the Android.Joker trojans subscribing victims to premium services, as well as another fraudulent apps from the Android.FakeApp malware family were among the threats uncovered on the Google Play app store.

PRINCIPAL TRENDS IN MARCH

New threats spreading through the Google Play app catalog
An activity of the trojans subscribing victims to premium mobile services
Spreading of fraudulent applications

According to statistics collected by Dr.Web for Android

Android.HiddenAds.1994: A trojan designed to display obnoxious ads, distributed as popular applications. In some cases, it can be installed in the system directory by other malware.
Android.RemoteCode.284.origin
Android.RemoteCode.6122: Malicious applications that download and execute an arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
Android.Triada.510.origin: A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
Android.MobiDash.5135: A trojan that displays obnoxious ads. It represents a special software module that is incorporated into the applications by the developers.

Program.FreeAndroidSpy.1.origin
Program.Mrecorder.1.origin
Program.Reptilicus.7.origin: Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
Program.FakeAntiVirus.2.origin: The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
Program.Gemius.1.origin: An application that collects information about Android devices and how their owners are using them. With technical data, it also collects confidential information, such as device location, browser bookmarks, web history, and typed URLs.

Tool.SilentInstaller.6.origin
Tool.SilentInstaller.7.origin
Tool.SilentInstaller.13.origin
Tool.SilentInstaller.14.origin: Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Tool.Obfuscapk.1: The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.

Adware.Adpush.36.origin
Adware.Adpush.6547
Adware.Myteam.2.origin
Adware.Fictus.1.origin
Adware.Jiubang.2

Threats on Google Play

Last month, Doctor Web specialists unveiled fraudulent apps from the Android.FakeApp family once again. New modifications of the Android.FakeApp.247 trojan, allegedly granting access to various bonuses and discounts provided by famous companies and retailers were among them. In this case, these bonuses were claimed to be from popular gas stations. To receive the “prize”, potential victims were asked to sign up for a paid subscription, starting from 429 rubles per week. In the end, users never received any discounts or bonuses, and the trojan only displayed a useless barcode.

Other fake apps were spread under the guise of various harmless applications, such as guides and reference software, apps allegedly helping users to verify peoples’ personality compatibility, and some other apps. In reality, these apps did not work as intended, and once launched, only loaded dubious websites. These trojans were added to the Dr.Web virus base as Android.FakeApp.244, Android.FakeApp.249, and Android.FakeApp.250.

Moreover, Doctor Web virus analysts have discovered several new modifications of the Android.Joker trojans throughout March. These trojans are used to spy on users and subscribe them to premium mobile services. They are also capable of downloading and executing arbitrary code. These multifunctional trojans were spread as a translation app, voice recording and editing software, live wallpapers, a launcher app, various image editing software, and a tool allowing control and tuning of Android devices. They were added to the Dr.Web virus base as Android.Joker.613, Android.Joker.614, Android.Joker.617, Android.Joker.618, Android.Joker.620, Android.Joker.622, Android.Joker.624, Android.Joker.630, and Android.Joker.632.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download