The page may not load correctly.
September 8, 2021
Over the past month, Doctor Web specialists uncovered many threats on Google Play. Fake apps from the Android.FakeApp malware family that load fraudulent sites were among them. Moreover, another trojan designed to steal logins and passwords of Facebook accounts was also found. In addition, the attackers have spread trojans from the Android.Joker family that subscribe victims to paid mobile services.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
In August, a large number of malware was found on Google Play. Fake apps of the Android.FakeApp family that are used in various scam schemes were among them. For example, some of them were again spread under the guise of official software for popular Russian lotteries “Русское лото” (Russian Lotto) and “Гослото” (Gosloto), as well as their official distributor “Столото” (Stoloto). These fakes were added to the Dr.Web virus base as Android.FakeApp.307, Android.FakeApp.308, Android.FakeApp.309, Android.FakeApp.310, Android.FakeApp.311, Android.FakeApp.312, Android.FakeApp.325, Android.FakeApp.328, Android.FakeApp.329, Android.FakeApp.330, Android.FakeApp.332, Android.FakeApp.333, Android.FakeApp.334, Android.FakeApp.335, and Android.FakeApp.341.
Upon launch, the apps loaded fraudulent sites where potential victims were offered to get allegedly free lottery tickets and to play the game to win prizes. However, it was nothing but a scam. The so-called “game” was scripted and the “winners” were asked to pay a “fee” or a “custom”, and this money then ended up going to the fraudsters' pockets.
An example of how one of these fake applications operates is shown below:
The following are examples of how such apps can be seen on Google Play:
Other fakes were apps that were allegedly designed to help Russian users to search for information about state social benefits and to receive this financial support to their bank accounts and cards. Similar to fake lottery schemes, such apps only loaded fraudulent websites, where, to receive the “funds”, potential victims were asked to pay a “fee”.
The trojans were added to the Dr.Web virus base as Android.FakeApp.306, Android.FakeApp.313, and Android.FakeApp.325.
Moreover, new scam software disguised as investing and trading software was also discovered. Some of these apps were spread under the name of famous companies.
The trojans, dubbed Android.FakeApp.305, Android.FakeApp.314, Android.FakeApp.315, and Android.FakeApp.316, loaded various “financial” decoy sites where users were offered to register to start earning the money. In some cases, the victims were asked to provide their first and last name, their email address, and mobile number. In others, only the mobile number was requested. Next, users could be redirected to other fraudulent sites, received a notification that there is no more room for new clients, or were asked to wait for the “operator” calling back.
The examples of how these apps operate are shown below:
Using such fake investing apps, the malicious actors not only collect victims’ personal information and steal their money but can also drag them into other scam schemes by selling obtained personal data to a third party, for example.
New trojans from the dangerous Android.Joker family were among discovered threats as well. They were added to the Dr.Web virus base as Android.Joker.320.origin, Android.Joker.858, and Android.Joker.910. The first one was spread as an animated wallpaper called 3D Live Wallpaper. The second one was disguised as a music app called New Music Ringtones. And the third one was labeled, Free Text Scanner app, designed to scan texts and create PDF documents. All these apps subscribed Android users to paid mobile services and could also load and execute arbitrary code.
In addition, our malware analysts have found a new trojan designed to steal Facebook accounts’ logins and passwords. It was spread as an application that protects installed apps from unauthorized access. This trojan was added to the Dr.Web virus base as Android.PWS.Facebook.34.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.