In May, the activity of the Android.Spy.4498 trojan, which steals information from other apps’ notifications, decreased by 13.48%. However, this malware is still the most widespread Android threat. Android.HiddenAds adware trojans are also among the most often detected threats on user devices. Their activity increased by 13.57% compared to April.

Over the month, Doctor Web’s virus laboratory tracked new malware being spread through the Google Play app catalog. Among them were Android.Subscription trojans that subscribe victims to paid mobile services, fraudulent Android.FakeApp apps, Android.HiddenAds adware trojans, and Android.PWS.Facebook password-stealing malware targeting Facebook users.

PRINCIPAL TRENDS IN MAY

Decreased activity of the Android.Spy.4498 trojan
Increased activity of adware trojans
The discovery of new malware on Google Play

According to statistics collected by Dr.Web for Android

Android.Spy.4498: A trojan that steals the contents of other apps’ notifications. It can also download apps and prompt users to install them, and it can also display various dialog boxes.
Android.HiddenAds.3018
Android.HiddenAds.3152: Trojans designed to display obnoxious ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these trojans infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.DownLoader.475.origin: A trojan that downloads other malware and unwanted software. It can be hidden inside seemingly harmless apps found on Google Play or malicious websites.
Android.Triada.4567.origin: A multifunctional trojan performing various malicious actions. This malware belongs to a trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.

Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them, and demand that they purchase the software’s full version.
Program.SecretVideoRecorder.1.origin
Program.SecretVideoRecorder.2.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
Program.WapSniff.1.origin: An Android program designed to intercept WhatsApp messages.
Program.KeyStroke.3: An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, control call history, and record phone calls.

Tool.SilentInstaller.14.origin
Tool.SilentInstaller.6.origin
Tool.SilentInstaller.13.origin
Tool.SilentInstaller.7.origin: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
Tool.Obfuscapk.1.origin: The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use it tool to protect malicious applications from being detected by anti-virus programs.

Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.

Adware.SspSdk.1.origin
Adware.AdPush.36.origin
Adware.Adpush.6547
Adware.Adpush.2146
Adware.Myteam.2.origin

Threats on Google Play

In May, Doctor Web specialists discovered a large number of threats on Google Play. The adware trojans Android.HiddenAds.3158 and Android.HiddenAds.3161 were among them.

The former was an image-collection app called “Wild & Exotic Animal Wallpaper”. It tried to hide from the user, replacing the app’s icon with a less noticeable one, while also changing its name to ‘SIM Tool Kit”. Moreover, this software requested permission from the user to add it to the battery-saving feature exceptions list. This would allow the trojan to display ads even when the device owner did not use this app for a long time.

The latter was spread under the guise of a “Magnifier Flashlight” flashlight application. It hid its icon from the apps list on the home screen menu and periodically displayed advertisement videos and banners. Examples of such ads are shown below:

Yet other trojans designed to steal data that can be used to hack into Facebook accounts have also been uncovered. They were spread as image-editing software like “PIP Pic Camera Photo Editor” (Android.PWS.Facebook.142), “PIP Camera 2022” (Android.PWS.Facebook.143), “Camera Photo Editor” (Android.PWS.Facebook.144) and “Light Exposure Photo Editor” (Android.PWS.Facebook.145), and also astrology-related software called “ZodiHoroscope - Fortune Finder” (Android.PWS.Facebook.141).

Using a number of pretexts (for example, to allegedly unlock their full functionality or disable in-app ads), these trojans ask potential victims to log into their Facebook account. Then they hijack the entered logins, passwords and other authorization data and send this information to cybercriminals.

New trojans from the Android.Subscription family that subscribe users to paid mobile services were among the discovered malware as well. One of them was added to the Dr.Web virus database as Android.Subscription.9. It was distributed as a data recovery app called “Recovery”. Another one, dubbed Android.Subscription.10, was distributed under the guise of a “Driving Real Race” game. Both loaded websites of various affiliate services through which subscription was made.

In addition, malicious actors once again distributed fake apps. One of them was the «Компенсация НДС» (Android.FakeApp.949) app, allegedly designed to help Russian users search for information on social benefits and monetary compensation and receive this money. In reality, it loaded fraudulent websites which cybercriminals used in an attempt to steal victims’ personal information and money.

Attackers passed off another fake app as an “Only Fans App OnlyFans Android” app that allegedly allowed users to obtain free access to closed (private) profiles and paid content on the OnlyFans service.

First, users were asked to take a short survey. Next, this app loaded the fraudulent site on which the process of gaining access was simulated. Potential victims of this scam scheme were asked to complete various tasks, like installing games or apps, and take online surveys. But users did not receive any access at all. Instead, after the successful completion of the tasks, the fraudsters themselves received a reward from affiliate services. This fake app was added to the Dr.Web virus database as Android.FakeApp.951.

The in-app survey designed to lure potential victim to the fraudulent site:

“Obtaining” access to the content through the fraudulent site:

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download