The page may not load correctly.
January 27, 2023
Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on the family and modification involved, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
In December, Doctor Web’s specialists discovered many new threats on Google Play. Among them were dozens of trojan apps from the Android.FakeApp malware family. They connected to a remote server and, in accordance with the configuration received from it, instead of providing the expected functionality, they could display the contents of various websites—including phishing ones.
Some of these fake applications were distributed under the guise of investing software, directories, and questionnaires. Through them, users allegedly could improve their financial literacy, invest money in stocks and crypto markets, trade oil and natural gas, and even receive free shares of large companies. Instead, victims were asked to provide their personal data in order to submit an “application” for account registration or to communicate with a so-called “specialist”.
Other fake apps were hidden in numerous games.
Depending on the configuration received from a remote server, these apps could display either websites of various online casinos or a harmless game, as shown in the examples below.
Also discovered was yet another fake app distributed as a job-search tool. In reality, the app, called “SEEKS”, loaded websites with sham vacancies created by fraudsters and lured potential victims into their hands. This fake app was added to the Dr.Web anti-virus database as Android.FakeApp.1133.
Dubbed Android.FakeApp.1141, another trojan was passed off by the attackers as a VPN client called “Safe VPN”. But it was also a fake application.
Upon launching, this app displayed the contents of a website where potential victims were offered the opportunity to obtain access to a VPN service for only 1 ruble. To do so, they were asked to create an account and pay with a bank card. In reality, they were purchasing a 3-day trial version of the service, and upon its expiration, would be charged 140 rubles daily. The information on these terms was present on the website but was placed in such a way that most victims of this scheme could miss it.
With that, this app simulated the ability to connect to a secure network, informing users of a successful connection. It was a scam as the declared functionality was not present in this fake app.
Other fraudulent apps were discovered that allegedly made it possible for users to make money by completing various tasks. One of them, “Wonder Time”, invited users to install, launch, and use other programs and games. By doing so, they received a virtual reward—tokens that could allegedly be converted into real money. However, to withdraw what they “earned”, users had to collect millions of these rewards, while only a small number of tokens was credited when tasks were completed. So even if users managed to collect the required amount, they would spend much more in time, effort, and other resources than the profit they expected to gain. Depending on the version, this app is detected by Dr.Web as Program.FakeMoney.4, Program.FakeMoney.5, and Program.FakeMoney.6.
Several programs with similar operating routines were added to the Dr.Web anti-virus database as Program.FakeMoney.7. For instance, this virus record detects applications like “Lucky Habit: health tracker”, “WalkingJoy”, and some older versions of “Lucky Step-Walking Tracker”. The first was distributed as an app for developing good habits, while the others—as pedometers. Users accrued virtual rewards (“tickets” or “coins”) for various achievements, like the distance that users walked, when they followed a healthy daily routine, and so on. They also accrued additional rewards for watching ads.
Similar to the previous case, in order to initiate the process of withdrawing what they “earned”, users had to collect a significant number of rewards. If they were able to do this, the applications additionally demanded that they watch dozens of advertising videos. They were then offered several dozen more ads to watch in order to “speed up” the withdrawal process. With that, the apps did not verify any of the payment-related data provided by users, so the chances of receiving any of the money promised from these apps are extremely small.
Moreover, earlier versions of the “Lucky Step-Walking Tracker” app, which Dr.Web detects, invited users to convert their rewards into various online store gift cards. However, with the release of the app’s update, the developers removed the functionality for converting rewards into real money by getting rid of the corresponding interface elements. As a result, all previously accumulated rewards became useless numbers. At the same time, all three apps—“Lucky Habit: health tracker”, “Lucky Step-Walking Tracker”, and “WalkingJoy”—share the same [string]richox[.]net[/string] C&C server. This might indicate that they are all connected and that at any moment “Lucky Habit: health tracker” and “WalkingJoy” users may also lose all hope of receiving payments.
Among the threats discovered were also new trojan applications from the Android.Joker family that subscribe victims to paid services. They were hidden in such apps as “Document PDF Scanner” (detected by Dr.Web as Android.Joker.1941), “Smart Screen Mirroring” (detected as Android.Joker.1942), and “Smart Night Clock” (detected as Android.Joker.1949).
In addition, the app “FITSTAR”, disguised as a fitness app, was also distributed through Google Play.
When launched, it loaded websites where users—for the relatively low price of 29 rubles—were offered the opportunity to purchase an individual weight-loss plan. In reality, the displayed cost was not final. For this money, users were only purchasing 1-day trial access to the service. Upon the end of the trial period, an automatic 4-day prolongation would be made for the price of 980 rubles. And the cost of full access to the service could go as high as 7,000 rubles, while further automatic prolongation of the current subscription was also assumed.
As a result, Android device users who have inadvertently installed this app could lose a significant amount of money. This app was added to the Dr.Web anti-virus database as Program.Subscription.1.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
© Doctor Web
2003 — 2023
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies
Doctor Web in social networksLink accounts