The page may not load correctly.
April 6, 2023
Banking trojans and ransomware were detected less often on devices protected by Dr.Web—by 70.57% and 14.63%, respectively. Moreover, users were 33.93% less likely to encounter spyware trojans. The most widespread among these threats were different variants of a piece of malware that attacked users of some unofficial WhatsApp messenger mods.
During the past month, Doctor Web’s virus laboratory uncovered over 70 malicious apps on Google Play. Most of them represented fraudulent apps from the Android.FakeApp family. Trojans that subscribed victims to paid services were also among the discovered threats.
In February, Doctor Web’s virus analysts discovered other malicious apps on Google Play that subscribed Android device users to paid services. For example, trojans from the Android.Subscription family, added to the Dr.Web virus database as Android.Subscription.19 and Android.Subscription.20, were distributed as WPHD - Wallpapers 4K image collection software and a tool for recovering deleted files called Back File.
Upon launching, malicious apps of this type load sites of paid services and try subscribing users either automatically or by asking them to provide a mobile phone number. Below are examples of websites that the discovered trojans load to initiate the subscription process:
Dubbed Android.Joker.2038 and Android.Joker.2039, these new members of the Android.Joker trojan family were hidden in the Photo Safe and Home Security Camera apps. The former was an application designed to protect files from unauthorized access, while the latter allowed security cameras to be controlled via an Android smartphone or the device itself to be used in video-surveillance mode. These malicious programs covertly load the websites of the targeted services and then automatically subscribe victims to paid services.
In addition, our specialists discovered dozens of bogus apps from the Android.FakeApp family that were distributed under the guise of all kinds of software. Malicious actors passed many of them off as different financial apps, like directories and teaching aids, programs for taking polls, trading tools, apps containing information on quotes, housekeeping instruments, and so on. Among them were Android.FakeApp.1219, Android.FakeApp.1220, Android.FakeApp.1221, Android.FakeApp.1226, Android.FakeApp.1228, Android.FakeApp.1229, Android.FakeApp.1231, Android.FakeApp.1232, Android.FakeApp.1241, and other trojans.
If users installed these by following a special link (for instance, from an advertisement), then these apps loaded fraudulent sites when launched. On such sites, potential victims were offered the chance to participate in a small poll and gain access to an “investing platform” by registering an account and providing personal information. However, if the installation was organic (i.e., users searched for and installed these fake apps on their own initiative), some of them provided the expected functionality instead of loading the fraudsters’ websites.
The next images depict examples of the bogus websites these trojans could load:
Cybercriminals passed off a number of fake apps as sports-related software or as bookmakers’ official apps.
Some of them (like Android.FakeApp.1192, Android.FakeApp.1193, Android.FakeApp.1194, Android.FakeApp.22.origin, Android.FakeApp.1195, Android.FakeApp.1196, and others) performed a check on the device on which they were running. If they detected it was a testing device (for example, a device without a SIM card installed on it or a Nexus line device), they activated harmless functionality. For instance, they launched games and quizzes, loaded sports charts and information tables, loaded match information, etc. Otherwise, they loaded sites in WebView or in the browser whose addresses were obtained from a Firebase database. Other such fake apps (Android.FakeApp.1197, Android.FakeApp.1198, Android.FakeApp.1199, Android.FakeApp.1200, Android.FakeApp.1201, Android.FakeApp.1202, Android.FakeApp.1204, Android.FakeApp.1209, Android.FakeApp.1212, and others) connected to a remote server that made the decision to either execute the harmless functionality hidden in these apps or load a targeted site. And the Android.FakeApp.1203 trojan app received website links to load from the Firebase Remote Config cloud service. Below are examples of how these trojan apps operated.
Launching games and loading a table with information on football matches:
Some apps loading bookmakers’ sites:
The Android.FakeApp.1222, Android.FakeApp.1224, Android.FakeApp.1225, and Android.FakeApp.1235 trojans, which were disguised as games, could load online casinos’ websites in a Google Chrome browser instead of providing the actual gaming experience.
An example of how one of them operates in a gaming mode:
Examples of websites they could load:
Among the fake apps discovered was another program that was disguised as a job-search tool and loaded scammers’ websites with a list of forged vacancies. When users selected one of these, they were asked to either provide their contact details by filling out a special form or contact the “employer” directly through a messenger app. This fake software was a modification of a trojan known since late 2022. Dr.Web detects it as Android.FakeApp.1133.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.