Doctor Web’s May 2023 virus activity review
June 28, 2023
The number of user requests to decrypt files affected by encoder trojans decreased by 0.27%, compared to the previous month. Victims of this type of malware were most often attacked by the encoders Trojan.Encoder.26996, Trojan.Encoder.3953, and Trojan.Encoder.35534.
Over the course of May, Doctor Web specialists once again spotted trojans from the Android.FakeApp family on Google Play. Cybercriminals use these in various fraudulent schemes. In addition, more trojans that subscribe victims to paid services were detected.
Principal trends in May
- An increase in the total number of detected threats
- A decrease in the number of user requests to decrypt files affected by encoder trojans
- The emergence of more threats on Google Play
According to Doctor Web’s statistics service
The most common threats in May:
- Adware.Downware.20091
- Adware.Downware.20280
- Adware.Downware.20261
- Adware that often serves as an intermediary installer of pirated software.
- Trojan.BPlug.4087
- Trojan.BPlug.3814
- The detection name for a malicious component of the WinSafe browser extension. This component represents a JavaScript file that displays intrusive ads in browsers.
Statistics for malware discovered in email traffic
- PDF.Phisher.458
- PDF.Phisher.455
- PDF.Phisher.474
- PDF.Phisher.467
- PDF documents used in phishing newsletters.
- JS.Inject
- A family of malicious JavaScripts that inject a malicious script into the HTML code of webpages.
Encryption ransomware
In May, the number of requests to decrypt files damaged by encoder trojans decreased by 0.27%, compared to April.
The most common encoders of May:
- Trojan.Encoder.26996 — 19.37%
- Trojan.Encoder.3953 — 15.71%
- Trojan.Encoder.35534 — 7.21%
- Trojan.Encoder.37400 — 3.60%
- Trojan.Encoder.34027 — 3.15%
Dangerous websites
In May, malicious actors continued distributing unwanted emails with links to various fraudulent sites, such as those related to investments. For instance, Doctor Web Internet analysts discovered more web resources offering users the chance to make money with the help of pseudo-trading automated systems like Quantum System, Quantum UI, and others. To “gain access” to the system, potential victims are asked to register an account by providing their personal data. This information ends up in the scammers’ hands. After that, they can sell it on the black market and also trick users into entrusting their money to “trading algorithms” that allegedly guarantee success and a high yield.
The screenshots above show examples of pages from one of these fraudulent sites. Visitors are asked to register an account and then to provide an email address. The latter is allegedly for receiving further instructions on how to use the “product” in question.
Malicious and unwanted programs for mobile devices
According to detection statistics collected by Dr.Web for Android, in May, users were less likely to encounter adware trojans. In addition, banking trojans and ransomware were less often detected on protected devices. At the same time, the number of spyware trojan attacks significantly increased.
Over the course of last month, more threats were detected on Google Play. Among them were fraudulent apps from the Android.FakeApp family as well as trojans from the Android.Joker and Android.Harly families which subscribe users to paid services.
The following May events involving mobile malware are the most noteworthy:
- A decrease in the activity of ad-displaying trojans, banking trojans, and ransomware.
- An increase in spy trojan activity.
- The emergence of other threats on Google Play.
Find out more about the security threat landscape for mobile devices in May in our special overview.
[% END %]