February 2016 mobile malware review from Doctor Web

February 29, 2016

Mobile threat of the month

In February, Doctor Web specialists examined a group of associated Trojans belonging to the Android.Loki family, whose purpose was to execute a wide range of functions. One of them has been added to the Dr.Web virus database under the name of Android.Loki.3. This Trojan incorporates the liblokih.so library, which is named Android.Loki.6, into an Android system process. As a result, other components of this group are able to operate using the system privileges. The Trojans of this family are mainly designed to

• Download and delete applications.
• Enable and disable applications and their components.
• Kill processes.
• Display notifications.
• Register any application as the Accessibility Service application.
• Update their components and download plug-ins from the server.
• Gather information regarding the infected device.

Also, they send the following data to the command and control server:

• List of installed applications
• Browser history
• List of contacts
• Call history
• Current location

For more information, refer to the news article.

According to statistics collected by Dr.Web for Android

• Adware.WalkFree.1.origin
  An unwanted program module that is incorporated into the Android applications and is responsible for advertising on mobile devices.
• Android.Xiny.26.origin
  A Trojan designed to download and install applications and to display advertisements.
• Adware.Leadbolt.12.origin
  An unwanted program module that is incorporated into the Android applications and is responsible for advertising on mobile devices.
• Adware.Airpush.31.origin
  An unwanted program module that is incorporated into the Android applications and is responsible for advertising on mobile devices.
• Android.Backdoor.326.origin
  A Trojan that performs different malicious functions upon cybercriminals’ command.

Banking Trojans

Virus makers keep distributing various banking Trojans for Android devices. In particular, they are still trying to trick users of popular classified sites by sending bogus SMS messages. At receiving a such-like text message, potential victims, who have previously posted some announcement on the Web, are offered some exchange. At that, the message contains a link that allegedly leads to a photo of the offered product. If the user follows the link, they are redirected to one of fraudulent webpages that is, in fact, the source of infection. For instance, Android.BankBot.97.origin can be mentioned among Trojans distributed this way.

The past month showed that attackers are not going to stop contriving malware for Android mobile devices. Therefore, Doctor Web specialists will be keeping a close watch on Android malware landscape and will timely inform users about new threats.