My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


June 2017 mobile malware review from Doctor Web

July 3, 2017

In June, Doctor Web security researchers detected an Android Trojan that attacked Iranian mobile device users and executed the commands of cybercriminals. Also in the past month, several new malicious applications were detected on Google Play. One of them tried to gain root access, infiltrated system libraries, and could covertly install software. Other applications sent SMS messages to premium numbers and subscribed users to expensive services. Also distributed on Google Play was riskware that, if used, could lead to the leak of confidential information. In addition, a new encryption Trojan for Android was detected in June.


  • The detection of an Android Trojan designed to engage in cyber espionage
  • The detection of threats on Google Play
  • The distribution of an encryption ransomware program for Android

Mobile threat of the month

In June, Doctor Web security researchers detected Android.Spy.377.origin, which was spreading among Iranian mobile device users. This malicious program would steal confidential information and send it to cybercriminals. In addition, it could execute their commands.

screen Android.Spy.377.origin #drweb screen Android.Spy.377.origin #drweb

Features of Android.Spy.377.origin:

For more information regarding this Trojan, refer to this news article.

According to statistics collected by Dr.Web for Android

According to statistics collected by Dr.Web for Android

Trojans designed to display unwanted ads on mobile devices. They are distributed under the guise of popular apps by other malicious programs that sometimes covertly install them in the system directory.
A Trojan designed to download other applications.
A multi-component Trojan that performs different malicious functions.

According to statistics collected by Dr.Web for Android

According to statistics collected by Dr.Web for Android

Unwanted program modules that are incorporated into Android applications and are designed to display annoying ads on mobile devices.

Threats on Google Play

In the past month, Doctor Web specialists detected riskware on Google Play that allowed users to access the social networking sites “VK” and “Odnoklassniki” which have been blocked in Ukraine. These applications, added to the Dr.Web virus database as Program.PWS.1, used an anonymizing server to bypass access restrictions and didn’t encrypt login, password and other confidential user information. For more information about this incident, refer to this news article published by Doctor Web.

screen Program.PWS.1 #drweb screen Program.PWS.1 #drweb screen Program.PWS.1 #drweb

Also in June, Trojans from the Android.Dvmap family were detected on Google Play. Once launched, these malicious programs try to get root privileges on mobile devices. If successful, they infect some system libraries and install additional components. These Trojans can execute commands of cybercriminals and also download and run other applications without any user involvement.

Other Android Trojans distributed via Google Play in June were added to the Dr.Web virus database as Android.SmsSend.1907.origin and Android.SmsSend.1908.origin. Cybercriminals injected them into benign programs. These malicious applications sent SMS messages to premium numbers, thus subscribing service provider customers to chargeable services. After that, the Trojans started deleting all incoming messages so users wouldn’t receive notifications informing them that they had successfully been subscribed to unwanted premium services.

screen Android.SmsSend #drweb screen Android.SmsSend #drweb screen Android.SmsSend #drweb

A ransomware Trojan

In June, the ransomware Trojan Android.Encoder.3.origin was detected. It attacked Chinese Android users and encrypted files on SD cards. The authors of this encoder were inspired by the encryption ransomware WannaCry, which infected hundreds of thousands of computers throughout the world in May 2017. The virus writers created ransom demand messages in a similar style.

screen Android.Encoder.3.origin #drweb

Cybercriminals demanded a ransom of 20 yuan, and every three days the amount doubled. If the cybercriminals didn’t get their ransom within one week after Android.Encoder.3.origin infected a mobile device, the ransomware would delete the encrypted files.

Malicious programs and riskware for Android infect mobile devices not only via downloads from various websites but also via downloads from Google Play. Doctor Web recommends that device owners be cautious when installing unknown applications and install and use Dr.Web for Android.

Your Android needs protection
Use Dr.Web

Free download

  • The first Russian Anti-virus for Android
  • More than 100 million downloads on Google Play alone
  • Free for users of Dr.Web home products