The page may not load correctly.
August 31, 2017
In August, numerous malicious Android applications were detected on Google Play. Among them were Trojans that mounted DDoS attacks. Other malicious programs covertly loaded websites specified by cybercriminals and independently tapped on their banners, bringing profits to the virus writers who created them. Yet another Android Trojan detected on Google Play in August displayed fake input forms over launched programs and stole login credentials and other confidential information. The last summer month was also marked by the detection on Google Play of a dropper Trojan designed to install other malicious applications.
In August, several new Android.Click Trojans were detected on Google Play. Two of them were dubbed Android.Click.268 and Android.Click.274, respectively. Once launched on mobile devices, they imperceptibly mount DDoS (“Denial of service”) attacks on websites specified by cybercriminals by opening multiple copies of them. When commanded, they can also send scores of network packets to targeted servers. As a result, the Android smartphone and tablet users who downloaded these programs and thus infected their devices unintentionally became accomplices to cybercrimes.
Another Trojan, which was added to the Dr.Web database as Android.Click.269, covertly opened websites specified in the commands of cybercriminals and tapped on the banners located on them. Such actions brought profits to the malicious application’s authors. In addition, Android.Click.269 displayed advertisements once the screen of an infected Android device was unlocked.
All the aforementioned Trojans were embedded in software designed to stream YouTube videos.
Features of Android.Click.268 and Android.Click.274:
Features of Android.Click.269:
During the last summer month, a banking Trojan named Android.BankBot.225.origin was added to the Dr.Web virus database. The Trojan was being distributed via Google Play. It was hidden in an application called “Earn Real Money Gift Cards” which garners users money gift certificates for installing advertising programs.
Android.BankBot.225.origin tracks the launch of banking and other applications and displays on top of their windows fake forms for inputting confidential information. In addition, when commanded by cybercriminals, it can download other programs to infected devices and then try to install them.
Yet another Trojan detected on Google Play in August was added to the Dr.Web virus database as Android.MulDrop.1067. It was hidden in a game called “Bubble Shooter Wild Life”. Each time it starts up, this malicious program asks for permission to display interface elements on top of other applications.
Sometime after its launch, it attempts to gain access to the Accessibility Service by displaying the respective notification. If a device owner agrees to grant the Trojan such privileges, Android.MulDrop.1067 can independently install other Android applications by automatically tapping buttons in dialogs and confirming all actions. The Trojan checks whether an APK file is available on a memory card. It must install this file; however, the current version of Android.MulDrop.1067 doesn’t contain any hidden files and cannot download them from the Internet. This could be a sign that the Trojan is still under development.
Cybercriminals are using every possible way to distribute Android Trojans via Google Play. To increase the likelihood of mobile device infection, they embed malicious programs in fully functioning applications and use different mechanisms to bypass security checks so the Trojans go unnoticed for as long as possible. Doctor Web recommends that Android smartphone and tablet users install Dr.Web anti-virus products to protect them from current Android threats.