The page may not load correctly.
October 27, 2017
In October, yet another Android Trojan embedded into benign applications was detected on Google Play. It allowed cybercriminals to use infected mobile devices as proxy servers. In addition, in the past month a ransomware Trojan became widely known. It encrypted files on Android smartphones and tablets, changed the screen lock password, and demanded ransom.
In October, the Trojan Android.SockBot.5 was detected on Google Play. It was added to the Dr.Web virus database back in June 2017. Cybercriminals incorporated it into the following applications:
These programs allowed users to change the external appearance of characters in the mobile version of the popular game Minecraft.
Once launched, the Trojan covertly connected to a remote command center and then, using the SOCKS protocol, established a connection with a network address. As a result, cybercriminals turned smartphones and tablets into proxy servers and could process traffic through them.
In the past month, the mass media published information on the spread of a dangerous Android ransomware Trojan that changed the lock screen PIN codes of smartphones and tablets, encrypted user files, and demanded a ransom to make devices operational again. This malicious program was added to the Dr.Web database as Android.Banker.184.origin back in August 2017, so it poses no threat to our users.
Once launched, the Trojan attempts to gain access to the Accessibility Service, which it uses to independently add itself to the list of device administrators. Then it changes the PIN code that unlocks the screen, encrypts the user’s files (photos, videos, documents, music, etc.) and displays a message containing a ransom demand. In addition, there are versions of the malicious program that avoid encrypting files larger than 10 MB.
Despite the fact that some publications have described Android.Banker.184.origin’s functionality as being unique, other Trojans have made use of similar capabilities in the past. Back in 2014, Doctor Web detected the Android ransomware Trojan Android.Locker.38.origin, which installed its own code to unlock the device screen. That was the same year the first Android encryption Trojan emerged. It was named Android.Locker.2.origin. Performing malicious actions using the Accessibility Service (such as automatically adding a malicious application to the administrator list) has also previously been used in Android Trojans, for example in Android.BankBot.211.origin.
As before, cybercriminals are trying to spread Trojans via Google Play and continue to refine their malicious programs. Doctor Web recommends that device owners install Dr.Web for Android to protect their mobile devices from possible infection.