The page may not load correctly.
April 28, 2018
In early April Doctor Web virus analysts detected a new version of a dangerous banking Trojan, which infected Android mobile devices. In mid-April, distribution of the Windows encryption Trojan was also detected. Due to virus writers’ error, it corrupted files without the possibility of decrypting them.
The encryption Trojan, which was dubbed Trojan.Encoder.25129, is detected by the preventive protection of Dr.Web Anti-virus as DPH:Trojan.Encoder.9. Virus writers designed the malicious program so that it does not encrypt files if the infected device is located in Russia, Belarus and Kazakhstan, or if the Russian language and Russian regional parameters are set in the system preferences. However, the encoder encrypts files regardless of the IP address’s geographical location due to the code error.
Using the AES-256-CBC algorithms, Trojan.Encoder.25129 encrypts the folder contents of the current user’s folders, Windows Desktop, the AppData and LocalAppData system folders. The encrypted files are appended the TRON extension. The ransom amount that cybercriminals demand ranges from 0.007305 to 0.04 Btc.
The Trojan’s creators have made an error in its code, so in most cases they will not be able to decrypt files encrypted by the encoder. For more information on the operation of Trojan.Encoder.25129 and its features, refer to this article published on our website.
In April, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:
During April 2018, Doctor Web added 287,661 URLs to the Dr.Web database of non-recommended sites.
In April, Doctor Web specialists detected a new modification of a dangerous Android Trojan, which was named Android.BankBot.358.origin. It attacked clients of a major bank and infected over 60,000 mobile devices. In the past month, virus analysts also detected numerous malicious programs on Google Play. They all belonged to the Android.Click family. Among them are Android.Click.245.origin, Android.Click.246.origin and Android.Click.458. Once launched, they downloaded websites specified by cybercriminals. These websites were used to trick users into signing up for expensive content services. Later riskware Program.PWS.2 was detected on Google Play. It allowed connection to Telegram that was blocked in Russia. This application did not encrypt the transferred confidential information, which could lead to Android smartphone and tablet owners’ confidential data being leaked. In late April Doctor Web specialists detected Android.RemoteCode.152.origin on Google Play. It downloaded and launched additional modules, and used them to create advertising banners. Then the malicious program tapped on them, generating income for cybercriminals. New spyware that tracked users was also detected in April. According to Doctor Web classification, these malicious programs were named Android.Spy.443.origin and Android.Spy.444.origin.
Among the most noticeable April events related to mobile malware, we can mention:
Find out more about malicious and unwanted programs for mobile devices in our special overview.