The page may not load correctly.
September 28, 2018
September 2018 is marked by the spread of a banking Trojan posing a threat to clients of Brazilian financial institutions. Doctor Web specialists detected over 300 unique samples of this malicious software and over 120 online media sites from which the banking Trojan downloaded its components. Over the past month, virus analysts also detected new dangerous Android applications.
Banking Trojans designed to steal money from financial institutions’ clients are highly spread all over the world. In September, Doctor Web security researchers examined a new Trojan of this kind. It was named Trojan.PWS.Banker1.28321. This banking Trojan targeted Brazilian people. So far, 340 unique Trojan.PWS.Banker1.28321 samples and 129 domains and IP addresses have been detected. These domains and IP addresses belong to cybercriminals, and the Trojan used them to download archives with malicious library.
The Trojan is distributed under the guise of an application designed to view Adobe Reader PDF documents. It infects computers running Microsoft Windows if Portuguese is specified in the language settings as the primary language. All Trojan.PWS.Banker1.28321 malicious functions are located in an encrypted and packed dynamic library that is downloaded by the banking Trojan from cybercriminals’ websites.
When users open the Internet banking websites from various Brazilian financial institutions in the browser window, the Trojan imperceptibly replaces the web page, showing the victim a fake authentication form. In some cases, the Trojan requests an authorization verification code from an SMS message the banks sends users. This information is then transmitted to cybercriminals. For more information regarding this incident, refer to this news article.
In September, cases involving the following ransomware modifications were registered by Doctor Web’s technical support service:
During September 2018, 271,605 URLs of non-recommended websites were added to the Dr.Web database.
|August 2018||September 2018||Dynamics|
|+ 538,480||+ 271,605||- 49.5%|
In the past month, Doctor Web security researchers again detected the distribution Trojans of the Android.Click family on Google Play. Many of them were distributed under the guise of official programs of bookmakers’ offices. Upon cybercriminals’ command, these Trojans open bookmaker offices’ websites; however, at any moment, they can download any website, including fraudulent ones. Moreover, Android.Click.265.origin again penetrates Google Play. This Trojan was distributed under the guise of official software from well-known companies. Android.Click.265.origin downloads websites of premium services and automatically clicks the confirmation button to subscribe to expensive services.
Also, the following malicious programs were detected on Google Play in September: Android.Banker.2855, Android.Banker.2856, and Android.Banker.283.origin. They were hidden in programs that seem to be harmless at the first glance.
In the first autumn month of 2018, cybercriminals also distributed the dangerous Android.Spy.460.origin Trojan. It was designed for cyber espionage. Among other threats detected in September, new versions of commercial spyware were found, such as Program.SpyToMobile.1.origin, Program.Spy.11, Program.GpsSpy.9, Program.StealthGuru.1, Program.QQPlus.4, Program.DroidWatcher.1.origin, Program.NeoSpy.1.origin, Program.MSpy.7.origin, and Program.Spymaster.2.origin. These applications monitor SMS messages, call histories, detect device locations, copy contact lists to a remote server, and are able to steal browser histories and other private user information.
Among the most notable September events related to mobile malware:
Find out more about malicious and unwanted programs for mobile devices in our special overview.