The page may not load correctly.
April 30, 2019
In April Doctor Web reported on the Android.InfectionAds.1 trojan that exploited several critical Android OS vulnerabilities. These vulnerabilities allowed the trojan to infect programs, as well as install and uninstall software independently from users. In addition, virus analysts found new modifications of the banking trojan Android.Banker.180.origin designed to steal money from clients of Japanese credit organizations. Other malicious programs distributed via Google Play were detected. The downloader trojans Android.DownLoader that downloaded banking trojans on mobile devices, clickers from the Android.Click family, the stealers Android.PWS.Instagram that stole Instagram users’ logins and passwords. Aside from that, the Dr.Web virus database was updated with new entries to detect additional malware.
In early April Doctor Web reported on a dangerous trojan, Android.InfectionAds.1. Hackers embed it into initially benign programs and use popular third-party Android stores for its distribution. This trojan exploits critical vulnerabilities of Android OS to infect APK files (the CVE-2017-13156 vulnerability), as well as to install and uninstall programs (the CVE-2017-13315 vulnerability). Android.InfectionAds.1 also shows annoying banner ads, making it difficult to work with infected devices. See detailed information about the trojan in our virus library.
Over the past month, banking trojans threatened users of Android devices. In late April Doctor Web virus analysts detected new modifications of the Android.Banker.180.origin malware. These modifications were distributed under the guise of package tracking apps (for example, an app titled “佐川急便”) targeting Japanese users. Once installed, these trojans delete their own icons and hide themselves from users.
These modifications of Android.Banker.180.origin are controlled via specially created pages in the Russian social network, Vkontakte. On such pages, the encrypted address of one of the trojan command and control servers is specified in the “Activities” field. The malware looks for this field using a regular expression, decrypts the address, and connects to the server.
These trojan modifications are able to intercept and send SMS on hackers’ command, show phishing windows, make calls, and listen to the surrounding environment using the device’s built-in microphone. On top of that, they can control smartphones and tablets; for example, they can turn on Wi-Fi, connect to the Internet via a mobile network, block the screen, and so on.
In addition, new downloaders from the Android.DownLoader family, such as Android.DownLoader.4303, downloaded Android bankers on mobile devices. They were distributed under the guise of financial applications.
Aside from downloaders, other trojans, such as Android.Click.303.origin and Android.Click.304.origin were detected on Google Play. They were distributed under the guise of benign applications such as games and programs for watching TV channels. Doctor Web virus analysts detected 36 of theses trojans. More than 151,000 people installed them.
In late April, new entries were added to the Dr.Web virus database to detect the trojans Android.PWS.Instagram.4 and Android.PWS.Instagram.5. Hackers guised them as useful programs for Instagram users, for instance, those intended to drive up the number of likes or followers, as well as to increase the account security. Once launched, trojans asked victims to enter their login and password and then sent that data to the hackers’ server.
The Android.FakeApp.2.origin trojan was one of the malicious apps that threatened Android smartphone and tablet owners in April. It was hidden in a program that allegedly provided free 25 GB of Internet traffic to Indian users of the Jio service provider.
To distribute itself among a greater number of users, the trojan sent SMS with a link to the download page of its copy to all contacts of the infected device. The main goal of Android.FakeApp.2.origin was showing banner ads.
Users of Android devices are threatened by different trojan applications that are distributed not only via malicious websites, but also via the official Google Play store. To protect smartphones and tablets, we recommend that you install Dr.Web for Android.
© Doctor Web
2003 — 2023
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies
Doctor Web in social networksLink accounts