October 22, 2020
According to the detection statistics of Dr.Web anti-virus products for Android, protected devices saw 3.75% more threats in September than in August. Compared to the previous month, the number of malware detections increased by 5.58% and riskware detections by 4.98%. At the same time, the number of adware and unwanted software detections decreased by 6.22% and 8.83% respectively.
During September, Doctor Web’s malware analysts found several new malicious apps on Google Play. Among them were members of the Android.Joker trojan family, which are capable of executing arbitrary code and subscribing victims to premium services. Attackers also spread the Android.Click.978 clicker trojan, which displayed ads, as well as the multifunctional Android.Triada.545.origin trojan, used in phishing and other types of attacks.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
In September, several new modifications of the Android.Joker trojan family were found on Google Play. One of them, dubbed Android.Joker.341, was spread as picture editing software. Like other trojans of this family, it downloaded and executed arbitrary code and could subscribe users to paid services, collecting the confirmation codes from incoming notifications.
Upon launching, the trojan loads into memory one of the native libraries hidden inside its APK file, choosing the library according to the CPU architecture of the infected device. Dr.Web anti-virus detects these libraries as Android.Joker.339 and Android.Joker.340.
In turn, the loaded library extracts the malicious Android.Joker.177.origin module from its body, which then downloads the Android.Joker.192.origin module from the remote server. Android.Joker.192.origin acquires access to the notification contents and downloads another module, Android.Joker.107.origin. This module contains the primary malicious functionality.
Later on, malware analysts discovered a similar trojan spread as an image collection app. It was added to the virus database as Android.Joker.344.
Part of the Android.Triada.545.origin functionality is phishing. Upon launching, the trojan displays a fake Google services authorization window. In this window, victims are required to enter their confidential information to sign into the account, allegedly to continue using the app. To confuse users further, the window carries fake promotional text about a chance to win a new phone after logging into the account. However, this is all just a trick, and the provided information is sent to the cybercrooks.
On top of that, Android.Triada.545.origin is also able to download and execute arbitrary code, as well as intercept incoming notifications and steal information such as PIN codes.
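Both the Android.Joker modules and Android.Triada.545.origin described above read incoming notifications, so a useful check on a device is which user-installed apps hold notification access. The following is an added example, not Doctor Web's code: it parses captured output of `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -3` and lists third-party apps with that access. It assumes the access is granted through Android's notification-listener setting (the page does not say how the trojans obtain it); all package names and the `approved` allowlist are constructed.

```python
"""Audit which user-installed apps hold notification-listener access."""

# Constructed sample of: adb shell settings get secure enabled_notification_listeners
SAMPLE_LISTENERS = (
    "com.example.preinstalled.dialer/.CallNotificationListener:"
    "com.example.photoeditor/com.example.photoeditor.core.NService:"
    "com.example.smartwatch/.NotificationRelay"
)

# Constructed sample of: adb shell pm list packages -3  (third-party apps only)
SAMPLE_THIRD_PARTY = """\
package:com.example.photoeditor
package:com.example.smartwatch
package:com.example.notes
"""

def parse_listeners(setting_value):
    """Return (package, full class name) pairs from the colon-separated setting."""
    value = (setting_value or "").strip()
    if value in ("", "null"):          # 'null' is printed when the setting is unset
        return []
    pairs = []
    for component in value.split(":"):
        if "/" not in component:
            continue                   # skip malformed entries
        package, cls = component.strip().split("/", 1)
        if cls.startswith("."):        # expand shorthand '.Cls' to 'pkg.Cls'
            cls = package + cls
        pairs.append((package, cls))
    return pairs

def parse_packages(pm_output):
    """Return the set of package names from 'pm list packages' output."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}

def audit(setting_value, pm_output, approved=frozenset()):
    """List third-party listeners that are not on the approved allowlist."""
    third_party = parse_packages(pm_output)
    return [(pkg, cls) for pkg, cls in parse_listeners(setting_value)
            if pkg in third_party and pkg not in approved]

if __name__ == "__main__":
    for pkg, cls in audit(SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY,
                          approved={"com.example.smartwatch"}):
        print(f"review: {pkg} holds notification access via {cls}")
```

An app such as a picture editor or image collection has no functional need for this access, so any such entry in the result deserves a closer look.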
One more Android threat discovered on Google Play in September was the Android.Click.978 clicker trojan, spread as a fortune telling app. Upon launch, it hid its icon from the application list of the main screen menu and started to display ads. These ads were displayed even after the malicious software was closed. The trojan also loaded websites and automatically clicked the links and banners located on them.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.
© Doctor Web
2003 — 2023
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies