My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s November 2020 review of virus activity on mobile devices

December 16, 2020

Dr.Web ant-virus products for Android detected 5.14% fewer threats compared to October. According to detection statistics, the number of malware found on protected devices decreased by 8.37%. The number of unwanted apps, riskware and adware, on the contrary, increased by 5.78%, 13.16% and 5.72% respectively.

The Android.Mixi.44.origin trojan was among the threats found on Google Play last month. It loads various websites and displays them on top of other app windows. The trojan also opens URLs and helps cybercriminals generate scam profits by using the app installations users perform.

Our specialists also discovered new modifications of the trojans from the Android.Joker family. They primarily function to download and execute arbitrary code, intercepting incoming notifications and subscribing users to premium mobile services without their knowledge or consent.


  • Threats detected on Android devices decreases
  • New malware discovered on Google Play

Threat of the month

In the middle of the November Doctor Web’s malware analysts uncovered the Android.Mixi.44.origin trojan. It was built into an eye care app and spread though Google Play. On the surface, the app does perform as described, but it also targets users maliciously.

 Threat of the month #drweb

For example, the Android.Mixi.44.origin can load websites and display them on top of the windows of other applications and the operating system UI, disrupting the device’s normal use. The contents of these websites varies from advertising banners and video clips to phishing pages.

This trojan also functions to silently open web links. To do so, malefactors send Android.Mixi.44.origin a list of URLs it needs to visit. This way, the trojan artificially increases the popularity of certain websites while its authors generate a profit.

What’s more, the trojan attempts to monetize recent app installations. For that, it tracks which applications the user installs and uninstalls. If the received commands contain links that lead to the Google Play apps’ pages, Android.Mixi.44.origin checks if these apps were installed earlier. If they were, the trojan sends the packet names of these applications, as well as the malware writers’ referrer ID, to the analytics service. By doing so, it aims to reassign credit to the cybercriminals for performed installations.

If the targeted apps haven’t been installed, the trojan remembers the information related to them and waits for the user to install these apps. Upon their installation, it attempts to trick the analytics service the same way.

Read more about Android.Mixi.44.origin in our news report published on Doctor Web’s website.

According to statistics collected by Dr.Web for Android

According to statistics collected by Dr.Web for Android #drweb

A trojan that automatically loads websites and clicks on links and advertisement banners. It can be spread as a harmless app so users don’t perceive it as threatening.
Multifunctional trojans that perform various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to the protected system files and folders.
A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertisement banners, subscribe users to premium services and perform other actions.
A trojan designed to display obnoxious ads and distributed as popular applications. In some cases, it can be installed in the system directory by other malware.

According to statistics collected by Dr.Web for Android #drweb

Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.

According to statistics collected by Dr.Web for Android #drweb

The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cyber criminals use the tool to protect malicious applications from being detected by anti-virus programs.
Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.

According to statistics collected by Dr.Web for Android #drweb

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.

Threats on Google Play

With Android.Mixi.44.origin, Doctor Web’s virus analysts discovered several new modifications of the trojans from the Android.Joker family, which were added to the virus database as Android.Joker.418, Android.Joker.419, and Android.Joker.452. They were spread as harmless software, such as a translator app, an app with a collection of wallpapers, and as a tool with allegedly rich functionality such as a compass, a flashlight, a level, etc.

#drweb #drweb


These trojans downloaded and executed an arbitrary code and were able to subscribe users to mobile premium services, intercepting confirmation codes from incoming notifications.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Dr.Web Mobile Security

Your Android needs protection.

Use Dr.Web

  • The first Russian anti-virus for Android
  • Over 140 million downloads—just from Google Play
  • Available free of charge for users of Dr.Web home products

Free download