December 16, 2020
Dr.Web anti-virus products for Android detected 5.14% fewer threats compared to October. According to detection statistics, the number of malware found on protected devices decreased by 8.37%. The number of unwanted apps, riskware and adware, on the contrary, increased by 5.78%, 13.16% and 5.72% respectively.
The Android.Mixi.44.origin trojan was among the threats found on Google Play last month. It loads various websites and displays them on top of other app windows. The trojan also opens URLs and helps cybercriminals profit fraudulently from the app installations users perform.
Our specialists also discovered new modifications of the trojans from the Android.Joker family. Their primary functions are downloading and executing arbitrary code, intercepting incoming notifications, and subscribing users to premium mobile services without their knowledge or consent.
In mid-November, Doctor Web’s malware analysts uncovered the Android.Mixi.44.origin trojan. It was built into an eye care app and spread through Google Play. On the surface, the app does perform as described, but it also acts maliciously against its users.
For example, Android.Mixi.44.origin can load websites and display them on top of the windows of other applications and the operating system UI, disrupting the device’s normal use. The content of these websites varies from advertising banners and video clips to phishing pages.
The trojan can also silently open web links. To do so, malefactors send Android.Mixi.44.origin a list of URLs it needs to visit. This way, the trojan artificially increases the popularity of certain websites while its authors generate a profit.
What’s more, the trojan attempts to monetize recent app installations. To do so, it tracks which applications the user installs and uninstalls. If the received commands contain links that lead to app pages on Google Play, Android.Mixi.44.origin checks if these apps were installed earlier. If they were, the trojan sends the package names of these applications, as well as the malware writers’ referrer ID, to the analytics service. By doing so, it aims to reassign credit for the performed installations to the cybercriminals.
If the targeted apps haven’t been installed, the trojan remembers the information related to them and waits for the user to install these apps. Upon their installation, it attempts to trick the analytics service the same way.
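As an added illustration (not Doctor Web's code and not any analytics vendor's API), the following Python example shows how an attribution backend could flag the install-credit claims described above. The event schema, the `reporter` field, the package names and the referrer IDs are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events; the schema (kind/device/ts/package/referrer/reporter)
# is an assumption for illustration, not a real analytics service's format.
EVENTS = [
    {"kind": "click", "device": "dev-1", "ts": 100, "package": "com.example.game", "referrer": "ref-legit"},
    {"kind": "install", "device": "dev-1", "ts": 160, "package": "com.example.game"},
    {"kind": "claim", "device": "dev-1", "ts": 170, "package": "com.example.game",
     "referrer": "ref-legit", "reporter": "com.example.game"},
    # App installed long before any claim, then credited by another app.
    {"kind": "install", "device": "dev-2", "ts": 50, "package": "com.example.shop"},
    {"kind": "claim", "device": "dev-2", "ts": 900, "package": "com.example.shop",
     "referrer": "ref-x", "reporter": "com.example.eyecare"},
    # App installed later by the user, claimed right after with no ad click.
    {"kind": "install", "device": "dev-2", "ts": 1200, "package": "com.example.maps"},
    {"kind": "claim", "device": "dev-2", "ts": 1205, "package": "com.example.maps",
     "referrer": "ref-x", "reporter": "com.example.eyecare"},
]

def flag_claims(events):
    """Return (device, package, referrer, reasons) for suspicious install claims."""
    installs = {}                # (device, package) -> install timestamp
    clicks = defaultdict(list)   # (device, package, referrer) -> click timestamps
    for e in events:
        key = (e["device"], e["package"])
        if e["kind"] == "install":
            installs[key] = e["ts"]
        elif e["kind"] == "click":
            clicks[key + (e["referrer"],)].append(e["ts"])
    flagged = []
    for e in events:
        if e["kind"] != "claim":
            continue
        reasons = []
        # An app reporting an install of a *different* package.
        if e["reporter"] != e["package"]:
            reasons.append("foreign_reporter")
        installed_at = installs.get((e["device"], e["package"]))
        prior = clicks.get((e["device"], e["package"], e["referrer"]), [])
        if installed_at is None:
            reasons.append("no_install_seen")
        elif not any(t <= installed_at for t in prior):
            # Credit claimed without a click from that referrer before install.
            reasons.append("no_click_before_install")
        if reasons:
            flagged.append((e["device"], e["package"], e["referrer"], reasons))
    return flagged

if __name__ == "__main__":
    for row in flag_claims(EVENTS):
        print(row)
```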
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Along with Android.Mixi.44.origin, Doctor Web’s virus analysts discovered several new modifications of the trojans from the Android.Joker family, which were added to the virus database as Android.Joker.418, Android.Joker.419, and Android.Joker.452. They were spread as harmless software, such as a translator app, an app with a collection of wallpapers, and a tool with allegedly rich functionality such as a compass, a flashlight, a level, etc.
These trojans downloaded and executed arbitrary code and were able to subscribe users to mobile premium services, intercepting confirmation codes from incoming notifications.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.
© Doctor Web
2003 — 2022