December 31, 2020
In December, Dr.Web anti-virus products for Android detected 25.34% fewer threats than in November. According to detection statistics, malware detections decreased by 25.35%, unwanted software by 21%, riskware by 68.1%, and adware by 25.01%. Android users most commonly encountered ad trojans, malware capable of executing arbitrary code, and various downloader trojans.
In the middle of the month, Doctor Web malware analysts uncovered a multifunctional trojan on Google Play. Dubbed Android.Joker.477, this trojan was spread as an image collection app. Attacks involving various banking trojans, such as Android.BankBot.684.origin and Android.BankBot.687.origin, were also observed. In some cases, cybercriminals disguised them as software that allegedly helps users receive government financial support during the COVID-19 pandemic.
PRINCIPAL TRENDS IN DECEMBER
- A decreased number of threats detected on Android devices
- Advertising and downloader trojans remain among the most active Android threats
- Cybercriminals continue exploiting the COVID-19 pandemic when organizing their attacks
According to statistics collected by Dr.Web for Android
- A malicious application that downloads and executes arbitrary code. Depending on its modification, it can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
- A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other apps’ processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to the protected system files and folders.
- Trojans designed to display obnoxious ads and distributed as popular applications. In some cases, they can be installed in the system directory by other malware.
- A malicious application that loads websites, clicks on banner ads, and follows links. It can be distributed as harmless programs without arousing suspicion among users.
- Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photos and videos, spy on phone calls, etc.
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
- The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history and other information to the remote server.
- An Android app that allows recording keystrokes. This program is not malicious itself, but can be used to spy on users and steal their confidential information.
- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Threats on Google Play
In December, Doctor Web malware analysts uncovered yet another trojan on Google Play. Dubbed Android.Joker.477, it was a new modification of the Android.Joker trojan family. This malware was spread as a stock images collection app. In actuality, it subscribed users to premium services and downloaded and executed arbitrary code.
The Android.BankBot.684.origin and Android.BankBot.687.origin bankers were among the threats spread last month. New modifications of these trojans discovered by Doctor Web specialists were targeting users from Turkey. This malware spread through bogus websites where potential victims could allegedly receive government financial support to help with the COVID-19 pandemic. To receive the money, users were asked to download and install special software which, in turn, was malware.
Once installed, the bankers requested access to the Accessibility Service functions in order to gain more privileges. They then hid their icons from the apps list in the main screen menu and executed their main malicious routine. The bankers tried to steal confidential information through phishing windows displayed on top of other apps’ windows; they also intercepted SMS, could block the screen, and performed other malicious actions.
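The behavior chain described above can be partly checked before installation. The following is an added example, not Doctor Web's code or detection logic: a static triage pass over a decoded AndroidManifest.xml that flags an accessibility service declared together with SMS access or the overlay permission. The sample manifest, its package name and the scoring rule are constructed assumptions; icon hiding happens at runtime and is not visible in the manifest.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.support">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return the banker-like traits declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        perms |= {e.get(ANDROID + "name") for e in root.iter(tag)}
    findings = []
    # An accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(s.get(ANDROID + "permission") == A11Y_BIND for s in root.iter("service")):
        findings.append("accessibility_service")
    if perms & SMS_PERMS:
        findings.append("sms_access")
    if OVERLAY_PERM in perms:
        findings.append("overlay_permission")
    return findings

def is_suspicious(findings):
    # Assumed heuristic: an accessibility service alone is common in legitimate
    # apps; combined with SMS access or overlays it warrants manual review.
    return "accessibility_service" in findings and len(findings) >= 2

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST), is_suspicious(triage_manifest(SAMPLE_MANIFEST)))
```

A hit from this check is a reason to inspect the app further, not a verdict: legitimate assistive apps also declare accessibility services.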
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.