The page may not load correctly.
March 17, 2021
In February, malicious and unwanted programs displaying ads and trojans executing arbitrary code and downloading various apps without users’ awareness were detected most often by Dr.Web anti-virus products for Android.
Throughout the last month, Doctor Web’s malware analysts uncovered more threats on Google Play. Numerous fraudulent applications from the Android.FakeApp family, multifunctional Android.Joker trojans, Android.HiddenAds adware trojans and other dangerous programs were among them.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.
Throughout January, Doctor Web’s specialists observed significant activity among the malicious applications from the Android.FakeApp family. A large number of the apps were used by cyberattackers in various fraudulent schemes. One of the trojan groups was spread as software allegedly designed to provide access to discounts, promotional and bonus cards, as well as to gifts from famous stores and companies. To make it look more appealing, the malware authors used symbols and names of corresponding brands—consumer electronics manufacturers, gas stations and retailers.
Upon their launch, these apps invited potential victims to apply for a paid subscription (starting from 449 to 1499 rubles per week) allegedly to access the complete functionality of the software and to receive promised bonuses. However, they only received useless barcodes and QR codes—the same for all trojans—with the promise of receiving notifications with new codes in the future. At the same time, only a few modifications of these programs had the functionality to work with the notifications, which alone questioned their developer’s integrity.
If users agreed to make an in-app purchase, they were given a 3-day free trial so they could confirm the subscription or cancel it. The logic of the fraudulent scheme was that Android device owners will either forget about trial period or that they even installed these apps in the first place, or due to lack of experience, they would not realize they applied for a premium service with regular charges.
Various modifications of these trojans were added to the Dr.Web virus database as Android.FakeApp.239, Android.FakeApp.240, Android.FakeApp.246, and Android.FakeApp.247. Examples of how some of them operate are shown on the images below:
Messages and code examples they displayed after a user successfully subscribed to the premium service:
The second group of fake programs from the Android.FakeApp family included software spread by scammers as broadly themed, harmless applications including reference software and guides about fashion, animals, nature, and various horoscopes. Their real functionality didn’t match what was indicated. They only loaded different dating and even scam websites. These apps were actively promoted through the YouTube ads network when advertising video clips and banners aggressively used adults-only content with dating and meetings topics as well. Overall, Doctor Web’s specialists uncovered more than 20 of these fake applications.
Examples of these trojans distributed throughout Google Play and the ads leading to them are shown below:
The examples of websites these apps loaded:
The third group of the Android.FakeApp malicious apps included other variations of fraudulent trojans, which were spread under the guise of software with information about various financial compensations, social benefits and payouts. They were none other than the modifications of the well-known Android.FakeApp.219 and Android.FakeApp.227 malware.
Similar to some of the other fake apps within the same family, they were also advertized through YouTube:
Upon their launch, the trojans loaded fraudulent sites where potential victims could allegedly find information about payouts available to them. There, users were misled and asked to provide their personal data and either pay a money “transfer” commission or a “state duty”. In reality, there were not any payouts for users. They only released their personal details and transferred their money to the scammers.
Doctor Web’s malware analysts also uncovered several new multifunctional trojans from the Android.Joker family. As other malware from this family, they were spread as harmless apps, including image editing software, a barcode scanner, software for creating PDF documents, a collection of stickers for messaging apps, animated wallpapers and others. These trojans were dubbed Android.Joker.580, Android.Joker.585, Android.Joker.586, Android.Joker.592, Android.Joker.595, Android.Joker.598, and Android.Joker.604.
Their main functionality was loading and executing an arbitrary, as well as automatically subscribing users to premium mobile services.
Moreover, other adware trojans from the Android.HiddenAds malware family were also discovered on Google Play. They were dubbed Android.HiddenAds.610.origin and Android.HiddenAds.2357. The first one was spread as an image collection app while the second one was spread as picture editing software.
Upon launch, the trojans concealed their icons from the list of installed apps on the main screen menu and began displaying ads. With that, Android.HiddenAds.610.origin received commands through the Firebase cloud service and was able to display notifications with ads and load various sites. They could be websites with ads, as well as dubious and fraudulent sites.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.
© Doctor Web
2003 — 2023
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies
Doctor Web in social networksLink accounts