My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s March 2021 review of virus activity on mobile devices

April 13, 2021

In March, trojans and unwanted applications displaying ads were among the most active threats. Moreover, malware capable of downloading and executing arbitrary code was often found on Android devices.

A large number of the Android.Joker trojans subscribing victims to premium services, as well as another fraudulent apps from the Android.FakeApp malware family were among the threats uncovered on the Google Play app store.


  • New threats spreading through the Google Play app catalog
  • An activity of the trojans subscribing victims to premium mobile services
  • Spreading of fraudulent applications

According to statistics collected by Dr.Web for Android

According to statistics collected by Dr.Web for Android #drweb

A trojan designed to display obnoxious ads, distributed as popular applications. In some cases, it can be installed in the system directory by other malware.
Malicious applications that download and execute an arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertising banners, subscribe users to premium services and perform other actions.
A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
A trojan that displays obnoxious ads. It represents a special software module that is incorporated into the applications by the developers.

According to statistics collected by Dr.Web for Android #drweb

Software that monitors Android user activity and may serve as a tool for cyber espionage. These apps can track device locations, collect information from SMS and social media messages, copy documents, photo and video, spy on phone calls, etc.
The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them and demand they purchase the full version of the software.
An application that collects information about Android devices and how their owners are using them. With technical data, it also collects confidential information, such as device location, browser bookmarks, web history, and typed URLs.

According to statistics collected by Dr.Web for Android #drweb

Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.

According to statistics collected by Dr.Web for Android #drweb

Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts and load websites.


Threats on Google Play

Last month, Doctor Web specialists unveiled fraudulent apps from the Android.FakeApp family once again. New modifications of the Android.FakeApp.247 trojan, allegedly granting access to various bonuses and discounts provided by famous companies and retailers were among them. In this case, these bonuses were claimed to be from popular gas stations. To receive the “prize”, potential victims were asked to sign up for a paid subscription, starting from 429 rubles per week. In the end, users never received any discounts or bonuses, and the trojan only displayed a useless barcode.

screen Android.FakeApp.247 screen Android.FakeApp.247

Other fake apps were spread under the guise of various harmless applications, such as guides and reference software, apps allegedly helping users to verify peoples’ personality compatibility, and some other apps. In reality, these apps did not work as intended, and once launched, only loaded dubious websites. These trojans were added to the Dr.Web virus base as Android.FakeApp.244, Android.FakeApp.249, and Android.FakeApp.250.

screen Android.FakeApp.244 screen Android.FakeApp.249

screen Android.FakeApp.250 screen Android.FakeApp.250

Moreover, Doctor Web virus analysts have discovered several new modifications of the Android.Joker trojans throughout March. These trojans are used to spy on users and subscribe them to premium mobile services. They are also capable of downloading and executing arbitrary code. These multifunctional trojans were spread as a translation app, voice recording and editing software, live wallpapers, a launcher app, various image editing software, and a tool allowing control and tuning of Android devices. They were added to the Dr.Web virus base as Android.Joker.613, Android.Joker.614, Android.Joker.617, Android.Joker.618, Android.Joker.620, Android.Joker.622, Android.Joker.624, Android.Joker.630, and Android.Joker.632.

screen Android.Joker.613 screen Android.Joker.614

screen Android.Joker.617 screen Android.Joker.618

screen Android.Joker.622 screen Android.Joker.632

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.

Dr.Web Mobile Security

Your Android needs protection.

Use Dr.Web

  • The first Russian anti-virus for Android
  • Over 140 million downloads—just from Google Play
  • Available free of charge for users of Dr.Web home products

Free download