August 11, 2021
In July, Doctor Web’s malware analysts discovered various threats on Google Play. Among them were trojans from the Android.Joker family, which subscribe victims to premium mobile services, and a phony application from the Android.FakeApp trojan family that promised Russian users government financial support and lured them to fraudulent sites.
Our specialists also discovered a new family of Android banking trojans dubbed Android.BankBot.Coper.
Adware trojans and malware capable of executing arbitrary code and downloading other software were among the most common threats detected on protected Android devices.
PRINCIPAL TRENDS IN JULY
- The discovery of a new family of Android banking trojans
- Several threats distributed through Google Play were uncovered
- Adware trojans and trojans designed to execute arbitrary code remain among the most common threats on Android devices
Mobile threat of the month
Last month, Doctor Web’s malware analysts discovered a new family of Android banking trojans dubbed Android.BankBot.Coper. Initially, these malicious applications attacked Colombian users. Later, however, our specialists uncovered modifications targeting European Android users.
These banking trojans have a modular architecture and a number of protective mechanisms allowing them to operate more successfully. Upon receiving the malware authors’ commands, the trojans are able to intercept and send SMS, control push notifications, display phishing windows, and even hijack information entered on the keyboard.
More information on this malware family can be found in this news release.
According to statistics collected by Dr.Web for Android
- Trojans designed to display obnoxious ads. They are distributed as harmless applications and, in some cases, are installed in the system directory by other malware.
- Malicious applications that download and execute arbitrary code. Depending on their modification, they can load various websites, open web links, click on advertising banners, subscribe users to premium services, and perform other actions.
- A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.
- The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them, and demand they purchase the full version of the software.
- An Android program designed to intercept messages from WhatsApp.
- An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, control call history, and record phone calls.
- An application that spies on Android users and can be used for cyber espionage. It tracks the location of the device, gains access to the phone book and the user's contact list, and can also copy multimedia files, such as photos and videos.
- The detection name for programs designed to assign credit ratings to users based on their personal data. These applications upload SMS, contact information from phonebooks, call history, and other information to the remote server.
- Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
- The detection name for applications protected by the Obfuscapk obfuscation tool. This tool is used to automatically modify and scramble Android apps’ source code to make reverse engineering more difficult. Cybercriminals use the tool to protect malicious applications from being detected by anti-virus programs.
Program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
Threats on Google Play
In July, Doctor Web’s malware analysts uncovered other threats on Google Play. Among them were new trojans from the Android.Joker family, added to the Dr.Web virus database as Android.Joker.803, Android.Joker.837, and Android.Joker.846. They were hidden in seemingly harmless apps such as the Background Changer image editor, the Sweet Emoji SMS messenger, and the Flashlight LED Pro flashlight app. The trojans worked as users expected, but also covertly subscribed victims to premium mobile services and were able to execute arbitrary code.
Additionally, a new modification of the Android.FakeApp.299 fraudulent app was found. It was spread among Russian-speaking users as software for receiving financial support from the government, such as allowances and social compensation. Its real function, however, was to load fraudulent websites that scammers used to steal confidential information and money from Android users.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.