October 15, 2021
Over the past month, Doctor Web’s malware analysts discovered dozens of new fake apps from the Android.FakeApp family. Cybercriminals used them in various fraudulent schemes.
In September, Doctor Web’s specialists discovered dozens of new fake apps that helped cyber-attackers carry out different fraudulent schemes. The Android.FakeApp.344 trojan was among these threats. Several of its modifications were spread as various apps, including phone launchers, image collection apps, a piano-learning app, heart rate monitor software, and others.
Its main function is to load websites upon the attackers’ command. Because of this, the trojan can be used in many malicious scenarios: it can perform phishing attacks, subscribe victims to paid mobile services, promote websites of interest to cybercriminals, or load sites with ads.
Android.FakeApp.344 is controlled through one of the GitHub accounts whose repositories contain the trojan’s configuration files. Upon launch, the malware receives the necessary parameters from there. If the received parameters contain a corresponding task, the trojan loads the target site. If there is no task, or the malware failed to receive the configuration, it operates as a normal app, so users may not even suspect that there is something wrong with the application.
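As an added illustration (not part of Doctor Web’s report), the following Python heuristic flags the launch-time pattern just described in constructed network telemetry: an app fetches a file from a GitHub-hosted repository and, shortly afterwards, loads a site that is not on GitHub. The package names, URLs and the 30-second correlation window are assumptions.

```python
"""Hunting heuristic: GitHub config fetch followed by a non-GitHub page load.
Input is constructed per-app network telemetry: "<ISO timestamp> <package> <url>"."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "api.github.com"}
WINDOW = timedelta(seconds=30)  # assumed correlation window between fetch and load

# Constructed sample telemetry (placeholder account/repo names, not real IoCs)
SAMPLE_LOG = """\
2021-09-20T10:00:01 com.example.pianolearn https://raw.githubusercontent.com/placeholder-acct/placeholder-repo/main/config.json
2021-09-20T10:00:04 com.example.pianolearn https://promo.example.net/landing
2021-09-20T10:05:00 com.example.gitclient https://api.github.com/repos/foo/bar
2021-09-20T10:05:02 com.example.gitclient https://raw.githubusercontent.com/foo/bar/main/README.md
2021-09-20T11:00:00 com.example.browser https://raw.githubusercontent.com/x/y/main/a.txt
2021-09-20T11:30:00 com.example.browser https://news.example.org/
"""

def parse_line(line):
    ts, pkg, url = line.split(" ", 2)
    return datetime.fromisoformat(ts), pkg, url

def is_github(url):
    host = urlparse(url).hostname or ""
    return host in GITHUB_HOSTS or host.endswith(".githubusercontent.com")

def find_suspects(log_text, window=WINDOW):
    """Return {package: (github_url, followed_url)} for apps that load a
    non-GitHub site within `window` of fetching a GitHub-hosted file."""
    last_github = {}  # package -> (timestamp, url) of most recent GitHub fetch
    hits = {}
    for line in log_text.strip().splitlines():
        ts, pkg, url = parse_line(line)
        if is_github(url):
            last_github[pkg] = (ts, url)
            continue
        prev = last_github.get(pkg)
        if prev and ts - prev[0] <= window:
            hits.setdefault(pkg, (prev[1], url))  # keep the first correlated pair
    return hits

if __name__ == "__main__":
    for pkg, (cfg, site) in find_suspects(SAMPLE_LOG).items():
        print(f"{pkg}: fetched {cfg} then loaded {site}")
```

A legitimate Git client that only talks to GitHub, or a browser that visits GitHub and then something else half an hour later, is not flagged; tune the window to the telemetry you actually have.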
Other uncovered trojans were dubbed Android.FakeApp.347, Android.FakeApp.364, and Android.FakeApp.385. They were also spread under the guise of harmless and useful apps, such as software for making free calls, image editing software, a religion-themed app, and an application to protect installed apps from unauthorized access.
However, they didn’t perform any of the declared functionality. They only loaded various websites, including ones where users were asked to provide their mobile phone numbers. If they did so, they were then redirected to a search engine’s main page, and the apps didn’t do anything else after that.
The trojans dubbed Android.FakeApp.354, Android.FakeApp.355, Android.FakeApp.356, Android.FakeApp.357, Android.FakeApp.358, Android.FakeApp.366, Android.FakeApp.377, Android.FakeApp.378, Android.FakeApp.380, Android.FakeApp.383, and Android.FakeApp.388 were allegedly designed to help Russian users search for information about government social support and receive social benefits and payouts, as well as to get VAT refunds. In reality, these fake apps only lured Android device owners to fraudulent sites where thousands of rubles were promised to absolutely any visitor. To “receive” the money, users were asked to pay a “bank commission” or “state fee” of a few hundred to a few thousand rubles. Victims of this scam didn’t receive any payments and transferred their own money to the fraudsters instead.
The malicious actors also spread other fake apps which they passed off as official investment software from the Gazprom company. They were added to the Dr.Web virus base as Android.FakeApp.348, Android.FakeApp.349, Android.FakeApp.350, Android.FakeApp.351, Android.FakeApp.352, Android.FakeApp.353, Android.FakeApp.365, Android.FakeApp.367, Android.FakeApp.368, Android.FakeApp.369, Android.FakeApp.370, Android.FakeApp.382, Android.FakeApp.384, Android.FakeApp.387, and Android.FakeApp.389. With their help, Android users allegedly could receive significant passive income from investments without any economic knowledge or experience. All the work supposedly would be done for them by a personal manager or a special trading algorithm.
Examples of these apps’ pages on Google Play:
In reality, these trojan apps had nothing to do with famous companies and investments. They loaded fraudulent sites where Android users were asked to register an account by providing personal information and waiting for the “operator” to call them back. The information that victims provide to the fraudsters, including first and last names, mobile phone numbers, and emails, can be used to further trick them into scam schemes or sold on the black market.
Moreover, to attract more victims and increase the number of installations of such fake apps, scammers are actively advertising them on popular platforms such as YouTube. Examples of such ads are shown below:
Other fakes disguised as official apps of popular Russian lotteries were also uncovered. They were added to the Dr.Web virus base as Android.FakeApp.359, Android.FakeApp.360, Android.FakeApp.361, Android.FakeApp.362, Android.FakeApp.363, Android.FakeApp.371, Android.FakeApp.372, Android.FakeApp.373, Android.FakeApp.374, Android.FakeApp.379, and Android.FakeApp.381. With the help of these apps, users allegedly could receive free lottery tickets and play lotto. But again, the only thing these apps did was that they loaded fraudulent sites where victims were asked to pay a “fee” to receive free tickets and money they “won”.
Our specialists also discovered several modifications of the new Android.FakeApp.386 trojan, which was spread as reference software and guides with information about health and possible disease treatments. In reality, these were fakes that only loaded fraudulent sites imitating popular online information resources. There, various drugs and pills of questionable quality and efficacy were advertised on behalf of famous doctors and media personalities. Potential “clients” were also offered the medicine allegedly free of charge or with a significant discount. For that, users were asked to provide their names and mobile phone number and to wait for the “manager” to call them back.
An example of one of these apps:
An example of how it operates:
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.
Doctor Web is a Russian cybersecurity company focused on threat detection, prevention and response technologies.