March 15, 2022
In January, Dr.Web anti-virus products for Android recorded high activity of the Android.Spy.4498 trojan, which is designed to steal information from notifications. According to the collected statistics, this malware was detected on users’ devices more often than any other, with a share of 24.86% of all detections in the last month. Adware trojans were widespread again. As in the previous month, Android.HiddenAds.3018 stayed in the lead; this trojan replaced the older modification Android.HiddenAds.1994. At the same time, the number of attacks from trojans capable of downloading other software and executing arbitrary code decreased.
During the month, our specialists discovered more threats on Google Play. Numerous fake apps from the Android.FakeApp family were among them. Malicious actors use these in various scam schemes. Moreover, a new trojan from the Android.PWS.Facebook family has been found. It is designed to steal information required to hack into Facebook accounts. In addition, Doctor Web’s malware analysts uncovered new trojans from the Android.Subscription family. These subscribe users to paid mobile services.
In January, Doctor Web malware analysts traced the spread of a new Android trojan dubbed Android.Spy.4498. Threat actors built it into some versions of unofficial modifications (mods) of WhatsApp messenger, including GBWhatsApp, OBWhatsApp, and WhatsApp Plus. Then, they distributed them through malicious websites.
The main function of Android.Spy.4498 is to steal the contents of other apps’ notifications. It can also download apps and prompt users to install them, and display dialog boxes with contents it receives from the attackers.
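A defender-side check for the behaviour described above, as an added example that is not part of Doctor Web's report: on Android an app normally reads other apps' notifications through user-granted notification access, so this script lists third-party packages that hold that grant and were not installed from a trusted store. The sample command outputs, the package names and the trusted-installer set are constructed assumptions.

```python
import re

# Constructed output of: adb shell settings get secure enabled_notification_listeners
# Format: colon-separated components, each "package/class".
SAMPLE_LISTENERS = (
    "com.example.wearcompanion/.NotifListener:"
    "com.example.messenger.mod/com.example.messenger.mod.push.Relay"
)

# Constructed output of: adb shell pm list packages -i -3   (third-party apps only)
SAMPLE_PACKAGES = """\
package:com.example.wearcompanion  installer=com.android.vending
package:com.example.messenger.mod  installer=null
package:com.example.gallery  installer=com.android.vending
"""

# Assumption: only Google Play counts as a trusted installer; adjust per fleet policy.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})
PKG_LINE = re.compile(r"package:(\S+)\s+installer=(\S+)")


def parse_listeners(value):
    """Return the set of package names that hold notification access."""
    value = value.strip()
    if not value or value == "null":  # setting unset or empty
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}


def parse_installers(pm_output):
    """Map third-party package name -> installer package (None if unknown)."""
    installers = {}
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def sideloaded_listeners(listeners_value, pm_output, trusted=TRUSTED_INSTALLERS):
    """Third-party packages with notification access and an untrusted installer."""
    installers = parse_installers(pm_output)
    # Listeners absent from the -3 listing are system apps and are skipped.
    return sorted(p for p in parse_listeners(listeners_value)
                  if p in installers and installers[p] not in trusted)


if __name__ == "__main__":
    for pkg in sideloaded_listeners(SAMPLE_LISTENERS, SAMPLE_PACKAGES):
        print("review notification access for sideloaded package:", pkg)
```
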
Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
In January, Doctor Web’s specialists discovered many threats on Google Play. A large number of trojan apps from the Android.FakeApp family were among them. Malicious actors used these in various scam schemes. For example, the Android.FakeApp.777 and Android.FakeApp.778 trojans spread under the guise of software that claimed to help users search for and receive social benefits and financial aid. These targeted Russian users. In fact, these trojans only loaded fraudulent sites. There, potential victims had to provide their personal information, only to have their money stolen by deception.
Other fake software was distributed as investing apps. These apps claimed to help users become investors and receive passive income without any financial knowledge. They claimed that all the work would be done for them by a certain trading algorithm or a personal manager. For example, the Android.FakeApp.771, Android.FakeApp.772, Android.FakeApp.773, Android.FakeApp.774, Android.FakeApp.775, Android.FakeApp.776, Android.FakeApp.779, and Android.FakeApp.780 trojans spread as “Газпром Инвест”, “Gaz Investor”, “Инвестиции АктивГаз”, and other apps. These were allegedly related to the Gazprom company and the oil and natural gas market. What’s more, some modifications of Android.FakeApp.780 allegedly allowed making money on the stock market and cryptocurrencies. These were hiding in the apps called “ТОН” and “Chain Reaction”.
However, all these trojans were also only loading fraudulent websites where potential victims were prompted to create an account. Next, they had to wait for a call from an “operator” or a “personal broker”, and place money into their account so that the “unique algorithm” could proceed with trading and making money.
What’s more, another trojan targeting confidential data required to hack into Facebook accounts was uncovered. Dubbed Android.PWS.Facebook.123, this malicious app was distributed as “Adorn Photo Pro” image editing software.
Our malware analysts also discovered new trojans from the Android.Subscription family that subscribe users to paid mobile services. One of them, dubbed Android.Subscription.5, was hiding in various apps, including image editing software, a navigation app, a multimedia player, and others. Another one, dubbed Android.Subscription.6, spread under the guise of a launcher that followed the design of Apple’s mobile operating system.
These malicious programs loaded websites of affiliate services that enabled paid subscriptions through the Wap Click technology. On these websites, potential victims are asked to enter their mobile phone number. When they do that, an attempt to automatically activate the service is made.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web for Android.