In March, the activity of the Android.Spy.4498 trojan that steals information from other apps’ notifications has slightly decreased. However, this malware remains the most widespread Android threat. According to the Dr.Web anti-virus products for Android detection statistics, its share was 46.98% of the total number of threats detected on protected devices. Adware trojans also remain a relevant threat with Android.HiddenAds family being one of the most notable among them.

In mid-March, Doctor Web reported on the discovery of malicious apps designed to steal cryptocurrencies from Android and iOS-based device users. In addition, new trojans have been uncovered on Google Play throughout the month.

PRINCIPAL TRENDS IN MARCH

The Android.Spy.4498 trojan activity decrease
Adware trojans remain highly active
The discovery of malicious apps designed to steal cryptocurrency from Android and iOS device users

Threat of the month

In March, Doctor Web notified users about the discovery of the CoinSteal trojans. These are targeting both Android and iOS-powered device owners and designed to steal their cryptocurrencies. The malicious actors behind the trojans have modified some versions of popular cryptowallet software, including MetaMask, imToken, Bitpie, TokenPocket, and others. They then spread malicious modifications as genuine and harmless versions.

Below are the examples of the original MetaMask application and its malicious variant operation:

Unbeknownst to users, the trojans stole secret seed phrases provided by victims and sent them to a remote server. The seed phrases are used to access cryptocurrencies stored in the cryptowallets. Our specialists discovered dozens of such trojans. Read more about this threat in our news report.

According to statistics collected by Dr.Web for Android

Android.Spy.4498: A trojan that steals the contents of other apps’ notifications. It can also download apps and offer users to install them, and can also display various dialog boxes.
Android.HiddenAds.3018
Android.HiddenAds.1994: Trojans designed to display obnoxious ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these trojans infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
Android.MobiDash.6932: A trojan that displays obnoxious ads. It is a special software module that the developers incorporate into applications.
Android.Triada.4567: A multifunctional trojan performing various malicious actions. This malware belongs to the trojan family that infects other app processes. Some modifications of this family were found in the firmware of Android devices, which attackers implanted during manufacturing. Some of them can also exploit various vulnerabilities to gain access to protected system files and folders.

Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of non-existing threats, mislead them, and demand they purchase the software’s full version.
Program.WapSniff.1.origin: An Android program designed to intercept WhatsApp messages.
Program.SecretVideoRecorder.1.origin
Program.SecretVideoRecorder.2.origin: The detection name for various modifications of an application designed to record videos and take photos in the background using Android devices’ built-in cameras. It can operate covertly, allowing disabling notifications about ongoing recordings. It also allows replacing the app’s icon and name with fake ones. This functionality makes this software potentially dangerous.
Program.KeyStroke.3: An Android application capable of intercepting keystrokes. Some modifications of this software can also track incoming SMS, control call history, and record phone calls.

Tool.SilentInstaller.14.origin
Tool.SilentInstaller.6.origin
Tool.SilentInstaller.13.origin
Tool.SilentInstaller.7.origin: Riskware platforms that allow applications to launch APK files without installation. They create a virtual runtime environment that does not affect the main operating system.
Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious by itself, but it can be used to protect both harmless and malicious software.

Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on their family and modifications, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.

Adware.SspSdk.1.origin
Adware.AdPush.36.origin
Adware.Adpush.6547
Adware.Adpush.16510
Adware.Myteam.2.origin

Threats on Google Play

In March, Doctor Web’s malware analysts discovered yet another fake apps from the Android.FakeApp family on Google Play. They were targeting Russian users and distributed under the guise of software designed to search the information about monetary compensations and allegedly could help receiving government payouts. But the trojans only loaded fraudulent websites to deceive potential victims and help scammers to steal their personal information and money. The malicious apps were added to the Dr.Web virus base as Android.FakeApp.907 (“Компенсация НДС”), Android.FakeApp.908 (“Возврат НДС на карту”), and Android.FakeApp.909 (“Поиск начислений 2022”).

In addition, our specialists revealed the Android.PWS.Facebook.134 trojan targeting Facebook users. This malware was hiding in the Photo PIP and Collager Photo Maker image editing software and stole the data necessary to access users’ Facebook accounts.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus for Android.

Your Android needs protection.

Use Dr.Web

The first Russian anti-virus for Android
Over 140 million downloads—just from Google Play
Available free of charge for users of Dr.Web home products

Free download