October 31, 2022
Malicious actors once again widely deployed specialized software tools that allow apps to be launched with no installation required. In addition, users continued to encounter various spying and monitoring software.
The Android.Spy.4498 trojan, which steals information from other apps’ notifications, was detected 32.72% less frequently compared to August. Last month, it accounted for just over a quarter of all malware detections.
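On Android, the usual way for an app to read other apps' notifications is notification access granted by the user, so reviewing which packages hold that access is a practical check against this class of spyware. The audit below is an added example, not Doctor Web's code. It assumes the two inputs were collected with `adb shell settings get secure enabled_notification_listeners` and `adb shell pm list packages -i`; the package names, sample data and allowlist are constructed.

```python
import re

# Hypothetical allowlist: packages the device owner expects to read notifications.
ALLOWED = {"com.example.wearcompanion"}

def parse_components(value):
    """Split a colon-separated component list into (package, class) pairs."""
    value = (value or "").strip()
    if value in ("", "null"):          # setting unset or empty: nobody has access
        return []
    pairs = []
    for item in value.split(":"):
        pkg, _, cls = item.strip().partition("/")
        if pkg:
            # Short form "pkg/.Cls" means the class lives under the package name.
            pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_installers(text):
    """Map package -> installer from `pm list packages -i` output."""
    found = re.findall(r"^package:(\S+)\s+installer=(\S+)$", text, re.M)
    return {pkg: (None if inst == "null" else inst) for pkg, inst in found}

def audit(listeners_value, installers_text, allowed=ALLOWED):
    """Return every notification listener that is not on the allowlist."""
    installers = parse_installers(installers_text)
    findings = []
    for pkg, cls in parse_components(listeners_value):
        if pkg in allowed:
            continue
        findings.append({"package": pkg, "service": cls,
                         "installer": installers.get(pkg) or "unknown/sideloaded"})
    return sorted(findings, key=lambda f: f["package"])

# Constructed sample data (not taken from a real device).
SAMPLE_LISTENERS = ("com.example.wearcompanion/com.example.wearcompanion.NotifService:"
                    "com.example.unknownapp/.core.NLService")
SAMPLE_PACKAGES = """\
package:com.example.wearcompanion  installer=com.android.vending
package:com.example.unknownapp  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTENERS, SAMPLE_PACKAGES):
        print(finding)
```

The installer field is triage context only: an app installed from an official store can still misuse notification access, so every non-allowlisted listener deserves review.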
During September, Doctor Web's specialists discovered other threats on Google Play. Among them were fake apps used in various fraudulent schemes, and adware.
Program modules incorporated into Android applications. These are designed to display obnoxious ads on Android devices. Depending on the family and modification involved, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
In September, new fake applications were uncovered on Google Play. These apps did not provide the functionality they advertised. With the help of these fakes, malicious actors executed various fraudulent schemes and targeted users from different countries. For instance, the Android.FakeApp.1005, Android.FakeApp.1007, Android.FakeApp.1011, and Android.FakeApp.1012 trojan apps were distributed under the guise of software that could allegedly help users improve their financial literacy, invest in oil and gas projects, and gain access to special automatic trading systems and online income-generating services. Among them were apps called “QuantumAI | income from 3000”, “QuantumAI - Earning System”, “Quantum AI - auto earning tool”, “КазГаз - инвест кабинет” (KazGaz - invest cabinet), “ГосОпросы” (GosOprosy), “ГазОнлайн: Платформа” (GazOnlain: Platforma), “Газ Профи” (Gaz Profi), and “Gift cards and coupons 2022”.
Some of them targeted Russian users, while others targeted Russian-speaking users in Kazakhstan and European Union countries. The trojans loaded fraudulent websites where potential victims were offered the opportunity to create an account to “access” a particular service. To do so, users had to provide their personal data: their first and last names, email address, and mobile phone number. In some cases, they were also asked to enter a one-time code sent to their phone via SMS. When “registration” was complete, users were either redirected to another dubious website or shown a message stating that the operation was completed successfully and that a “manager” or an “expert” would contact them soon. The information provided by victims was then sent to an unknown third party, which could use it at its own discretion. This could include executing future phishing attacks, or selling it to advertising and marketing agencies or on the black market.
Below are examples of such fake applications:
At the same time, to attract users’ attention, some of these trojans would periodically display notifications with fake messages. For example, these messages promised substantial earnings as well as bonuses and gifts for customers, or warned about the allegedly limited number of available spots for users to register.
In order to reach a larger audience, cybercriminals advertised these trojans in third-party apps through the advertising systems built into them. These advertisements, which took the form of full-screen banners and videos, could in some cases be targeted. For example, they could target Russian-speaking users in European Union countries with a proposal to install an app that would allegedly allow them to obtain free shares of a large Russian company from the oil and gas sector.
Below are examples of ads that helped scammers spread the fake apps:
The Android.FakeApp.1006, Android.FakeApp.1008, Android.FakeApp.1009, Android.FakeApp.1010, and Android.FakeApp.1019 trojans, as well as some modifications of the Android.FakeApp.1007 trojan, were distributed among Russian and Ukrainian Android users. With the help of these apps, users could allegedly receive free lottery tickets to take part in draws, or find information on government financial support and apply for it.
In reality, the trojans loaded fraudulent websites containing false information. They simulated both lottery draws and the process of searching and applying for social benefits. To “receive” the prizes and the government support, potential victims had to provide their personal data. Moreover, they were also asked to pay a commission or a fee for the money “transfer” or for courier “delivery”. Information provided by users, including bank card details, and the payment fell into the hands of the attackers, while the victims themselves did not receive any of the promised government support or the lottery prizes.
Examples of how these trojan applications operate are provided below:
Our specialists also discovered new unwanted adware modules. Dubbed Adware.AdNoty.1 and Adware.AdNoty.2 in accordance with Doctor Web classification, these modules can be integrated into a variety of software. They periodically display notifications with ads, for example, ones that promote games and apps. When the user taps such a notification, a website is loaded in the device’s browser. These websites are taken from a list of advertising URLs defined in the modules’ configuration.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.