December 2, 2022
Banking trojans and apps that facilitate spying on users were noticeably active. For example, Android device users again encountered the Android.Spy.4498 trojan and its various modifications. This malicious program is capable of hijacking the contents of other apps’ notifications, which can cause leaks of confidential and sensitive data.
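Hijacking notification contents, as Android.Spy.4498 does, requires the app to be granted notification-listener access. A practical check for administrators is to list which apps currently hold that access and flag any not on an expected baseline. The script below is an added example, not Doctor Web's code: it parses the value of the `enabled_notification_listeners` secure setting (on a real device obtained with `adb shell settings get secure enabled_notification_listeners`), and the sample value, package names and allowlist are constructed for illustration.

```python
# Constructed sample of what `settings get secure enabled_notification_listeners`
# prints on a device: a colon-separated list of component names in the form
# package/serviceclass. The package names are hypothetical, not real apps.
SAMPLE_SETTING = (
    "com.example.launcher/.NotifListener"
    ":com.example.wear/com.example.wear.sync.NotificationService"
    ":com.example.cleaner.boost/com.example.cleaner.boost.SvcA"
)

# Packages an administrator expects to hold notification access
# (constructed allowlist; a real one comes from the organisation's baseline).
EXPECTED_PACKAGES = {"com.example.launcher", "com.example.wear"}


def parse_listeners(setting_value):
    """Split the setting into (package, fully qualified class) pairs.

    `settings get` prints the literal string "null" when the value is unset,
    and an empty string is also possible; both mean no listener is enabled.
    A class written in short form ("pkg/.Foo") is expanded with its package.
    """
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return []
    pairs = []
    for component in value.split(":"):
        if "/" not in component:
            continue  # malformed entry: skip it rather than abort the audit
        pkg, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_listeners(setting_value, expected_packages):
    """Packages holding notification access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in parse_listeners(setting_value)
                   if pkg not in expected_packages})


if __name__ == "__main__":
    for pkg, cls in parse_listeners(SAMPLE_SETTING):
        print(f"{pkg:32s} {cls}")
    print("needs review:", unexpected_listeners(SAMPLE_SETTING, EXPECTED_PACKAGES))
```

Any package reported for review should be examined (or its notification access revoked in system settings) before it is trusted with the contents of other apps' notifications, which is exactly the data a notification-hijacking trojan reads.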
In addition, Doctor Web’s malware analysts discovered many new threats on Google Play, including malware, adware, and unwanted software.
Adware modules are program modules incorporated into Android applications and designed to display obnoxious ads on Android devices. Depending on the family and modification involved, they can display full-screen ads and block other apps’ windows, show various notifications, create shortcuts, and load websites.
In the beginning of October, Doctor Web’s malware analysts discovered the Fast Cleaner & Cooling Master trojan application on Google Play. Malicious actors passed it off as an OS optimization tool. This trojan is controlled with commands that are received through Firebase Cloud Messaging or AppMetrica Push SDK. Depending on the command involved, this app displays ads or launches a proxy server on an affected device. Third parties can use this proxy to channel traffic through it. Various modifications of this malware are detected by Dr.Web as Android.Proxy.35, Android.Proxy.36, and Android.Proxy.37.
Later, apps containing a new adware module were identified. Dubbed Adware.FireAd, this module receives commands through Firebase Cloud Messaging and loads the websites specified in them. The module was built into some versions of such apps as Volume, Music Equalizer (versions 2.9-3.5 are affected and detected by Dr.Web as Adware.FireAd.1), Bluetooth device auto connect (found in versions 46-58 and detected as Adware.FireAd.2) and Bluetooth & Wi-Fi & USB driver (found in versions 15-19 and detected as Adware.FireAd.2).
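Because Adware.FireAd was built only into specific version ranges of otherwise ordinary apps, the useful check is whether an installed copy falls inside the ranges the report names. The script below is an added example, not Doctor Web's code: it encodes the three affected ranges from this report and compares an inventory of installed apps against them. It assumes the inventory is keyed by the app titles as they appear in the report (the report gives no package names) and the inventory itself is constructed.

```python
import re

# Affected version ranges exactly as stated in the report:
# app title -> ((lowest affected, highest affected), Dr.Web detection name).
AFFECTED_VERSIONS = {
    "Volume, Music Equalizer": (("2.9", "3.5"), "Adware.FireAd.1"),
    "Bluetooth device auto connect": (("46", "58"), "Adware.FireAd.2"),
    "Bluetooth & Wi-Fi & USB driver": (("15", "19"), "Adware.FireAd.2"),
}


def parse_version(text):
    """'3.5.1' -> (3, 5, 1); non-numeric parts such as '-beta' are ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return parts


def version_in_range(version, low, high):
    """Inclusive range check, comparing at the precision of each bound,
    so 3.5.1 is treated as a 3.5 build and lies inside 2.9-3.5, while
    2.10 sorts above 2.9 numerically rather than as a string."""
    v = parse_version(version)
    lo, hi = parse_version(low), parse_version(high)
    return v[:len(lo)] >= lo and v[:len(hi)] <= hi


def check_installed(installed):
    """installed: {app title: version string}.
    Returns (title, version, detection) for every copy inside an affected range."""
    hits = []
    for title, version in installed.items():
        entry = AFFECTED_VERSIONS.get(title)
        if entry is None:
            continue
        (low, high), detection = entry
        if version_in_range(version, low, high):
            hits.append((title, version, detection))
    return hits


if __name__ == "__main__":
    # Constructed inventory, e.g. exported from an MDM console.
    inventory = {
        "Volume, Music Equalizer": "3.2",
        "Bluetooth device auto connect": "60",
        "Bluetooth & Wi-Fi & USB driver": "17",
        "Some Other App": "1.0",
    }
    for title, version, detection in check_installed(inventory):
        print(f"{title} {version}: affected ({detection})")
```

Matching on title alone is only a first pass: a title can be reused by unrelated apps, so a hit should be confirmed against the package and the Dr.Web detection before the copy is removed or blocked.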
At the end of the month, the Program.FakeMoney.3 virus record for detecting an unwanted application called TubeBox was added to the Dr.Web anti-virus database. With the help of this app, users allegedly could make money by watching videos and ads.
For each view, they allegedly had a reward—coins and coupons—allocated to their internal account. It was claimed that this reward could be converted into real money and easily withdrawn in a convenient way—for example, by bank transfer or through payment systems. And to withdraw the money, they had to accumulate the minimum allowable amount. Even if they collected the required sum over time, users could not receive payments due to certain problems reported by the program. The creators of this app tried to string their victims along for as long as possible so that they would continue watching videos and ads, earning money not for themselves but for the fraudsters.
Also, many new fake apps from the Android.FakeApp trojan family were found during the past month. Cybercriminals used these in various fraudulent schemes. The trojans were disguised as investing applications that allegedly had a direct relationship with Russian banks and commodity companies. They were also distributed as directories and survey programs. Scammers claimed—including through advertisements—that users could learn how to invest so that they would be able to make profitable investments and trade natural gas themselves, and that they would even receive free stocks of the affiliated companies that allegedly back all these services. In reality, such fake apps loaded specially crafted sites designed to get users to participate in dodgy surveys, register accounts, and submit applications, in order to collect their personal information.
Below are examples of ads in which potential victims are offered trojan apps to install. The attackers use images of famous personalities and companies and make bold claims. In particular, they promise high income and accompany their ads with Russian phrases like “Против санкций всей страной” (Protiv sankciy vsei stranoy—“The entire country against sanctions”), “Дарим 10 акций бесплатно” (Darim 10 akciy besplatno—“We grant 10 free shares”), “Заработайте уже во время обучения” (Zarabotayte uzhe vo vremya obucheniya—“Earn while you are still learning”), “Я дам вам 100 000 USD, если вы не станете миллионером за 6 месяцев” (Ya dam vam 100 000 USD, yesli vy ne stanete millionerom za 6 mesyacev—“I will give you 100 000 USD if you are not a millionaire in 6 months”), etc.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
© Doctor Web
2003 — 2023
Doctor Web is a cybersecurity company focused on threat detection, prevention and response technologies