My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Doctor Web’s February 2024 review of virus activity on mobile devices

April 1, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, February 2024 saw a significant increase in Android.HiddenAds trojan family activity―it was up 73.26% from January. At the same time, users were 58.85% less likely to encounter the adware trojan family Android.MobiDash.

The activity of banking trojans from various families decreased by 18.77%, while Android.Spy spyware trojan activity decreased by 27.33%. In contrast, the number of Android.Locker ransomware trojan detections increased by 29.85%.

According to statistics collected by Dr.Web for Android

Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
These are the trojan apps that conceal their presence on Android devices and display intrusive ads. They have a number of characteristics that differentiate them from other members of the Android.HiddenAds family. For example, these trojans can run automatically after they are installed. Moreover, they implement a mechanism that allows their services to remain constantly running. And, in some cases, they can also use hidden Android operating system functions.
The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, and track when other software is being installed or removed from a device, etc.
The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.
The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.
A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
The detection name for some modified versions (mods) of the WhatsApp messenger whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) during the messenger’s operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise

Dr.Web Mobile Security

Your Android needs protection.

Use Dr.Web

  • The first Russian anti-virus for Android
  • Over 140 million downloads—just from Google Play
  • Available free of charge for users of Dr.Web home products

Free download