My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


February 2016 virus activity review from Doctor Web

February 29, 2016

February was quite eventful in terms of information security. At the beginning of the month, Doctor Web specialists detected a dangerous Trojan for Android that was capable to inject itself into system processes. In addition, a number of malicious programs for Windows were discovered at the end of February.


  • Emergence of a Trojan for Android capable to perform injections into system processes
  • Distribution of a banking Trojan targeting Russian bank customers
  • New backdoor for Windows that has geographical restrictions

Threat of the month

A group of three associated Trojans for Android named Android.Loki.1.origin, Android.Loki.2.origin and Android.Loki.3 is considered to be the most sophisticated threat detected during the past month. To perform their malicious activity, they use the library, which Dr.Web detects as Android.Loki.6. This library is incorporated into system processes by Android.Loki.3. Thus, Android.Loki.1.origin—the Trojan’s main module—gains the system privileges.

It is noteworthy that security researchers have not previously encountered Android malware that could perform injections into system processes, which makes this Trojan really noticeable. Android.Loki.1.origin can execute a wide range of functions. For instance, it is able to

The next element of the Trojan—Android.Loki.2.origin—is designed to display advertisements and install different software on the infected device upon receiving cybercriminals’ instructions. Yet, it can also act as a spyware program by sending detailed information about the machine to the server. To read more about this incident, refer to the news article.

According to statistics collected by Dr.Web CureIt!

По данным статистики лечащей утилиты Dr.Web CureIt! #drweb

According to Doctor Web statistics servers

По данным серверов статистики «Доктор Веб» #drweb

Statistics concerning malicious programs discovered in email traffic

Статистика вредоносных программ в почтовом трафике #drweb

Encryption ransomware

Троянцы-шифровальщики #drweb

The most common ransomware programs in February 2016:

It should be noted that almost half of the requests for decryption received by the Doctor Web technical support service were from foreign users.

Dr.Web Security Space 11.0 for Windows
protects against encryption ransomware

This feature is not available in Dr.Web Anti-virus for Windows.

Data Loss Prevention
Превентивная защитаЗащита данных от потери

Other malicious applications

Trojans belonging to the Trojan.Dyre family were first spotted in the middle of 2014. Since then, mass media has regularly published materials about new attacks involving this Trojan. To distribute different variants of Trojan.Dyre, attackers used affiliate programs, implementing the CaaS (crime-as-a-service) model. The “clients of this service” received a builder that was used to generate samples of the Trojan. In addition, attackers provided “users” with a special bot control panel. To learn more about how Doctor Web specialists fight against virus makers responsible for creation and distribution of Trojan.Dyre, read the article published by Doctor Web.

In mid-February, security researchers registered a new malware program—Trojan.Proxy2.102—that threatened customers of several Russian banks by stealing money from victims’ bank accounts. Once launched, it installed a root digital certificate and changed the Internet connection settings specifying a proxy server that belonged to virus makers.

screen Trojan.Proxy2.102 #drweb

This server was also applied to inject arbitrary content into websites once a user opened them on the infected computer. Therefore, a victim was tricked into transferring money from their accounts to cybercriminals’. For more information about Trojan.Proxy2.102, refer to the news article.

At the end of February, Doctor Web reported on detection of a backdoor Trojan named BackDoor.Andromeda.1407. Its key feature lay in the fact that this Trojan deleted itself from computers that used Russian, Ukrainian, Belorussian, or Kazakh keyboard layouts. The backdoor is currently known to distribute several malicious applications.

Dangerous websites

During February 2016, 453,623 URLs of non-recommended websites were added to the Dr.Web database.

January 2016February 2016Dynamics
Non-recommended websites

Malicious and unwanted programs for mobile devices

The past month was marked by several incidents involving Trojans for Android. At the beginning of the month, Doctor Web security researchers examined a group of Trojans belonging to the Android.Loki family. Its representatives were designed to download and install software, display advertising, and collect confidential information. In addition, attackers continued distributing banking Trojans among Android devices users in February.

Among the most noticeable February events related to mobile malware, we can mention

Find out more about malicious and unwanted programs for mobile devices in our special overview.

Learn more with Dr.Web

Virus statistics Virus descriptions Virus monthly reviews