The page may not load correctly.
February 29, 2016
February was quite eventful in terms of information security. At the beginning of the month, Doctor Web specialists detected a dangerous Trojan for Android that was capable to inject itself into system processes. In addition, a number of malicious programs for Windows were discovered at the end of February.
A group of three associated Trojans for Android named Android.Loki.1.origin, Android.Loki.2.origin and Android.Loki.3 is considered to be the most sophisticated threat detected during the past month. To perform their malicious activity, they use the liblokih.so library, which Dr.Web detects as Android.Loki.6. This library is incorporated into system processes by Android.Loki.3. Thus, Android.Loki.1.origin—the Trojan’s main module—gains the system privileges.
It is noteworthy that security researchers have not previously encountered Android malware that could perform injections into system processes, which makes this Trojan really noticeable. Android.Loki.1.origin can execute a wide range of functions. For instance, it is able to
The next element of the Trojan—Android.Loki.2.origin—is designed to display advertisements and install different software on the infected device upon receiving cybercriminals’ instructions. Yet, it can also act as a spyware program by sending detailed information about the machine to the server. To read more about this incident, refer to the news article.
It should be noted that almost half of the requests for decryption received by the Doctor Web technical support service were from foreign users.
This feature is not available in Dr.Web Anti-virus for Windows.
|Data Loss Prevention|
Trojans belonging to the Trojan.Dyre family were first spotted in the middle of 2014. Since then, mass media has regularly published materials about new attacks involving this Trojan. To distribute different variants of Trojan.Dyre, attackers used affiliate programs, implementing the CaaS (crime-as-a-service) model. The “clients of this service” received a builder that was used to generate samples of the Trojan. In addition, attackers provided “users” with a special bot control panel. To learn more about how Doctor Web specialists fight against virus makers responsible for creation and distribution of Trojan.Dyre, read the article published by Doctor Web.
In mid-February, security researchers registered a new malware program—Trojan.Proxy2.102—that threatened customers of several Russian banks by stealing money from victims’ bank accounts. Once launched, it installed a root digital certificate and changed the Internet connection settings specifying a proxy server that belonged to virus makers.
This server was also applied to inject arbitrary content into websites once a user opened them on the infected computer. Therefore, a victim was tricked into transferring money from their accounts to cybercriminals’. For more information about Trojan.Proxy2.102, refer to the news article.
At the end of February, Doctor Web reported on detection of a backdoor Trojan named BackDoor.Andromeda.1407. Its key feature lay in the fact that this Trojan deleted itself from computers that used Russian, Ukrainian, Belorussian, or Kazakh keyboard layouts. The backdoor is currently known to distribute several malicious applications.
During February 2016, 453,623 URLs of non-recommended websites were added to the Dr.Web database.
|January 2016||February 2016||Dynamics|
The past month was marked by several incidents involving Trojans for Android. At the beginning of the month, Doctor Web security researchers examined a group of Trojans belonging to the Android.Loki family. Its representatives were designed to download and install software, display advertising, and collect confidential information. In addition, attackers continued distributing banking Trojans among Android devices users in February.
Among the most noticeable February events related to mobile malware, we can mention
Find out more about malicious and unwanted programs for mobile devices in our special overview.