September 15, 2023
According to detection statistics collected by Dr.Web for Android, in July 2023, users encountered Android.HiddenAds adware trojans 33.48% more often, compared to June. At the same time, adware trojans from the Android.MobiDash were detected 24.11% less often. The number of spyware trojan attacks decreased by 2.81%, compared to the previous month. In contrast, the activity of banking trojans increased by 2.31%, while the activity of ransomware from the Android.Locker family increased by 8.53%.
New threats were detected on Google Play. Among them were other malicious applications that subscribed victims to paid services and a trojan app through which cybercriminals tried to steal cryptocurrency from Android device users.
PRINCIPAL TRENDS IN JULY
- An increase in Android.HiddenAds adware trojan activity
- A decrease in Android.MobiDash adware trojan activity
- An increase in banking malware and ransomware trojan activity
- New threats detected on Google Play
According to statistics collected by Dr.Web for Android
- Android.HiddenAds.3697
- A trojan app designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
- Android.Spy.5106
- The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
- Android.Packed.57083
- The detection name for malicious applications protected with an ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
- Android.Pandora.7
- Android.Pandora.5
- The detection name for malicious programs that download and install the Android.Pandora.2 backdoor trojan. Threat actors often plug such downloaders into Smart TV software oriented toward Spanish-speaking users.
- Program.FakeMoney.7
- Program.FakeMoney.8
- The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
- Program.FakeAntiVirus.1
- The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
- Program.SecretVideoRecorder.1.origin
- The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- Program.SnoopPhone.1.origin
- An application designed to monitor the activity of Android device owners. It allows snoops to read SMS, collect call information, track device location, and record the surroundings.
- Tool.SilentInstaller.14.origin
- Tool.SilentInstaller.6.origin
- Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment that does not affect the main operating system.
- Tool.LuckyPatcher.1.origin
- A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third-party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
- Tool.ApkProtector.16.origin
- The detection name for Android apps protected by the ApkProtector software packer. This packer is not malicious in itself, but cybercriminals can use it when creating malware and unwanted applications to make it more difficult for anti-virus software to detect them.
- Tool.Packer.3.origin
- The detection name for Android programs whose code is encoded and obfuscated by the NP Manager tool.
- Adware.Fictus.1.origin
- An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
- Adware.ShareInstall.1.origin
- An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
- Adware.Airpush.7.origin
- A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
- Adware.MagicPush.3
- An adware module embedded into Android applications. It displays pop-up banners over the OS user interface when such hosting apps are not in use. These banners contain misleading information. Most often, they inform users about suspicious files that have allegedly been discovered, or they offer to block spam for users or to optimize their device’s power consumption. To do this, they ask users to open the corresponding app containing such an adware module. Upon opening the app, users are shown an ad.
- Adware.AdPush.39.origin
- A member of a family of adware modules that can be built into Android apps. It displays notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, this module collects a variety of confidential data and is able to download other apps and initiate their installation.
Threats on Google Play
In July on Google Play, Doctor Web’s virus laboratory discovered the Android.CoinSteal.105 trojan application, which is designed to steal cryptocurrency. Threat actors tried passing it off as an official application of the P2B crypto exchange. The genuine app’s name is “P2B official”, while the fake one was called something similar—“P2B Trade: Realize The P2Pb2b”.
In the next image, on the left, is a screenshot of the genuine program on Google Play, while on the right is a screenshot of the fake variant.
At the same time, the phony application was promoted by crypto bloggers. As a result, it was installed twice as many times as the original.
Upon launch, this trojan loads in WebView the TDS (Traffic Delivery System) website specified by the attackers. This site then performs a chain of redirects to other web resources. As of now, the trojan ends up loading the official website of the P2P crypto exchange: https://p2pb2b.com. However, other sites could potentially be loaded as well, including fraudulent ones, or ones that contain ads.
After the crypto-exchange website is loaded, Android.CoinSteal.105 injects JavaScript scripts into it. Using these scripts, it substitutes the crypto-wallet addresses that users enter to withdraw crypto currency.
Moreover, cybercriminals again used Google Play to distribute malicious applications that subscribed victims to paid services. Among them was the Android.Harly.80 trojan. Hidden in the Desktop Pets – Lulu interactive program, it allowed users to interact with a virtual pet.
Another subscription malware was from the Android.Joker trojan family and was added to the Dr.Web virus base as Android.Joker.2170, Android.Joker.2171, and Android.Joker.2176. The first one was built into the Cool Charging Animation program, which is designed to display battery-charging information on the lock screen. The second one was hidden in the Smart Counter app which provides notebook functionality for users to record their activity and track good or not-so-good habits. The last one was distributed under the guise of an image collection app called 4K HD Wallpaper, which can be used to change the home screen background on Android devices.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
Indicators of compromise
Your Android needs protection.
Use Dr.Web
- The first Russian anti-virus for Android
- Over 140 million downloads—just from Google Play
- Available free of charge for users of Dr.Web home products
Free download