In August, Doctor Web’s experts discovered the Android.Vo1d backdoor, which had infected nearly 1.3 million Android TV boxes belonging to users in 197 countries. This malicious app places its components in the system storage area of infected devices and, when commanded by the threat actors, can covertly download and install other programs.
In addition, banking trojans targeting Indonesian users were found. One of these, Android.SmsSpy.888.origin, is protected with a software packer; the packed sample is detected as Android.Siggen.Susp.9415. It was distributed under the guise of BRImo Support, a supposed customer-support app for the BRI bank.
When launched, the trojan loads the real bank website https://bri.co.id in a WebView. At the same time, it uses the Telegram bot API to send technical information about the infected device to a Telegram chat created by the threat actors.
Android.SmsSpy.888.origin intercepts incoming SMS and forwards them to the same chat. Incoming messages of the form "55555, <number>, <text>" are interpreted as commands: the trojan sends an SMS containing <text> to <number>. In this way the malware can both send SMS spam and propagate itself to other users.
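To make the command grammar concrete, here is an added Python model of the SMS handling described above. It is written for this review and is not code from Doctor Web or from the trojan itself. The phone-number check, the treatment of commas inside <text>, and the assumption that command messages are mirrored to the operator chat like any other SMS are assumptions of this example; the sample messages are constructed.

```python
# Added example: a model of Android.SmsSpy.888.origin's SMS handling as described in the
# write-up. Not the trojan's source and not Doctor Web's code. Command grammar taken from
# the text: a body of the form "55555, <number>, <text>"; every other SMS is only mirrored.
import re
from typing import Dict, Optional, Tuple

COMMAND_MARKER = "55555"

# Assumption: a plausible phone-number shape (optional '+', 6-15 digits). The real
# trojan's validation, if any, is not described in the write-up.
NUMBER_RE = re.compile(r"\+?\d{6,15}")


def parse_command(body: str) -> Optional[Tuple[str, str]]:
    """Return (number, text) if `body` is a send-SMS command, otherwise None.

    <text> may itself contain commas, so the body is split at most twice and the
    remainder is kept whole.
    """
    parts = body.split(",", 2)
    if len(parts) != 3:
        return None
    marker, number, text = (p.strip() for p in parts)
    if marker != COMMAND_MARKER or not NUMBER_RE.fullmatch(number) or not text:
        return None
    return number, text


def handle_incoming_sms(sender: str, body: str) -> Dict[str, Dict[str, str]]:
    """Decide what the trojan does with one intercepted SMS.

    'forward_to_chat' is always present (assumption: commands are mirrored too);
    'send_sms' is added only for a well-formed command and carries the outbound
    spam / self-propagation message.
    """
    actions = {"forward_to_chat": {"from": sender, "body": body}}
    cmd = parse_command(body)
    if cmd is not None:
        number, text = cmd
        actions["send_sms"] = {"to": number, "text": text}
    return actions


# Constructed sample traffic, not captured data.
SAMPLE_SMS = [
    ("+6281000000001", "Your OTP code is 123456"),
    ("+6281000000002", "55555, 081234567890, Hello, your account needs verification"),
    ("+6281000000003", "55555, notanumber, hi"),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_SMS:
        print(handle_incoming_sms(sender, body))
```

Note the third sample: a malformed command falls through to plain mirroring rather than raising, which is how a responder replaying captured SMS bodies through such a model would expect it to behave.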
Another trojan that attacked Indonesian users was Android.SmsSpy.11629. This malicious program is an SMS spy distributed under the guise of all kinds of apps. The variant in question targeted Bank Mandiri Taspen customers and was passed off by the attackers as the bank’s official app, Movin by Bank Mandiri Taspen. The trojan shows potential victims a set of instructions and asks them to accept a user agreement. Once the user accepts, the trojan requests the permissions it needs to work with SMS.
Next, the malicious program loads a real page of the bank’s website, https://mail.bankmantap.co.id/, in a WebView.
Android.SmsSpy.11629 intercepts all incoming SMS and uses the Telegram bot API to send them to the attackers’ Telegram chat, appending the text "developed by : @AbyssalArmy" to every message.
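Both trojans exfiltrate over the Telegram bot API, which leaves an analyst a few stable strings to look for in a decompiled sample or in proxy logs. The following Python is an added example, not Doctor Web’s tooling: it pulls the bot token, API method and chat_id out of Telegram bot API URLs and flags the "@AbyssalArmy" tag and the two decoy bank domains named above. The sample strings and the token value are constructed; the token regex is a deliberately loose assumption about the token format.

```python
# Added example (not Doctor Web's code): extract Telegram-bot-API exfiltration indicators
# from strings recovered from a sample (e.g. decompiler output) or from proxy logs, using
# the details the write-up gives for Android.SmsSpy.888.origin and Android.SmsSpy.11629.
import re
from typing import Dict, List

# Telegram bot tokens have the shape "<bot_id>:<secret>". The secret's exact length is an
# assumption here; the pattern is kept permissive on purpose.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{20,})/([A-Za-z]+)"
)
CHAT_ID_RE = re.compile(r"chat_id=(-?\d+)")
AUTHOR_TAG = "developed by : @AbyssalArmy"  # appended by SmsSpy.11629 to every exfiltrated SMS
BANK_DECOYS = ("bri.co.id", "bankmantap.co.id")  # sites the trojans load in a WebView

KINDS = ("bot_tokens", "api_methods", "chat_ids", "author_tags", "decoy_sites")


def scan_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Return the indicators found, grouped by kind.

    Each list is de-duplicated and order-preserving so it can go straight into a ticket.
    """
    found: Dict[str, List[str]] = {k: [] for k in KINDS}

    def add(kind: str, value: str) -> None:
        if value not in found[kind]:
            found[kind].append(value)

    for s in strings:
        for token, method in BOT_API_RE.findall(s):
            add("bot_tokens", token)
            add("api_methods", method)
        for chat_id in CHAT_ID_RE.findall(s):
            add("chat_ids", chat_id)
        if AUTHOR_TAG in s:
            add("author_tags", AUTHOR_TAG)
        for site in BANK_DECOYS:
            if site in s:
                add("decoy_sites", site)
    return found


def looks_like_telegram_sms_spy(found: Dict[str, List[str]]) -> bool:
    """Heuristic verdict: bot API use combined with the author tag or a decoy bank site.

    Bot API use alone is not enough; plenty of legitimate apps talk to Telegram bots.
    """
    return bool(found["bot_tokens"]) and bool(found["author_tags"] or found["decoy_sites"])


# Constructed sample strings; the token is a dummy, not a real credential.
SAMPLE_STRINGS = [
    "android.permission.RECEIVE_SMS",
    "https://api.telegram.org/bot1234567890:AAEdummyTOKENdummyTOKENdummyTOKEN12/sendMessage"
    "?chat_id=-1001234567890&text=",
    "https://mail.bankmantap.co.id/",
    "developed by : @AbyssalArmy",
]

if __name__ == "__main__":
    result = scan_strings(SAMPLE_STRINGS)
    print(result)
    print("verdict:", looks_like_telegram_sms_spy(result))
```

A recovered token and chat_id are useful beyond detection: the token identifies the bot account that received the stolen SMS, which is what you would hand to Telegram in an abuse report.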
At the same time, our malware analysts again discovered threats on Google Play, among them many new fake apps and several ad-displaying trojans.