Mobile threat of the month
In early October, Doctor Web informed users of several clicker Trojans added to the Dr.Web virus database as Android.Click.322.origin , Android.Click.323.origin and Android.Click.324.origin . These malicious applications quietly loaded websites where they independently subscribed their victims to paid mobile services. Features of the Trojans:
- built into harmless programs;
- protected by a commercial packer;
- disguise themselves as known SDKs;
- attack users in certain countries.
Throughout the month, our virus analysts detected other modifications of these clickers - for example, Android.Click .791 , Android.Click .800 , Android.Click .802 , Android.Click .808 , Android.Click .839 , Android.Click . 841 . Later, malicious applications similar to them were found, which were named Android.Click .329.origin , Android.Click .328.origin and Android.Click .844 . They also signed victims for paid services, but other virus writers could be their developers. All these Trojans were hiding in seemingly innocuous programs - cameras, photo editors and wallpaper collections.
According to Dr.Web for Android Antivirus Products
- Android.HiddenAds .472.origin - Trojan showing intrusive ads.
- Android.RemoteCode .5564 - A malicious application that downloads and executes arbitrary code.
- Android.Backdoor .682.origin - A Trojan that executes malicious commands and allows them to control infected mobile devices.
- Android.DownLoader .677.origin - Downloader for other malware.
- Android.Triada.465 .origin - A multifunctional Trojan that performs a variety of malicious actions.
- Program.FakeAntiVirus .2.origin - Detection of adware applications that simulate the operation of antivirus software.
- Program.MonitorMinor .1.origin
- Program.MobileTool .2.origin
- Program.FreeAndroidSpy .1.origin
- Program.SpyPhone .4.origin - Programs that monitor the owners of Android devices and can be used for cyber espionage.
- Tool.SilentInstaller .6.origin
- Tool.SilentInstaller .7.origin
- Tool.SilentInstaller .11.origin
- Tool.VirtualApk .1.origin - Potentially dangerous software platforms that allow applications to run apk files without installing them.
- Tool.Rooter .3 - A utility designed to obtain root privileges on Android devices. It can be used by cybercriminals and malware.
- Adware.Patacore .25 3
- Adware.Myteam.2.origin
- Adware.Toofan.1.origin
- Adware.Adpush.6547
- Adware.Altamob.1.origin
Trojans on Google Play
Along with clicker Trojans, Doctor Web virus analysts have revealed many new versions on Google Play, as well as modifications of already known malicious applications of the Android.Joker family. Among them are Android.Joker .6 , Android.Joker .7 , Android.Joker .8 , Android.Joker .9 , Android.Joker .12 , Android.Joker .18 and Android.Joker .20.origin . These Trojans download and launch additional malicious modules, are capable of executing arbitrary code, and subscribe users to expensive mobile services. They are distributed under the guise of useful and harmless programs - collections of images for the desktop, cameras with art filters, various utilities, photo editors, games, Internet instant messengers and other software.
In addition, our experts discovered another adware Trojan from the Android.HiddenAds family, which received the name Android.HiddenAds .477.origin . Attackers distributed it under the guise of a video player and an application that provides information about phone calls. After launch, the Trojan hid its icon in the list of applications on the Android OS main screen and began to display annoying ads.
Records for detecting the Android.SmsSpy .10437 and Android.SmsSpy .10447 Trojans were also added to the Dr.Web virus database. They were hiding in a collection of images and a camera application. Both malware intercepted the contents of incoming SMS messages, while Android.SmsSpy .10437 could execute arbitrary code downloaded from the control server.
To protect Android devices from malicious and unwanted programs, users should install Dr.Web for Android anti-virus products.