Full Report
March 29, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, in January 2024, users were most likely to encounter Android.HiddenAds trojan applications; these were detected on protected devices 54.45% more often than in December 2023. At the same time, the activity of another adware trojan family, Android.MobiDash, remained virtually unchanged, increasing by only 0.90%. The number of attacks carried out by various banking trojan families increased by 17.04%, Android.Spy spyware trojan attacks increased by 11.16%, and Android.Locker ransomware attacks increased by an insignificant 0.92%.

At the same time, our specialists uncovered more threats on Google Play, including a new family of unwanted adware modules dubbed Adware.StrawAd and new trojans from the Android.FakeApp family. Malicious actors use the latter to execute various fraudulent schemes.

## PRINCIPAL TRENDS IN JANUARY

- Adware trojans from the Android.HiddenAds family maintained their lead in terms of the number of times they were detected on protected devices
- Many Android malware families became more active
- More threats were discovered on Google Play

## According to statistics collected by Dr.Web for Android

**Android.HiddenAds.3851**, **Android.HiddenAds.3831**
Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.

**Android.Spy.5106**, **Android.Spy.4498**
The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. And when such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.

**Android.MobiDash.7805**
A trojan that displays obnoxious ads. It is a special software module that developers incorporate into applications.

**Program.CloudInject.1**
The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, track when other software is being installed or removed from a device, etc.

**Program.FakeAntiVirus.1**
The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.

**Program.wSpy.3.origin**
A commercial spyware app designed to covertly monitor Android device user activity. It allows intruders to read SMS and chats in popular messaging software, listen to the surroundings, track device location and browser history, gain access to the phonebook and contacts, photos and videos, and take screenshots and pictures through a device’s built-in camera. It also has keylogger functionality.

**Program.FakeMoney.7**
The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their “earnings”, users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.

**Program.TrackView.1.origin**
The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.

**Tool.NPMod.1**
The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.

**Tool.SilentInstaller.14.origin**, **Tool.SilentInstaller.7.origin**, **Tool.SilentInstaller.6.origin**
Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of these platforms, can operate as if they are part of such programs and can also obtain the same permissions.

**Tool.LuckyPatcher.1.origin**
A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

**Adware.StrawAd.1**
The detection name for Android programs containing the built-in Adware.StrawAd.1.origin unwanted adware module. This module displays ads from various advertising service providers when Android device screens are unlocked.

**Adware.AdPush.39.origin**, **Adware.Adpush.21846**
Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

**Adware.Airpush.7.origin**
A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

**Adware.ShareInstall.1.origin**
An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.

## Threats on Google Play

At the beginning of January 2024, Doctor Web’s virus laboratory tracked down a number of games on Google Play containing the built-in Adware.StrawAd.1.origin unwanted adware platform:

- Crazy Sandwich Runner
- Purple Shaker Master
- Poppy Punch Playtime
- Meme Cat Killer
- Toiletmon Camera Playtime
- Finger Heart Matching
- Toilet Monster Defense
- Toilet Camera Battle
- Toimon Battle Playground

This platform is a specialized encrypted software module that is stored in the resource directory of the host applications. When an Android device’s screen is unlocked, it can display ads coming from a variety of advertising service providers. Dr.Web anti-virus detects apps containing Adware.StrawAd.1.origin as members of the Adware.StrawAd family.

During January, our specialists also discovered a number of malicious fake programs from the Android.FakeApp family. For example, the Android.FakeApp.1579 trojan was concealed in the Pleasant Collection app, which masqueraded as a program that lets users read comics. However, its only task was to load fraudulent websites, which could include sites through which users could allegedly access certain games, including adult ones. Below is an example of one such site.

In this case, before “starting” the game, the potential victim is asked to answer several questions and then provide their personal data, followed by their bank card data―supposedly to verify the user’s age.

Some of the malicious Android.FakeApp programs discovered were again disguised as games. They were added to the Dr.Web virus database as Android.FakeApp.1573, Android.FakeApp.1574, Android.FakeApp.1575, Android.FakeApp.1577, and Android.FakeApp.32.origin. Under certain conditions, such fakes could load online casino and bookmaker websites.

Examples of how they operate as games:

An example of one of the websites they loaded:

Loading online casino and bookmaker websites was also the task assigned to a few other trojans. For instance, Android.FakeApp.1576 malware was concealed in the Contour Casino Glam makeup teaching app and in Fortune Meme Studio―a meme-creation tool. And the Android.FakeApp.1578 trojan was in the Lucky Flash Casino Light flashlight program. Once installed, they operated as harmless apps, but after a while they could start loading target websites.

In addition, malicious actors distributed different variants of the Android.FakeApp.1564 and Android.FakeApp.1580 trojans, disguising them as financial apps, reference books and teaching aids, programs for participating in surveys, and other software. These fake apps loaded bogus financial websites where potential victims were offered various services allegedly on behalf of well-known companies. For example, users “could” become investors or improve their financial literacy. To “access” one or another service, users had to take a survey and register an account by providing their personal data.

Examples of websites loaded:

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.
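Several of the behaviours above leave traces in an app's manifest before it ever runs: an ad module that fires when the screen is unlocked (Adware.StrawAd), a service that reads notification contents (Android.Spy), and permissions that let an app prompt for installs from unknown sources or draw overlays. The following triage script is an added example, not code from the Dr.Web report; the manifest, package and component names it checks are constructed for the example, and the launcher-alias check is a weak heuristic noted as such in the comments.

```python
# Added example, not code from the Dr.Web report: static triage of an AndroidManifest.xml
# for manifest-visible traits of the families described above. A hit means "look closer".
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def attr(elem, name):  # read an android:-namespaced attribute such as android:name
    return elem.get("{%s}%s" % (ANDROID_NS, name))

# Permissions that are out of place in a game, a flashlight or a comic reader.
SUSPECT_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can prompt the user to install APKs from unknown sources",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays (remotely configured dialogs, full-screen ads)",
}

def triage_manifest(xml_text):
    """Return (kind, component_or_permission, reason) tuples, one per hit."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {attr(p, "name") for p in root.iter("uses-permission")}
    for perm, why in SUSPECT_PERMISSIONS.items():
        if perm in declared:
            findings.append(("permission", perm, why))
    app = root.find("application")
    if app is None:
        return findings
    # Adware.StrawAd shows ads when the screen is unlocked; a receiver for
    # android.intent.action.USER_PRESENT is the manifest-level way to wake up at that moment.
    for recv in app.iter("receiver"):
        actions = {attr(a, "name") for a in recv.iter("action")}
        if "android.intent.action.USER_PRESENT" in actions:
            findings.append(("receiver", attr(recv, "name"), "runs when the screen is unlocked (screen-unlock ad trigger)"))
    # Android.Spy steals notification contents; on Android that requires a service
    # protected by BIND_NOTIFICATION_LISTENER_SERVICE that the user has enabled as a listener.
    for svc in app.iter("service"):
        if attr(svc, "permission") == "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE":
            findings.append(("service", attr(svc, "name"), "reads the content of every notification"))
    # Android.HiddenAds hides its icon. The hiding itself is a runtime call
    # (PackageManager.setComponentEnabledSetting) and is invisible here, but a launcher
    # entry placed on an activity-alias is cheap to switch off later, so flag it (weak signal).
    for alias in app.iter("activity-alias"):
        cats = {attr(c, "name") for c in alias.iter("category")}
        if "android.intent.category.LAUNCHER" in cats:
            findings.append(("activity-alias", attr(alias, "name"), "home-screen icon lives on an alias that can be disabled at runtime"))
    return findings

# Constructed sample manifest; package and component names are invented for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Constructed Runner">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Launcher" android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".UnlockReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for kind, name, reason in triage_manifest(SAMPLE_MANIFEST):
        print(f"[{kind}] {name}: {reason}")
```

Run it against a manifest decoded from an APK (for example with apktool) to get the list of components and permissions worth a manual look; none of these hits is a verdict on its own.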
Analysis Summary
# Tool/Technique: Android.HiddenAds Trojan Family
## Overview
A dominant family of adware trojans on Android devices in January 2024, showing a 54.45% increase in detections compared to December 2023. These applications are designed to relentlessly display intrusive advertisements.
## Technical Details
- Type: Malware family (Adware Trojan)
- Platform: Android
- Capabilities: Display intrusive ads, conceal presence from the user (e.g., hiding icons).
- First Seen: Not specified, established family.
## MITRE ATT&CK Mapping
* T1560 - Archive Collected Data
  - T1560.001 - Archive via Utility (Implied, if packed for distribution)
* T1546 - Event Triggered Execution
  - T1546.009 - Component Object Model Hijacking (If icon hiding leverages specific system components, or hooks for execution)
* T1204 - User Execution
  - T1204.002 - Malicious File (Via drive-by download or deceptive app store installation)
## Functionality
### Core Capabilities
- Displaying intrusive advertisements to the end-user.
- Often distributed masquerading as popular and harmless applications.
### Advanced Features
- **Obfuscation/Evasion:** Hides its icon from the home screen menu to conceal presence from the user.
- **Persistence/Installation:** Can be installed directly by the user or secretly installed by other malware into the system directory.
## Indicators of Compromise
- File Hashes: Not provided in the context, but specific variants include `Android.HiddenAds.3851` and `Android.HiddenAds.3831`.
- File Names: Varied, based on the legitimate-looking application it is disguised as.
- Registry Keys: Not applicable (Android structure).
- Network Indicators: Not specified for C2, but relies on advertising service providers.
- Behavioral Indicators: Unsolicited display of ads, missing application icon after installation.
## Associated Threat Actors
- Not explicitly named, generally associated with financially motivated adware campaigns.
## Detection Methods
- Signature-based detection (Dr.Web signatures for variants .3851, .3831).
- Behavioral detection (Monitoring for persistent, intrusive ad display and icon hiding).
## Mitigation Strategies
- Installing reputable Android anti-virus solutions (like Dr.Web).
- Systematically reviewing application permissions upon installation.
- Installing apps only from trusted sources (though threats are appearing on Google Play).
## Related Tools/Techniques
- Android.MobiDash (Another active adware family).
- Adware.StrawAd (New adware found on Google Play).
---
# Tool/Technique: Android.Spy Malware Family (Variants: Android.Spy.5106, Android.Spy.4498)
## Overview
A spyware trojan family that primarily targets users by masquerading as modified versions of unofficial WhatsApp messenger mods. It focuses on information theft, notification interception, and delivering other applications.
## Technical Details
- Type: Malware family (Spyware Trojan)
- Platform: Android
- Capabilities: Steals notification contents, offers installation of apps from unknown sources, displays remotely configurable dialog boxes.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
* T1005 - Data from Local System
  - T1005.001 - Data from User Execution (e.g., reading notifications)
* T1057 - Process Discovery (Implied, to interact with installed apps)
* T1119 - Screen Capture (Less direct, but potential precursor to data theft)
* T1059 - Command and Scripting Interpreter
  - T1059.004 - Android Evasion Techniques (Displaying configurable dialogs)
## Functionality
### Core Capabilities
- Disguise as unofficial, modified WhatsApp messengers.
- Intercept and steal the content of user notifications.
### Advanced Features
- **External App Promotion:** Promotes the installation of other applications sourced from unknown origins.
- **Remote Configuration:** Capable of displaying dialog boxes populated with content configured remotely by the attacker.
## Indicators of Compromise
- File Hashes: Not provided, but variants include `Android.Spy.5106` and `Android.Spy.4498`.
- File Names: Disguised as unofficial WhatsApp mods.
- Network Indicators: Requires network connectivity for remote configuration of dialogs.
- Behavioral Indicators: Intercepting system notifications, prompting installation of external APKs.
## Associated Threat Actors
- Not specified.
## Detection Methods
- Signature detection for known variants.
- Behavioral analysis detecting notification content capture or sideloading attempts.
## Mitigation Strategies
- Avoiding unofficial or modified versions of popular applications, especially messengers.
- Disabling installation from "Unknown Sources."
## Related Tools/Techniques
- Program.wSpy.3.origin (Commercial spyware with broader surveillance capabilities).
---
# Tool/Technique: Android.FakeApp Family (Various Variants)
## Overview
A broad family of trojans designed to execute various fraudulent schemes by utilizing social engineering tactics. These apps often masquerade as popular utilities, games, or financial aids before loading fraudulent or malicious websites. Activity increased in January 2024.
## Technical Details
- Type: Malware family (Fraud/Deception Trojan)
- Platform: Android
- Capabilities: Loading fraudulent websites (online casinos, bookmakers, fake investment schemes), collecting personal and bank card data under false pretenses.
- First Seen: Not specified, established family.
## MITRE ATT&CK Mapping
* T1566 - Phishing
  - T1566.002 - Spearphishing Link (Delivering users to fraudulent sites)
* T1539 - Data Staged (Collecting PII and financial data)
* T1562 - Impair Defenses
  - T1562.001 - Disable or Modify System Firewall (Potentially via high permissions)
* T1189 - Drive-by Compromise (If the loaded site initiates downloads)
## Functionality
### Core Capabilities
- **Malicious Redirection:** After initial installation/operation as a seemingly legitimate app (makeup tool, flashlight, game, comic reader), they load malicious or fraudulent external websites.
- **Data Harvesting:** Tricking users into providing personal data and bank card details under the guise of verification (e.g., age verification, financial literacy access).
### Advanced Features
- **Variant Diversity:** Variants were found disguised as diverse software:
  - **Games/Entertainment:** `Android.FakeApp.1573` to `.1575`, `.1577`, `.32.origin` (loaded casino/bookmaker sites).
  - **Utility/Lifestyle:** `Android.FakeApp.1576` (makeup app), `Android.FakeApp.1578` (flashlight app).
  - **Financial/Education:** `Android.FakeApp.1564`, `Android.FakeApp.1580` (financial apps, survey participation apps).
- **Delayed Action:** Some variants operate harmlessly initially before beginning to load target websites.
## Indicators of Compromise
- File Hashes: Not provided, but variants include .1579, .1573, .1574, .1575, .1576, .1577, .1578, .1564, .1580, .32.origin.
- File Names: Examples include *Pleasant Collection*, *Contour Casino Glam*, *Fortune Meme Studio*, *Lucky Flash Casino Light*.
- Network Indicators: Domains hosting online casinos, bookmakers, and fake investment schemes.
- Behavioral Indicators: Starting processes that immediately load web views pointing to non-whitelisted domains; requesting excessive PII/financial data forms.
## Associated Threat Actors
- Not specified (General fraudulent operators).
## Detection Methods
- Heuristics detecting unauthorized web launches following app execution.
- Monitoring known fraudulent domains loaded by these trojans.
## Mitigation Strategies
- Extreme caution when apps request excessive personal or financial information, regardless of the app's stated purpose.
- Scrutinizing the actual functionality of new or niche apps found in app stores.
## Related Tools/Techniques
- Banking Trojans (Increased 17.04% activity suggests convergence with financial fraud).
---
# Tool/Technique: Program.CloudInject.1 / Tool.CloudInject
## Overview
Android programs that have been modified remotely using the `CloudInject` cloud service or its associated utility (`Tool.CloudInject`). This modification process occurs on a remote server, meaning the end-user has no control over the injected content.
## Technical Details
- Type: Modified Program / Utility (Cloud Injection Framework)
- Platform: Android
- Capabilities: Remote modification of apps, gaining dangerous system permissions, remote management (blocking, displaying custom dialogs, tracking software installation/removal).
- First Seen: Not specified.
## MITRE ATT&CK Mapping
* T1484 - Domain Trust (Implied, if modifications subvert trust mechanisms)
* T1049 - Implication of Trusted System Behavior
  - T1049.002 - Remote System Manipulation (Remote management capabilities)
* T1547 - Boot or Logon Autostart Execution (Implied, for persistent management)
## Functionality
### Core Capabilities
- Remote program modification via a cloud service.
- Granting subsequent modifications dangerous system permissions.
### Advanced Features
- **Remote Control:** Attackers can remotely manage the modified application, including:
  - Blocking the app.
  - Displaying custom dialog boxes.
  - Tracking the installation or removal of other software on the device.
## Indicators of Compromise
- Behavioral Indicators: Apps exhibiting management capabilities or permission usage inconsistent with their stated function, suggesting remote injection.
## Mitigation Strategies
- Avoid using application modification services or utilities where the modification payload cannot be verified or controlled.
## Related Tools/Techniques
- Tool.NPMod.1 (Modification utility using NP Manager).
- Tool.LuckyPatcher.1.origin (General application patching tool).
---
# Tool/Technique: Program.wSpy.3.origin
## Overview
A commercial spyware application capable of covertly monitoring a wide range of user activities on an Android device.
## Technical Details
- Type: Commercial Spyware
- Platform: Android
- Capabilities: SMS/chat reading, environmental audio recording, location tracking, browser history monitoring, contact harvesting, media access, screenshotting, keylogging.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
* T1005 - Data from Local System
  - T1005.005 - Data from Messages
* T1021 - Remote Services
  - T1021.001 - Remote Access Software (Commercial Spyware proxying data)
* T1057 - Process Discovery
  - T1057.001 - System Process Discovery (To monitor or inject into other apps)
* T1056 - Input Capture
  - T1056.001 - Keylogging
## Functionality
### Core Capabilities
- Surveillance and data exfiltration spanning communications, location, and file system access.
- Full media and microphone access for surveillance.
### Advanced Features
- **Keylogging:** Recording all keyboard inputs.
- **Contact and Media Access:** Full exfiltration of phonebook, photos, and videos.
## Associated Threat Actors
- Typically marketed toward legitimate entities or sold on underground markets for individual surveillance purposes.
## Mitigation Strategies
- Disabling microphone/camera/location permissions for suspicious or unknown apps.
- Regularly auditing installed applications.
## Related Tools/Techniques
- Program.TrackView.1.origin (Monitoring program).
---
# Tool/Technique: Tool.SilentInstaller (Variants: .14.origin, .7.origin, .6.origin)
## Overview
Riskware platforms integrated into Android applications that enable the execution of other APK files without requiring a standard installation process. This is achieved by creating a virtual runtime environment within the host application.
## Technical Details
- Type: Riskware Platform/Installer
- Platform: Android
- Capabilities: Silent installation/execution of arbitrary APKs within a virtual runtime environment scoped to the host app's permissions.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
* T1105 - Ingress Tool Transfer
  - T1105.003 - Download from Cloud Storage (If the APK to be installed comes from a remote server)
* T1106 - Native API (If used to directly invoke installer functions in the virtual environment)
* T1547 - Boot or Logon Autostart Execution (Potential use for persistence of secondary payloads)
## Functionality
### Core Capabilities
- Launching APK files without requiring explicit user confirmation for installation outside the host app's boundaries.
### Advanced Features
- **Permission Inheritance:** Executed APKs can potentially operate using the permissions granted to the host program.
## Mitigation Strategies
- Security software detection of known silent installer hooks.
- Restricting app permissions, especially those related to file access and running background services.
## Related Tools/Techniques
- Tool.LuckyPatcher.1.origin (Modification tool that can bypass security controls).
---
# Tool/Technique: Tool.LuckyPatcher.1.origin
## Overview
A general-purpose utility for modifying installed Android applications (patching) to alter their logic or bypass restrictions. While it can have benign uses (e.g., game modification), its patches can be malicious.
## Technical Details
- Type: Utility/Modification Tool
- Platform: Android
- Capabilities: Applying patches via downloaded scripts to alter app behavior, bypass root checks (e.g., in banking software), or gain unlimited resources in games.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
* T1584 - Resource Development
  - T1584.002 - Compromise Software Supply Chain (If malicious scripts are added to the patch database)
* T1219 - Remote Access Software (If used to bypass security controls like root detection)
## Functionality
### Core Capabilities
- Modifying application logic by applying patches.
- Bypassing security checks (e.g., root detection).
### Advanced Features
- **Script-Based Modification:** Downloads externally prepared scripts from the internet to apply patches, introducing a supply chain risk as any third party can contribute malicious scripts.
## Mitigation Strategies
- Monitoring for applications whose behavior abruptly changes post-installation without updates.
- Security checks designed to detect runtime tampering or patched binaries.
## Related Tools/Techniques
- Tool.NPMod.1, Tool.CloudInject.1 (Other modification/injection utilities).
---
# Tool/Technique: Adware.StrawAd (Variant: Adware.StrawAd.1.origin)
## Overview
A newly discovered family of unwanted adware modules found embedded in games on Google Play. It specifically targets users when the device screen is unlocked to display advertisements.
## Technical Details
- Type: Adware Module
- Platform: Android
- Capabilities: Displays ads from various advertising service providers upon screen unlock.
- First Seen: January 2024 (Discovery timeline in the report).
## MITRE ATT&CK Mapping
* T1564 - Hide Artifacts
  - T1564.003 - Hide Window Content (By displaying an ad over the unlocked screen/lock screen)
* T1021 - Remote Services (Retrieving ads from various service providers)
## Functionality
### Core Capabilities
- Displays advertising content immediately upon the user unlocking the Android screen.
### Advanced Features
- **Distribution Channel:** Successfully discovered distributed via Google Play store applications.
- **Concealment:** The module is described as a specialized encrypted software module stored in the host application's resource directory.
## Indicators of Compromise
- File Names: Found embedded in games such as *Crazy Sandwich Runner*, *Purple Shaker Master*, *Poppy Punch Playtime*, etc.
- Behavioral Indicators: Ads appearing immediately upon unlocking the device, originating from a game or utility app.
## Mitigation Strategies
- Careful review of applications downloaded from Google Play, especially games with high monetization intent.
## Related Tools/Techniques
- Adware.Adpush, Adware.Airpush (Other notification/ad-based adware modules).