# Full Report

March 27, 2025

According to detection statistics collected by Dr.Web Security Space for mobile devices, ad-displaying Android.HiddenAds trojans remained the most common Android malware. Moreover, they were detected on protected devices more than twice as often as in the fourth quarter of last year. Second place once again went to Android.FakeApp malware, which cybercriminals use in various fraudulent schemes; their activity increased by almost 8%. Adware trojans from the Android.MobiDash family ranked third; the number of their detections almost quintupled.

Similar dynamics were observed among many banking trojans. For instance, an increase was recorded in the number of attacks involving Android.BankBot and Android.Banker trojan family members, by 20.68% and 151.71%, respectively. At the same time, Android.SpyMax trojans, whose activity grew throughout almost all of 2024, were detected 41.94% less frequently than in the previous quarter.

Over the past three months, Doctor Web’s specialists discovered dozens of new threats on Google Play. Our virus laboratory’s findings in this catalog included cryptocurrency-stealing malware and other trojans that display intrusive ads, along with the traditionally large number of Android.FakeApp trojans.

## Principal trends of Q1 2025

- Increased activity on the part of adware trojans
- Increased numbers of Android.BankBot and Android.Banker banker malware attacks
- Decreased activity on the part of Android.SpyMax spyware trojans
- The emergence of many new threats on Google Play

## According to statistics collected by Dr.Web Security Space for mobile devices

**Android.HiddenAds.657.origin**, **Android.HiddenAds.655.origin**, **Android.HiddenAds.4214**

Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.

**Android.FakeApp.1600**

A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.

**Android.MobiDash.7859**

A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.

**Program.FakeMoney.11**, **Program.FakeMoney.14**

The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each task that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.

**Program.FakeAntiVirus.1**

The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.

**Program.CloudInject.1**

The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps. They can block them, display custom dialogs, track when other software is being installed on or removed from a device, etc.

**Program.TrackView.1.origin**

The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.

**Tool.NPMod.1**

The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.

**Tool.Androlua.1.origin**

The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts, which are encrypted and are decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.

**Tool.SilentInstaller.14.origin**

A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which it is integrated. The APK files launched with the help of this platform can operate as if they are part of such programs and can also obtain the same permissions.

**Tool.LuckyPatcher.1.origin**

A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

**Tool.Packer.1.origin**

A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.

**Adware.ModAd.1**

The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.

**Adware.Basement.1**

These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.

**Adware.AdPush.3.origin**, **Adware.Adpush.21846**

Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

**Adware.Fictus.1.origin**

An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.

## Threats on Google Play

In Q1 2025, Doctor Web’s virus laboratory detected several dozen malicious programs. Among them were various modifications of the trojans Android.HiddenAds.4213 and Android.HiddenAds.4215, which conceal their presence on infected devices and start displaying ads on top of other apps’ windows and the operating system UI. They masqueraded as software for taking photos and videos with different effects, image-editing programs, an image collection app, and a women’s health diary.

*Figure: The Android.HiddenAds adware trojans concealed in the apps “Time Shift Cam” and “Fusion Collage Editor”*

Our specialists also discovered Android.CoinSteal.202, Android.CoinSteal.203, and Android.CoinSteal.206, malicious programs designed to steal cryptocurrency that are distributed under the guise of official software from the Raydium and Aerodrome Finance blockchain platforms and the Dydx cryptocurrency exchange.

*Figure: The “Raydium” and “Dydx Exchange” programs are trojans that steal cryptocurrency*

When launched, these malicious apps ask potential victims to enter a mnemonic phrase (the seed phrase), supposedly to connect their crypto wallet. But, in reality, the data that users provide is sent to threat actors. To further mislead users, forms for entering mnemonic phrases can be disguised as requests from other crypto platforms. For example, Android.CoinSteal.206 displayed a phishing form allegedly on behalf of the crypto exchange PancakeSwap.

At the same time, Android.FakeApp fake programs were once again being distributed via Google Play. Fraudsters passed off many of them as finance-related software, including teaching aids, instruments for accessing investing services, and personal finance software. They loaded various phishing websites, including those used by threat actors to collect personal information.

*Figure: Examples of the Android.FakeApp trojan apps distributed under the guise of financial software: «Умные Деньги» (“Smart Money”) is Android.FakeApp.1803, and “Economic Union” is Android.FakeApp.1777*

Under certain conditions, other Android.FakeApp trojans loaded bookmaker and online casino sites. Such malware variants were distributed as different games and other software, like a speed-typing trainer and a drawing tutorial. Among them were new modifications of the Android.FakeApp.1669 trojan.

*Figure: Examples of malicious fake apps that, instead of providing the declared functionality, could load online casino and bookmaker websites*

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise
# Analysis Summary
## Malware and TTPs Summary (Q1 2025 Mobile Threats)
This summary covers the malware families, attack tools, and TTPs observed and detailed in the Dr.Web Q1 2025 mobile security review.
---
# Tool/Technique: Android.HiddenAds (e.g., .657.origin, .655.origin, .4214)
## Overview
Ad-displaying Android trojans that consistently dominate detection statistics. They are often distributed disguised as popular, legitimate applications and actively conceal their presence from the user, such as hiding their icons from the home screen menu.
## Technical Details
- Type: Malware Family (Adware Trojan)
- Platform: Android
- Capabilities: Displaying intrusive advertisements, concealing presence on the device.
- First Seen: Q1 2025 (Peak activity noted, detected more than twice as often as Q4 2024)
## MITRE ATT&CK Mapping
- T1070 - Indicator Removal on Host
  - T1070.002 - Clear Host Application Log
    - Note: Hiding icons is a form of persistence or evasion indicative of this tactic.
- T1564 - Hide Artifacts
  - T1564.001 - Hidden Files and Directories
    - Note: Specifically mentioned hiding icons from the home screen menu.
## Functionality
### Core Capabilities
- Displaying obnoxious, intrusive ads.
- Malicious installation into the system directory (sometimes by other malware).
### Advanced Features
- Icon obfuscation/hiding to evade user detection.
## Indicators of Compromise
- File Hashes: N/A (Specific hashes require the linked IOC document)
- File Names: N/A (Distribution filenames vary)
- Registry Keys: N/A
- Network Indicators: Potential connections to ad servers/networks.
- Behavioral Indicators: Injecting ad views over other applications or the OS user interface.
## Associated Threat Actors
Unknown/General adware distribution groups.
## Detection Methods
- Signature-based detection (Dr.Web Security Space).
- Behavioral analysis targeting intrusive ad overlays and icon concealment.
## Mitigation Strategies
- Installation of reputable Android anti-virus solutions.
- Scrutiny of application permissions, especially those seeking display overlay control.
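As an added example (not Doctor Web's code), the following Python script applies the permission scrutiny recommended above to a decoded AndroidManifest.xml: it flags the overlay permission needed to draw ads over other apps, the install/removal monitoring the report describes for Program.CloudInject, the camera and microphone access it describes for Program.TrackView, and a launcher icon declared in a way that is easy to hide at run time. The mapping of permissions to families and the sample manifest are my own constructions, not Dr.Web's detection criteria.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# Permissions tied to behaviours the report describes (family labels are my reading of it).
PERMISSION_FLAGS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps and the system UI (HiddenAds-style ad overlays)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can start installs of other apps (AdPush, SilentInstaller)",
    "android.permission.QUERY_ALL_PACKAGES": "enumerates installed software (CloudInject install/removal tracking)",
    "android.permission.CAMERA": "camera access (TrackView-style surveillance)",
    "android.permission.RECORD_AUDIO": "microphone access (TrackView-style surveillance)",
}
# Broadcasts a receiver subscribes to in order to watch other apps being installed or removed.
PACKAGE_EVENTS = {"android.intent.action.PACKAGE_ADDED", "android.intent.action.PACKAGE_REMOVED"}


def _names(component, tag):
    """Collect android:name values of <action>/<category> children of a component."""
    return {e.get(NS + "name", "") for e in component.iter(tag)}


def triage_manifest(xml_text):
    """Return human-readable findings for one decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(NS + "name", "")
        if name in PERMISSION_FLAGS:
            findings.append(f"{name}: {PERMISSION_FLAGS[name]}")
    # A LAUNCHER filter on an activity-alias can be disabled at run time while the
    # real activity keeps working, one way an app makes its icon vanish after install.
    launcher_hosts = [tag for tag in ("activity", "activity-alias")
                      for comp in root.iter(tag)
                      if "android.intent.action.MAIN" in _names(comp, "action")
                      and "android.intent.category.LAUNCHER" in _names(comp, "category")]
    if not launcher_hosts:
        findings.append("no LAUNCHER entry: the app never shows a home-screen icon")
    elif "activity-alias" in launcher_hosts:
        findings.append("LAUNCHER icon is declared on an activity-alias (easy to hide at run time)")
    for recv in root.iter("receiver"):
        hooked = _names(recv, "action") & PACKAGE_EVENTS
        if hooked:
            findings.append(f"receiver {recv.get(NS + 'name')} watches {', '.join(sorted(hooked))}")
    return findings


# Constructed sample manifest for demonstration; it is not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.collage.editor">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Collage Editor">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Launcher" android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
    <receiver android:name=".PkgWatcher">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REMOVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("-", finding)
```

Run it against the output of an APK decoder such as apktool; a manifest-only check cannot see icons hidden at run time, so treat the findings as triage input rather than a verdict.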
## Related Tools/Techniques
- Android.MobiDash, Adware.Basement, Adware.AdPush
---
# Tool/Technique: Android.FakeApp (e.g., .1600, .1803, .1777, .1669)
## Overview
A broad category of malware used in various fraudulent schemes. Its primary function is to load hardcoded websites, commonly online casinos, bookmakers, or phishing sites designed to collect personal information. Activity increased by almost 8% in Q1 2025.
## Technical Details
- Type: Malware Family (Trojan/Phishing)
- Platform: Android
- Capabilities: Loading hardcoded external webpages, phishing for credentials/personal data.
- First Seen: Trending threat in Q1 2025, increasingly disguised as financial software.
## MITRE ATT&CK Mapping
- T1566 - Phishing
  - T1566.004 - Spearphishing Link in Email / Phishing (Via In-App Content)
    - Note: Loading phishing/casino/bookmaker websites within the application context.
- T1568 - Dynamic Resolution
  - T1568.002 - Domain Name System Compromise (Via hardcoded URL delivery)
## Functionality
### Core Capabilities
- Loading a website specified in the trojan's settings upon execution.
- Mass distribution via Google Play disguised as legitimate applications (e.g., finance, games, tutorials).
### Advanced Features
- Variations designed to load online casino/bookmaker sites.
- Variants spotted masquerading as financial tools like "Smart Money" or "Economic Union."
## Indicators of Compromise
- File Hashes: N/A
- File Names: Distributed under seemingly legitimate names (e.g., financial aids, games).
- Registry Keys: N/A
- Network Indicators: Hardcoded URLs pointing to online casinos, bookmakers, or phishing domains.
- Behavioral Indicators: Immediately launching a full-screen web view upon launch.
## Associated Threat Actors
Cybercriminals engaged in financial fraud and online gambling promotion.
## Detection Methods
- Signature-based detection for known variants.
- Behavioral analysis detecting immediate, unexpected web content loading.
## Mitigation Strategies
- Verify application functionality matches declared purpose before granting permissions.
- Avoid apps on Google Play that require high privileges but seem niche or too simple.
## Related Tools/Techniques
- Android.HiddenAds (also seen aggressively distributed on Google Play)
---
# Tool/Technique: Android.CoinSteal (e.g., .202, .203, .206)
## Overview
Malicious programs specifically designed to steal cryptocurrency. They are distributed by masquerading as official software for well-known blockchain platforms (e.g., Raydium, Aerodrome Finance, Dydx).
## Technical Details
- Type: Malware Family (Cryptocurrency Stealer)
- Platform: Android
- Capabilities: Stealing cryptocurrency mnemonic phrases (seed phrases).
- First Seen: Detected in Q1 2025 new threats on Google Play.
## MITRE ATT&CK Mapping
- T1552 - Compromise Software Supply Chain
  - T1552.001 - Compromise Software Binary (Through impersonation of legitimate platform apps)
- T1559 - Inter-Process Communication
  - T1559.002 - Dynamic Data Exchange (For interacting with wallet data or UI elements)
- T1598 - Spearphishing Campaign
  - T1598.003 - Malicious Application
## Functionality
### Core Capabilities
- Requesting the user to enter their wallet mnemonic phrase under the guise of "connecting" the wallet.
- Exfiltrating the entered seed phrase directly to threat actors.
### Advanced Features
- Phishing forms disguised as official requests from other crypto platforms (e.g., Android.CoinSteal.206 used a PancakeSwap impersonation).
## Indicators of Compromise
- File Hashes: N/A
- File Names: Masqueraded as "Raydium," "Dydx Exchange."
- Registry Keys: N/A
- Network Indicators: Exfiltration C2 servers set up to receive seed phrases.
- Behavioral Indicators: Prompting for a seed phrase immediately after installation/launch.
## Associated Threat Actors
Cryptocurrency theft groups.
## Detection Methods
- Behavioral analysis focused on prompts requesting sensitive cryptographic keys (seed phrases).
- Signature detection based on known application code related to Raydium/Dydx/Aerodrome.
## Mitigation Strategies
- Never enter mnemonic phrases into any application downloaded from a non-official or unverified source.
- Always verify the developer identity on Google Play for financial/crypto apps.
## Related Tools/Techniques
- QR Code Phishing, Credential Harvesting
---
# Tool/Technique: Program.FakeMoney (e.g., .11, .14)
## Overview
Android applications falsely promising users rewards for completing tasks. They simulate reward accrual but prevent users from withdrawing any real payment, regardless of the accumulated balance. These apps often share code components with Adware.Basement.
## Technical Details
- Type: Unwanted Software/Fraudulent Application
- Platform: Android
- Capabilities: Social engineering to encourage task completion; refusal of withdrawal.
- First Seen: Ongoing threat, noted in Q1 2025 review.
## MITRE ATT&CK Mapping
- T1559 - Capitalization Through Fraud
  - T1559.001 - E-commerce Gift Cards (Applicable to fraudulent reward systems)
- T1591 - Advertising and Social Media (Used for promotion)
## Functionality
### Core Capabilities
- User interaction workflow simulating task completion and reward accumulation.
- Displaying lists of popular banks/payment systems to enhance legitimacy.
### Advanced Features
- Inability to withdraw funds even after meeting the stated accumulation threshold.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Generic names related to making money online.
- Registry Keys: N/A
- Network Indicators: Communication with servers detailing task status or reward tracking.
- Behavioral Indicators: Inability to process withdrawal requests.
## Associated Threat Actors
Scammers focused on click revenue or data collection under the guise of remote work.
## Detection Methods
- Behavioral analysis of withdrawal failure loops.
- Signature matching against known codebases shared with Adware.Basement.
## Mitigation Strategies
- Skepticism towards apps promising easy, high rewards for minimal effort.
## Related Tools/Techniques
- Adware.Basement
---
# Tool/Technique: Tool.CloudInject
## Overview
An Android utility used by "modders" to remotely modify applications. Programs modified using this service are controlled remotely, allowing third parties to inject code, manage the application (block it, display custom dialogs), and track the installation/removal of other applications, generally after granting dangerous system permissions.
## Technical Details
- Type: Utility/Framework for Modification
- Platform: Android
- Capabilities: Remote modification of applications, privilege escalation, remote application management.
- First Seen: Mentioned as an existing tool encountered in Q1 2025 review context.
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer
  - T1105.003 - Cloud Storage (Implies remote injection mechanism)
- T1583 - Acquire Infrastructure
  - T1583.006 - Cloud Services (Used to host modification/control functionality)
## Functionality
### Core Capabilities
- Remote server-side modification of installed Android programs.
- Obtaining dangerous system permissions within the modified app context.
### Advanced Features
- Remote management features: blocking apps, displaying custom dialogs, monitoring software lifecycle events.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Traffic associated with the CloudInject remote control servers.
- Behavioral Indicators: Application behavior changing dynamically post-installation based on remote commands.
## Associated Threat Actors
Threat actors utilizing dynamic code injection for maintaining control over compromised applications.
## Detection Methods
- Behavior monitoring for applications that suddenly alter their functionality post-install.
- Reputation checks on software modification tools.
## Mitigation Strategies
- Strict control over application sideloading.
- Monitoring for unexpected system permission changes.
## Related Tools/Techniques
- Tool.NPMod, Tool.LuckyPatcher (Both relate to modifying app logic/bypassing security)
---
# Tool/Technique: Tool.LuckyPatcher.1.origin
## Overview
A utility designed for patching installed Android applications to modify their logic or bypass restrictions (e.g., disabling root checks in banking software, cheating in games). Patches are applied using scripts downloaded from the Internet, which can be malicious.
## Technical Details
- Type: Utility (Patching/Hacking Tool)
- Platform: Android
- Capabilities: Modifying application logic, bypassing security controls (like root detection).
- First Seen: Ongoing threat/tool.
## MITRE ATT&CK Mapping
- T1546 - Event Triggered Execution
  - T1546.003 - Component Object Model Hijacking (Analogy for runtime modification)
- T1059 - Command and Scripting Interpreter
  - T1059.006 - Python (Scripts are downloaded and executed)
## Functionality
### Core Capabilities
- Applying user-selected patches to existing application APKs.
- Bypassing software limitations or security checks.
### Advanced Features
- Downloading and applying externally sourced scripts, introducing supply chain risk into the security bypass process.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Tool name itself or associated script files.
- Registry Keys: N/A
- Network Indicators: Connections downloading patch scripts.
- Behavioral Indicators: Manipulating the runtime execution environment of other apps.
## Associated Threat Actors
Users attempting to gain unauthorized access/features, or attackers using it as a component in a wider attack chain.
## Detection Methods
- Detection of the LuckyPatcher utility installation.
- Monitoring hooks/manipulations applied to sensitive applications (like banking apps).
## Mitigation Strategies
- Avoid using patching tools on devices containing sensitive data or banking apps.
## Related Tools/Techniques
- Tool.CloudInject, Tool.NPMod (All involve modifying installed application logic)