Full Report
July 1, 2024

According to detection statistics collected by the Dr.Web for Android anti-virus, in the second quarter of 2024, Android.HiddenAds adware-displaying trojans were most commonly detected on protected devices. The second most common malicious programs were trojans from the Android.FakeApp family, which cybercriminals use to execute various fraudulent schemes. The most frequently detected representative of this family was Android.FakeApp.1600, a trojan that our experts discovered in late May. It is distributed via malicious sites, from which it is downloaded as a gaming app. When launched, however, this fake app loads the website specified in its settings. Known modifications of the program load an online casino site: its visitors are offered the chance to play a "wheel of fortune" type of game, but when they try to do so, they are redirected to a registration page. The high detection rates of this malicious program can be explained by the fact that the people behind it promote it via in-app ads in other software, among other channels. When users tap on such an ad, they end up on a corresponding malicious website from which the trojan is downloaded.

The third most widespread malicious programs were Android.Spy trojans, which possess spyware functionality.

At the same time, Doctor Web's virus laboratory uncovered more threats on Google Play. Among them were various fake apps from the Android.FakeApp family and the unwanted Program.FakeMoney.11 app, which supposedly allows virtual rewards to be converted into real money that can then be withdrawn. Moreover, threat actors again used Google Play to distribute a trojan that subscribes victims to paid services.

## Principal trends of Q2 2024

- Android.HiddenAds ad-displaying trojans remain the most active Android threats
- The emergence of more threats on Google Play

## Top threats according to statistics collected by Dr.Web for Android

- **Android.FakeApp.1600**: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
- **Android.HiddenAds.3956**, **Android.HiddenAds.3980**, **Android.HiddenAds.3989**: Trojan apps designed to display intrusive ads. Trojans of this family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user; for example, they "hide" their icons from the home screen menu.
- **Android.Spy.5106**: The detection name for a trojan that presents itself as modified versions of unofficial WhatsApp messenger mods. This malicious program can steal the contents of notifications and offer users other apps from unknown sources for installation. When such a modified messenger is used, it can also display dialog boxes containing remotely configurable content.
- **Program.CloudInject.1**: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; the modders (users) who request such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, the apps can be managed remotely: they can be blocked, made to display custom dialogs, and made to track when other software is installed on or removed from a device.
- **Program.FakeMoney.11**: The detection name for Android applications that allegedly allow users to earn money by watching video clips and ads. These apps make it look as if rewards are accruing for completed tasks. To withdraw their "earnings", users allegedly have to collect a certain sum. But even if they succeed, in reality they cannot get any real payments.
- **Program.FakeAntiVirus.1**: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software's full version.
- **Program.TrackView.1.origin**: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device's location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
- **Program.SecretVideoRecorder.1.origin**: The detection name for various modifications of an application that is designed to record videos and take photos in the background using built-in Android device cameras. It can operate covertly, since notifications about ongoing recordings can be disabled. It also allows an app's icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- **Tool.SilentInstaller.17.origin**, **Tool.SilentInstaller.14.origin**: Riskware platforms that allow applications to launch APK files without installing them. They create a virtual runtime environment in the context of the apps in which they are integrated. The APK files launched with the help of these platforms can operate as if they are part of such programs and can also obtain the same permissions.
- **Tool.Packer.1.origin**: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
- **Tool.NPMod.1**, **Tool.NPMod.2**: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
- **Adware.ModAd.1**: The detection name for some modified versions (mods) of the WhatsApp messenger whose functions have been injected with specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) during the messenger's operation. Such web addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.
- **Adware.AdPush.39.origin**, **Adware.Adpush.21846**: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users; for example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
- **Adware.ShareInstall.1.origin**: An adware module that can be built into Android applications. It displays notifications containing ads on the Android OS lock screen.
- **Adware.Airpush.7.origin**: A member of a family of adware modules that can be built into Android apps and display various ads. Depending on the modules' version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.

## Threats on Google Play

In Q2 2024, Doctor Web's virus laboratory discovered more Android.FakeApp trojans on Google Play. Some of them were being distributed under the guise of finance-themed software and apps for participating in surveys and quizzes. They could load fraudulent sites on which potential victims, supposedly on behalf of well-known credit organizations as well as oil and gas companies, were offered the chance of getting a financial education or becoming investors. To access one or another "service", users had to answer several questions and then provide personal data.

Other Android.FakeApp trojans were hiding in various games. Under certain conditions, instead of the declared functionality, they would load bookmaker and online casino websites. Another trojan from this family, Android.FakeApp.1607, was disguised as an image collection app. It did provide the claimed functionality but could also load online casino websites instead.

Threat actors passed off several Android.FakeApp members as job-search programs. These trojans (Android.FakeApp.1605 and Android.FakeApp.1606) load fake vacancy lists where users are asked to contact "employers" via messengers (Telegram, for example) or to send out a "resume" by providing personal data. After attracting their potential victims' attention, fraudsters can lure them into various dubious money-making schemes in an attempt to steal their money.

Our specialists also discovered another unwanted program from the Program.FakeMoney family. Such apps offer users various tasks to complete in order to receive virtual rewards, which supposedly can then be withdrawn as real money. In fact, these programs mislead Android device owners, as no real payouts are made. The purpose of such software is to keep users engaged for as long as possible so that the displayed ads bring a profit to the developers. One identified app (Program.FakeMoney.11) is a variation of a slot-machine ("one-armed bandit") game that the player always wins. When users play it and also watch the in-app ads, they receive virtual rewards. When they try to withdraw their "earned" money, the program delays the process, imposing more and more conditions. If users eventually "successfully" submit a withdrawal request, they end up in an "under consideration" queue behind up to several thousand other "applicants".

In addition, another trojan from the Android.Harly family (Android.Harly.87) was distributed via Google Play. Malicious programs of this family subscribe victims to paid services.
To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise
Analysis Summary
This summary is based on the detection statistics for Android malware during the second quarter of 2024, as reported by Dr.Web for Android antivirus.
***
# Tool/Technique: Android.HiddenAds (e.g., .3956, .3980, .3989)
## Overview
Adware-displaying trojans; the most commonly detected threats on Dr.Web-protected Android devices in Q2 2024. They exist to show intrusive advertisements and hide themselves from the user so that they keep doing so.
## Technical Details
- Type: Malware (Adware Trojan)
- Platform: Android
- Capabilities: Display intrusive ads, conceal presence from the user (e.g., hiding icons from the home screen menu).
- Reported: Q2 2024 (long-running family; it remained the most active Android threat during the quarter)
## MITRE ATT&CK Mapping
(Note: mappings in this summary use MITRE ATT&CK for Mobile and are inferred from the behaviour the report describes, not from sample analysis.)
- TA0030 - Defense Evasion
- T1655.001 - Masquerading: Match Legitimate Name or Location (distributed as popular, harmless-looking applications)
- T1628.001 - Hide Artifacts: Suppress Application Icon (the launcher icon is hidden after installation)
- TA0037 - Command and Control
- T1544 - Ingress Tool Transfer (applies to the cases where another trojan downloads and installs HiddenAds into the system directory)
## Functionality
### Core Capabilities
- Display intrusive advertisements to users.
- Distribution often occurs disguised as popular/harmless applications.
### Advanced Features
- Concealment: the app hides its icon from the home screen menu, so the user neither notices it nor finds it to uninstall; it keeps running and serving ads in the background.
- In some cases another trojan installs HiddenAds into the system directory, where it cannot be removed with a normal uninstall.
## Indicators of Compromise
- File Hashes: N/A (not included in this report)
- File Names: N/A
- Network Indicators: N/A
- Behavioral Indicators: a third-party app whose launcher icon disappears shortly after installation while the package remains installed; intrusive ads via notifications or pop-ups that cannot be traced to a visible app; an unexpected package in the system partition.
## Associated Threat Actors
- Unknown threat actors (Cybercriminals).
## Detection Methods
- Dr.Web for Android antivirus detection.
- On a device with USB debugging enabled, compare the third-party package list (`adb shell pm list packages -3`) with the apps visible in the launcher; `adb shell dumpsys package <pkg>` shows a hidden app's MAIN/LAUNCHER activity under `disabledComponents`.
## Mitigation Strategies
- Installing trusted Android antivirus products (e.g., Dr.Web).
- Being cautious when tapping on in-app advertisements that lead to downloads.
## Related Tools/Techniques
- Other adware modules mentioned: Adware.ModAd.1, Adware.AdPush.39.origin, Adware.Adpush.21846, Adware.ShareInstall.1.origin, Adware.Airpush.7.origin.
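The icon-hiding check described above, as an added example that is not code from the Dr.Web report or its authors. It parses the text of `adb shell pm list packages -3` and `adb shell dumpsys package` (format assumed to match Android 10-13 output), cross-references each third-party package's declared LAUNCHER activities with the `disabledComponents` block, and flags apps that disabled their own launcher activity after installation. The sample outputs, package names and class names are constructed for illustration.

```python
"""Spot third-party apps whose launcher icon has been hidden at runtime.

Android.HiddenAds-style trojans disable their own MAIN/LAUNCHER activity via
PackageManager.setComponentEnabledSetting(): the app keeps running, the icon
vanishes.  In `adb shell dumpsys package` the Activity Resolver Table still
lists the activity as a LAUNCHER entry, while the package's per-user block
lists it under "disabledComponents:" (format assumed: Android 10-13 output).
"""
import re

ENTRY_RE = re.compile(r"^\s+[0-9a-f]+ (?P<pkg>[\w.]+)/(?P<cls>[\w.$]+) filter")
CATEGORY_RE = re.compile(r'^\s+Category: "(?P<cat>[\w.]+)"')
PACKAGE_RE = re.compile(r"^\s+Package \[(?P<pkg>[\w.]+)\]")
SECTION_RE = re.compile(r"^(?P<name>[A-Z][\w ]+):\s*$")  # top-level dumpsys sections
LAUNCHER = "android.intent.category.LAUNCHER"


def qualify(pkg, cls):
    """dumpsys abbreviates classes inside the package's own namespace as '.Cls'."""
    return pkg + cls if cls.startswith(".") else cls


def parse_pm_list(text):
    """Package names from `adb shell pm list packages -3` (third-party apps only)."""
    return {line.split(":", 1)[1].strip() for line in text.splitlines()
            if line.startswith("package:")}


def parse_dumpsys(text):
    """Return (launchers, disabled): package -> set of fully qualified components."""
    launchers, disabled = {}, {}
    section = cur_pkg = cur_entry = None
    in_disabled, disabled_indent = False, 0
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section, cur_pkg, in_disabled = m.group("name"), None, False
            continue
        if section == "Activity Resolver Table":
            m = ENTRY_RE.match(line)
            if m:
                cur_entry = (m.group("pkg"), qualify(m.group("pkg"), m.group("cls")))
                continue
            m = CATEGORY_RE.match(line)
            if m and cur_entry and m.group("cat") == LAUNCHER:
                launchers.setdefault(cur_entry[0], set()).add(cur_entry[1])
        elif section == "Packages":
            m = PACKAGE_RE.match(line)
            if m:
                cur_pkg, in_disabled = m.group("pkg"), False
                continue
            indent = len(line) - len(line.lstrip())
            if line.strip() == "disabledComponents:":
                in_disabled, disabled_indent = True, indent
            elif in_disabled and line.strip() and indent > disabled_indent:
                disabled.setdefault(cur_pkg, set()).add(line.strip())
            else:
                in_disabled = False  # same or shallower indent ends the block
    return launchers, disabled


def hidden_icon_apps(dumpsys_text, third_party_pkgs):
    """Flag packages whose declared launcher activity is disabled, or absent entirely."""
    launchers, disabled = parse_dumpsys(dumpsys_text)
    findings = []
    for pkg in sorted(third_party_pkgs):
        declared = launchers.get(pkg, set())
        hidden = declared & disabled.get(pkg, set())
        if hidden:  # high confidence: the app hid its own icon after installation
            findings.append((pkg, "launcher activity disabled at runtime", sorted(hidden)))
        elif not declared:  # lower confidence: some legitimate services also have no icon
            findings.append((pkg, "no launcher activity declared", []))
    return findings


# Constructed sample output (not from a real device); "tiles" has hidden its icon.
SAMPLE_PM_LIST = "package:com.example.tiles\npackage:com.example.notes\npackage:com.example.syncagent\n"
SAMPLE_DUMPSYS = """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        1a2b3c com.example.tiles/.MainActivity filter 4d5e6f
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        7a8b9c com.example.notes/.ui.HomeActivity filter 0d1e2f
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"

Packages:
  Package [com.example.tiles] (9f8e7d):
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      disabledComponents:
        com.example.tiles.MainActivity
      runtimeApps:
  Package [com.example.notes] (6c5b4a):
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
"""

if __name__ == "__main__":
    for pkg, reason, comps in hidden_icon_apps(SAMPLE_DUMPSYS, parse_pm_list(SAMPLE_PM_LIST)):
        print(f"{pkg}: {reason} {comps}")
```

The "no launcher activity declared" finding is deliberately reported separately: keyboards, sync agents and similar apps legitimately have no icon, whereas a launcher activity that was declared and then disabled is something a benign app almost never does to itself.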
***
# Tool/Technique: Android.FakeApp Family (e.g., .1600, .1605, .1606, .1607)
## Overview
A widespread family of trojans used to execute various fraudulent schemes. They often impersonate legitimate applications (games, finance apps, job search tools) and redirect users to malicious websites.
## Technical Details
- Type: Malware (Trojan)
- Platform: Android
- Capabilities: Loads a website hardcoded in its settings when launched; uses lures (games, finance "education" or investment offers, surveys, fake job listings) to get victims to enter personal data on fraudulent sites.
- Reported: Q2 2024 (established family; Android.FakeApp.1600 discovered in late May 2024)
## MITRE ATT&CK Mapping
- TA0027 - Initial Access
- T1660 - Phishing (closest fit: in-app ads and malicious sites that offer the trojan for download as a game; other variants reached victims through Google Play listings)
- TA0030 - Defense Evasion
- T1655.001 - Masquerading: Match Legitimate Name or Location (posing as games, finance, survey, image-collection and job-search apps)
- TA0037 - Command and Control
- T1437.001 - Application Layer Protocol: Web Protocols (the configured site is loaded in the app over HTTP(S))
- Personal data is typed by the victim into the fraudulent web pages rather than collected by the app itself, so the report supports no Collection or Credential Access technique.
## Functionality
### Core Capabilities
- **Android.FakeApp.1600:** Disguised as a gaming app; on launch it loads a website hardcoded in its settings. Known variants open an online casino site where visitors who try to play a "wheel of fortune" game are redirected to a registration page. Promoted via in-app ads in other software.
- **Job Search Variants (.1605, .1606):** Disguised as job-search programs; display fake vacancy lists and direct users to contact "employers" via messengers (Telegram, for example) or to submit a "resume" containing personal data, after which fraudsters lure them into dubious money-making schemes.
- **General:** Distribution via malicious sites (reached through in-app ads) and, increasingly, through Google Play.
### Advanced Features
- **Android.FakeApp.1607:** Disguised as an image collection app while also loading online casino websites under certain conditions.
- **Google Play Distribution:** Used to distribute apps masquerading as finance software or surveys, eliciting personal data under the pretense of finance education or investment opportunities from fake credit organizations or oil/gas companies.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Network Indicators: Depending on the modification, loads or redirects to online casino, bookmaker, or fraudulent financial-scheme websites.
- Behavioral Indicators: On launch (or under certain conditions) the app loads a website specified in its configuration instead of, or alongside, its declared functionality.
## Associated Threat Actors
- Unknown threat actors.
## Detection Methods
- Dr.Web for Android detection.
- Observing the app's first-launch network traffic (for example through an interception proxy): an app marketed as a game or image collection that immediately opens a casino, bookmaker or "investment" domain in a WebView does not match its stated purpose.
## Mitigation Strategies
- Avoiding downloading apps from external, untrusted websites, especially after clicking on in-app ads.
- Scrutinizing job offers that require significant personal data submission outside standard secure portals or immediately moving communication to external chat apps.
## Related Tools/Techniques
- Android.FakeMoney (often associated with the lure of earning money).
***
# Tool/Technique: Android.Spy.5106
## Overview
A trojan that masquerades as modified versions of unofficial WhatsApp messenger mods, possessing spyware functionality.
## Technical Details
- Type: Malware (Spyware Trojan)
- Platform: Android
- Capabilities: Steals the contents of notifications; offers other apps from unknown sources for installation; displays dialog boxes whose content is configured remotely.
- Reported: Q2 2024 (Dr.Web top-10 detection)
## MITRE ATT&CK Mapping
- TA0030 - Defense Evasion
- T1655.001 - Masquerading: Match Legitimate Name or Location (presented as an unofficial WhatsApp mod)
- TA0035 - Collection
- T1517 - Access Notifications (reading notification contents requires the notification-listener access the user grants the "mod")
- TA0037 - Command and Control
- T1437.001 - Application Layer Protocol: Web Protocols (remotely configurable dialog content; the transport is not described in the report, web protocols assumed)
## Functionality
### Core Capabilities
- Steals the contents of user notifications.
- Offers users other applications from unknown sources for installation.
### Advanced Features
- Displays dialog boxes containing remotely configurable content when the modified messenger is in use.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A (samples present themselves as unofficial WhatsApp mods)
- Behavioral Indicators: a messenger mod that appears in the device's notification access list; offers to install further apps from unknown sources; dialog boxes with content that changes without an app update.
## Associated Threat Actors
- Not attributed in the report.
## Related Tools/Techniques
- Adware.ModAd.1 (also associated with modified WhatsApp).
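A static triage pass for a decoded APK, added here as an example that is not code from the Dr.Web report or its authors. It checks the decoded AndroidManifest.xml (as produced by apktool or jadx; the binary AXML inside an APK has to be decoded first, which this script does not do) and the APK entry list for the capabilities this summary attributes to Android.Spy.5106: a notification-listener service, the REQUEST_INSTALL_PACKAGES permission behind "offering apps from unknown sources", and overlay dialogs. The same rule set also carries the SMS-permission check relevant to subscription trojans such as Android.Harly, the bundled-APK check relevant to Tool.SilentInstaller-style runtimes, and the no-icon-plus-autostart pattern of Android.HiddenAds. The sample manifest, package name and file list are constructed; the technique IDs are from MITRE ATT&CK for Mobile.

```python
"""Static triage of a decoded Android app against the behaviours in this report.

Input: the text AndroidManifest.xml that apktool/jadx produce, plus the APK's
entry list.  Each finding carries the ATT&CK for Mobile technique it maps to,
or None where no specific technique exists.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}
PAYLOAD_EXT = {".apk", ".dex", ".jar"}


def qualify(pkg, name):
    """Manifest names starting with '.' are relative to the package name."""
    return pkg + name if name.startswith(".") else name


def has_filter(component, action, category=None):
    """True if an <intent-filter> of the component declares action (and category)."""
    for f in component.iter("intent-filter"):
        actions = {a.get(A + "name") for a in f.iter("action")}
        cats = {c.get(A + "name") for c in f.iter("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False


def parse_manifest(xml_text):
    """Collect the permissions and components the triage rules look at."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    info = {"package": pkg, "launchers": [], "notification_listeners": [], "boot_receivers": [],
            "permissions": {e.get(A + "name") for e in root.iter("uses-permission")}}
    for act in root.iter("activity"):
        if has_filter(act, "android.intent.action.MAIN", "android.intent.category.LAUNCHER"):
            info["launchers"].append(qualify(pkg, act.get(A + "name")))
    for svc in root.iter("service"):
        # Only a service bound with this permission can read other apps' notifications.
        if svc.get(A + "permission") == NOTIFICATION_LISTENER:
            info["notification_listeners"].append(qualify(pkg, svc.get(A + "name")))
    for rcv in root.iter("receiver"):
        if has_filter(rcv, "android.intent.action.BOOT_COMPLETED"):
            info["boot_receivers"].append(qualify(pkg, rcv.get(A + "name")))
    return info


def embedded_payloads(entries):
    """APK/DEX/JAR files under assets/ or res/raw/: code loadable without installing it."""
    return sorted(e for e in entries if PurePosixPath(e).suffix.lower() in PAYLOAD_EXT
                  and (e.startswith("assets/") or e.startswith("res/raw/")))


def triage(info, entries):
    """Return (tag, mobile_attack_technique_or_None, evidence) tuples."""
    perms, findings = info["permissions"], []
    if info["notification_listeners"]:  # Android.Spy.5106: steals notification contents
        findings.append(("notification_access", "T1517", info["notification_listeners"]))
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:  # can push unknown-source apps
        findings.append(("sideload_prompting", None, ["REQUEST_INSTALL_PACKAGES"]))
    if perms & SMS_PERMS:  # common enabler of paid-subscription sign-ups (assumption, not from report)
        findings.append(("sms_access", "T1636.004", sorted(perms & SMS_PERMS)))
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:  # dialogs drawn over other apps
        findings.append(("overlay_dialogs", None, ["SYSTEM_ALERT_WINDOW"]))
    if not info["launchers"] and info["boot_receivers"]:  # HiddenAds pattern: no icon, auto-start
        findings.append(("no_icon_autostart", "T1628.001", info["boot_receivers"]))
    if embedded_payloads(entries):  # guest code for a SilentInstaller-style runtime (heuristic)
        findings.append(("embedded_code", "T1407", embedded_payloads(entries)))
    return findings


# Constructed sample (not a real app): a "messenger mod" carrying the report's red flags.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wamod">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Messenger Plus">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".NotifCollector" android:permission="%s">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
""" % NOTIFICATION_LISTENER
SAMPLE_ENTRIES = ["AndroidManifest.xml", "classes.dex", "assets/payload.apk", "res/raw/config.json"]

if __name__ == "__main__":
    for tag, technique, evidence in triage(parse_manifest(SAMPLE_MANIFEST), SAMPLE_ENTRIES):
        print(f"{tag:20} {technique or '-':10} {evidence}")
```

None of these rules is proof of malice on its own (a legitimate SMS app holds READ_SMS, a screen-reader holds notification access); they are the manifest-level facts that make the behaviours in this report possible, so a messenger "mod" that hits several of them at once deserves dynamic analysis before it goes anywhere near a real account.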
***
# Tool/Technique: Program.FakeMoney.11
## Overview
An unwanted program from the Program.FakeMoney family, built around a money-earning scam: it tricks users into believing that virtual rewards earned by watching ads can be converted into real cash.
## Technical Details
- Type: Unwanted program (ad-supported "earn money" scam)
- Platform: Android
- Capabilities: Simulates earning virtual rewards for viewing ads and videos; delays or prevents withdrawal of the alleged earnings.
- Reported: Q2 2024 (found on Google Play)
## MITRE ATT&CK Mapping
- Not mapped: the program performs no unauthorised action on the device. Its harm is deception (ads are watched in exchange for rewards that are never paid out), which ATT&CK does not model. Distribution was through Google Play, and the reward-balance and withdrawal-queue traffic is ordinary application traffic rather than command and control.
## Functionality
### Core Capabilities
- Appears to award virtual currency for completing tasks (watching ads/videos).
- The sole purpose is to maximize ad revenue for developers.
- Users are ultimately never able to withdraw real money.
### Advanced Features
- Presented as a slot-machine ("one-armed bandit") game that the player always wins, so the virtual balance grows as long as the ads keep being watched.
- If a user seemingly succeeds in requesting a withdrawal, the request is placed in a long queue (up to several thousand applicants) for an indefinite "under consideration" status.
## Indicators of Compromise
- Behavioral Indicators: Requests for withdrawal are met with conditional delays or placement into excessively long virtual queues after users have viewed significant amounts of in-app advertising.
## Mitigation Strategies
- Skepticism towards apps promising easy, real-money conversion from watching ads or completing simple tasks.
## Related Tools/Techniques
- Android.FakeApp variants promoting financial schemes.
***
# Tool/Technique: Program.CloudInject.1 / Tool.CloudInject
## Overview
Android programs modified using the `CloudInject` cloud service or its eponymous Android utility (detected as Tool.CloudInject). The modification happens on the service's server, so neither the modder who requested it nor the end user controls or sees exactly what code is added.
## Technical Details
- Type: Program (app modified through a cloud service; the injected module carries remote-management functionality)
- Platform: Android
- Capabilities: Remote modification of application behaviour; remote management after modification (blocking the app, displaying custom dialogs, tracking installs and removals of other software); requests a number of dangerous system permissions.
- Reported: Q2 2024 (Dr.Web top-10 detection)
## MITRE ATT&CK Mapping
- TA0037 - Command and Control
- T1437.001 - Application Layer Protocol: Web Protocols (the modified apps are managed remotely: blocked, made to show custom dialogs; the transport is not described, web protocols assumed)
- TA0032 - Discovery
- T1418 - Software Discovery (tracking when other software is installed on or removed from the device)
- The "dangerous system permissions" the report mentions are permissions the modified app requests and the user grants; that is not a privilege-escalation technique, so none is mapped.
## Functionality
### Core Capabilities
- Modders (users) submit an app to a remote server, which returns a modified build; they cannot control exactly what is added to it.
- Programs receive a number of dangerous system permissions.
### Advanced Features
- Remote management post-infection, including the ability to block the app, display custom dialogs, and monitor other application installations or removals.
## Indicators of Compromise
- Behavioral Indicators: Apps displaying unexpected behavior or requesting excessive permissions that correlate with remote management capabilities.
## Related Tools/Techniques
- Tool.CloudInject (the utility used for modification).
***
# Tool/Technique: Tool.SilentInstaller.17.origin / Tool.SilentInstaller.14.origin
## Overview
Riskware platforms embedded in apps that run APK files without installing them, inside a virtual runtime environment created in the host app's process.
## Technical Details
- Type: Riskware platform/tool
- Platform: Android
- Capabilities: Launches APK files inside a virtual runtime environment in the context of the host application; the launched APK can act as part of the host and obtain the same permissions.
- Reported: Q2 2024 (Dr.Web top-10 detection)
## MITRE ATT&CK Mapping
- TA0030 - Defense Evasion
- T1407 - Download New Code at Runtime (the guest APK's code is loaded and run inside the host instead of being installed, so it never appears as a separate package)
- The guest APK runs with the host app's existing permission grants; no privilege-escalation technique is involved, and whether a given host is malicious depends on what it loads.
## Functionality
### Core Capabilities
- Creates a virtual runtime environment within the host application.
- Launches APK files inside this environment, making them appear as part of the host application.
### Advanced Features
- Launched APKs can obtain the same permissions as the integrating program.
## Related Tools/Techniques
- Tool.Packer.1.origin (a packer listed in the same top-10; it protects apps, harmless or malicious, from modification and reverse engineering. The report does not state that it is used together with these platforms).
***
# Tool/Technique: Android.Harly.87
## Overview
A member of the Android.Harly family, distributed via Google Play. Trojans of this family subscribe victims to paid services without their knowledge.
## Technical Details
- Type: Malware (Subscription Fraud Trojan)
- Platform: Android
- Capabilities: Subscribing victims to paid services.
- Reported: Q2 2024 (found on Google Play)
## MITRE ATT&CK Mapping
- TA0034 - Impact
- T1643 - Generate Traffic from Victim (closest fit: the device is made to submit paid-subscription sign-ups the user did not initiate; the report does not describe the sign-up mechanism, so no finer mapping is supported)
- TA0027 - Initial Access: the app was obtained from Google Play; the report does not say what it posed as, so no masquerading sub-technique is claimed.
## Functionality
### Core Capabilities
- Subscribes the user to recurring paid services.
## Mitigation Strategies
- Carefully reviewing mobile carrier billing statements for unauthorized charges.
- Reviewing which apps hold SMS and notification-access permissions and revoking them from apps that have no reason to need them; asking the carrier to block premium-rate and carrier (WAP) billing if it is not needed.