Full Report
October 1, 2024

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.FakeApp trojan apps, used by threat actors in various fraudulent schemes, were the malicious programs most frequently detected on protected devices in the third quarter of 2024. Adware trojans from the Android.HiddenAds family ranked second. The third most commonly detected threats were Android.Siggen trojans—programs that have different malicious functionality and that are difficult to classify into any particular family.

In August, Doctor Web’s experts discovered the Android.Vo1d backdoor, which had infected nearly 1.3 million Android TV box sets belonging to users in 197 countries. This malicious app places its components into the system storage area of infected devices and, when commanded by threat actors, can covertly download and install various programs.

In addition, banking trojans targeting Indonesian users were found. One of these, Android.SmsSpy.888.origin, is protected with a software packer and detected as Android.Siggen.Susp.9415. It was distributed under the guise of the BRI bank customer support app BRImo Support. When launched, the trojan loads the real bank website https://bri.co.id in WebView. At the same time, it uses the Telegram bot API to send technical information about the infected device into the Telegram chat created by the threat actors. Android.SmsSpy.888.origin intercepts incoming SMS and also sends them into this chat. When it receives messages like 55555, , , it interprets them as commands and sends corresponding messages containing the text to the number . This way, the malware can both send SMS spam and spread among users.

Another trojan that attacked Indonesian users was Android.SmsSpy.11629. This malicious program is an SMS spy that is distributed under the guise of all kinds of apps.
The variant in question was targeting Bank Mandiri Taspen customers and was passed off by the attackers as an official banking app—Movin by Bank Mandiri Taspen. The trojan displays instructions to potential victims and asks them to accept a user agreement. When a user accepts it, the trojan requests the permissions needed to work with SMS. Next, the malicious program loads a real page of the bank’s website, https://mail.bankmantap.co.id/, in WebView.

Android.SmsSpy.11629 intercepts all incoming SMS. Next, it uses the Telegram bot API to send these messages into the attackers’ Telegram chat. It adds the text "developed by : @AbyssalArmy" to all of the messages.

At the same time, our malware analysts again discovered threats on Google Play. Among them were many new fake apps and several ad-displaying trojans.

## Principal trends of Q3 2024

- The Android.Vo1d backdoor infected over a million TV box sets
- High activity on the part of Android.FakeApp malicious apps, which are used to commit fraud
- High activity on the part of Android.HiddenAds adware trojans
- The emergence of new malware on Google Play

According to statistics collected by Dr.Web Security Space for mobile devices:

- Android.FakeApp.1600: A trojan app that loads a website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
- Android.HiddenAds.3994: A trojan app designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.
- Android.MobiDash.7815, Android.MobiDash.7813: Trojans that display obnoxious ads. These are special software modules that developers incorporate into applications.
- Android.Click.1751: This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When a user clicks on the confirmation button, the malware loads the corresponding link in their browser.
- Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each task that is completed. At the same time, users are told they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
- Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps: they can block them, display custom dialogs, track when other software is being installed or removed from a device, etc.
- Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software.
These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
- Program.SecretVideoRecorder.1.origin: The detection name for various modifications of an application that is designed to record videos and take photos in the background, using built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- Program.TrackView.1.origin: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
- Tool.Packer.1.origin: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
- Tool.SilentInstaller.17.origin: A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps in which they are integrated. The APK files, launched with the help of this platform, can operate as if they are part of such programs and can also obtain the same permissions.
- Tool.NPMod.1, Tool.NPMod.2: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
- Tool.LuckyPatcher.1.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions.
For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
- Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.
- Adware.Basement.1: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
- Adware.Fictus.1.origin: An adware module that malicious actors embed into the cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
- Adware.Adpush.21846, Adware.AdPush.39.origin: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

## Threats on Google Play

In Q3 2024, Doctor Web’s malware analysts continued uncovering threats on Google Play.
Among these were many new Android.FakeApp fake programs that were distributed under the guise of a variety of software. Malicious actors passed some of them off as finance-related programs, such as investing apps, financial reference books and teaching aids, different home bookkeeping tools, and so on. Quite a few of these did actually provide the stated functionality, but their primary task was to load fraudulent websites. Such sites promise potential victims quick and easy money through investments, trading natural resources, cryptocurrency, etc. To supposedly join the “service”, users are asked to register an account or to provide personal data by filling out an “application”. It is noteworthy that fraudsters disguised one of the Android.FakeApp trojans as an online dating and chat app. However, it also loaded a bogus “investing” site.

Other Android.FakeApp trojans were again distributed as games. Under certain conditions, they loaded online casino and bookmaker sites. Among these fake apps, our experts also detected new trojan variants that masquerade as job-search tools. Such malware loads fake job lists and suggests to users that they contact the applicable employer via a messenger (this “employer” is, in fact, a fraudster) or that they create a “resume” by providing personal data.

Doctor Web’s virus analysts also discovered more Android.HiddenAds trojans on Google Play. These trojans conceal their icons from the home screen menu and start displaying intrusive ads. The detected malware was camouflaged as various apps, including image collections, photo-editing software, and barcode scanners.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

## Indicators of compromise
Analysis Summary
# Tool/Technique: Android.FakeApp
## Overview
A high-frequency trojan app family used in various fraudulent schemes on Android devices, often camouflaged as legitimate applications like finance tools, dating apps, games, or job search aids. Its primary function is to load fraudulent websites to trick users into providing personal data or engaging in gambling/investment scams.
## Technical Details
- Type: Malware family (Trojan)
- Platform: Android
- Capabilities: Loading hardcoded (sometimes casino) websites; Masquerading as legitimate applications (finance, dating, job search).
- First Seen: Reported as the most frequently detected family in Q3 2024.
## MITRE ATT&CK Mapping
- T1588.001 - Obtain Capabilities: [Obtain Infrastructure: Domains] (Related to hosting fraudulent sites)
- T1566.002 - Phishing: Spearphishing Link (Users might follow links or register on fraudulent sites presented by the app)
- T1598.002 - Phishing: Pretexting (Masquerading as job recruiters or financial support)
## Functionality
### Core Capabilities
- Disguise as various legitimate applications (finance apps, job search apps, games, dating apps).
- Load fraudulent websites via hardcoded settings (e.g., online casinos, investment scams) when launched.
- Collect user registration or personal data under the pretext of joining a service or applying for a job.
### Advanced Features
- Distribution via Google Play Store.
- Specific variants: Android.FakeApp.1600 loads online casino sites. Others are distributed as job-search tools, leading users to contact fraudsters via messengers or to submit "resumes" containing personal data.
## Indicators of Compromise
- File Hashes: N/A (Family information)
- File Names: Varied; distributed under guises like investing apps, financial reference books, job-search tools, dating apps, and games.
- Registry Keys: N/A
- Network Indicators: Connects to fraudulent/scam websites (e.g., online casinos, investment platforms).
- Behavioral Indicators: Loading external URLs in WebView for fraudulent purposes; requesting personal data registration.
## Associated Threat Actors
- Unspecified threat actors engaged in financial fraud and online scams.
## Detection Methods
- Detection by Dr.Web Security Space for mobile devices.
- Detection based on known malicious URLs loaded by variants like Android.FakeApp.1600.
## Mitigation Strategies
- Exercise caution when downloading finance, investment, or job-search applications, even from Google Play.
- Verify the legitimacy of services advertised through apps before providing personal data or funds.
## Related Tools/Techniques
- Other Trojans detected frequently in Q3 2024: Android.HiddenAds, Android.Siggen.
***
# Tool/Technique: Android.HiddenAds
## Overview
The second most frequently detected family of adware trojans targeting Android devices. These trojans are designed to display intrusive advertisements and often conceal their presence from the user.
## Technical Details
- Type: Malware family (Adware Trojan)
- Platform: Android
- Capabilities: Displaying intrusive/obnoxious ads; Concealing application icons/presence.
- First Seen: Reported as highly active in Q3 2024.
## MITRE ATT&CK Mapping
- T1564.001 - Hide Artifacts: Hidden Files and Directories (Concealing icons from the home screen menu)
- T1003.004 - OS Credential Dumping: Configuration (/etc/shadow/config) (Implying data collection, though primarily adware)
- T1498.001 - Web Service Manipulation: Advertising (Displaying intrusive ads)
## Functionality
### Core Capabilities
- Display intrusive advertisements to the end-user.
- Conceal their presence by hiding icons from the home screen menu.
### Advanced Features
- Variants like Android.HiddenAds.3994 can be installed by other malware into the system directory.
- Found distributed on Google Play disguised as utility apps (image collections, photo editors, barcode scanners).
## Indicators of Compromise
- File Hashes: N/A (Family information)
- File Names: Varied; camouflage as utility apps.
- Registry Keys: N/A
- Network Indicators: Displays ads, likely connecting to ad distribution infrastructure.
- Behavioral Indicators: Unsolicited ad display; hiding application launcher icons.
## Associated Threat Actors
- Unspecified threat actors utilizing adware for monetization.
## Detection Methods
- Detection by Dr.Web Security Space for mobile devices.
- Detection based on icon hiding and aggressive ad display behavior.
## Mitigation Strategies
- Regularly check granted permissions for installed applications.
- Be wary of apps that request permissions disproportionate to their claimed functionality.
## Related Tools/Techniques
- Other Adware variants mentioned: Android.MobiDash.7815, Android.MobiDash.7813, Adware.ModAd.1, Adware.Basement.1, Adware.Fictus.1.origin, Adware.Adpush.21846, Adware.AdPush.39.origin.
***
# Tool/Technique: Android.Vo1d
## Overview
A backdoor discovered in August 2024 that significantly impacted Android TV box sets globally (nearly 1.3 million devices across 197 countries). It has the capability to covertly manage the device, including downloading and installing additional payloads.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Android TV Box Sets
- Capabilities: Covertly downloading and installing various programs; Operating system persistence.
- First Seen: Discovered August 2024.
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer: Transfer Data from Remote Repository
- T1071.001 - Application Layer Protocol: Web Protocols (Likely using HTTP/S for command and control)
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Inferred from persistence mechanism)
## Functionality
### Core Capabilities
- Infected nearly 1.3 million Android TV box sets.
- Persists by placing components in the system storage area of infected devices.
- Accepts external commands from threat actors.
### Advanced Features
- Covertly downloads and installs supplementary malicious programs onto the compromised device.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Communication channels used for command and control (C2).
- Behavioral Indicators: Writing components to system storage; downloading secondary executables.
## Associated Threat Actors
- Unspecified threat actors targeting embedded Android systems (TV boxes).
## Detection Methods
- Detection by Dr.Web Security Space.
## Mitigation Strategies
- Ensure security updates are applied to embedded operating systems like those on Android TV boxes.
- Limit the permissions granted to system-level components unless absolutely necessary.
## Related Tools/Techniques
- Android.Siggen (Generalized classification for threats hard to classify).
***
# Tool/Technique: Android.SmsSpy.888.origin
## Overview
A banking trojan specifically targeting Indonesian users, disguised as the official BRI bank customer support application ("BRImo Support"). It employs SMS interception, device information exfiltration via Telegram, and uses a packer for obfuscation.
## Technical Details
- Type: Malware (Banking Trojan/SMS Spy)
- Platform: Android
- Capabilities: SMS interception and exfiltration; Device technical data exfiltration via Telegram Bot API; SMS spamming/spreading upon receiving specific command codes.
- First Seen: Q3 2024 within Indonesian banking sphere.
## MITRE ATT&CK Mapping
- T1056.001 - Input Capture: Keylogging (Via SMS interception)
- T1041 - Exfiltration Over C2 Channel (Sending data via Telegram Bot API)
- T1560.001 - Archive via Utility: Built-in Archive Utility (Implied by the use of a software packer)
## Functionality
### Core Capabilities
- Displays the legitimate BRI website (`https://bri.co.id`) in a WebView to simulate legitimacy.
- Intercepts all incoming SMS messages.
- Sends intercepted SMS content and device technical information to a specified Telegram chat via the Telegram Bot API.
### Advanced Features
- Protected by a software packer (detected as Android.Siggen.Susp.9415).
- Two-way communication: interprets specific incoming SMS messages (e.g., `55555`) as commands, giving the operators remote control and the ability to send SMS to specified numbers for spam and spreading.
## Indicators of Compromise
- File Hashes: N/A (Family information)
- File Names: Distributed as "BRImo Support."
- Registry Keys: N/A
- Network Indicators: Uses Telegram Bot API for C2. Potential connection/loading of `https://bri.co.id`.
- Behavioral Indicators: Requesting SMS permissions; loading bank content in WebView; communicating secretly via Telegram API.
## Associated Threat Actors
- Threat actors targeting Indonesian banking customers (BRI).
## Detection Methods
- Detected as Android.Siggen.Susp.9415 due to software packer protection.
- Detection based on Telegram API usage for exfiltration.
## Mitigation Strategies
- Do not install banking applications from untrusted sources.
- Verify all banking support apps directly from official bank websites or app stores.
## Related Tools/Techniques
- Android.SmsSpy.11629 (Similar SMS spying technique targeting Bank Mandiri Taspen).
- Tool.Packer.1.origin (Used for obfuscation).
***
# Tool/Technique: Android.SmsSpy.11629
## Overview
An SMS spying trojan targeting Indonesian Bank Mandiri Taspen customers, disguised as the official banking app "Movin by Bank Mandiri Taspen." It intercepts SMS, exfiltrates data via Telegram, and appends a specific signature to all exfiltrated messages.
## Technical Details
- Type: Malware (SMS Spy Trojan)
- Platform: Android
- Capabilities: SMS interception and exfiltration; Data tagging using threat actor signature; WebView display of bank site.
- First Seen: Q3 2024 campaign targeting Bank Mandiri Taspen.
## MITRE ATT&CK Mapping
- T1056.001 - Input Capture: Keylogging (Via SMS interception)
- T1041 - Exfiltration Over C2 Channel (Sending data via Telegram Bot API)
- T1566.001 - Phishing: Spearphishing Link (Disguise as official app)
## Functionality
### Core Capabilities
- Masquerades as "Movin by Bank Mandiri Taspen."
- Requests SMS permissions after displaying a fake user agreement.
- Intercepts all incoming SMS messages.
- Sends intercepted SMS to the attackers’ Telegram chat using the Telegram Bot API.
### Advanced Features
- Appends the text "developed by : @AbyssalArmy" to all exfiltrated messages.
- Loads the real bank website (`https://mail.bankmantap.co.id/`) in WebView for deception.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Distributed as "Movin by Bank Mandiri Taspen."
- Registry Keys: N/A
- Network Indicators: Uses Telegram Bot API for C2. Potential connection/loading of `https://mail.bankmantap.co.id/`.
- Behavioral Indicators: Demanding SMS permissions based on a staged agreement; Appending "@AbyssalArmy" tag to outgoing data blobs.
## Associated Threat Actors
- Threat actors targeting Indonesian banking customers (Bank Mandiri Taspen). Associated with Telegram handler "@AbyssalArmy".
## Detection Methods
- Detection based on SMS permission abuse combined with Telegram Bot API communication.
- Signature matching for the appended text "developed by : @AbyssalArmy".
## Mitigation Strategies
- Verify app authenticity before accepting user agreements, especially if it involves granting sensitive permissions like SMS access.
- Avoid installing banking or financial support apps from non-official sources.
## Related Tools/Techniques
- Android.SmsSpy.888.origin (Similar SMS spying technique targeting BRI).
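As an added example (not Dr.Web's detection logic and not code from any sample), the following Python triage script scores the behaviours described in the Android.SmsSpy.888.origin, Android.SmsSpy.11629 and Android.HiddenAds cards: SMS permissions combined with a hardcoded Telegram Bot API endpoint, the appended @AbyssalArmy tag, a decoy bank URL, and launcher-icon hiding. It assumes the APK has already been unpacked and that the caller supplies the declared permissions and extracted string constants; the package names, bot token and sample artifacts are constructed.

```python
"""Static triage heuristics for the Android.SmsSpy and Android.HiddenAds
behaviours described in the report. Input: permissions declared in the
manifest plus string constants pulled from the decompiled code (constructed
samples at the bottom; nothing here is Dr.Web's own detection logic)."""
import re
from dataclasses import dataclass

# The Telegram Bot API embeds the bot token in the URL: /bot<id>:<secret>/<method>.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,}):([A-Za-z0-9_-]{20,})/(\w+)")
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
# Disabling the launcher activity is how adware hides its icon from the home screen.
ICON_HIDE_MARKERS = ("setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED")
ACTOR_TAG = "@AbyssalArmy"                       # appended by Android.SmsSpy.11629
BANK_HOSTS = ("bri.co.id", "bankmantap.co.id")   # decoy sites named in the report


@dataclass
class Finding:
    rule: str
    weight: int
    evidence: str


@dataclass
class Artifacts:
    package: str
    permissions: set
    strings: list


def redact_token(url: str) -> str:
    """Keep only the numeric bot id when reporting, never the secret half."""
    return TELEGRAM_BOT_RE.sub(
        lambda m: f"https://api.telegram.org/bot{m.group(1)}:<redacted>/{m.group(3)}", url)


def triage(a: Artifacts) -> list:
    findings = []
    sms = sorted(a.permissions & SMS_PERMS)
    telegram = [s for s in a.strings if TELEGRAM_BOT_RE.search(s)]
    if telegram:
        # A hardcoded bot endpoint is the exfiltration channel used by both SmsSpy samples;
        # combined with SMS permissions it is the full "SMS spy" pattern.
        rule, weight = ("sms_to_telegram", 60) if sms else ("telegram_bot_exfil", 25)
        evidence = redact_token(telegram[0]) + (f" with {sms}" if sms else "")
        findings.append(Finding(rule, weight, evidence))
    if any(ACTOR_TAG in s for s in a.strings):
        findings.append(Finding("actor_tag", 40, ACTOR_TAG))
    if telegram and any(h in s for s in a.strings for h in BANK_HOSTS):
        # Loading the real bank site in a WebView while talking to Telegram is the decoy pattern.
        findings.append(Finding("bank_decoy_webview", 20, "bank URL alongside Telegram endpoint"))
    if all(any(m in s for s in a.strings) for m in ICON_HIDE_MARKERS):
        findings.append(Finding("launcher_icon_hiding", 35, "+".join(ICON_HIDE_MARKERS)))
    return findings


def verdict(findings) -> tuple:
    score = sum(f.weight for f in findings)
    label = "malicious" if score >= 60 else "suspicious" if score >= 35 else "clean"
    return label, score


# Constructed samples mirroring the report's descriptions (the token is fake).
SMSSPY_SAMPLE = Artifacts(
    "com.example.movin.support",
    {"android.permission.INTERNET", "android.permission.RECEIVE_SMS",
     "android.permission.READ_SMS"},
    ["https://api.telegram.org/bot1234567890:AAFakeTokenForIllustrationOnly0000/sendMessage",
     "https://mail.bankmantap.co.id/", "developed by : @AbyssalArmy"])
HIDDENADS_SAMPLE = Artifacts(
    "com.example.photo.editor", {"android.permission.INTERNET"},
    ["setComponentEnabledSetting", "COMPONENT_ENABLED_STATE_DISABLED", "/ads/show"])
CLEAN_SAMPLE = Artifacts("com.example.notes", {"android.permission.INTERNET"},
                         ["https://example.com/sync"])

if __name__ == "__main__":
    for sample in (SMSSPY_SAMPLE, HIDDENADS_SAMPLE, CLEAN_SAMPLE):
        found = triage(sample)
        print(sample.package, verdict(found), [(f.rule, f.evidence) for f in found])
```

The weights are illustrative; in practice the Telegram-endpoint rule alone is a strong signal for an app claiming to be a bank's support tool, while the icon-hiding rule needs the extra context of unsolicited ad display to avoid flagging legitimate launcher customisation.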
***
# Tool/Technique: Program.FakeMoney.11
## Overview
A detection name for Android applications designed to defraud users by simulating earnings for completing various tasks. Users are led to believe they accumulate rewards which they can never actually withdraw.
## Technical Details
- Type: Potentially Unwanted Program (PUP) / Fraudulent Application
- Platform: Android
- Capabilities: Simulating reward accumulation for supposedly paid tasks; Listing multiple supposed withdrawal methods that never pay out.
- First Seen: Q3 2024 detections by Dr.Web.
## MITRE ATT&CK Mapping
- T1558.004 - Steal or Forge Credentials: Credentials from Password Stores (Potential data theft during fake registration)
- T1562.001 - Impair Defenses: Disable or Modify Tools (If related to unwanted software detection evasion)
- T1598.003 - Phishing: Social Media (If deployed via social engineering online)
## Functionality
### Core Capabilities
- Displays fake accrual of earnings based on task completion within the app.
- Promises payouts to various real payment systems/banks once a threshold is met.
- Prevents actual withdrawal of "earnings."
### Advanced Features
- Often shares a common code base with Adware.Basement.1 applications.
- Used as a baseline detection for other unwanted software utilizing this fraudulent model.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Varied applications promising task-based earnings.
- Registry Keys: N/A
- Network Indicators: Connections to endpoints associated with reward processing/withdrawal simulation.
- Behavioral Indicators: Failure to process actual payouts upon reaching withdrawal thresholds.
## Associated Threat Actors
- Unspecified actors running get-paid-to (GPT) style scams.
## Detection Methods
- Detection signature Program.FakeMoney.11.
- Behavioral analysis identifying fabricated asset accumulation without legitimate transaction logging.
## Mitigation Strategies
- Be highly skeptical of apps promising high, easy returns for small amounts of work.
- Real payment systems do not typically require users to accumulate arbitrary amounts within a third-party app before allowing a payout.
## Related Tools/Techniques
- Adware.Basement.1 (Shared lineage).
***
# Tool/Technique: Tool.CloudInject
## Overview
An Android utility (and the resulting modified programs) that allows remote modification of applications via a cloud service. Users integrating this tool cannot fully control what modifications are added, raising significant security concerns regarding integrity and permissions.
## Technical Details
- Type: Tool/Framework (Code Modification Utility)
- Platform: Android
- Capabilities: Remote modification of application logic; Granting dangerous system permissions to modified apps; Remote management of infected apps (blocking, displaying notifications/dialogs).
- First Seen: Detected in Q3 2024 deployments.
## MITRE ATT&CK Mapping
- T1105 - Ingress Tool Transfer: Transfer Data from Remote Repository (Downloads modifications from the cloud service)
- T1547.006 - Boot or Logon Autostart Execution: Audio Hooks (Implied capability to manage execution environment)
- T1078.003 - Valid Accounts: Local Accounts (If modifications exploit system accounts)
## Functionality
### Core Capabilities
- Programs are modified remotely via the CloudInject service upon execution or command.
- Modified apps receive a range of dangerous system permissions.
- Allows remote management capabilities: blocking the app, displaying custom dialogs, and monitoring installation/removal of other software.
### Advanced Features
- Total loss of control over the final executable code by the original app developer or user (modder).
## Indicators of Compromise
- File Hashes: N/A
- File Names: Detection signature Program.CloudInject.1 applied to modified apps.
- Registry Keys: N/A
- Network Indicators: Communication with the CloudInject remote modification server.
- Behavioral Indicators: Apps requesting permissions not aligned with their ostensible function post-installation; receiving dynamic remote instructions.
## Associated Threat Actors
- Developers or groups utilizing the CloudInject service for unauthorized app modification.
## Detection Methods
- Detection signature Program.CloudInject.1.
- Detection of Tool.CloudInject binary presence.
## Mitigation Strategies
- Use official app sources only.
- Monitor apps for unexpected runtime permission requests or behavioral changes after modifications (e.g., system updates).
## Related Tools/Techniques
- Tool.NPMod.1/2 (Similar modification/signature bypassing capability).
- Tool.LuckyPatcher.1.origin (General modification tool).