# Full Report
October 1, 2025

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.MobiDash ad-displaying trojans were the most widespread threats of Q3 2025. They were detected on protected devices 18.19% more often than during the previous observation period. The adware trojans Android.HiddenAds, whose activity decreased for the second quarter in a row, fell to second place. In the past 3 months, users encountered them 71.85% less often. These malicious apps conceal their icons, making the trojans harder to detect and remove, and then display ads, including full-screen videos. Third place was again occupied by the Android.FakeApp trojans that cybercriminals use in various fraudulent schemes; the number of times they were detected decreased by 7.49%. Instead of providing the declared functionality, these malicious apps often load various websites, including fraudulent and malicious ones, as well as bookmaker and online casino websites.

Despite a 38.88% decline in activity, Android.Banker trojans remain the most widespread banking malware. Threat actors use them to gain illegal access to banking accounts and steal money. These trojans can display phishing windows to hijack logins and passwords, imitate the appearance of real banking software, intercept SMS to obtain one-time codes, etc. Android.Banker trojans were followed by the Android.BankBot trojans, which were detected 18.91% more often than in Q2. Such trojans also try to gain access to users’ online banking accounts by intercepting confirmation codes. At the same time, these malicious apps can execute various commands coming from cybercriminals. Some of them also allow infected devices to be controlled remotely. Rounding out the top three, Android.SpyMax banking trojans were detected 17.25% less often than in the previous quarter. These malicious apps are based on the source code of the spyware trojan SpyNote and provide a wide range of functions, including the ability to remotely control affected devices.

In August, we informed users about a malware distribution campaign involving the Android.Backdoor.916.origin multi-functional backdoor. Cybercriminals use this piece of malware to steal confidential data and spy on Android device users. Threat actors sent messages to potential victims via various messengers, offering an “anti-virus” that can be installed from the attached APK file. Doctor Web’s anti-virus laboratory discovered the first versions of this backdoor back in January 2025 and has continued to monitor its development ever since. Our experts believe that this backdoor is used in targeted attacks and is not intended for mass distribution. The main target for cybercriminals is representatives of Russian businesses.

Over the course of Q3, a large number of malicious programs were distributed on Google Play for a combined total of over 1,459,000 installations. Among them were dozens of Android.Joker trojans that subscribe victims to paid services and Android.FakeApp malicious fake programs. In addition, our malware analysts discovered yet another app that supposedly allowed virtual rewards to be converted into real money.

## Principal trends of Q3 2025

- Android.MobiDash ad-displaying trojans became the most widespread threats
- The activity of Android.HiddenAds adware trojans continued to decline
- The number of Android.BankBot banking trojan attacks increased
- Banking trojans Android.Banker and Android.SpyMax were less active
- Cybercriminals used a multi-functional backdoor, Android.Backdoor.916.origin, to attack representatives of Russian businesses
- Many malicious apps were found on Google Play

## According to statistics collected by Dr.Web Security Space for mobile devices

### Android.MobiDash.7859

A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.

### Android.FakeApp.1600

A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.

### Android.Click.1812

The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.

### Android.HiddenAds.673.origin

A trojan app designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. When these infect Android devices, they typically conceal their presence from the user. For example, they “hide” their icons from the home screen menu.

### Android.Triada.5847

The detection name for a packer for Android.Triada trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with malicious Telegram messenger mods in which these trojans are embedded.

### Program.FakeMoney.11

The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.

### Program.CloudInject.5, Program.CloudInject.1

The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps: blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.

### Program.FakeAntiVirus.1

The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.

### Program.TrackView.1.origin

The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, take photos and video with the camera, eavesdrop via the microphone, record audio, etc.

### Tool.NPMod.3, Tool.NPMod.1, Tool.NPMod.4

The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.

### Tool.LuckyPatcher.2.origin

A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to a shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.

### Tool.Androlua.1.origin

The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.

### Adware.AdPush.3.origin, Adware.Adpush.21846

Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

### Adware.ModAd.1

The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.

### Adware.Youmi.4

The detection name for an unwanted adware module that adds advertising shortcuts onto the Android OS home screen.

### Adware.Basement.1

These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.

## Threats on Google Play

In Q3 2025, Doctor Web's anti-virus laboratory detected over 50 trojans from the Android.Joker family which subscribe users to paid services. They were distributed under the guise of different software, including messengers, various system tools, image-editing apps, camera apps, programs for working with documents, etc. One trojan was hidden in the system-optimizing app Clean Boost (Android.Joker.2412), and another in the PDF-creation app Convert Text to PDF (Android.Joker.2422).

Moreover, our specialists discovered more fake apps from the Android.FakeApp family being used in fraudulent schemes. As before, cybercriminals passed off some of them as financial apps, such as reference books, teaching aids, and software for accessing investment services. Other Android.FakeApp trojans were distributed as games and under certain conditions could load bookmaker and online casino websites instead of operating as promised.

*Figure: Examples of Android.FakeApp trojans disguised as financial apps. Android.FakeApp.1889 offered users the chance to test their financial literacy and Android.FakeApp.1890 the opportunity to develop financial intellection.*

Our experts also discovered Program.FakeMoney.16, an unwanted app distributed as software called Zeus Jackpot Mania. In this program, users could get virtual rewards that they could supposedly convert into real money and withdraw.

*Figure: Program.FakeMoney.16 on Google Play.*

To “withdraw” the money, victims had to give this app some of their data. However, ultimately, they did not receive any payments.

*Figure: Program.FakeMoney.16 asks users to provide their full name and information about their bank account.*

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

## Indicators of compromise
# Analysis Summary
This summary synthesizes the information regarding malware families, tools, and observed TTPs from Dr.Web's Q3 2025 mobile threat review.
# Tool/Technique: Android.MobiDash
## Overview
Android.MobiDash is an ad-displaying trojan that became the most widespread mobile threat in Q3 2025, showing an 18.19% increase in detections compared to the previous quarter. Its primary function is to display conspicuous advertisements.
## Technical Details
- Type: Malware Family (Adware Trojan)
- Platform: Android
- Capabilities: Displays obnoxious ads.
- First Seen: Not specified (Widespread in Q3 2025).
## MITRE ATT&CK Mapping
As an adware trojan focused on displaying nuisance ads, the primary tactics relate to impact and execution.
- TA0001 - Initial Access
- T1473 - Drive-by Compromise (potentially via malicious app stores)
- TA0011 - Command and Control (Inferential, for C2 or updates)
- T1071 - Application Layer Protocol
- TA0010 - Impact (T1486 - Data Encrypted for Impact, or T1487 - System Shutting Down/Modifying Output)
- T1487 - Output Blocking
## Functionality
### Core Capabilities
- Display obnoxious advertisements to users.
- Often incorporated as a software module within legitimate-looking applications.
### Advanced Features
- None explicitly detailed beyond ad display.
## Indicators of Compromise
- File Hashes: Not provided in the text.
- File Names: Variants include `Android.MobiDash.7859`.
- Registry Keys: Not applicable (Android).
- Network Indicators: Not provided in the text.
- Behavioral Indicators: High frequency of ad display events, often full-screen.
## Associated Threat Actors
- Undetermined; widespread distribution suggests opportunistic threat actors.
## Detection Methods
- Signature-based detection (by Dr.Web Security Space).
- Behavioral detection (monitoring excessive ad activity).
## Mitigation Strategies
- Install reputable mobile security software (e.g., Dr.Web for Android).
- Exercise caution when installing new applications, especially those that request excessive permissions without justification.
## Related Tools/Techniques
- Android.HiddenAds (Adware trojan, currently declining in activity).
***
# Tool/Technique: Android.HiddenAds
## Overview
Android.HiddenAds is an adware trojan that fell to second place in prevalence during Q3 2025, showing a significant decline in activity (71.85% drop over three months). Its primary malicious feature is concealing its icon to make detection and removal difficult after installation.
## Technical Details
- Type: Malware Family (Adware Trojan)
- Platform: Android
- Capabilities: Icon concealment, display of intrusive ads, including full-screen videos.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
The concealment technique aligns with defense evasion.
- TA0005 - Defense Evasion
- T1562 - Disable or Modify Tools
- T1562.001 - Disable or Modify Cloud Resources (Analogous to hiding locally)
- TA0010 - Impact
- T1486 - Data Encrypted for Impact (Affecting usability via fullscreen ads)
## Functionality
### Core Capabilities
- Display intrusive advertisements (including fullscreen videos).
- Conceal application icons on the home screen/app drawer.
### Advanced Features
- Stealth mechanisms (icon hiding) for persistence.
- Some variants may be installed by other malware into the system directory.
## Indicators of Compromise
- File Names: Variants include `Android.HiddenAds.673.origin`.
- Behavioral Indicators: Absence of an expected application icon post-installation; intrusive ad delivery.
## Associated Threat Actors
- Opportunistic adware distributors.
## Detection Methods
- Signature-based detection.
- Behavioral monitoring for icon removal or unexpected ad display.
## Mitigation Strategies
- Routinely review the installed-apps list in system settings, since an app with no visible home-screen icon that still generates ads or other unwanted behavior is a sign of this family.
- Use security software to monitor system file changes.
## Related Tools/Techniques
- Android.MobiDash (Another leading adware trojan).
***
# Tool/Technique: Android.FakeApp
## Overview
Android.FakeApp trojans are utilized in various fraudulent schemes. They trick users by promising specific functionality but instead load unwanted websites, particularly fraudulent sites, bookmaker platforms, or online casinos. Detections decreased by 7.49% in Q3 2025.
## Technical Details
- Type: Malware Family (Trojan)
- Platform: Android
- Capabilities: Loading user-defined external websites (often fraudulent/gambling).
- First Seen: Not specified.
## MITRE ATT&CK Mapping
This is primarily used for credential/financial manipulation and phishing.
- TA0006 - Credential Access
- T1553 - Subvert Trust Controls (via fake interfaces)
- TA0001 - Initial Access (Distribution via app stores)
- TA0011 - Command and Control
- T1573 - Encrypted Channel
## Functionality
### Core Capabilities
- Deceive users by pretending to offer legitimate software functions (e.g., financial literacy tools, games).
- Load hardcoded, malicious, or unwanted external websites (casinos, bookmakers).
### Advanced Features
- Sophisticated social engineering, masquerading as financial education apps (e.g., `Android.FakeApp.1889` and `Android.FakeApp.1890`).
## Indicators of Compromise
- File Names: Variants include `Android.FakeApp.1600`, `Android.FakeApp.1889`, `Android.FakeApp.1890`.
- Behavioral Indicators: Application launching triggers an immediate redirect to an external URL instead of delivering declared functionality.
## Associated Threat Actors
- Cybercriminals running online promotional/gambling scams.
## Detection Methods
- Application behavior analysis, specifically checking network requests upon launch or user interaction.
## Mitigation Strategies
- Avoid sideloading apps; source applications carefully, preferably directly from official app stores.
- Be wary of applications that promise financial knowledge or excessive virtual rewards.
## Related Tools/Techniques
- Program.FakeMoney (Associated with payment request scams).
***
# Tool/Technique: Android.Banker
## Overview
Android.Banker remains the most widespread banking malware despite a 38.88% decline in activity in Q3 2025. These trojans aim to illegally access banking accounts and steal money through various overlays and interception techniques.
## Technical Details
- Type: Malware Family (Banking Trojan)
- Platform: Android
- Capabilities: Phishing overlays, SMS interception for 2FA codes, imitation of legitimate banking software.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
This malware family heavily leverages interception and credential theft.
- TA0006 - Credential Access
- T1553 - Subvert Trust Controls (using overlays to mimic legitimate apps)
- T1431 - Input Capture (via keystroke logging or screen capture)
- TA0003 - Persistence (Subtle system integration)
- TA0002 - Execution
- T1469 - Intercepting or Modifying Data
- T1469.001 - Intercepting SMS Messages
## Functionality
### Core Capabilities
- Display phishing windows to capture logins and passwords.
- Intercept SMS messages to steal one-time confirmation codes (MFA bypass).
### Advanced Features
- Imitate the visual appearance of official banking software for successful social engineering.
## Indicators of Compromise
- Behavioral Indicators: Prompting unauthorized input requests; attempts to read incoming SMS messages.
## Associated Threat Actors
- Financial cybercriminals targeting banking credentials.
## Detection Methods
- Monitoring for overlay windows displayed over banking applications.
- SMS interception monitoring.
## Mitigation Strategies
- Never enter sensitive data into prompts appearing outside the official banking application interface.
- Use hardware tokens if available, or only rely on authenticated application processes for 2FA confirmation.
## Related Tools/Techniques
- Android.BankBot, Android.SpyMax (Other prominent banking malware).
***
# Tool/Technique: Android.BankBot
## Overview
Android.BankBot detection increased by 18.91% in Q3 2025. These trojans focus on gaining access to online banking accounts, often by intercepting confirmation codes, and can also execute remote commands sent by the cybercriminals, sometimes enabling remote device control.
## Technical Details
- Type: Malware Family (Banking Trojan/Bot)
- Platform: Android
- Capabilities: Intercepting confirmation codes, executing arbitrary remote commands, potential for Remote Access Trojan (RAT) functions.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
This family demonstrates command execution capabilities beyond simple theft.
- TA0011 - Command and Control
- T1059 - Command and Scripting Interpreter (Remote execution of commands)
- TA0006 - Credential Access (SMS Interception)
- TA0008 - Lateral Movement (Implied via remote control capabilities)
## Functionality
### Core Capabilities
- Intercept SMS codes for online banking authorization.
- Receive and execute various commands from the C2 server.
### Advanced Features
- Remote control capability for the infected device.
## Indicators of Compromise
- Behavioral Indicators: Communication with external infrastructure for command retrieval; unauthorized SMS reading.
## Associated Threat Actors
- Organized groups capable of maintaining persistent C2 infrastructure for command delivery.
## Detection Methods
- Monitoring for unusual system interactions or unauthorized SMS access.
## Mitigation Strategies
- Restrict third-party app SMS permissions where possible.
- Ensure devices are not rooted or jailbroken, which could facilitate increased command execution privileges.
## Related Tools/Techniques
- Android.Banker, Android.SpyMax.
***
# Tool/Technique: Android.SpyMax
## Overview
Android.SpyMax banking trojans were detected 17.25% less often than in the previous quarter. Notably, this malware is derived from the source code of the **SpyNote** spyware trojan, indicating a lineage that prioritizes surveillance and remote control functionalities alongside banking theft objectives.
## Technical Details
- Type: Malware Family (Banking Trojan/Spyware)
- Platform: Android
- Capabilities: Remote device control, based on SpyNote code.
- First Seen: Not specified (Activity decreased in Q3 2025).
## MITRE ATT&CK Mapping
Leverages extensive spying and control mechanisms inherited from SpyNote.
- TA0008 - Lateral Movement (Implied access scope)
- TA0012 - Collection
- T1113 - Screen Capture
- T1119 - Data from Local System (Stealing files)
- TA0007 - Discovery
- TA0011 - Command and Control (Remote Control)
## Functionality
### Core Capabilities
- Stealing money (Banking Trojan aspect).
- Providing a wide range of remote surveillance and control functions.
### Advanced Features
- Based on SpyNote source code, providing sophisticated RAT capabilities.
- Remote device control.
## Indicators of Compromise
- Behavioral Indicators: High volume of background operations suggestive of deep system monitoring (location tracking, camera activation, microphone eavesdropping—characteristics associated with SpyNote).
## Associated Threat Actors
- Actors interested in deep surveillance alongside financial gain.
## Detection Methods
- Profiling for code components matching known SpyNote libraries.
## Mitigation Strategies
- Tight control over application permissions, especially microphone, camera, and location services.
## Related Tools/Techniques
- SpyNote (Source code lineage).
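The manifest-level signals named in the HiddenAds, Android.Banker/BankBot and SpyMax sections above, gathered into one offline triage script. This is an added example written for this page, not Dr.Web's detection logic; the permission names are real Android permissions, while the two manifests and the package names in them are constructed samples.

```python
"""Static triage of a decoded AndroidManifest.xml for the behaviours the
review describes: a launcher icon that is absent or shipped disabled
(Android.HiddenAds), SMS interception combined with overlay or accessibility
capability (Android.Banker, Android.BankBot), and the camera/microphone/
location trio of SpyNote-derived RATs (Android.SpyMax).  Added example, not
Dr.Web tooling; the two manifests below are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SURVEILLANCE_PERMS = {"android.permission.CAMERA",
                      "android.permission.RECORD_AUDIO",
                      "android.permission.ACCESS_FINE_LOCATION"}


def _attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a list of human-readable findings; an empty list means no
    pattern from the review was matched (it does not mean the app is safe)."""
    root = ET.fromstring(xml_text)
    perms = {_attr(p, "name") for p in root.iter("uses-permission")}
    findings = []

    # 1. Icon concealment. Runtime hiding via setComponentEnabledSetting is
    #    invisible here, but an app with no LAUNCHER activity, or whose
    #    LAUNCHER activity is declared android:enabled="false", never shows
    #    an icon at all, which is the end state HiddenAds aims for.
    launchers = []
    for node in list(root.iter("activity")) + list(root.iter("activity-alias")):
        for flt in node.iter("intent-filter"):
            cats = {_attr(c, "name") for c in flt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                launchers.append(node)
    if not launchers:
        findings.append("icon: no LAUNCHER activity declared")
    for node in launchers:
        if _attr(node, "enabled") == "false":
            findings.append("icon: LAUNCHER %s shipped disabled" % _attr(node, "name"))

    # 2. Banker pattern: reading incoming SMS (one-time codes) together with
    #    the ability to draw phishing windows over other apps, either via the
    #    overlay permission or an accessibility service.
    has_sms = bool(perms & SMS_PERMS)
    has_overlay = OVERLAY_PERM in perms
    has_a11y = any(_attr(s, "permission") == ACCESSIBILITY_PERM
                   for s in root.iter("service"))
    if has_sms and (has_overlay or has_a11y):
        findings.append("banker: SMS access plus overlay/accessibility capability")
    elif has_sms:
        findings.append("sms: READ_SMS/RECEIVE_SMS requested")

    # 3. Surveillance trio typical of SpyNote-based remote-control trojans.
    if SURVEILLANCE_PERMS <= perms:
        findings.append("spyware: camera, microphone and location all requested")
    return findings


# Constructed sample: a fake "anti-virus" that hides its icon and asks for
# SMS plus overlay access.  Not a real sample from the review.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeav">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="AntiVirus">
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SmsService"/>
  </application>
</manifest>"""

# Constructed sample: an ordinary note-taking app with a normal launcher.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("fakeav", SUSPICIOUS_MANIFEST), ("notes", BENIGN_MANIFEST)):
        print(label, triage_manifest(text) or ["no findings"])
```

Run it against a manifest decoded with apktool; an icon hidden at runtime by setComponentEnabledSetting leaves no trace in the manifest, so pair this with an on-device check of disabled launcher components.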
***
# Tool/Technique: Android.Backdoor.916.origin
## Overview
This is a multi-functional backdoor used in targeted attacks, reported in a campaign disclosed in August 2025. Distribution relied on social engineering: threat actors sent messages via messengers offering a fake "anti-virus" in an attached APK file. Its primary purposes are data theft and espionage. Doctor Web's analysts believe it is not intended for mass distribution.
## Technical Details
- Type: Malware Family (Backdoor)
- Platform: Android
- Distribution Vector: Targeted social engineering via messengers (APK attachment).
- First Seen: First versions discovered January 2025; campaign active in Q3 2025.
## MITRE ATT&CK Mapping
This clearly targets specific organizations through social engineering.
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Via messenger APK)
- TA0010 - Collection
- T1119 - Data from Local System
- TA0007 - Discovery
## Functionality
### Core Capabilities
- Steal confidential data.
- Spy on Android device users.
### Advanced Features
- Multi-functional backdoor capabilities for persistent access.
- Used in targeted attacks (likely espionage or corporate theft).
## Indicators of Compromise
- Distribution Method: Claims of an "anti-virus" distributed via messaging app attachments (APKs).
- Target Profile: Representatives of Russian businesses.
## Associated Threat Actors
- Actors performing targeted espionage or specific corporate intrusion campaigns (APT-like activity).
## Detection Methods
- Detecting suspicious APK installations originating from peer-to-peer messaging platforms.
## Mitigation Strategies
- Strict policy against installing unknown APKs, even if presented as security software by known contacts (due to potential account compromise).
- Email/messenger gateway scanning for suspicious attachments.
## Related Tools/Techniques
- General Backdoor families.
***
# Tool/Technique: Android.Joker
## Overview
Dozens of Android.Joker trojans were found on Google Play in Q3 2025; together with the other malicious programs found on the store that quarter, they accounted for over 1,459,000 installations. Their core function is subscribing victims to paid services without consent, disguised as utility, document, camera, or messenger applications.
## Technical Details
- Type: Malware Family (Subscription Trojan)
- Platform: Android (Distributed via Google Play)
- Capabilities: Covert subscription to premium/paid services.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
This focuses on financial impact through hidden monetization.
- TA0010 - Impact
- T1485 - Data Destruction (Financial loss via unauthorized subscriptions)
- TA0001 - Initial Access (T1479 - Compromising Software Supply Chain; direct inclusion in Google Play indicates the apps passed store review)
## Functionality
### Core Capabilities
- Silently enrolling users in recurring paid services.
### Advanced Features
- Masquerading as benign utilities (e.g., PDF converters, system optimizers).
- Variants cited: `Android.Joker.2412` (in Clean Boost) and `Android.Joker.2422` (in Convert Text to PDF).
## Indicators of Compromise
- File Names/App Context: Found in apps like "Clean Boost," "Convert Text to PDF."
- Behavioral Indicators: Unexpected recurring charges appearing on phone bills or payment methods linked to the device.
## Associated Threat Actors
- Monetization-focused criminal groups.
## Detection Methods
- Google Play security scanning focusing on subscription initiation attempts post-installation.
## Mitigation Strategies
- Regular review of recurring charges on mobile service bills.
- Restricting apps' ability to interact with communication or payment frameworks.
## Related Tools/Techniques
- Android.FakeApp (Co-distributed on Google Play).
***
# Tool/Technique: Program.FakeMoney.16 (Zeus Jackpot Mania)
## Overview
Program.FakeMoney.16 was identified as an unwanted application distributed on Google Play, specifically disguised as a game called "Zeus Jackpot Mania." It promised users the ability to convert accumulated virtual rewards into real money, but ultimately required victims to submit personal data (full name, bank account details) without ever paying out the promised funds.
## Technical Details
- Type: Unwanted Program (Financial Scam/Fraud)
- Platform: Android (Distributed via Google Play)
- Capabilities: Deceptive reward accumulation system to harvest PII and banking information.
- First Seen: Q3 2025.
## MITRE ATT&CK Mapping
Classic social engineering leading to information harvesting.
- TA0006 - Credential Access
- T1553 - Subvert Trust Controls (Trust established via virtual reward mechanism)
- TA0009 - Collection
- T1114 - Data Staged (Collecting PII/financial details)
## Functionality
### Core Capabilities
- Offer virtual currency/rewards within an in-app economy.
- Harvest Personally Identifiable Information (PII) and bank account details under the pretext of payment withdrawal.
### Advanced Features
- Mimics functionality of legitimate payment systems for trust building.
## Indicators of Compromise
- App Name Context: "Zeus Jackpot Mania."
- Behavioral Indicators: Attempts to gather full names and bank account details before payout processing.
## Associated Threat Actors
- Financial scammers utilizing gamification for data theft.
## Detection Methods
- Detection based on suspicious data collection requests coinciding with reward withdrawal prompts.
## Mitigation Strategies
- Extreme skepticism regarding any application offering large sums of real money for simple in-app tasks.
## Related Tools/Techniques
- Android.FakeApp (Shares goal of deceiving users for illicit gain).
***
# Tool/Technique: Android.Click.1812
## Overview
Android.Click.1812 is a detection name applied to malicious modifications (mods) of the WhatsApp messenger. These mods covertly load various websites in the background, redirecting users to advertised content.
## Technical Details
- Type: Malware Variant (Modified Application/Adware)
- Platform: Android
- Capabilities: Covert background loading of URLs/advertisements via WebView component.
## MITRE ATT&CK Mapping
Focuses on unauthorized access to information flow for advertising delivery.
- TA0005 - Defense Evasion (Modifying existing trusted application)
- TA0010 - Impact (Delivery of unwanted content)
## Functionality
### Core Capabilities
- Load hidden web content when the legitimate messenger is running.
### Advanced Features
- Exploits trust associated with modified, popular messaging applications.
## Related Tools/Techniques
- Adware.ModAd.1 (Modified WhatsApp versions that inject code to load target URLs).
***
# Tool/Technique: Program.CloudInject.5 / Program.CloudInject.1 / Tool.CloudInject
## Overview
These detections identify Android programs that have been modified using the CloudInject cloud service or utility. The modification process is remote, meaning the user who initiates the modification cannot precisely control what malicious code or payloads are added. The modified programs request dangerous system permissions and can be remotely managed by the modders (including blocking or displaying custom dialogs).
## Technical Details
- Type: Utility/Service (Cloud Modification Framework)
- Platform: Android
- Capabilities: Remote modification of installed applications; enabling remote management of the infected app (T1105).
## MITRE ATT&CK Mapping
This involves supply chain compromise and persistent remote control.
- TA0005 - Defense Evasion (Leveraging authorized app structure but injecting unknown code)
- TA0011 - Command and Control
- T1078 - Valid Accounts (If the modder uses legitimate developer credentials)
## Functionality
### Core Capabilities
- Remote injection of code or functionality into existing applications.
- Granting dangerous system permissions to the modified app.
### Advanced Features
- Remote management capabilities (blocking apps, showing custom prompts).
## Associated Threat Actors
- Developers/users of the CloudInject service interested in customizing or weaponizing legitimate apps.
## Detection Methods
- Behavioral detection targeting apps that frequently interact with external services for runtime configuration changes or permission escalations post-installation.
## Related Tools/Techniques
- Tool.NPMod (Similar modification utility).
***
# Tool/Technique: Tool.NPMod / Tool.LuckyPatcher.2.origin
## Overview
**Tool.NPMod** refers to applications modified using the NP Manager utility, which embeds a module allowing the modified apps to bypass digital signature verification. **Tool.LuckyPatcher** is a utility that allows modification (patching) of installed apps to change logic or bypass restrictions, such as disabling root/security checks in banking apps or gaining unlimited in-game resources. Scripts used by Lucky Patcher can be malicious.
## Technical Details
- Type: Tool (Application Modification Utility)
- Platform: Android
- Capabilities: Bypassing signature verification (NPMod); altering application logic/security checks (LuckyPatcher).
## MITRE ATT&CK Mapping
These tools are used by actors to bypass security controls already in place.
- TA0005 - Defense Evasion
- T1553 - Subvert Trust Controls (Bypassing signature checks or security verification)
## Functionality
### Core Capabilities
- Modifying package structure to bypass checks.
- Disabling security features (e.g., root detection in banking apps).
## Mitigation Strategies
- Developers should use strong integrity checks and obfuscation to prevent patching.
- Security software must detect tampering attempts and the invocation of patching tools.
## Related Tools/Techniques
- Tool.CloudInject (Another modification mechanism).