Full Report
December 26, 2024

According to detection statistics collected by Dr.Web Security Space for mobile devices, Android.HiddenAds ad-displaying trojans were the malware programs most frequently detected in the fourth quarter of 2024 (Q4). The second most common threats were Android.FakeApp trojans, which are used in fraudulent schemes. Trojans from the Android.Siggen family, capable of executing various malicious tasks, ranked third.

Over the course of Q4, Doctor Web’s malware analysts discovered many threats on Google Play. Among them were numerous Android.FakeApp trojans and malware from the Android.Subscription and Android.Joker families, which subscribe users to paid services. More Android.HiddenAds adware trojans were also detected. In addition, threat actors distributed malicious apps protected with a sophisticated software packer.

## Principal trends of Q4 2024

- High activity on the part of Android.HiddenAds adware trojans and Android.FakeApp fraudulent apps
- The distribution of many malicious programs through the Google Play catalog

## According to statistics collected by Dr.Web Security Space for mobile devices

- **Android.FakeApp.1600**: A trojan app that loads a website hardcoded into its settings. Known modifications of this malicious program load an online casino site.
- **Android.HiddenAds.655.origin**, **Android.HiddenAds.657.origin**: Trojan apps designed to display intrusive ads. Members of the Android.HiddenAds family are often distributed as popular and harmless applications. In some cases, other malware can install them in the system directory. Once they infect Android devices, they typically conceal their presence from the user; for example, they “hide” their icons from the home screen menu.
- **Android.Packed.57083**: The detection name for malicious applications protected with the ApkProtector software packer. Among them are banking trojans, spyware, and other malicious software.
- **Android.Click.1751**: This trojan is built into third-party WhatsApp messenger mods and camouflaged as Google library classes. While the host application is being used, Android.Click.1751 connects to one of the C&C servers and receives two URLs from it. One of them is intended for Russian-speaking users, and the other is for everyone else. The trojan then displays a dialog box whose contents it has also received from a remote server. When the user clicks the confirmation button, the malware loads the corresponding link in the browser.
- **Program.FakeMoney.11**: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each completed task. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
- **Program.FakeAntiVirus.1**: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
- **Program.CloudInject.1**: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, users can remotely manage these apps: they can block them, display custom dialogs, track when other software is being installed on or removed from the device, etc.
- **Program.TrackView.1.origin**: The detection name for a program that allows users to be monitored via their Android devices. Malicious actors can utilize it to track a target device’s location, use the camera to record video and take photos, eavesdrop via the microphone, record audio, etc.
- **Program.SecretVideoRecorder.1.origin**: The detection name for various modifications of an application designed to record videos and take photos in the background, using the built-in Android device cameras. It can operate covertly by allowing notifications about ongoing recordings to be disabled. It also allows an app’s icon and name to be replaced with fake ones. This functionality makes this software potentially dangerous.
- **Tool.NPMod.1**: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
- **Tool.SilentInstaller.14.origin**: A riskware platform that allows applications to launch APK files without installing them. It creates a virtual runtime environment in the context of the apps into which it is integrated. The APK files launched with the help of this platform can operate as if they were part of such programs and can also obtain the same permissions.
- **Tool.LuckyPatcher.1.origin**: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to the common database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
- **Tool.Packer.1.origin**: A packer tool designed to protect Android applications from unauthorized modifications and reverse engineering. This tool is not malicious in itself, but it can be used to protect both harmless and malicious software.
- **Tool.Androlua.1.origin**: The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in the corresponding scripts, which are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.
- **Adware.ModAd.1**: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) while the messenger is in operation. Such web addresses redirect to advertised sites, including online casino, bookmaker, and adult sites.
- **Adware.Basement.1**: These are apps that display unwanted ads which often lead to malicious and fraudulent websites. They share a common code base with the Program.FakeMoney.11 unwanted applications.
- **Adware.Fictus.1.origin**: An adware module that malicious actors embed into cloned versions of popular Android games and applications. Its incorporation is facilitated by a specialized net2share packer. Copies of software created this way are then distributed through various software catalogs. When installed on Android devices, such apps and games display obnoxious ads.
- **Adware.AdPush.3.origin**, **Adware.Adpush.21846**: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.

## Threats on Google Play

In Q4 2024, Doctor Web’s malware analysts discovered over 60 malicious apps on Google Play, most of which were trojans from the Android.FakeApp family. Some of them were distributed as financial programs, teaching aids, reference books, and other software, including diaries, notepads, and so on. Their primary task was to load fraudulent websites.

*Figure: The “QuntFinanzas” and “Trading News” apps, which, among numerous other Android.FakeApp trojans, loaded fraudulent sites*

Malicious actors disguised other Android.FakeApp trojans as games. These could load online casino and bookmaker websites.

*Figure: “Bowl Water” and “Playful Petal Pursuit” are examples of games with trojan functionality*

Our experts also uncovered new variants of the Android.FakeApp.1669 trojan, which hid behind the mask of various programs and could also load online casino websites. Android.FakeApp.1669 is interesting in that it gets the target website URL from a TXT record served by a malicious DNS server. At the same time, it only manifests itself when connected to the Internet through certain providers.

*Figure: Examples of new Android.FakeApp.1669 trojan modifications. The “WordCount” app was disguised as a text tool, and the “Split it: Checks and Tips” app was supposed to help café- and restaurant-goers pay their bills and calculate tips.*

Several new members of the Android.HiddenAds adware trojan family were among the threats detected on Google Play. They conceal their presence on infected devices.

*Figure: The “Cool Fix Photo Enhancer” photo-editing software was hiding the Android.HiddenAds.4013 ad-displaying trojan*

Moreover, trojans protected with a sophisticated software packer were also discovered: Android.Packed.57156, Android.Packed.57157, and Android.Packed.57159, for example.

*Figure: The “Lie Detector Fun Prank” and “Speaker Dust and Water Cleaner” programs are trojans protected with a software packer*

Our specialists also detected Android.Subscription.22, malware designed to subscribe users to paid services.

*Figure: Instead of editing photos, the “InstaPhoto Editor” program subscribed users to a paid service*

At the same time, cybercriminals again distributed trojans from the Android.Joker family, which also subscribed victims to paid services.

*Figure: The SMS messenger “Smart Messages” and the third-party keyboard “Cool Keyboard” tried to covertly subscribe victims to a paid service*

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

Indicators of compromise
Analysis Summary
# Tool/Technique: Android.HiddenAds
## Overview
Android.HiddenAds is a family of adware trojans primarily focused on displaying intrusive advertisements to the user. These trojans are often distributed disguised as popular and seemingly harmless applications. A key characteristic is their attempt to conceal their presence post-infection, often by hiding their icons from the home screen menu.
## Technical Details
- Type: Malware Family (Adware Trojan)
- Platform: Android
- Capabilities: Displaying intrusive advertisements, concealing presence from the user.
- First Seen: Not given in the report; Q4 2024 was noted as a period of high activity.
## MITRE ATT&CK Mapping
Since the described actions involve concealment from the user, ad delivery, and distribution via Google Play, the following mappings are relevant:
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: (Implied persistence via system directory installation)
- **TA0005 - Defense Evasion**
- T1628.001 - Hide Artifacts: Suppress Application Icon (Mobile ATT&CK): (Hiding the launcher icon after infection)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols: (Required for fetching ad content/commands)
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise: (Distribution via Google Play)
## Functionality
### Core Capabilities
- Display intrusive advertisements.
- Conceal presence from the user (e.g., hiding app icons).
### Advanced Features
- In some cases, these trojans can be installed into the system directory by other malware.
- Variants like **Android.HiddenAds.4013** were found distributed via Google Play disguised as benign software (e.g., photo-editing apps).
## Indicators of Compromise
- File Hashes: Not provided in the report; the associated detection names are Android.HiddenAds.655.origin and Android.HiddenAds.657.origin.
- File Names: Disguised as popular applications (e.g., "Cool Fix Photo Enhancer").
- Registry Keys: Not applicable on Android.
- Network Indicators: Traffic to fetch ad content; no domains are given in the report.
- Behavioral Indicators: Attempts to hide launcher icons; displays intrusive ads.
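Android.HiddenAds hides its icon by disabling the app's own launcher activity after installation, and that runtime state is visible off-device in `adb shell dumpsys package` output. The triage script below is an added example, not code from the report or from Doctor Web: it parses a constructed dumpsys excerpt (layout assumed from typical Android output, so verify it against your device) and lists non-system packages that have disabled one of their own components; all package names are placeholders.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of `adb shell dumpsys package` (layout assumed; package
# names are placeholders, and com.example.coolfix stands in for the "Cool Fix Photo Enhancer"
# app named in the report). Component entries are class names, as dumpsys prints them.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1a2b3c):
    userId=10089
    codePath=/system/app/Chrome
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      gids=[3003]
  Package [com.example.coolfix] (4d5e6f):
    userId=10231
    codePath=/data/app/~~abc==/com.example.coolfix-xyz==
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      gids=[3003]
      disabledComponents:
        com.example.coolfix.MainActivity
      enabledComponents:
        com.example.coolfix.AdService
  Package [com.example.notes] (7a8b9c):
    userId=10232
    codePath=/data/app/~~def==/com.example.notes-uvw==
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false enabled=0
      gids=[3003]
"""

PKG_RE = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
CODEPATH_RE = re.compile(r"^\s*codePath=(?P<path>\S+)")
SECTION_RE = re.compile(r"^\s*(?P<name>disabledComponents|enabledComponents):\s*$")
COMPONENT_RE = re.compile(r"^\s+(?P<cls>[\w.$]+)\s*$")


def parse_component_state(dump: str) -> Dict[str, dict]:
    """Map each package to its codePath and its runtime-disabled/enabled component lists."""
    pkgs: Dict[str, dict] = {}
    current = None   # package whose block we are inside
    section = None   # "disabled" / "enabled" while reading a component list, else None
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m["pkg"]
            pkgs[current] = {"codePath": "", "disabled": [], "enabled": []}
            section = None
            continue
        if current is None:
            continue
        m = CODEPATH_RE.match(line)
        if m:
            pkgs[current]["codePath"] = m["path"]
            continue
        m = SECTION_RE.match(line)
        if m:
            section = "disabled" if m["name"] == "disabledComponents" else "enabled"
            continue
        m = COMPONENT_RE.match(line) if section else None
        if m:
            pkgs[current][section].append(m["cls"])
        else:
            section = None   # any other line ends the component list
    return pkgs


def hidden_launcher_candidates(pkgs: Dict[str, dict]) -> List[str]:
    """Non-system packages that disabled one of their own components at runtime.

    A disabled launcher activity in a user-installed app is the usual footprint of
    icon hiding; confirm against the package's manifest (or the Activity Resolver
    Table in the same dump) before treating the app as malicious.
    """
    return sorted(
        pkg for pkg, info in pkgs.items()
        if info["disabled"] and not info["codePath"].startswith("/system")
    )


if __name__ == "__main__":
    state = parse_component_state(SAMPLE_DUMPSYS)
    for pkg in hidden_launcher_candidates(state):
        print(pkg, "disabled:", state[pkg]["disabled"])
```

Feed it the full output of `adb shell dumpsys package` from a suspect device; the regexes ignore the many other sections of that dump.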
## Associated Threat Actors
- Not explicitly named, but associated with high-volume malware distribution campaigns via Google Play in Q4 2024.
## Detection Methods
- Detection by Dr.Web Security Space (identified by names like **Android.HiddenAds.655.origin**, **Android.HiddenAds.657.origin**, **Android.HiddenAds.4013**).
## Mitigation Strategies
- Install mobile security solutions like Dr.Web.
- Exercise caution when installing applications, including from Google Play, particularly those posing as popular utilities.
## Related Tools/Techniques
- Other high-ranking Q4 threats like **Android.FakeApp** (fraudulent schemes).
***
# Tool/Technique: Android.FakeApp
## Overview
Android.FakeApp is a family of trojans utilized in fraudulent schemes. Their primary function is to load hardcoded or remotely fetched websites, often leading to phishing, online gambling, or other scam sites. This malware was highly prevalent in Q4 2024 detections and on Google Play.
## Technical Details
- Type: Malware Family (Fraud Trojan)
- Platform: Android
- Capabilities: Loading hardcoded or remotely retrieved websites (often online casinos or bookmakers).
- First Seen: Not given in the report; highly active in the Q4 2024 statistics.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise: (Distribution via Google Play)
- **TA0010 - Exfiltration**
- T1041 - Exfiltration Over C2 Channel: (If used to funnel users to fraudulent sites for data harvesting)
## Functionality
### Core Capabilities
- Load a hardcoded website upon launch (**Android.FakeApp.1600** loads online casino sites).
- Distribution through various application disguises (financial programs, diaries, games like "Bowl Water" and "Playful Petal Pursuit").
### Advanced Features
- **Android.FakeApp.1669**: Retrieves the target website URL from a malicious DNS server's TXT record and may only activate when connected through specific Internet providers.
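Android.FakeApp.1669 fetches its target URL from a DNS TXT record, so the lookup is visible to a resolver even on networks where the app stays dormant. The sweep below is an added example, not from the report or Doctor Web: it scans constructed resolver log lines for TXT answers that carry a URL, in the clear or base64-wrapped (the base64 case goes beyond what the report describes); the log format, domains and client addresses are made up.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed resolver log, one answer per line: "<ts> <client> <qname> <qtype> <rdata>".
# Domains under .invalid and the client addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-12-10T09:14:02Z 10.0.0.21 time.android.com A 216.239.35.0
2024-12-10T09:14:03Z 10.0.0.21 _dmarc.example.com TXT "v=DMARC1; p=reject"
2024-12-10T09:14:05Z 10.0.0.21 cfg.fakeapp-example.invalid TXT "https://casino.fakeapp-example.invalid/start?ref=app"
2024-12-10T09:14:06Z 10.0.0.33 update.fakeapp-example.invalid TXT "aHR0cHM6Ly9iZXQuZmFrZWFwcC1leGFtcGxlLmludmFsaWQv"
2024-12-10T09:14:07Z 10.0.0.33 example.org TXT "google-site-verification=abc123"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z]+) (?P<rdata>.*)$")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # long base64-alphabet runs only


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    qname: str
    url: str
    encoding: str  # "plain" or "base64"


def urls_in_txt(rdata: str) -> List[Tuple[str, str]]:
    """Return (url, encoding) pairs found in one TXT payload."""
    text = rdata.strip().strip('"')
    found = [(u, "plain") for u in URL_RE.findall(text)]
    # Extension beyond the report: a URL hidden as a base64 token in the record.
    for token in B64_RE.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid base64, or not text: leave it
        found.extend((u, "base64") for u in URL_RE.findall(decoded))
    return found


def find_txt_url_answers(log_text: str) -> List[Finding]:
    """Flag TXT answers whose payload carries a URL; other record types and benign TXT pass."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qtype"] != "TXT":
            continue
        for url, enc in urls_in_txt(m["rdata"]):
            findings.append(Finding(m["ts"], m["client"], m["qname"], url, enc))
    return findings


def clients_by_finding(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group flagged query names per client so each device is triaged once."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.client, []).append(f.qname)
    return out


if __name__ == "__main__":
    hits = find_txt_url_answers(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.client} {f.qname} -> {f.url} ({f.encoding})")
    print(clients_by_finding(hits))
```

Legitimate TXT records (SPF, DMARC, site verification) carry no URL and are not flagged, which keeps the hit list short enough to review by hand.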
## Indicators of Compromise
- File Hashes: (Not given in the report; associated with variants .1600 and .1669)
- File Names: Disguised as utility apps ("WordCount," "Split it: Checks and Tips") or games.
- Network Indicators: Direct connection to fraudulent websites (casinos, bookmakers).
- Behavioral Indicators: Loading web content (potentially disguised as legitimate UI).
## Associated Threat Actors
- Threat actors actively utilizing Google Play for mass distribution of these fraudulent applications.
## Detection Methods
- Detection by Dr.Web (e.g., **Android.FakeApp.1600**, **Android.FakeApp.1669**).
## Mitigation Strategies
- Only install apps from trusted sources.
- Be wary of apps that load external web content (in a WebView or the browser) immediately upon starting.
## Related Tools/Techniques
- **Android.HiddenAds** (also highly active in Q4; both families saw distribution via Google Play).
***
# Tool/Technique: Android.Click.1751
## Overview
Android.Click.1751 is a specific trojan embedded within third-party, modified versions (mods) of the WhatsApp messenger. It camouflages itself as legitimate Google library classes to remain hidden during the legitimate use of the host messenger application.
## Technical Details
- Type: Malware Variant (Trojan)
- Platform: Android (Specifically targeting users of third-party WhatsApp mods)
- Capabilities: Connecting to C2, receiving targeted URLs, displaying user dialogs, and launching content in the browser upon user confirmation.
- First Seen: Active in Q4 2024.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols: (Communicates with C2 for URLs)
- **TA0001 - Initial Access**
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain: (Infecting third-party messenger mods)
- T1204.002 - User Execution: Malicious File: (User installing the compromised mod)
## Functionality
### Core Capabilities
- Connect to C2 servers while the host app (WhatsApp mod) is in use.
- Receive two distinct URLs: one for Russian-speaking users and one for all others.
- Display a remotely configured dialog box to the user.
- Load the specified URL in the browser if the user presses the confirmation button.
### Advanced Features
- Camouflaged as Google library classes within the host application structure.
- Selects which of the two received URLs to deliver based on the user's language (one for Russian-speaking users, one for everyone else).
## Indicators of Compromise
- File Hashes: (Associated with variant **Android.Click.1751**)
- File Names: N/A (Embedded within modded WhatsApp APKs).
- Network Indicators: Connects to C2 servers to receive dual URLs.
- Behavioral Indicators: Displaying a server-supplied dialog while the messenger is in use; opening a received URL in the browser once the user confirms.
## Associated Threat Actors
- Threat actors targeting users of unofficial/modified messaging applications.
## Detection Methods
- Detection by Dr.Web upon analyzing the embedded code structure.
## Mitigation Strategies
- Avoid using modified or third-party versions of popular applications like WhatsApp.
- Ensure applications are sourced only from official app stores.
## Related Tools/Techniques
- **Adware.ModAd.1** (Also involves modified WhatsApp loading web content).
***
# Tool/Technique: Software Packers (ApkProtector, Generic Packer)
## Overview
Software packers are utilities used by developers to protect Android applications from reverse engineering and unauthorized modification. However, threat actors frequently use them to obfuscate malicious payloads, including banking trojans and spyware, making static analysis much harder.
## Technical Details
- Type: Dual-use tool (packer/obfuscation); not malicious in itself, but used to protect malicious as well as harmless software
- Platform: Android Applications (.apk)
- Capabilities: Protecting applications from unauthorized modification and reverse engineering.
- First Seen: Generic packers exist long-term; specific variants like **Android.Packed.57083** were active in Q4 2024.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information: (The primary function of a packer)
## Functionality
### Core Capabilities
- Obfuscate application code and resources.
- Hinder manual and automated inspection of the compiled payload.
### Advanced Features
- **Android.Packed.57083**: Detected protecting diverse malware types, including banking trojans and spyware.
- Specific variants like **Android.Packed.57156, .57157, .57159** were found on Google Play protecting malware.
- **Android.Packed.57083** specifically covers apps protected with the **ApkProtector** packer.
## Indicators of Compromise
- File Hashes: (Associated with detection names **Android.Packed.57083**, **.57156**, **.57157**, **.57159**).
- Static Indicators: Signatures of known packer stubs/headers or protective mechanisms found during initial file scanning.
## Associated Threat Actors
- Threat actors using advanced distribution methods, including deployment on Google Play, seeking to extend malware lifespan against static analysis.
## Detection Methods
- Signature-based detection targeting the packer metadata or compiled structure.
## Mitigation Strategies
- Employ advanced static and dynamic analysis techniques when evaluating applications.
- Security solutions must have effective packer unpacking capabilities.
## Related Tools/Techniques
- **Tool.Packer.1.origin** (The generic detection for the packer tool itself).
***
# Tool/Technique: Android.Subscription / Android.Joker
## Overview
These families monetize infections by subscribing users to paid services without their consent. **Android.Joker** resurfaced with this capability in Q4 2024, and **Android.Subscription.22** was specifically cited in the "InstaPhoto Editor" app, which subscribed users to a paid service instead of editing photos.
## Technical Details
- Type: Malware Family (Subscription Fraud Trojan)
- Platform: Android
- Capabilities: Covertly subscribing users to premium paid services without user consent or clear notification.
- First Seen: Active in Q4 2024.
## MITRE ATT&CK Mapping
- **TA0009 - Collection**
- T1552.001 - Unsecured Credentials: Credentials In Files: (Indirectly, by forcing financial commitment/subscription)
- **TA0042 - Resource Development**
- T1588 - Obtain Capabilities: (Generating illicit revenue via forced subscriptions)
## Functionality
### Core Capabilities
- Subscribe victims to recurring paid services.
- **Android.Subscription.22** example: "InstaPhoto Editor" disguised its true subscription function.
- **Android.Joker** examples: Hidden within an SMS messenger ("Smart Messages") and a keyboard app ("Cool Keyboard").
### Advanced Features
- Covert operation to prevent immediate user detection.
## Indicators of Compromise
- File Hashes: (Associated with variants like **Android.Subscription.22** and **Android.Joker** modifications).
- File Names: Disguised as mainstream utilities (keyboards, editors, SMS apps).
- Behavioral Indicators: Covertly signing victims up for paid services, visible to the user only as unexpected recurring charges.
## Associated Threat Actors
- Cybercriminals focused on revenue generation through subscription fraud.
## Detection Methods
- Detection by Dr.Web based on communication patterns associated with premium services.
## Mitigation Strategies
- Closely monitor bank/phone statements for unauthorized recurring charges.
- Be cautious with apps that need SMS access or act as input methods (SMS messengers and third-party keyboards were the disguises used in Q4).
## Related Tools/Techniques
- **Program.FakeMoney.11** (Related revenue-based fraud, though FakeMoney focuses on non-payment).
***
# Tool/Technique: Program.FakeMoney.11
## Overview
Program.FakeMoney.11 detects Android applications designed to mislead users into believing they are earning money by completing tasks. Rewards accrue visually, but users are ultimately unable to withdraw any real payments, even after meeting the threshold.
## Technical Details
- Type: Unwanted Software/Fraud Application
- Platform: Android
- Capabilities: Simulating earning activity, displaying accrued balances, listing numerous legitimate payment systems, while preventing actual withdrawal.
- First Seen: Not given in the report; listed in the Q4 2024 statistics.
## MITRE ATT&CK Mapping
- **TA0008 - Lateral Movement** (Not directly, but related to phishing/scam infrastructure)
- **TA0010 - Exfiltration**
- T1056.001 - Input Capture: Keylogging: (Indirectly, as users might input personal info into fake forms)
## Functionality
### Core Capabilities
- Visual simulation of monetary reward accrual.
- Requiring users to accumulate a target sum for withdrawal.
### Advanced Features
- The same virus record also detects other unwanted software built on the source code of these apps.
## Indicators of Compromise
- Behavioral Indicators: Apps displaying large, accruing balances but blocking withdrawal mechanisms.
## Associated Threat Actors
- Threat actors focused on user exploitation through perceived financial gain.
## Mitigation Strategies
- Treat "easy money" schemes with extreme skepticism.
- Verify app legitimacy before investing time or personal data.
## Related Tools/Techniques
- **Adware.Basement.1** shares a common code base with associated unwanted applications.
***
# Tool/Technique: Tool.LuckyPatcher.1.origin
## Overview
Tool.LuckyPatcher.1.origin is a utility used to modify installed Android applications via patches, altering their logic or bypassing security restrictions. While this can be used for benign modification (e.g., disabling ads), its mechanism for downloading and applying community-sourced scripts allows for malicious use, such as bypassing root checks in banking apps.
## Technical Details
- Type: Attack Tool (Application Modification Utility)
- Platform: Android
- Capabilities: Creating patches, bypassing software restrictions (e.g., license verification, root checks), downloading external modification scripts.
- First Seen: Not given in the report; a known utility.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control: (Bypassing built-in security checks)
- **TA0003 - Persistence**
- T1554 - Compromise Host Software Binary: (Modifying application logic)
## Functionality
### Core Capabilities
- Applying patches to installed apps.
- Downloading scripts from the internet to facilitate patching.
### Advanced Features
- Can be used to disable security checks (e.g., root verification in banking apps), posing a significant risk to transactional security.
- Scripts used for patching can themselves be malicious.
## Indicators of Compromise
- Behavioral Indicators: Attempts to modify the runtime environment or code structure of other installed applications.
## Associated Threat Actors
- Users or threat actors seeking to crack or defeat application security measures.
## Detection Methods
- Detection focuses on the presence/execution of the utility itself or detecting derived malicious patches.
## Mitigation Strategies
- Security software should monitor for attempts to hook or modify the runtime memory of critical applications (like banking apps).
## Related Tools/Techniques
- **Tool.NPMod.1** (Modifies apps via NP Manager, potentially for signature bypass).
- **Program.CloudInject.1** / **Tool.CloudInject** (Apps modified remotely via the CloudInject service).
***
# Tool/Technique: Program.CloudInject.1 / Tool.CloudInject
## Overview
Program.CloudInject.1 refers to Android applications modified using the remote CloudInject cloud service or its Android utility (Tool.CloudInject). The modification happens server-side, so even the user who requests it cannot control what code is added; the resulting apps receive a number of dangerous system permissions and can be managed remotely.
## Technical Details
- Type: Malware/Modification Platform (Cloud-based Modification Utility)
- Platform: Android Applications
- Capabilities: Remote modification of installed applications; granting of dangerous system permissions; remote command execution post-modification (blocking apps, displaying custom dialogs, monitoring installation/removal).
- First Seen: Not given in the report; listed in the Q4 2024 statistics.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise: (Users download seemingly legitimate apps that have been modified server-side)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter: (Remote management/execution capabilities)
- **TA0003 - Persistence**
- T1546 - Event Triggered Execution: (Monitoring other software installation/removal)
## Functionality
### Core Capabilities
- Receive runtime modifications from a remote server post-installation.
- Acquire and utilize dangerous system permissions.
### Advanced Features
- Remote management capabilities: blocking apps, displaying custom dialogs, and tracking other software lifecycle events.
## Indicators of Compromise
- Behavioral Indicators: Application functionality changes significantly after initial installation; excessive permission requests obtained dynamically.
## Associated Threat Actors
- Attackers utilizing a Software-as-a-Service (SaaS) model for malicious app modification.
## Detection Methods
- Behavioral analysis detecting unexpected dynamic permission usage or remote management commands.
## Mitigation Strategies
- Limit application permissions granted at installation time.
- Security software should detect the use of the associated utility, **Tool.CloudInject**.
## Related Tools/Techniques
- **Tool.NPMod.1**, **Tool.LuckyPatcher.1.origin** (Other tools focused on application modification).