Full Report
January 12, 2026

According to detection statistics collected by Dr.Web Security Space for mobile devices, the trojans Android.MobiDash and Android.HiddenAds, which display intrusive ads, were again the most widespread Android threats. At the same time, their activity decreased, and they were detected less frequently on protected devices by 43.24% and 18.06%, respectively. These malicious programs were followed by trojans from the Android.Siggen family, which includes malware whose functionality varies. They were also detected less often—by 27.47%.

At the same time, noticeable banking trojan activity was observed, with users encountering them 65.52% more frequently. This growth was largely due to members of the Android.Banker family. Such malicious programs intercept SMS with one-time codes for confirming banking transactions and can also imitate the appearance of legitimate bank software and display phishing windows.

Android apps modified with the CloudInject cloud service (Dr.Web anti-virus detects them as Program.CloudInject) were the most widespread unwanted software. CloudInject adds dangerous system permissions and obfuscated code to the apps, and the purpose of that code cannot be controlled. Program.FakeAntiVirus (fake anti-viruses) and Program.FakeMoney apps were also commonly found on protected devices. The former detect non-existent threats and ask users to purchase the full version to “cure” the infection, while the latter allegedly allow users to make money by completing various tasks.

The most widespread riskware programs in Q4 were Tool.NPMod apps, programs modified using the NP Manager utility. This tool obfuscates the code of the modified apps and adds a special module to them that allows digital signature verification to be bypassed once applications are modified. Among the adware detections, members of the Adware.Adpush family retained their lead. These are special software modules that developers integrate into apps to display notifications containing advertisements.

In October, our specialists informed users about the dangerous backdoor Android.Backdoor.Baohuo.1.origin. Threat actors embedded it into unofficial Telegram X messenger modifications and distributed it through malicious websites and third-party Android app catalogs. This malware steals logins and passwords for Telegram accounts as well as other confidential data. Moreover, with its help, threat actors can practically control the victim’s account and covertly perform various actions in the messenger on their behalf. For example, the attackers can join Telegram channels and leave them, conceal new authorized devices, conceal certain messages, etc. Malicious actors use several control mechanisms to operate Android.Backdoor.Baohuo.1.origin. One of them is the Redis database, which has not been seen previously in Android threats. In total, this backdoor infected around 58,000 devices, including about 3,000 different models of smartphones, tablets, TV box sets, and cars with on-board Android-based computers.

Over the past quarter, Doctor Web’s anti-virus laboratory discovered new malware on Google Play. Among these programs were Android.Joker trojans, which subscribe victims to paid services, and various Android.FakeApp fake programs, which are used in fraudulent schemes. They had at least 263,000 downloads combined.

## PRINCIPAL TRENDS OF Q4 2025

- Ad-displaying trojans remain the most widespread Android threats
- The number of banking trojan attacks increased
- Malicious actors distributed the dangerous backdoor Android.Backdoor.Baohuo.1.origin, which was built into Telegram X messenger modifications
- More malicious programs emerged on Google Play

## According to statistics collected by Dr.Web Security Space for mobile devices

- Android.MobiDash.7859: A trojan app that displays obnoxious ads. It is a special software module that developers incorporate into applications.
- Android.FakeApp.1600: A trojan app that loads the website that is hardcoded into its settings. Known modifications of this malicious program load an online casino site.
- Android.Click.1812: The detection name for malicious WhatsApp messenger mods that can covertly load various websites in the background.
- Android.Packed.57.origin: The detection name for an obfuscator that is used to protect apps, including malicious ones (for example, some Android.SpyMax banking trojan versions).
- Android.Triada.5847: The detection name for a packer for Android.Triada trojans that is designed to protect them from being detected and analyzed. Threat actors most often use the packer together with the malicious Telegram messenger mods in which these trojans are embedded.
- Program.CloudInject.5, Program.CloudInject.1: The detection name for Android programs that have been modified using the CloudInject cloud service and the eponymous Android utility (the latter was added to the Dr.Web virus database as Tool.CloudInject). Such programs are modified on a remote server; meanwhile, the modders (users) who are interested in such modifications cannot control exactly what will be added to the apps. Moreover, these programs receive a number of dangerous system permissions. Once modification is complete, modders can remotely manage these apps—blocking them, displaying custom dialogs, tracking when other software is being installed or removed from a device, etc.
- Program.FakeAntiVirus.1: The detection name for adware programs that imitate anti-virus software. These apps inform users of nonexistent threats, mislead them, and demand that they purchase the software’s full version.
- Program.FakeMoney.11: The detection name for Android applications that allegedly allow users to earn money by completing different tasks. These apps make it look as if rewards are accruing for each one that is completed. At the same time, users are told that they have to accumulate a certain sum to withdraw their “earnings”. Typically, such apps have a list of popular payment systems and banks that supposedly could be used to withdraw the rewards. But even if users succeed in accumulating the needed amount, in reality they cannot get any real payments. This virus record is also used to detect other unwanted software based on the source code of such apps.
- Program.SnoopPhone.1.origin: An application designed to monitor the activity of Android device owners. It allows intruders to read SMS, collect call information, track device location, and record the surroundings.
- Tool.NPMod.3, Tool.NPMod.1, Tool.NPMod.1.origin: The detection name for Android programs that have been modified using the NP Manager utility. A special module is embedded in such apps, and it allows them to bypass digital signature verification once they have been modified.
- Tool.LuckyPatcher.2.origin: A tool that allows apps installed on Android devices to be modified (i.e., by creating patches for them) in order to change the logic of their work or to bypass certain restrictions. For instance, users can apply it to disable root-access verification in banking software or to obtain unlimited resources in games. To add patches, this utility downloads specially prepared scripts from the Internet, which can be crafted and added to a shared database by any third party. The functionality of such scripts can prove to be malicious; thus, patches made with this tool can pose a potential threat.
- Tool.Androlua.1.origin: The detection name for some potentially dangerous versions of a specialized framework for developing Android software based on the Lua scripting language. The main logic of Lua-based apps resides in corresponding scripts that are encrypted and decrypted by the interpreter upon execution. By default, this framework often requests access to a large number of system permissions in order to operate. As a result, the Lua scripts that it executes can potentially perform various malicious actions in accordance with the acquired permissions.
- Adware.AdPush.3.origin, Adware.Adpush.21846: Adware modules that can be built into Android apps. They display notifications containing ads that mislead users. For example, such notifications can look like messages from the operating system. In addition, these modules collect a variety of confidential data and are able to download other apps and initiate their installation.
- Adware.Bastion.1.origin: The detection name for optimization programs that periodically create notifications with misleading messages about allegedly low storage and “system errors” in order to display ads during the “optimization”.
- Adware.Airpush.7.origin: Adware modules that can be built into Android apps and display various ads. Depending on the modules’ version and modification, these can be notifications containing ads, pop-up windows or banners. Malicious actors often use these modules to distribute malware by offering their potential victims diverse software for installation. Moreover, such modules collect personal information and send it to a remote server.
- Adware.ModAd.1: The detection name for some modified versions (mods) of the WhatsApp messenger, whose functions have been injected with a specific code. This code is responsible for loading target URLs by displaying web content (via the Android WebView component) when the messenger is in operation. Such web addresses perform redirects to advertised sites, including online casino, bookmaker, and adult sites.

## Threats on Google Play

Over the course of Q4 2025, Doctor Web’s virus analysts detected over 20 Android.Joker malicious programs on Google Play. These are designed to subscribe users to paid services; threat actors camouflaged them as various software: messengers, system optimization tools, image-editing apps, and apps that allow users to watch movies.

Examples of Android.Joker malicious apps that were detected.

Android.Joker.2496 masqueraded as Useful Cleaner, a tool for clearing out “junk” from the phone, and one of the Android.Joker.2495 modifications was passed off as the movie player Reel Drama.

Our experts also discovered several new fake programs from the Android.FakeApp family. As before, some of them were distributed as financial apps and were designed to load fraudulent websites. Other fakes were passed off as games. Under certain conditions (for instance, if a user’s IP address met the attackers’ requirements), they could load bookmaker and online casino sites.

The Chicken Road Fun game was the fake app Android.FakeApp.1910. It could open an online casino website instead of providing the declared functionality.

To protect your Android device from malware and unwanted programs, we recommend installing Dr.Web anti-virus products for Android.

## Indicators of compromise
Analysis Summary
# Tool/Technique: Android.MobiDash and Android.HiddenAds
## Overview
These are trojans that display intrusive advertisements on Android devices. While they remain the most widespread Android threats, their overall detection frequency decreased in Q4 2025 (by 43.24% and 18.06%, respectively).
## Technical Details
- Type: Malware Family (Adware/Trojan)
- Platform: Android
- Capabilities: Displaying intrusive advertisements.
- First Seen: Not specified in context, but noted as consistently widespread.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1204.002 - User Execution: Malicious File (*Implied, as they are loaded onto devices*)
- TA0009 - Collection
- T1560 - Archive Collected Data (*Potential, depending on full functionality*)
## Functionality
### Core Capabilities
- Displaying obnoxious or intrusive advertisements to the user.
### Advanced Features
- None explicitly mentioned beyond the core ad-displaying function.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Frequent display of advertisements, often intrusive.
## Associated Threat Actors
- Not specified; these appear to be widely deployed commodity malware.
## Detection Methods
- Detection by Dr.Web Security Space mobile protection as `Android.MobiDash` and `Android.HiddenAds`.
## Mitigation Strategies
- Installing reputable mobile anti-virus software (e.g., Dr.Web for Android).
- Being cautious when installing applications, particularly those that exhibit excessive or intrusive ad behavior.
## Related Tools/Techniques
- Adware.Adpush family members.
***
# Tool/Technique: Android.Siggen Family
## Overview
A family of trojans characterized by varying functionalities. Their overall detection rate decreased by 27.47% in Q4 2025.
## Technical Details
- Type: Malware Family (Trojan)
- Platform: Android
- Capabilities: Functionality varies among members of the family.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- Varies based on specific member functionality.
## Functionality
### Core Capabilities
- Generic trojan functionality; specifics depend on the variant.
### Advanced Features
- None explicitly detailed in the context provided.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Detection by vendor signature.
## Associated Threat Actors
- Not specified.
## Detection Methods
- Detection by Dr.Web Security Space as members of the `Android.Siggen` family.
## Mitigation Strategies
- General mobile security best practices.
## Related Tools/Techniques
- Other general Android trojans.
***
# Tool/Technique: Android.Banker Family
## Overview
Banking trojans whose activity saw a significant **65.52% increase** in encounters during Q4 2025. These programs target financial credentials and transactions.
## Technical Details
- Type: Malware Family (Banking Trojan)
- Platform: Android
- Capabilities: Intercepting SMS for transaction confirmation codes; displaying phishing windows mimicking legitimate banking software.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1555 - Credentials from Password Stores (*Potentially via phishing*)
- TA0005 - Defense Evasion
- T1564.001 - Hide Artifacts: Hidden Files and Directories (*May relate to phishing overlays*)
- TA0001 - Initial Access
- T1189 - Drive-by Compromise (*If used for initial infection*)
## Functionality
### Core Capabilities
- SMS interception to steal one-time passwords (OTPs) needed for banking transaction confirmation.
- Overlay attacks using phishing windows that mimic bank software GUIs.
### Advanced Features
- Sophisticated social engineering through UI imitation to trick users into inputting credentials/codes.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Likely communicates with C2 for phishing data exfiltration.
- Behavioral Indicators: Attempts to read SMS messages; drawing UI elements over legitimate banking apps.
## Associated Threat Actors
- Threat actors specializing in mobile financial fraud.
## Detection Methods
- Detection by Dr.Web Security Space as members of the `Android.Banker` family.
## Mitigation Strategies
- Avoiding the entry of OTPs unless absolutely necessary and confirming the transaction context outside the initial prompt.
- Avoiding suspicious apps, especially those masquerading as financial tools.
## Related Tools/Techniques
- Android.FakeApp (used for phishing scams).
***
# Tool/Technique: Program.CloudInject (and Tool.CloudInject)
## Overview
Detection names for Android applications that have been modified using the remote **CloudInject cloud service**. This service obfuscates code and adds dangerous system permissions to the applications, with the ultimate purpose of the injected code remaining outside the control of the app modder.
## Technical Details
- Type: Unwanted Software / Technique (Modification Service)
- Platform: Android
- Capabilities: Injecting obfuscated, uncontrollable code into applications; automatically obtaining dangerous system permissions. Post-modification, remote management capabilities exist (blocking apps, displaying custom dialogs, monitoring installations/removals).
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1574 - Hijack Execution Flow
- T1574.001 - DLL Search Order Hijacking (*Analogy for code injection; less precise for this remote modification*)
- T1105 - Ingress Tool Transfer
- T1105.003 - Download from Cloud Service
- T1548.002 - Bypass User Account Control (UAC) (Implied privilege gain)
## Functionality
### Core Capabilities
- Remotely modifying third-party applications.
- Granting dangerous system permissions to modified apps.
### Advanced Features
- Remote management of the modified app, including the ability to block it or track device activity (e.g., monitoring software installation/removal).
## Indicators of Compromise
- File Hashes: N/A
- File Names: Programs detected as `Program.CloudInject.5`, `Program.CloudInject.1`.
- Registry Keys: N/A
- Network Indicators: Connection to the CloudInject service for modification instructions/deployment.
- Behavioral Indicators: Applications requesting excessive or unusual permissions post-installation/modification.
## Associated Threat Actors
- Modders utilizing the CloudInject utility (`Tool.CloudInject`).
## Detection Methods
- Detection by Dr.Web AV as `Program.CloudInject`.
## Mitigation Strategies
- Reviewing applications for excessively broad permissions requested upon installation.
- Restricting app installation sources to trusted, official stores.
## Related Tools/Techniques
- Tool.CloudInject (the utility used to facilitate the modification).
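The permission review recommended above can be done mechanically over the app manifest, and the same check covers the SMS-plus-overlay pattern described for Android.Banker and the broad permission sets noted for Tool.Androlua. The script below is an added example written for this page, not Dr.Web's or CloudInject's code: the permission names are real Android permissions, but the rule names, the "five or more" threshold, the `is_default_sms_app` flag and the sample manifests are constructed assumptions.

```python
"""Flag risky permission patterns in Android manifests (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Real Android permission names; the grouping is this example's own.
DANGEROUS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE", "android.permission.POST_NOTIFICATIONS",
}
SMS_READ = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SIDELOAD = "android.permission.REQUEST_INSTALL_PACKAGES"
NOTIFY = "android.permission.POST_NOTIFICATIONS"
BROAD_THRESHOLD = 5  # assumption: five or more dangerous permissions counts as "broad"


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def audit(manifest_xml: str, is_default_sms_app: bool = False) -> list[str]:
    """Return the names of the rules that fire (an empty list means nothing notable).

    is_default_sms_app lets the caller suppress the SMS rule for the one app
    that legitimately reads incoming SMS on the device.
    """
    perms = declared_permissions(manifest_xml)
    findings: list[str] = []
    # Android.Banker pattern: read incoming SMS (one-time codes) and draw
    # windows over other apps (phishing overlays).
    if perms & SMS_READ and OVERLAY in perms and not is_default_sms_app:
        findings.append("sms-interception-plus-overlay")
    # Adware.Adpush pattern: post notifications and install further packages.
    if SIDELOAD in perms and NOTIFY in perms:
        findings.append("notification-driven-sideloading")
    # CloudInject / Androlua pattern: a broad set of dangerous permissions
    # that the person installing the app cannot account for.
    dangerous = perms & DANGEROUS
    if len(dangerous) >= BROAD_THRESHOLD:
        findings.append(f"broad-dangerous-permissions:{len(dangerous)}")
    return findings


def _manifest(package: str, *perms: str) -> str:
    """Build a minimal manifest for the constructed samples below."""
    uses = "".join(f'<uses-permission android:name="{p}"/>' for p in perms)
    return (f'<manifest xmlns:android="{ANDROID_NS}" package="{package}">'
            f"{uses}<application/></manifest>")


# Constructed samples: package names and permission sets are invented.
SAMPLES = {
    "flashlight": _manifest("test.flashlight", "android.permission.CAMERA"),
    "banker_like": _manifest(
        "test.bankerlike", "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS", "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.READ_PHONE_STATE"),
    "modded": _manifest(
        "test.modded", "android.permission.RECORD_AUDIO",
        "android.permission.ACCESS_FINE_LOCATION", "android.permission.CAMERA",
        "android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG",
        "android.permission.READ_PHONE_STATE",
        "android.permission.REQUEST_INSTALL_PACKAGES",
        "android.permission.POST_NOTIFICATIONS"),
}


def audit_samples() -> dict[str, list[str]]:
    return {name: audit(xml) for name, xml in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or "ok")
```

The rules are deliberately coarse: a manifest only shows what an app may do, so a hit is a reason to look at the app (who signed it, where it came from), not a verdict. Note that a CloudInject-modified app is repackaged, so the relevant manifest is the one inside the APK actually installed, not the original developer's.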
***
# Tool/Technique: Program.FakeAntiVirus
## Overview
Detection for fake anti-virus applications. These programs deceive users by reporting non-existent threats and then demand payment for the full version to "cure" the supposed infection.
## Technical Details
- Type: Potentially Unwanted Program (PUP) / Scareware
- Platform: Android
- Capabilities: Falsely reporting system infection; demanding payment for non-existent removal/cures.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (*If delivered via a deceptive download link*)
- T1559 - Inter-Process Communication
- T1559.001 - Inter-Process Instruction Injection (*To display fake alerts*)
- T1559.007 - Client-Server Channel over other protocols (Implied C2 for updates/confirmation)
## Functionality
### Core Capabilities
- Generating false alarms regarding malware or system instability.
- Coercing users into purchasing a "premium" or "full" version.
### Advanced Features
- User deception and manipulation to induce payment.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Programs detected as `Program.FakeAntiVirus.1`.
- Registry Keys: N/A
- Network Indicators: Communication to finalize fraudulent purchase.
- Behavioral Indicators: Displaying constant, urgent alerts about non-existent threats.
## Associated Threat Actors
- Scammers focused on scareware techniques on mobile platforms.
## Detection Methods
- Detection by Dr.Web AV as `Program.FakeAntiVirus`.
## Mitigation Strategies
- Never purchasing software activated through unsolicited alerts within an application.
- Relying on established, highly-rated security software.
## Related Tools/Techniques
- Program.FakeMoney.
***
# Tool/Technique: Program.FakeMoney
## Overview
Android applications designed to trick users into completing various tasks under the false premise of earning money. Users accumulate fake "earnings" but are ultimately unable to withdraw any real payments, even after reaching stated minimum withdrawal thresholds.
## Technical Details
- Type: Potentially Unwanted Program (PUP) / Financial Fraud Scheme
- Platform: Android
- Capabilities: Simulating earnings accumulation through task completion; collecting user engagement without providing payouts; potentially listing popular payment systems fraudulently.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1030 - Data Transfer Size Limits (*Relevant to the withdrawal process*)
- T1566.002 - Phishing: Spearphishing Link (*If used to distribute the initial download*)
## Functionality
### Core Capabilities
- Creating a façade of a money-making opportunity.
- Misleading users regarding accrual and withdrawal processes.
### Advanced Features
- Maintaining a convincing interface showing accrued, non-withdrawable funds.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Programs detected as `Program.FakeMoney.11`.
- Registry Keys: N/A
- Network Indicators: Communication with services tracking task completion or displaying targeted advertisements.
- Behavioral Indicators: Apps requiring extensive setup or permissions related to banking/payment systems without clear justification.
## Associated Threat Actors
- Cybercriminals running online job/task scams.
## Detection Methods
- Detection by Dr.Web AV as `Program.FakeMoney`.
## Mitigation Strategies
- Treating "too good to be true" earning opportunities with extreme skepticism.
- Ensuring that apps requiring personal financial details offer robust security validation.
## Related Tools/Techniques
- Program.FakeAntiVirus.
***
# Tool/Technique: Tool.NPMod (NP Manager Utility)
## Overview
These are riskware programs that have been modified using the **NP Manager utility**. The utility obfuscates the application code and adds a special module that allows digital signature verification to be bypassed after the application has been modified.
## Technical Details
- Type: Tool / Riskware Modifier
- Platform: Android
- Capabilities: Code obfuscation; bypassing digital signature verification on repackaged/modified apps. These modified apps were the most widespread riskware in Q4.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1562 - Impair Defenses
- T1484.001 - Modify Boot Configuration (*Analogy for modifying application integrity*)
- T1622 - Alter Security Product (*Implied, as bypassing signatures is a form of defense evasion*)
## Functionality
### Core Capabilities
- Modifying APK structures.
- Embedding mechanisms to bypass the integrity checks enforced by re-signed applications.
### Advanced Features
- Code obfuscation to hinder reverse engineering of the applied modifications.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Applications detected as `Tool.NPMod.3`, `Tool.NPMod.1`, etc.
- Registry Keys: N/A
- Network Indicators: N/A (The tool itself is used locally for modification).
- Behavioral Indicators: Applications exhibiting self-modification capabilities or failing standard signature checks.
## Associated Threat Actors
- App pirates, cracked software distributors, and potentially malware distributors who rely on repackaging legitimate apps.
## Detection Methods
- Detection by Dr.Web AV as `Tool.NPMod`.
## Mitigation Strategies
- Ensuring that applications used have not been modified or repacked from unknown sources, as signature verification bypass is a major indicator of tampering.
## Related Tools/Techniques
- Tool.LuckyPatcher.2.origin (Another modification tool).
***
# Tool/Technique: Adware.Adpush Family
## Overview
Adware modules integrated into Android applications by developers. They specialize in displaying notifications containing advertisements, often using tactics designed to mislead the user by spoofing OS messages. They can also collect confidential data and download/install other applications.
## Technical Details
- Type: Adware Module
- Platform: Android
- Capabilities: Displaying unsolicited advertisements via notifications; data collection; initiating the installation of other software.
- First Seen: Not specified, but retained the lead in adware detections.
## MITRE ATT&CK Mapping
- T1057 - Perform System Discovery (*If collecting device info for ad targeting*)
- T1219 - Remote Access Software (Implied C2 communication for ad serving)
- T1071.001 - Application Layer Protocol: Web Protocols (For ad delivery)
## Functionality
### Core Capabilities
- Injecting ads into the notification tray.
### Advanced Features
- Data exfiltration of confidential user information.
- Capability to act as secondary malware distributors by pushing other app installs.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Modules detected as `Adware.Adpush.3.origin`, `Adware.Adpush.21846`.
- Registry Keys: N/A
- Network Indicators: Connections to ad serving infrastructure.
- Behavioral Indicators: Unexpected notifications or background installation processes initiated.
## Associated Threat Actors
- App developers or third-party ad networks engaging in aggressive monetization.
## Detection Methods
- Detection by Dr.Web AV as various members of the `Adware.Adpush` family.
## Mitigation Strategies
- Restricting notification access for non-essential or untrusted applications.
## Related Tools/Techniques
- Adware.Bastion.1.origin, Adware.Airpush.7.origin.
***
# Tool/Technique: Android.Backdoor.Baohuo.1.origin
## Overview
A dangerous backdoor embedded in unofficial modifications of the Telegram X messenger. Distributed via malicious websites and third-party catalogs. It steals Telegram credentials and confidential data and gives threat actors practically full control of the victim’s account, which they use for covert actions such as joining or leaving channels and hiding newly authorized devices or messages.
## Technical Details
- Type: Backdoor Malware
- Platform: Android
- Capabilities: Stealing Telegram login data; covert account control (sending messages, managing settings); stealing general confidential data.
- First Seen: Identified in October 2025, within the review quarter.
## MITRE ATT&CK Mapping
- T1078.004 - Valid Accounts: Cloud Accounts (*Specifically Telegram*)
- T1059.004 - Command and Scripting Interpreter: Unix Shell (*If using system commands through C2; Android has no Windows command shell*)
- T1490 - Inhibit System Recovery (*Potentially by hiding activity*)
## Functionality
### Core Capabilities
- Telegram credential theft.
- Remote account takeover/manipulation.
- Stealing other confidential information.
### Advanced Features
- **Uses a Redis database for control mechanisms, noted as a first for Android threats.**
- Extensive covert control over the compromised messenger account.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Embedded in unofficial Telegram X mods.
- Registry Keys: N/A
- Network Indicators: Communication with C2 servers for instruction, possibly leveraging Redis protocols.
- Behavioral Indicators: Undocumented activity within the Telegram application; unusual network traffic originating from the messenger process.
## Associated Threat Actors
- Threat actors who specifically target Telegram X users for espionage or account hijacking.
## Detection Methods
- Detection by Dr.Web AV as `Android.Backdoor.Baohuo.1.origin`.
- Signature matching against known malicious Telegram X modifications.
## Mitigation Strategies
- **Strictly avoiding unofficial client modifications or third-party app stores for critical applications like messengers.**
- Using official distribution channels only.
- Using two-factor authentication on Telegram accounts.
## Related Tools/Techniques
- General data-stealing trojans.
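The report says Baohuo uses a Redis database as one of its control mechanisms but not how the client talks to it. Assuming a stock Redis client, the traffic is plain RESP (the Redis wire protocol), which a defender can recognise in a capture from the device regardless of the TCP port in use. The parser and classifier below are an added example, not Dr.Web's analysis or the backdoor's code; the sample payloads, the channel and key names, and the list of "control channel" commands are constructed assumptions.

```python
"""Recognise Redis wire-protocol (RESP) traffic in captured payloads (added example)."""
from __future__ import annotations


class RespError(Exception):
    """A RESP error reply ('-ERR ...'), kept as a value so a stream parses fully."""


def _read_line(buf: bytes, pos: int) -> tuple[bytes, int]:
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise ValueError("unterminated RESP line")
    return buf[pos:end], end + 2


def parse_frame(buf: bytes, pos: int = 0):
    """Parse one RESP value at buf[pos]; return (value, position after it).

    Handles the five RESP2 types: simple string (+), error (-), integer (:),
    bulk string ($) and array (*). Raises ValueError on anything else, which
    is how non-RESP data (HTTP, TLS, ...) is told apart.
    """
    if pos >= len(buf):
        raise ValueError("truncated RESP frame")
    kind = buf[pos:pos + 1]
    line, pos = _read_line(buf, pos + 1)
    if kind == b"+":
        return line.decode("utf-8", "replace"), pos
    if kind == b"-":
        return RespError(line.decode("utf-8", "replace")), pos
    if kind == b":":
        return int(line), pos
    if kind == b"$":
        length = int(line)
        if length == -1:                      # null bulk string
            return None, pos
        end = pos + length
        if length < 0 or buf[end:end + 2] != b"\r\n":
            raise ValueError("malformed bulk string")
        return buf[pos:end].decode("utf-8", "replace"), end + 2
    if kind == b"*":
        count = int(line)
        if count == -1:                       # null array
            return None, pos
        items = []
        for _ in range(count):
            item, pos = parse_frame(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError(f"not a RESP type byte: {kind!r}")


def parse_stream(buf: bytes) -> list:
    """Parse every frame in a captured segment (assumes the capture is not truncated)."""
    frames, pos = [], 0
    while pos < len(buf):
        frame, pos = parse_frame(buf, pos)
        frames.append(frame)
    return frames


def looks_like_resp(buf: bytes) -> bool:
    try:
        parse_stream(buf)
        return True
    except ValueError:
        return False


# Commands a client issues to wait for instructions; these are what turn a
# key-value store into a command channel (assumption of this example).
CONTROL_CHANNEL_COMMANDS = {"SUBSCRIBE", "PSUBSCRIBE", "BLPOP", "BRPOP", "XREAD", "XREADGROUP"}


def classify(buf: bytes) -> dict:
    """Summarise client-to-server RESP traffic for triage."""
    is_resp = looks_like_resp(buf)
    commands = [
        f for f in (parse_stream(buf) if is_resp else [])
        if isinstance(f, list) and f and all(isinstance(x, str) for x in f)
    ]
    names = [c[0].upper() for c in commands]
    return {
        "is_resp": is_resp,
        "commands": names,
        "auth_in_clear": "AUTH" in names,       # password crosses the wire unencrypted
        "control_channel": sorted(set(names) & CONTROL_CHANNEL_COMMANDS),
    }


# Constructed sample captures (not real Baohuo traffic): what a stock Redis
# client emits when authenticating, subscribing to a channel and registering
# a device in a hash, plus the server's replies and an HTTP request for contrast.
SAMPLE_CLIENT_TO_SERVER = (
    b"*2\r\n$4\r\nAUTH\r\n$8\r\nredacted\r\n"
    b"*2\r\n$9\r\nSUBSCRIBE\r\n$10\r\ncmd:device\r\n"
    b"*4\r\n$4\r\nHSET\r\n$7\r\ndevices\r\n$7\r\ndev-001\r\n$6\r\nonline\r\n"
)
SAMPLE_SERVER_TO_CLIENT = b"+OK\r\n*3\r\n$9\r\nsubscribe\r\n$10\r\ncmd:device\r\n:1\r\n:1\r\n"
SAMPLE_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(classify(SAMPLE_CLIENT_TO_SERVER))
    print(parse_stream(SAMPLE_SERVER_TO_CLIENT))
    print("HTTP looks like RESP:", looks_like_resp(SAMPLE_HTTP))
```

Two things make this useful in triage. A messenger process speaking RESP to any host is itself the anomaly, since Telegram X has no reason to talk to Redis. And an `AUTH` in clear text means the database credential is recoverable from the capture, which is what lets analysts enumerate the control infrastructure; if the client wraps RESP in TLS, the detector has to sit after decryption or fall back to flow metadata.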
***
# Tool/Technique: Android.Joker Trojans
## Overview
Malicious programs discovered on Google Play designed to subscribe victims to unwanted paid services. They were camouflaged as legitimate apps such as messengers, cleaners, image editors, movie players, and system tools. Together with the Android.FakeApp fakes found on Google Play in the same quarter, these apps had at least 263,000 downloads.
## Technical Details
- Type: Trojan (Subscription Fraud)
- Platform: Android (Sourced from Google Play)
- Capabilities: Subscribing users to premium services without explicit consent; application cloaking/masquerading.
- First Seen: Detected over the review quarter (Q4 2025).
## MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link (*If links were used outside Play Store*)
- T1588.002 - Obtain Capabilities: Acquire Infrastructure (Utilizing Google Play infrastructure)
- T1595.001 - Develop or Purchase Malicious Tools (The subscription mechanism)
## Functionality
### Core Capabilities
- Covertly subscribing users to recurring paid services.
### Advanced Features
- Successful camouflage on the Google Play Store (e.g., `Android.Joker.2496` as "Useful Cleaner," `Android.Joker.2495` as "Reel Drama").
## Indicators of Compromise
- File Hashes: N/A
- File Names: `Android.Joker.2496`, `Android.Joker.2495`.
- Registry Keys: N/A
- Network Indicators: Connections to payment gateway or subscription confirmation endpoints.
- Behavioral Indicators: Unexpected recurring charges on mobile bills; hidden background connections.
## Associated Threat Actors
- Threat actors leveraging official app stores for financial fraud schemes.
## Detection Methods
- Detection by Dr.Web AV as `Android.Joker` variants.
- Google Play Store security monitoring.
## Mitigation Strategies
- Carefully scrutinizing app reviews and permissions before installation, even on the official Play Store.
- Regularly checking mobile billing statements for unauthorized recurring subscriptions.
## Related Tools/Techniques
- Android.FakeApp (also found on Google Play).
***
# Tool/Technique: Android.FakeApp Family
## Overview
Various fake programs distributed on Google Play and used in fraudulent schemes. They often masquerade as financial apps or games. When certain conditions are met (for instance, when the user’s IP address meets the attackers’ requirements), they load fraudulent websites such as bookmaker or online casino sites instead of providing the declared functionality.
## Technical Details
- Type: Trojan / Phishing App
- Platform: Android (Sourced from Google Play)
- Capabilities: Loading hardcoded/conditional fraudulent websites (casinos, bookmakers); masquerading as legitimate applications.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1566.002 - Phishing: Spearphishing Link
- T1583.001 - Acquire Infrastructure: Domains (*For hosting fraudulent sites*)
- T1057 - Perform System Discovery (*To check IP for conditional loading*)
## Functionality
### Core Capabilities
- Displaying phishing/gambling URLs based on triggers (like IP address).
- Camouflage as financial tools or games.
### Advanced Features
- Conditional execution based on environmental factors (IP check). Example: `Android.FakeApp.1910` (Chicken Road Fun) opening a casino site.
## Indicators of Compromise
- File Hashes: N/A
- File Names: `Android.FakeApp.1910` (Chicken Road Fun).
- Registry Keys: N/A
- Network Indicators: Connections to online casino or bookmaker domains.
- Behavioral Indicators: App launches loading web views that do not match the declared purpose.
## Associated Threat Actors
- Threat actors running online gambling and financial fraud scams using the Google Play distribution channel.
## Detection Methods
- Detection by Dr.Web AV as `Android.FakeApp` variants.
## Mitigation Strategies
- Never inputting financial or credential information into applications that redirect to unknown gambling or betting sites.
## Related Tools/Techniques
- Android.Joker.
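Because Android.FakeApp only loads the fraudulent site when the client IP satisfies the attackers' conditions, a single sandbox run from one network may see nothing but the declared functionality. One defender-side answer is to execute the sample from several network vantage points and diff what it loads. The script below is an added example, not Dr.Web's tooling; the (package, vantage, URL) records, the package names, the `.test` hostnames and the gambling keyword list are constructed assumptions.

```python
"""Detect IP-gated behaviour by diffing sandbox runs from several vantage points (added example)."""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: the same APK was run in a sandbox from several network vantage
# points (different countries / IP ranges) and every URL the app loaded in a
# WebView was logged as (package, vantage, url). All records are constructed.
RECORDS = [
    ("test.chickenroad", "DE", "https://assets.example-game.test/level1.json"),
    ("test.chickenroad", "DE", "https://assets.example-game.test/level2.json"),
    ("test.chickenroad", "BR", "https://assets.example-game.test/level1.json"),
    ("test.chickenroad", "BR", "https://spin-and-win.example.test/landing?aff=1"),
    ("test.notes", "DE", "https://sync.example-notes.test/v1/sync"),
    ("test.notes", "BR", "https://sync.example-notes.test/v1/sync"),
]

# Crude keyword list (assumption); a real deployment would use a categorised
# domain feed instead of substrings, which also hit words like "alphabet".
GAMBLING_HINTS = ("casino", "bet", "spin", "slot", "poker")


def hosts_by_vantage(records) -> dict[str, dict[str, set[str]]]:
    """package -> vantage -> set of hosts contacted from that vantage."""
    out: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for package, vantage, url in records:
        host = urlsplit(url).hostname
        if host:
            out[package][vantage].add(host)
    return out


def vantage_divergence(records) -> dict[str, dict[str, list[str]]]:
    """Hosts a package contacted from some vantage points but not from all of them.

    A host that appears only behind certain IPs is the signature of gated
    content. Packages run from a single vantage cannot diverge and are skipped.
    """
    result: dict[str, dict[str, list[str]]] = {}
    for package, per_vantage in hosts_by_vantage(records).items():
        if len(per_vantage) < 2:
            continue
        everywhere = set.intersection(*per_vantage.values())
        anywhere = set.union(*per_vantage.values())
        gated = anywhere - everywhere
        if gated:
            result[package] = {
                host: sorted(v for v, hosts in per_vantage.items() if host in hosts)
                for host in sorted(gated)
            }
    return result


def gambling_hosts(records) -> dict[str, list[str]]:
    """Hosts whose name matches the keyword list, per package."""
    flagged: dict[str, set[str]] = defaultdict(set)
    for package, _, url in records:
        host = urlsplit(url).hostname or ""
        if any(hint in host for hint in GAMBLING_HINTS):
            flagged[package].add(host)
    return {p: sorted(h) for p, h in flagged.items()}


def report(records) -> dict[str, dict]:
    """Combine both signals; a package appears only if at least one fired."""
    divergent = vantage_divergence(records)
    gambling = gambling_hosts(records)
    return {
        p: {"gated_hosts": divergent.get(p, {}), "gambling_hosts": gambling.get(p, [])}
        for p in sorted(set(divergent) | set(gambling))
    }


if __name__ == "__main__":
    for package, signals in report(RECORDS).items():
        print(package, signals)
```

The divergence signal is the one that generalises: it flags the gating itself, whatever the gated content is, and so also catches the finance-themed fakes described earlier whose target site is not a gambling domain. It needs at least two vantage points per sample and only sees what the app loads during the run, so it complements rather than replaces a static look at hardcoded URLs in the APK.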
***
# Tool/Technique: Tool.LuckyPatcher.2.origin
## Overview
A tool used to modify installed Android applications by creating patches. Its purpose is to alter application logic, commonly used to bypass restrictions such as disabling root-access verification in banking software or cheating in games (unlimited resources). It downloads patch scripts from the internet, which introduces a risk of malicious code execution.
## Technical Details
- Type: Application Modification Tool (Riskware)
- Platform: Android
- Capabilities: Creating patches to alter app logic; bypassing software restrictions (e.g., license/root checks); downloading external patch scripts which could be malicious.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1546.008 - Event Triggered Execution: Installer Log/Script (Via patch application download)
- T1548.002 - Bypass User Account Control (UAC) (Implied bypassing of security measures)
## Functionality
### Core Capabilities
- Modifying local application binaries/logic via patching.
### Advanced Features
- Ability to download and execute user-defined or third-party scripts for patching, posing a direct threat vector.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Detected as `Tool.LuckyPatcher.2.origin`.
- Registry Keys: N/A
- Network Indicators: Connections to repositories hosting patch scripts.
- Behavioral Indicators: Attempts to modify the runtime functions or integrity of other installed applications.
## Associated Threat Actors
- Users seeking unfair advantages in games or attempting to remove security checks (root or licence verification) from other apps.
## Detection Methods
- Detection by Dr.Web AV as `Tool.LuckyPatcher.2.origin`.
## Mitigation Strategies
- Avoiding tools that require modifying the integrity of other installed applications, especially security or financial software.
## Related Tools/Techniques
- Tool.NPMod.1 (Another modification utility that bypasses signatures).
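The practical consequence of both LuckyPatcher and NP Manager is the same: a patched app no longer carries the vendor's signature, and NP Manager's added module exists precisely so the app does not notice. The check an analyst can still run from outside the app is to read the signer certificate out of the APK and compare its SHA-256 fingerprint with the one the vendor publishes. The script below is an added example, not Doctor Web's code and not part of either tool. It parses only the APK Signature Scheme v2 block (v1 JAR signatures and v3 rotation are out of scope), and `build_fake_apk` produces a constructed APK-like zip whose certificate bytes are placeholders so the example runs offline; the pinned fingerprint is an assumption.

```python
"""Read the signer certificate from an APK's v2 signing block and compare its
SHA-256 fingerprint against a pinned value. Standard library only."""
import hashlib
import io
import struct
import zipfile

APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
V2_BLOCK_ID = 0x7109871A          # ID of the APK Signature Scheme v2 block
EOCD_SIG = b"PK\x05\x06"


def _find_eocd(data: bytes) -> int:
    # The End-of-Central-Directory record is the last structure in a zip; an
    # archive comment of up to 65535 bytes may follow it, so search backwards.
    idx = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 65535))
    if idx < 0:
        raise ValueError("not a zip/APK: EOCD record not found")
    return idx


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _u64(buf, off):
    return struct.unpack_from("<Q", buf, off)[0]


def _lp(buf, off):
    """Read a uint32 length-prefixed field; return (value, offset after it)."""
    n = _u32(buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def signer_cert_der(apk: bytes) -> bytes:
    """Return the first signer's X.509 certificate (DER) from the v2 block."""
    eocd = _find_eocd(apk)
    cd_off = _u32(apk, eocd + 16)            # start of the central directory
    if cd_off < 24 or apk[cd_off - 16:cd_off] != APK_SIG_BLOCK_MAGIC:
        raise ValueError("no APK Signing Block (unsigned or v1-only APK)")
    size = _u64(apk, cd_off - 24)            # trailing copy of the size field
    start = cd_off - size - 8                # block opens with the same field
    if start < 0 or _u64(apk, start) != size:
        raise ValueError("corrupt APK Signing Block")
    pos, end = start + 8, cd_off - 24        # ID-value pairs live in between
    while pos < end:
        pair_len = _u64(apk, pos)            # length of ID + value
        pair_id = _u32(apk, pos + 8)
        value = apk[pos + 12:pos + 8 + pair_len]
        if pair_id == V2_BLOCK_ID:
            signers, _ = _lp(value, 0)       # sequence of signers
            signer, _ = _lp(signers, 0)      # first signer only
            signed_data, _ = _lp(signer, 0)
            _digests, off = _lp(signed_data, 0)
            certs, _ = _lp(signed_data, off)  # sequence of DER certificates
            cert, _ = _lp(certs, 0)
            return bytes(cert)
        pos += 8 + pair_len
    raise ValueError("v2 signature block not present")


def signer_fingerprint(apk: bytes) -> str:
    return hashlib.sha256(signer_cert_der(apk)).hexdigest()


def is_expected_signer(apk: bytes, pinned_sha256: str) -> bool:
    """True only if the APK carries exactly the pinned signer certificate."""
    return signer_fingerprint(apk) == pinned_sha256.lower().replace(":", "")


def _lp_enc(b: bytes) -> bytes:
    return struct.pack("<I", len(b)) + b


def build_fake_apk(cert_der: bytes) -> bytes:
    """CONSTRUCTED fixture: a minimal APK-like zip with a v2 signing block that
    carries only `cert_der`. Digest, signature and public-key fields are left
    empty, so this is a parser test input, not a validly signed APK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    data = buf.getvalue()
    signed_data = _lp_enc(b"") + _lp_enc(_lp_enc(cert_der)) + _lp_enc(b"")
    signer = _lp_enc(signed_data) + _lp_enc(b"") + _lp_enc(b"")
    v2_value = _lp_enc(_lp_enc(signer))
    pair = struct.pack("<QI", 4 + len(v2_value), V2_BLOCK_ID) + v2_value
    size = len(pair) + 24                    # pairs + trailing size + magic
    block = struct.pack("<Q", size) + pair + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    eocd = _find_eocd(data)
    cd_off = _u32(data, eocd + 16)
    out = bytearray(data[:cd_off] + block + data[cd_off:])
    struct.pack_into("<I", out, eocd + len(block) + 16, cd_off + len(block))
    return bytes(out)


if __name__ == "__main__":
    # Assumed vendor fingerprint for the demo; a real check pins the value the
    # vendor publishes (compare with `apksigner verify --print-certs`).
    PINNED = signer_fingerprint(build_fake_apk(b"constructed-vendor-cert"))
    print("official build:", is_expected_signer(build_fake_apk(b"constructed-vendor-cert"), PINNED))
    print("re-signed mod :", is_expected_signer(build_fake_apk(b"constructed-modder-cert"), PINNED))
```

On a real APK, `signer_fingerprint` should agree with the SHA-256 line that `apksigner verify --print-certs` prints for the same file; a mismatch against the pinned vendor value means the package was re-signed, which is exactly what a patched or repackaged build looks like from the outside.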
***
# Tool/Technique: Tool.Androlua.1.origin
## Overview
Potentially dangerous builds of a framework for developing Android software in the Lua scripting language. An app's core logic lives in encrypted Lua scripts that the bundled interpreter decrypts and executes at run time. The framework often requests an excessive set of system permissions at installation, and because permissions are granted to the app as a whole, every script the interpreter runs can use them, which lets malicious scripts perform a wide range of actions.
## Technical Details
- Type: Software Development Framework (Weaponizable)
- Platform: Android
- Capabilities: Executing encrypted Lua scripts that are decrypted at run time; requesting a large number of system permissions by default.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1406 - Obfuscated Files or Information (Mobile ATT&CK; Lua scripts are stored encrypted and decrypted at run time)
- T1623 - Command and Scripting Interpreter (Mobile ATT&CK; app logic runs through the embedded Lua interpreter)
## Functionality
### Core Capabilities
- Running Lua-based application logic.
- Decrypting and executing scripts at run time.
### Advanced Features
- High potential for abuse: the broad permissions the framework requests are available to every script it runs.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Detected as `Tool.Androlua.1.origin`.
- Registry Keys: N/A
- Network Indicators: Not specified; any network activity depends on the embedded scripts.
- Behavioral Indicators: Applications built on the framework requesting broad system permissions unrelated to their declared purpose.
## Associated Threat Actors
- Legitimate developers using the framework, or threat actors using it to build malware.
## Detection Methods
- Detection by Dr.Web AV as `Tool.Androlua.1.origin`.
## Mitigation Strategies
- Restricting installation of apps built with lesser-known or high-permission development frameworks.
## Related Tools/Techniques
- Comparable to packed or obfuscated malware, since the payload is an encrypted script.
***
# Tool/Technique: Adware.ModAd.1
## Overview
Refers specifically to modified builds (mods) of the **WhatsApp messenger**. The injected code loads target URLs in the background through the Android WebView component without showing them to the user; the URLs redirect to advertising sites, including online casinos, bookmakers and adult-content platforms.
## Technical Details
- Type: Adware (Modified Application)
- Platform: Android (WhatsApp modification)
- Capabilities: Covert loading of web content via WebView; redirection to third-party advertising/gambling sites.
- First Seen: Not specified.
## MITRE ATT&CK Mapping
- T1437.001 - Application Layer Protocol: Web Protocols (Mobile ATT&CK; ad URLs are fetched over HTTP(S) in a hidden WebView)
- T1474.003 - Supply Chain Compromise: Compromise Software Supply Chain (Mobile ATT&CK; a repackaged build of a popular client distributed outside official channels)
## Functionality
### Core Capabilities
- Loading URLs in a hidden `WebView` component injected into the messenger.
- Redirecting traffic to advertising or malicious sites.
### Advanced Features
- Piggybacks on a highly used application (WhatsApp), so the mod inherits a large and trusting user base.
## Indicators of Compromise
- File Hashes: N/A
- File Names: Detected as `Adware.ModAd.1`.
- Registry Keys: N/A
- Network Indicators: Connections to domains associated with online casinos or bookmakers.
- Behavioral Indicators: The WhatsApp process opening connections to domains unrelated to the messenger service while the app is in the background.
## Associated Threat Actors
- Individuals repackaging popular messaging apps to earn advertising revenue.
## Detection Methods
- Detection by Dr.Web AV as `Adware.ModAd.1`.
## Mitigation Strategies
- **NEVER use modified versions of popular applications.** Only install from official channels.
## Related Tools/Techniques
- Adware.Adpush (General adware notification injection).
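The behavioural indicators given for Android.FakeApp (web views opening casino or bookmaker sites) and for Adware.ModAd.1 (the messenger process fetching ad URLs in the background) reduce to one check: does an app's outbound traffic match its declared purpose? The detector below is an added example, not anything from the report. It runs over constructed per-app connection log lines in a hypothetical `<epoch> <package> <host>:<port> <fg|bg>` format; the expected-domain baseline and the package name `com.example.chickenroadfun` for Chicken Road Fun are assumptions. Beyond the report's two cases it also handles the lookalike hostname that merely starts with an expected domain, which a naive suffix match would wave through.

```python
"""Flag installed apps whose outbound connections do not fit their declared
purpose. Standard library only; input is a constructed per-app connection log."""
import re
from collections import defaultdict

# Destinations each package is expected to use. ASSUMED baseline for the
# example, not a vendor-published list; an offline game gets an empty set.
EXPECTED_DOMAINS = {
    "com.whatsapp": {"whatsapp.net", "whatsapp.com"},
    "com.example.chickenroadfun": set(),   # assumed package name for "Chicken Road Fun"
}

# Hostname labels typical of the casino/bookmaker destinations the report names.
GAMBLING_LABELS = {"casino", "bet", "bets", "betting", "bookmaker", "slots", "poker"}

# Constructed log lines in a hypothetical "<epoch> <package> <host>:<port> <fg|bg>"
# format (fg/bg = whether the app was in the foreground when it connected).
SAMPLE_LOG = """\
1736600000 com.whatsapp g.whatsapp.net:443 fg
1736600010 com.whatsapp ads.lucky-casino.example:443 bg
1736600020 com.example.chickenroadfun top-bookmaker.example:443 fg
1736600030 com.whatsapp whatsapp.net.evil.example:443 bg
1736600040 com.whatsapp media.whatsapp.com:443 fg
1736600050 com.example.other alphabet.example:443 fg
"""


def in_baseline(host: str, domains) -> bool:
    """Suffix match on label boundaries: 'g.whatsapp.net' matches 'whatsapp.net',
    but the lookalike 'whatsapp.net.evil.example' does not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_gambling(host: str) -> bool:
    # Split on '.' and '-' so 'lucky-casino' is caught and 'alphabet' is not.
    return any(label in GAMBLING_LABELS for label in re.split(r"[.-]", host.lower()))


def parse_log(text: str):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, dest, state = line.split()
        host, port = dest.rsplit(":", 1)
        events.append({"ts": int(ts), "pkg": pkg, "host": host,
                       "port": int(port), "background": state == "bg"})
    return events


def analyze(text: str):
    """Return (package, host, reasons) for every connection worth a look."""
    alerts = []
    for ev in parse_log(text):
        baseline = EXPECTED_DOMAINS.get(ev["pkg"])
        if baseline is None:
            continue            # no declared purpose on file for this package
        reasons = []
        if not in_baseline(ev["host"], baseline):
            reasons.append("destination outside the app's baseline")
        if looks_like_gambling(ev["host"]):
            reasons.append("casino/bookmaker-style domain")
        if reasons and ev["background"]:
            reasons.append("fetched while the app was not in the foreground")
        if reasons:
            alerts.append((ev["pkg"], ev["host"], tuple(reasons)))
    return alerts


def summarize(alerts):
    """Count alerts per package, the usual triage view."""
    counts = defaultdict(int)
    for pkg, _, _ in alerts:
        counts[pkg] += 1
    return dict(counts)


if __name__ == "__main__":
    for pkg, host, reasons in analyze(SAMPLE_LOG):
        print(f"{pkg:28} {host:30} {'; '.join(reasons)}")
    print(summarize(analyze(SAMPLE_LOG)))
```

The baseline is deliberately per package rather than global: a messenger reaching its own CDN is normal, while the same hostname requested by a game is not, and a package with no baseline on file is skipped rather than guessed at. Keyword matching on labels is a coarse hint and is reported alongside the baseline result, not instead of it.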