Android users will probably remember June 2014 for the advent and wide-scale distribution of a significant number of blocker and encryption Trojans designed specifically for Android, as well as for a marked increase in the number of infections involving Android.SmsBot.120.origin.
Also in June, Doctor Web's security researchers discovered new representatives of common malicious programs, such as spy Trojans and applications that send SMS messages to premium numbers without user consent.
According to Doctor Web statistics collected via Dr.Web for Android, in June 2014 the anti-virus registered 6,101,306 positives. As before, various advertising modules, used by developers to generate a profit from free applications, became the main cause for concern.
These modules can display annoying notifications on the Android notification bar. Such messages often include advertisements for questionable and potentially dangerous websites. June 26 was the most “peaceful day” with only 163,580 threats discovered, while June 8 saw the greatest number of positives registered—226,002.
Traditionally, the number of malicious programs within the total number of advertising and potentially dangerous applications detected was relatively small and rarely exceeded 4%-5%, but in June the situation changed dramatically.Android.SmsBot.120.origin broke into the lead in terms of the number of infections attempted.
It was disarmed by Dr.Web over 670,000 times, a figure that accounts for almost 11% of the total volume of identified threats. In addition to sending SMS messages to specified numbers, this malware can transmit information about infected devices (including IMEIs, lists of installed programs, etc.) to servers belonging to cyber criminals, remove installed programs and incoming SMS messages, and display notifications.
 |  |
 | |
In 13.88% of the cases (93,036 times) the threat was removed before the malware was installed on the device; the Trojan was moved to the quarantine 34,162 times (5.10% of the incidents), and 17,672 users (2.64%) ignored the Dr.Web warning, allowing the Trojan to run on their handhelds.
Android.SmsBot.120.origin was most frequently detected in Russia. The figure below illustrates the geographical distribution of this threat.
| Threat name | %% | |
|---|---|---|
| 1 | Android.SmsBot.120.origin | 10,99 |
| 2 | Android.SmsSend.1215.origin | 1,43 |
| 3 | Android.SmsSend.859.origin | 1,35 |
| 4 | Android.SmsSend.1081.origin | 1,08 |
| 5 | Android.Spy.83.origin | 0,82 |
| 6 | Android.SmsSend.991.origin | 0,68 |
| 7 | Android.SmsSend.914.origin | 0,62 |
| 8 | Android.SmsSend.309.origin | 0,59 |
| 9 | Android.Subser.1.origin | 0,54 |
| 10 | Android.SmsSend.315.origin | 0,52 |
June will also be remembered for the intense distribution of Android blocker Trojans which interfere with the normal operation of infected devices. For instance, Android.Locker.5.origin primarily targets devices in China and locks the smart phone or tablet screen only temporarily, without inflicting severe damage to the information stored on the device.
Yet the Trojans Android.Locker.6 .origin and Android.Locker.7.origin lock the touch screen and demand that the victim pay ransom to unlock it. These programs are distributed under the guise of the Adobe Flash Player and target Android handhelds in the U.S.
 |  |
 |  |
Doctor Web is the Russian developer of Dr.Web anti-virus software. We have been developing our products since 1992. The company is a key player on the Russian market for software that meets the fundamental need of any business — information security.
