Some time ago, viruses were restricted to computers, but as our phones became small computers, they also became more vulnerable to viruses. In 2016 alone, Kaspersky's anti-malware software detected over 8 million malware packages targeting Android, including ransomware, banking and advertisement Trojans, and adware.
Android virus creators are becoming increasingly smart, and manage to come up with various ways to infect a device. Creating malware has proven to be a profitable business, and we will likely see a steady increase in Android viruses in the foreseeable future. As that happens, it is important that users become familiar with how infections happen, what the signs are, and how to get rid of malware.
How dangerous are Android viruses?
There are a variety of ways viruses could affect your device, depending on how severe the infection is. It could lock you out of your device, steal your personal details, slow down your phone or open backdoors for more severe malware to enter.
One of the most serious malware consequences you could experience is stolen bank credentials. Such infections are usually referred to as banking Trojans. They generate fake login pages for online banking, and when you type in your credentials, instead of being taken to your banking account, you would be allowing the malware to send your data to malicious parties. Those fake login screens may look completely identical to the legitimate ones, so users might not even notice anything wrong. The malware creators would then try to sell your banking data on the deep web, or use it themselves.
Android viruses can also take your files hostage. Usually, ransomware (file-encrypting malware) is a problem for Windows computers, but Android devices can be affected as well. One example is DoubleLocker ransomware. Security software company ESET reported back in October on Android ransomware that encrypts the data on the phone, locks the user out of the phone by changing the PIN, and then asks for Bitcoin in exchange for the release of the phone. It was distributed via fake Adobe Flash Player updates.
Some viruses are less malicious but can act as backdoors for other malware to enter. These kinds of Trojans can enter via email attachments or infected links, and once they are installed, they can download malware in the background without your knowledge.
A lot of Android viruses aim to generate revenue by opening advertisements in the background and accessing certain pages. These infections are usually referred to as adware. Users usually download these infections themselves unknowingly, as they often come disguised as legitimate apps. The app might even work as it is supposed to, but it could also be causing pop-ups to appear on your screen, or opening certain sites in the background, aiming to earn revenue.
How to recognize viruses in Android devices?
Usually, even if you are not very in tune with your device, you will notice the symptoms of an infection. However, you might not link them to viruses, and just consider them normal behavior for your device, especially if it is an older phone. Nevertheless, if the strange behaviors start all at once, and the decrease in your device’s performance is not gradual, it could be a sign that you have a case of an Android virus. So what are the major signs?
We do not mean the pop-ups you get when you are visiting questionable websites. When we say pop-ups, we mean the ads that are appearing constantly, even when you are browsing completely safe websites. There might be one pop-up, or there might be ten of them. This kind of behavior makes it very noticeable that something might be wrong. So if your browser constantly has numerous tabs open, with suspicious contents in the ads, you might be dealing with adware.
Increased phone bill
An increased bill is a bit more difficult to notice. Unless you are very meticulous when it comes to your bills, you might not even notice an increase in your phone bill, or put it down to some services that you might have used. However, an increase in your bill could mean an infection too. There are certain Android viruses that make phone calls and send texts to premium numbers in the background. Check your call log and your messages for any suspicious behavior, and find out where the extra phone charges come from.
Battery drained faster and poor performance
If you notice that your battery drains faster than before, and you are not using any apps that could result in that, it could be malware using your phone’s resources. If the infection is constantly running in the background, performing malicious activity, it needs to fuel itself somehow, and uses your phone to do so.
Since the malware is using your device’s resources, the phone will become quite slow and laggy, even when no programs are running. Same with overheating. Your phone might become hot for no reason as well.
You can easily check whether there is any suspicious battery draining by going to Settings and then clicking on Battery. Check the apps using most of your device’s resources, and if there is any suspicious behavior, investigate it.
Another sign you should notice immediately is unfamiliar apps. Unless your Android phone is full of apps, and even you do not keep track of them, noticing an additional application installed should be no issue. The unfamiliar app could have come together with other apps, or it could have been downloaded without your knowledge. Whatever the reason may be, if you notice unknown apps on your device, delete them immediately.
Unauthorized connection to the Internet
If you notice that you are connected to the Internet, whether it is via mobile data or WiFi, and specifically remember disconnecting, it could be a sign of malware. Of course, you could just not remember connecting, but if that is happening constantly, it might be more serious than just a case of forgetfulness. Android malware needs the Internet so that it can download additional threats or open certain pages in the background.
If you notice all of these signs, or even just a few, you should immediately check your phone for malware. You should also continue reading to find out how you might have picked up the infection and how to get rid of it.
How do Android viruses spread?
Most users get their apps from official app stores, such as Google Play. And while Google Play is not 100% secure, it is still much safer than third-party stores. Not all apps you get from third-party stores will be malicious, far from it, but those stores are less regulated and sometimes do not have proper security measures in place to prevent the upload of malicious apps. So you are more likely to download some kind of Android virus by using third-party stores.
Trend Micro has also noticed that countries where third-party stores are most popular seem to be at a higher risk of infection.
“Citizens often can’t access certain apps censored by the government, forcing them to go to less-than-secure third party app stores”, it said, giving China as an example. The country was among the top 3 markets containing malware-infected Android devices in 2015, according to Cheetah Mobile Security.
We recommend you avoid third-party stores, and if you must download something from them, look into the app very carefully, read the reviews, and only then make a decision. But for the majority of your apps, stick to the official Android store, Google Play.
We just mentioned that you should download apps mainly from Google Play but it should be mentioned that the store will not always host only secure apps. Google is regularly coming up with ways to secure its app store, but malware creators still find ways to bypass the implemented security measures.
Just last month, four security software companies noticed four different malware campaigns on Google Play. Malicious apps were downloaded millions of times, and they were noted to subscribe to premium phone numbers, open ads in the background, and display fake login screens in order to steal credentials. All these apps managed to bypass Google Play Protect, Google Play’s built-in anti-malware system.
Nevertheless, it is much safer to download from Google Play Store. You just need to be attentive. Even if the app has millions of downloads and a great rating, it could still be dangerous. Thus, you need to look into it properly: read the reviews (both good and bad), check the developer, review the permissions it asks for, and just generally look into the program.
Like any other kind of malware, malicious apps targeting Android users could also be obtained by pressing on an infected link, website or update. Do not press on weird links in emails, messages or texts, unless you are sure it is safe to do so. They could lead to malicious sites, where malware could download without you even knowing.
Refrain from visiting questionable websites, as they could trigger a malware download, or redirect to even more dangerous sites. The banners that offer you updates can also lead you to downloading malware. If you accept the ‘update’, you would end up installing some kind of malware. One thing to remember is that legitimate updates will never be advertised this way. If an update is needed, and the program cannot do it automatically, the app will inform you itself, not via some banner.
Most notable Android viruses
A lot of Android viruses do not go very far. They might be active for some time, and even manage to make some kind of profit, but then they disappear. However, there are those that are constantly updated, and are becoming more and more advanced. Below, you will find brief descriptions of Android viruses that you should look out for.
Svpeng and Invisible man
The notorious banking Trojan Svpeng has been around for a long while, and once in a while, it gets updated. Over the years, it has used phishing pages to steal credentials and taken devices for ransom, and its updated version ‘Invisible Man’ can now install a keylogger on your device. Invisible Man was noticed mid-July 2017, and was noted to spread as a fake Flash Player update.
The malware first checks your phone’s language; if it is set to Russian, it does not proceed further. All other devices are fair game. It then proceeds to ask permission to use accessibility services, which are designed to help users with disabilities. Once the permission is granted, it gains the ability to draw on screens, which allows it to create an invisible overlay above real banking apps. If you enter your card details, you are essentially giving them away to the malware creators.
Like we mentioned above, DoubleLocker was first noticed by ESET, and was quite notable because it not only locked users out of their devices but also encrypted data. And interestingly enough, this ransomware was based on the same code as Svpeng.
“DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data it finds in them – a combination that has not been seen previously in the Android ecosystem,” ESET explained.
Again, this infection was spread as a fake Adobe Flash Player update, and once it gains administrator rights, it sets itself as the default home application, encrypts your files, changes your PIN and locks you out of your device.
The Tizi spyware was discovered by Google, and seemed to target users in Africa. This piece of spyware has social media as the main target, but is capable of performing all kinds of activities. Primarily, it will steal data from social media accounts, such as Facebook, Twitter, and WhatsApp. It is also capable of recording calls made from communication apps like WhatsApp, Viber or Skype.
Google engineers noticed the infection when Google Play Protect alerted them that a Tizi-infected app was installed on a user’s device via Google Play Store. It was then discovered that the app dates back to 2015.
It has since been removed from Google Play, and was uninstalled from all infected devices.
HummingBad and HummingWhale
HummingBad is a notorious one; it even has its own Wikipedia page. It was noticed back in 2016 by Check Point, and at one point accounted for 72% of smartphone infections by infecting as many as 85 million devices, making it one of the largest Android malware infections.
The infection primarily aims to click on ads in order to generate profit, but it can also download and install other apps. During its peak, it was making its creators as much as $300,000 per month.
Some time later, an updated version of HummingBad was discovered, nicknamed HummingWhale. The new version does not install any additional apps onto the device, but instead, installs a virtual machine app. It would show users advertisements, and when users close those unwanted ads, the installed virtual machine is opened, and the advertised app is installed there. This allows the malware to earn profit from pay-per-install.
LeakerLocker gave a few people quite a scare back when it was first detected in July 2017. Once it got onto a victim’s device, it would threaten to leak the user's personal information to their whole contact list, which would pressure the victim to pay the creators. Of course, users are never recommended to pay, as that would only increase the number of these kinds of attacks.
Interestingly, the malware was spreading via Google Play. It was disguised in apps going by the names Wallpapers Blur HD, Booster & Cleaner Pro and Calls Recorder. When the user grants these apps the permissions they ask for, the ransomware can then access certain files, contacts and information on the device. A note would then appear on the screen, informing the user that a backup was made of all files, and if payment is not made, everything would be shared with the contact list.
Security company Trend Micro noticed the Xavier Trojan back in June 2017, and it was noted to have infected around 800 apps on Google Play. It was disguised as all kinds of applications, from wallpaper to photo editing apps. It was capable of stealing and leaking information without the user noticing.
“Xavier’s stealing and leaking capabilities are difficult to detect because of a self-protect mechanism that allows it to escape both static and dynamic analysis. In addition, Xavier also has the capability to download and execute other malicious codes, which might be an even more dangerous aspect of the malware. Xavier’s behavior depends on the downloaded codes and the URL of codes, which are configured by the remote server,” Trend Micro researchers reported.
How to remove Android virus
We mentioned how you can notice if your device has been infected with an Android virus, but in addition to that, Android anti-malware apps could also help you identify an infection. There are many options to choose from; some are free, and some offer 30-day trials. Launch the program of your choice and allow it to scan your device. If it manages to find some kind of infection, allow the anti-malware app to delete it.
You can also remove an Android virus manually. You just need to find the apps responsible. Try to recall when the infection symptoms started, and if you installed some app around that time. If you are not sure which app is causing the infection, investigate them all by using a reliable search engine. One by one, research the apps until you find the perpetrator.
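One way to shortlist the apps to research first, as an added example that is not part of the original article: the script below reads text in the style of `adb shell dumpsys package` output and lists apps first installed shortly before the symptoms began, noting any that did not come through Google Play or that request permissions matching the behaviours described earlier. The sample dump, the package names and the choice of permissions are assumptions made for illustration, and the field layout varies between Android versions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modeled on `adb shell dumpsys package`; package names are invented.
SAMPLE_DUMP = """\
Package [com.example.notes] (1a2b3c):
    firstInstallTime=2017-03-02 09:15:40
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
Package [com.example.flashupdate] (4d5e6f):
    firstInstallTime=2017-07-14 22:03:11
    installerPackageName=null
    requested permissions:
      android.permission.SEND_SMS
      android.permission.SYSTEM_ALERT_WINDOW
Package [com.example.wallpaperhd] (7a8b9c):
    firstInstallTime=2017-07-16 08:41:27
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.READ_CONTACTS
"""

# Illustrative selection of requested permissions tied to behaviours in the article.
RISKY = {
    "android.permission.SEND_SMS": "can send texts (premium numbers)",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.READ_CONTACTS": "can read the contact list",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install other apps",
}
PLAY_STORE = "com.android.vending"  # installer name recorded for Google Play installs

def triage(dump, symptoms_start, window_days=7):
    """List apps first installed in the window_days before symptoms began."""
    findings = []
    for block in re.split(r"(?m)^(?=Package \[)", dump):
        name = re.search(r"^Package \[([^\]]+)\]", block)
        stamp = re.search(r"firstInstallTime=(\S+ \S+)", block)
        if not (name and stamp):
            continue
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        if not timedelta(0) <= symptoms_start - when <= timedelta(days=window_days):
            continue
        reasons = [f"installed {when:%Y-%m-%d}"]
        if f"installerPackageName={PLAY_STORE}" not in block:
            reasons.append("not installed through Google Play")
        perms = set(re.findall(r"^\s+(android\.permission\.\w+)\s*$", block, re.M))
        reasons += [why for perm, why in RISKY.items() if perm in perms]
        findings.append((name.group(1), reasons))
    return findings
```

Calling `triage(SAMPLE_DUMP, datetime(2017, 7, 17))` returns the two apps installed in the preceding week with the reasons each deserves a closer look; a flagged app is a candidate for research, not proof of infection.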
If both automatic and manual Android virus removal did not work, there is also Factory Reset. Bear in mind that this method will wipe your whole phone, including all your files and saved data. If you wish to proceed, go to Settings -> Privacy -> Factory Reset.