
Trojans

Dive into the treacherous world of Trojans in our specialized “Trojans” category at BugsFighter.com. Named after the deceptive Trojan Horse of ancient mythology, these malicious programs disguise themselves as harmless software to infiltrate your system, unleashing harmful effects such as data theft, system damage, and unauthorized access to your devices. Our in-depth guides and articles provide critical information on identifying, removing, and defending against Trojans. Learn about the latest Trojan threats, the mechanics of their operations, and the best practices for securing your digital environments. Whether you’re a home user or managing an enterprise network, arm yourself with the knowledge to protect your systems against these cunning adversaries.

How to remove Hacktool:Win32/Keygen

Hacktool:Win32/Keygen is a detection name used by anti-malware software when the presence or use of license-cracking tools is detected on the system. Such tools generate fake keys to activate licensed versions of software and therefore bypass paying for it. Although keygen tools are not initially intended to harm users' safety, some threat actors use them to deliver various malware alongside them. While the detection and labeling of a cracking tool as "Hacktool:Win32/Keygen" by your antivirus does not always indicate that your system is infected with actual malware, it is still a good idea to perform a thorough scan of your system. Infections that can be distributed alongside key-generating tools include ransomware (software that encrypts data and demands money from victims), crypto-miners (software that stealthily mines cryptocurrency for cybercriminals), banking trojans, spyware, and other types of potentially devastating infiltrations. Having such malware installed on your system may lead to severe privacy problems, financial losses, degraded PC performance, and other kinds of threats. Thus, if you recently used a license-cracking tool (Hacktool:Win32/Keygen) and suspect your system could be in danger, make sure to read our guide below and scan your system with effective anti-malware software to detect and eliminate possible threats.

How to remove BrasDex malware (Android)

BrasDex is categorized as a banking virus that infects Android (and Windows) devices to access bank accounts and steal money from victims. This specific banker has been observed targeting victims in the Brazilian region - recently via a fake banking app named "Brazilian Banco Santander". Previously, it infiltrated devices by disguising itself as essential Android settings applications. BrasDex abuses Accessibility Services to record the information entered into banking applications. However, instead of showing overlaid (fake) screens to bait users into entering their log-in credentials, it keylogs the input inside the targeted banking applications themselves. Unlike other banking malware, BrasDex also employs an ATS (Automated Transfer System) mechanism, which allows cybercriminals to perform fraudulent transactions in an automated way - thereby automating their malicious business and increasing illegal profits. In addition, it is also known that BrasDex exploits the popular Pix fast payment system developed by the Central Bank of Brazil. This makes it easier for cybercriminals since all they require is the victim's identifier (which can be an email, CPF, phone number, or random ID). Please note that the Pix system itself is not vulnerable - threat actors simply use it to speed up the process of fraudulent transfers. Much more technical information about BrasDex can be found in the report made by ThreatFabric. BrasDex is a dangerous virus that can cause unpleasant financial losses and privacy issues - thus, make sure to read our guide below and delete this devastating malware from your device. Once done, it is also important to change your log-in credentials.

How to remove GodFather malware (Android)

GodFather is the name of a banking trojan that targets Android devices. The developers behind this malware seek to exfiltrate account credentials and use them to access 400+ online banking pages and crypto exchanges across 16 countries worldwide. The GodFather trojan functions by creating overlaid log-in screens and displaying them over legitimate apps or web pages. This way, it tricks users into entering their login data on fake screens, which allows threat actors to access finance-related accounts and abuse them for financial fraud. Before GodFather becomes capable of performing such malicious actions, it needs users to grant certain permissions (access to SMS texts and notifications, screen recording, contacts, making calls, writing to external storage, and reading the device status) in the Accessibility Service window. The trojan does this by imitating the legitimate "Google Protect" tool, making the process look ordinary and less likely to raise suspicion from users. After the permissions are granted, the trojan has complete freedom to run its malicious actions. GodFather also abuses the granted access to complicate manual removal, steal two-factor authentication codes, process various commands, and hijack data from PIN and password fields. If you want to learn more about the technical details of the GodFather banking trojan, you can check out this page. In summary, GodFather is a highly devastating infection that can lead to significant financial losses, which is why it must be removed completely and without traces from your device. Use our guide below to do it.

How to remove Cypher RAT (Android)

Cypher is a remote administration trojan (RAT) promoted by cybercriminals to control Android devices and run a number of malicious actions on them. Once it compromises an Android device, threat actors become able to manage almost the whole device for their own purposes. Cypher is also a publicly available trojan that can be purchased by anyone in the form of subscription plans on the developers' website. One of the special features that cybercriminals behind Cypher get access to is the so-called clipboard hijacker. It is designed to substitute copied crypto wallet addresses with ones owned by the trojan operators. In other words, if a victim performs a cryptocurrency transaction while the trojan is on the smartphone, cybercriminals will be able to stealthily replace the copied address and receive the payment in their own wallet instead. Apart from this, Cypher RAT has a plethora of other capabilities typical of such malware. For instance, it can change smartphone wallpapers, manage calls and SMS messages, force-open various apps, manipulate the screen, log keystrokes, take screenshots, record audio via the microphone, track the device location, download additional software, read two-factor authentication codes, imitate log-in windows, and perform other such functions aimed at benefiting cybercriminals in any desired way.

How to remove FlyTrap Trojan (Android)

FlyTrap is a trojan infection designed to steal Facebook accounts and use them for further abuse. The security company Zimperium researched this malware and confirmed its activity across 100+ countries with at least 10,000 users affected by it. According to reports, many have been affected by FlyTrap via a malicious application that promotes coupons, discounts, and other similar content. Clicking on such content can lead to a fake verification window demanding login credentials for a Facebook account. After successfully retrieving the entered data and accessing the targeted Facebook account, FlyTrap becomes able to inject malicious JavaScript code in order to collect sensitive information (e.g., IP addresses, geolocation, e-mail addresses, internet cookies, tokens, etc.). The stolen accounts may thereafter be abused for scamming friends or spreading malware via malicious links or attachments. Thus, FlyTrap is a dangerous infection that may lead to massive security problems and compromise users' identities. Follow our guide below to get rid of the virus from your Android smartphone. After doing so, it is important to change your passwords and notify your friends/contacts about the compromise.

How to remove Payroll Timetable e-mail virus

Payroll Timetable is a malicious e-mail campaign designed to trick users into downloading a devastating trojan called TrickBot. The developers in charge of this campaign send thousands of identical messages containing fake information about some payroll timetable. By impersonating the legitimate company PricewaterhouseCoopers and pretending to be its employees, cybercriminals encourage users to review some "irregularities" by opening the attached file. Such text is usually irrelevant to the recipient and simply meant to raise curiosity so that the malicious attachment, in .docx, .xls, or another MS Office format, gets opened. If you receive an unexpected message accompanied by an attachment, chances are it is an attempt to deliver a virus infection. The distributed TrickBot trojan is meant to record sensitive information (e.g., passwords, usernames, e-mails, etc.) and use it for stealing the related accounts. The cybercriminals' focus is especially on various finance-related applications, such as mobile banking apps or crypto-wallets. Unfortunately, if you trusted the Payroll Timetable e-mail message and opened the attached document, then your system is most likely infected. Use our guide below to avert the damage by completely removing the infection.

How to remove S.O.V.A. Banking Trojan (Android)

S.O.V.A. is a banking trojan virus designed to extract finance-related information from Android devices. Specifically, it was observed doing so on devices running Android versions 7 through 11. While being distributed under the disguise of ostensibly legitimate software, the sneaky trojan asks users to grant a number of device permissions. If such permissions are eventually given, the trojan becomes capable of reading the device's screen and simulating fake log-in windows to bait users into entering their credentials. As mentioned, the main target of S.O.V.A. is banking information, which means the trojan will likely try to collect information from banking applications, cryptocurrency wallets, and other places related to finance. Due to its keylogging abilities, the trojan can record all typed keystrokes and abuse them for stealing accounts or performing unauthorized money transactions. In addition, it was also observed that S.O.V.A. has access to managing SMS messages and displaying various pop-ups. Allowing such malware to operate for too long may indeed lead to severe privacy issues and potential financial loss. On top of that, the S.O.V.A. banking trojan is still considered under development and is expected to acquire more features (performing DDoS attacks, operating as screen-locking ransomware, interfering with 2FA (two-factor authentication), and so forth) in future updates. Thus, if you suspect your Android device is affected by this or a similar infection, follow our guidelines below to remove it and ensure further protection against such threats.

How to remove Conteban Trojan

Conteban is a remote-access trojan that, upon successful infiltration, manipulates system features to run malicious actions. While the actual purpose of this virus remains unclear, malware of this kind tends to cause chain infections. This means that Conteban may act as a "backdoor" to bring other viruses, such as ransomware, along the way. Ransomware is devastating malicious software that usually encrypts data stored on the system and blackmails victims into paying money for its return. In addition, many developers behind trojan infections also seek to extract valuable information (e.g. passwords, log-ins, banking credentials, etc.). This data can then be misused to perform fraudulent financial operations, putting users' funds and privacy at significant risk. Sometimes, however, legitimate software is mistakenly tagged as Trojan-Win32/Conteban by various antivirus engines, including the native Windows Defender. Such false positives happen fairly often and may occur while launching or installing a third-party file downloaded from the web. If you suspect your system is actually infected, or you doubt the trustworthiness of a downloaded file, we recommend you use our guide to make sure nothing threatens your PC.