Trojans

BianLian is the name of a banking trojan designed to exfiltrate mainly finance-related information. After successful installation, it bombards the device's screen with pop-up windows that request users to allow various Accessibility Features. Once the demanded permissions are granted, the trojan acquires an almost limitless range of malicious features. For instance, it might display fake interactable windows on top of various banking applications. This way, cybercriminals attempt to trick users into entering their log-in credentials and steal them eventually. BianLian was also discovered able to run USSD codes and perform calls; prevent users from using a device by force-locking the screen; enable screen recording, manage SMS text messages, and also create an SSH server for protecting its communication channels. Such modules used by the trojan are obviously dangerous and might lead users to significant financial losses, identity thefts, and other problems that no one would desire. Thus, it is important to remove the trojan infection and restore safety on your Android device. You should also change all your log-in credentials and even block your card at the bank to prevent financial abuse.

Recently discovered by cybersecurity researchers at MalwareHunterTeam and Cyble, Hydra has developed a new banking trojan variant designed to infect Android devices. It mimics itself under the Play Store app called Document Manager, with over 10,000 downloads in total. Users who download this app and allow certain permissions required by it will experience substantial security threats. The trojan was specifically reported targeting the second-biggest German bank, named Commerzbank. It requests more than 20 permissions, which, in case allowed, will let threat actors to do whatever they want with your smartphone - e.g. monitor passwords entered in apps, alter various settings, manage phone calls and SMS messages, lock and unlock the infected device, disable antivirus activity, record camera footage and deploy tons of other malicious tasks aimed at stealing finance-related credentials. It is also possible that other collected data like phone or social media contacts may also be abused for tricking people into downloading fake software that executes infections. The most popular symptoms of trojans running within a smartphone system are lags, moments of freezing, overheating, random opening of websites or apps, and other signs of weird behavior that were not present before. Trojans like Hydra are extremely dangerous, and it is important to stop their malicious action by performing the full-blown deletion. It may be hard to do on your own without relevant knowledge, so we prepared a thorough guide to help you succeed in removing Hydra Banking Trojan from your Android device.

Quite recently, hackers found a new Windows vulnerability to aid the penetration of systems with malware. The exploit is inherently related to MSDT (Microsoft Support Diagnostic Tool) and allows cybercriminals to perform various actions by deploying commands through the PowerShell console. It was therefore called Follina and assigned this tracker code CVE-2022-30190. According to some reputable experts who researched this problem, the exploit ends up successful once users open malicious Word files. Threat actors use Word’s remote template feature to request an HTML file from a remote web server. Following this, attackers get access to running PowerShell commands to install malware, manipulate system-stored data as well as run other malicious actions. The exploit is also immune to any antivirus protection, ignoring all safety protocols and allowing infections to sneak undetected. Microsoft does work on the exploit solution and promises to roll out a fix update as soon as possible. We thus recommend you constantly check your system for new updates and install them eventually. Before that, we can guide you through the official resolution method suggested by Microsoft. The method is to disable the MSDT URL protocol, which will prevent further risks from being exploited until an update appears.

Often mistaken by a separate virus, messages spamming Google Calendar events are actually related to a malicious/unwanted app that might be running on your Android device. Many victims complain that messages usually appear all over the calendar and attempt to persuade users into clicking on deceptive links. It is likely that after an unwanted application was installed, users experiencing spam at the moment granted access to certain features including permissions to modify Google Calendar events. The links may therefore lead to external websites designed to install malware and other types of infections. In fact, whatever information claimed by them ("severe virus detected"; "virus alert"; "clear your device", etc.) is most likely fake and has nothing to do with reality. In order to fix this and prevent your calendar from being cluttered with such spam messages, it is important to find and remove an application causing the issue and reset the calendar to clean up unwanted events.

Dllhost.exe is a piece of malicious software masking itself under dllhost.exe (COM Surrogate) - a legitimate and important Windows process running by default inside of each system. By doing so, the virus attempts to prevent users from thinking it is something suspicious. It is also possible to see a number of genuine dllhost.exe processes in Task Manager eating tons of CPU resources. For instance, a trojan called Poweliks is known to exploit the legitimate process to execute its dirty work. The malware we are talking about today creates a separate fake process to execute its unwanted tasks. It was found that users affected by it see force-open websites like adult pages, casinos, gambling, phishing, scam, pornography, and other types of resources promoting potentially dangerous content. The list of possible malware functions does not end with forcing redirects only. Such infections may embrace screen/audio recording features, keystroke memorization, spying on sensitive data, installation of malicious programs like crypto miners, and other similar things. If you suspect being infected with Dllhost.exe-masqueraded malware, make sure you follow our tutorial below to detect and remove it immediately.

L3MON RAT is a type of trojan allowing its profiteers to access Android devices and control them remotely. The virus employs a cloud-based android management utility to encourage remote manipulations directly from web browsers. Upon successful infiltration, L3MON RAT becomes able to steal various types of sensitive data (e.g. SMS messages, contacts, call history, messages sent and received on WhatsApp and Signal, entered passwords, etc.). It is also able to record audio and surveil other log-in attempts by users. In other words, this malicious software can see whatever is being done during device usage. Depending on how valuable the collected information is, it can therefore be abused to enter banking accounts, perform unauthorized transactions, or even communicate with the collected contacts (for instance, your friends) to impose something under your name. General symptoms indicating that your Android device is under infection are slow/buggy performance, reduced response time, intermediate screen blackouts, decreased battery life, questionable push notifications, and other things implemented without users' permission. L3MON is an open-access trojan, which can be purchased and used by any hacker willing to do so. It is highly devastating and must be removed immediately upon its detection. Use our free guide below to do it correctly and without traces.

89N3PDyZzakoH7W6n8ZrjGDDktjh8iWFG6eKRvi3kvpQ is the name of a clipboard hijacker. Such type of malware is quite rare to get infected with due to its recent development. The operation of this malware is simple - it substitutes whatever is copied into the copy-paste buffer with the 89N3PDyZzakoH7W6n8ZrjGDDktjh8iWFG6eKRvi3kvpQ string. In other words, if you try to copy and paste some piece of text, it will be eventually replaced with the aforementioned characters. Luckily, this malware sample does not work exactly as intended. Devastating clipboard hijackers are originally designed to detect when victims perform crypto-related transactions and substitute the recipient's wallet address with one by cybercriminals. This way, victims may overlook the replacement and send cryptocurrencies to the substituted address of cybercriminals. The operation of such clipboard manipulations can be prevented by terminating the AutoIt v3 Script (32 bit) process in Windows Task Manager. Unfortunately, the same symptoms may appear again until a malicious program is present. This is why it is important to detect and remove it as soon as possible. It is also worth checking whether some other malware got installed along with the clipboard hijacker. Run a full analysis of your system and perform the complete removal of detected threats using our guidelines below.

Octo is the name of a banking trojan seeking to cause financial fraud on Android smartphones. Some consider it is a rebranded version of ExobotCompact - another devastating trojan designed to target finance-related abuse. Octo possesses a wide range of remote-access abilities to fulfill its fraudulent blueprint. After successfully attacking the system, Octo banking trojan becomes fully eligible to read and capture various device sectors. Any information entered by users in real-time (log-in credentials, keystrokes, screen lock PIN codes, etc.) can be recorded and therefore used to carry out overlay attacks on banking-related apps. This means the virus is able to read the content of any app displayed on the screen and provide the actor with sufficient information to perform fraudulent actions. The C2 server allows cybercriminals to send any commands they want and literally have full control of your device to perform monetary transactions without your consent. In addition, Octo may hijack SMS features to feed your contacts with phishing links designed to install the virus as well. Developers of this trojan also made sure there are persistence measures to prevent traditional uninstallation and antivirus detection. Capabilities of Octo banking trojan can be marked similar to other renowned trojans like Cerberus and Medusa, for instance. Malware of this type if truly devastating and it is important to know working solutions to remove it. We encourage you to use our guide and apply removal instructions below.