Trojans

CraxsRAT is a highly dangerous Android Remote Access Trojan (RAT) that allows a threat actor to remote control an infected device from a Windows computer. The malware is highly customizable and versatile, with several versions available, and can infiltrate systems with minimal permissions, raising little suspicion. CraxsRAT can monitor accessed websites and force-open specific pages, causing infection chains either by downloading and executing payloads or by tricking victims into doing so themselves via force-opened deceptive sites. The malware can investigate call logs, read, remove, and add contacts, and monitor accessed websites. CraxsRAT can also bypass Google Play protect, live screen view, and has a shell for command execution. The malware is generated using a builder, which comes with options to customize and obfuscate the payload, choose an icon, the app name, and the features and permissions that need to be activated once installed on the smartphone. The malware can cause infection chains either by downloading and executing payloads or by tricking victims into doing so themselves via force-opened deceptive sites.

IDP.Generic is a generalized code name used by anti-malware software for labeling and therefore quarantining possibly malicious activity. IDP.Generic is not tied to any specific file – a plethora of different files can be assigned with this detection component by your antivirus. In the majority of cases, such IDP.Generic detections are often false positives and do not pose any real threat to users. A false positive is simply when anti-malware software mistakenly identifies some harmless or legitimate file as malicious and blocks its operation or even deletes it completely. Many users report that false flagging happens with files of video games or other third-party software. Usually, it is Avast and AVG engines that tend to detect IDP.Generic as false positive the most. In this case, it is enough to add the file to your antivirus whitelist and continue using the associated program without problems. However, despite many detections like this being nothing to worry about, there are of course cases when the detected file(s) is actually malicious. Make sure that the software/file you downloaded is totally legitimate and was not downloaded from some unofficial and compromised resource.

Crackonosh is the name of a trojan stealthily distributed inside cracked software installers. Upon successful installation, its purpose is to inject the XMRIG miner and start mining Monero cryptocurrency for the threat actors. As of now, statistics show that this miner has helped cybercriminals mine the amount of Monero worth roughly two million dollars. A couple of words on how the trojan does its malicious job: After the installer of cracked software is launched, it places an installer and script onto the targeted system, which then changes the Windows Registry settings to turn off hibernation mode and activate Crackonosh in Safe Mode at the next system start-up. This way, the trojan deactivates Windows Update and Windows Defender and is even able to uninstall third-party antivirus programs (e.g., Avast, Bitdefender, Kaspersky, McAfee, and Norton) in order to reduce the chance of getting detected and blocked. To conceal its presence, it erases system log files, serviceinstaller.msi files, and maintenance.vbs files. As a result, some infected systems may display error messages indicating issues with the aforementioned files. In addition, Crackonosh may also halt Windows Update services and substitute the Windows Security icon with a fake green system tray icon. The main symptoms that should attract your attention and lead you to suspect something is wrong with your system are usually slower and laggy PC performance, increased CPU/GPU/RAM usage, overheating, unexpected crashes, and other related issues. Thus, if any of these symptoms are present, make sure to read our guide below and eliminate the potential crypto-mining trojan from your computer.

Hacktool:Win32/Keygen is a code-name referred to by anti-malware software when the usage/presence of license-cracking tools gets detected on the system. Such tools allow the fake generation of keys to activate licensed versions of software and therefore bypass paying for it. Although keygen tools are not intended to be harmful to users' safety initially, some threat actors may use them to deliver various malware alongside. While the detection and labeling of the cracking tool as "Hacktool:Win32/Keygen" by your antivirus does not always indicate your system is infected with actual malware, it still might be a good idea to perform a thorough scan of your system. Infections that can be distributed alongside key-generating tools are ransomware (software that encrypts data and demands money from victims), crypto-miners (software that stealthily mines cryptocurrency for cybercriminals), banking trojans, spyware, and other types of potentially devastating infiltrations. Having such malware installed on your system may lead to severe privacy problems, financial losses, downgraded PC performance, and other kinds of threats. Thus, if you recently used a license-cracking tool (Hacktool:Win32/Keygen) and suspect your system could be in danger, make sure to read our guide below and scan your system with effective anti-malware software to detect and eliminate possible threats.

BrasDex is categorized as a banking virus that infects Android (and Windows) devices to access bank accounts and steal money from victims. This specific banker has been observed targeting victims in the Brazilian region - recently via a fake banking app named "Brazilian Banco Santander". Previously, it used to infiltrate devices by disguising itself as essential Android settings applications. BrasDex abuses Accessibility Services to record the information entered into banking applications. However, instead of showing overlaid (fake) screens to bait users into entering their log-in credentials, it instead keyloggers them inside targetted banking applications themselves. Unlike other banking malware, BrasDex also employs an ATS (Automated Transfer System) mechanism, which allows cybercriminals to perform fraudulent transactions in an automated way - therefore automating malicious business and increasing illegal profits. In addition, it is also known that BrasDex exploits a popular Pix fast payment system that was developed by the Central Bank of Brazil. This makes its easier for cybercriminals since all they require is the victim's identifier (which can be an email, CPF, phone number, or random ID). Please note that the Pxi system is not vulnerable - threat actors simply use this system to speed up the process of fraudulent transfers. A lot more technical information about BrasDex can be discovered in this report made by ThreatFabric. BrasDex is a dangerous virus that can cause unpleasant financial losses and privacy issues - thus, make sure to read our guide below and delete this devastating malware from your device. Once done, it is also important to change your log-in credentials.

GodFather is the name of a banking trojan that targets Android devices. Developers behind this malware seek to exfiltrate account credentials and use them for accessing 400+ online banking pages and crypto exchanges across 16 countries worldwide. The GodFather trojan functions by creating overlaid log-in screens and displaying them over legitimate apps or web pages. This way, it tricks users into entering their login data on fake screens, which allows threat actors to access finance-related accounts and abuse them for financial fraud. Before GodFather becomes capable of performing such malicious action, it needs users to allow certain permissions (access to SMS texts and notifications, screen recording, contacts, making calls, recording to external storage, and reading the device status) in the Accessibility Service window. The trojan does it by imitating the legitimate "Google Protect" tool, therefore making the process look ordinary and less likely to trigger suspicion from users. After the permissions are granted, the trojan gets complete liberty to run its malicious actions. GodFather also abuses the granted access to complicate manual removal, steal two-factor authentication codes, process different commands, and hijack data from PIN and password fields. If you want to learn more about the technical specs of GodFather banking trojan, you can check out this page. In summary, GodFather is a highly-devastating infection that can lead to significant financial losses, which is why it must be removed completely and without traces from your device. Use our guide below to do it.

Cypher is a remote administration trojan (RAT) promoted by cybercriminals to control Android devices and run a number of malicious actions on them. Once it hacks an Android device, threat actors become able to manage almost the whole device for achieving their purposes. Cypher is also a public trojan that can be purchased by anyone in form of subscription plans on the developers' website. One of the special features that cybercriminals behind Cypher get access to is the so-called clipboard hijacker. It is designed to substitute copied addresses of crypto wallets with ones owned by trojan owners. In other words, if a victim runs some cryptocurrency transaction while the trojan is on the smartphone, cybercriminals will be able to stealthily replace the copied address and receive the payment to their wallet instead. Apart from this, Cypher RAT has a plethora of other capabilities typical for such malware. For instance, it can change smartphone wallpapers, manage calls and SMSs, force-open various apps, manipulate the screen, memorize keyboard strokes, take screenshots, use a microphone to record incoming audio, analyze the device location, download additional software, read 2-factor authentication codes, imitate log-in windows, and other such functions aimed at benefiting cybercriminals in any desired way.

FlyTrap is a trojan infection designed to steal Facebook accounts and use them for future abuse. An authoritative security company named Zimperium researched this malware and confirmed its activity across 100+ countries with at least 10,000 users affected by it. According to reports, many have been affected by FlyTrap via a malicious application that promotes coupons, discounts, and other similar content. Clicking on such content can lead to a fake verification window demanding login credentials for a Facebook account. After successfully retrieving the inserted data and accessing the targetted Facebook account, FlyTrap becomes able to inject malicious JavaScript code in order to collect sensitive information (e.g., IP-addresses, geolocations, e-mail addresses, internet cookies, tokens, etc.). The stolen accounts may thereafter be abused for scamming friends or spreading malware via malicious links or attachments. Thus, FlyTrap is a dangerous infection that may lead to massive security problems and compromise users' identities. Follow our guide below to get rid of the virus from your Android smartphone. After doing so, it is important to change passwords and notify your friends/contacts about the committed hacking.