Trojans

Previously known under the name of Aberebot, Escobar is a banking trojan developed for Android. The main goal of such software lies in the pursuit of valuable information that cybercriminals seek to capitalize on. After successfully committing an attack on Android devices, Escobar obtains a wide number of capabilities - it is, therefore, able to send remote commands, control the screen, manipulate SMS messages, record audio, take photos, disable protection, memorize keystrokes, redirect to websites asking to enter login credentials, modify the list of installed applications, and many other actions as well. In short, Escobar gains the entire control over your device which makes it almost unlimited in doing whatever it wants. The rebranded banking trojan also acquired a feature of looking into the Google Authenticator and recording one-time-use passwords from it. Escobar malware is now explicitly advertised on hacking forums at a price of 3000$ per monthly subscription. The recorded information may be afterwards used to access banking accounts and perform transactions without the consent of actual owners. Escobar is a very devastating infection. Its presence may lead to many privacy issues and risks of losing the finance. Thus, it is important to delete it from your Android smartphone as soon as possible before it does even more damage.

Also known as FoxBlade, HermeticWiper is a devastating virus designed to erase system-stored data and prevent machines from responding or working completely. Malware with such capabilities is usually known as disk wipers. HermeticWiper was discovered attacking governmental bodies and business structures in Ukraine on February 24. Many researchers think HermeticWiper was given this name based on a digital certificate stolen from a company called Hermetica Digital Ltd. This certificate allows the virus to disguise itself as legitimate software to bypass the detection of Windows. Upon successful infiltration, HermeticWiper corrupts the majority of stored data and deletes Windows Shadow Copies as well. This functionality leads to permanent data loss making victims unable to recover it afterwards. As mentioned, HermeticWiper makes infected systems practically unusable - it does so by disrupting the Master Boot Record (MBR), an important Windows sector responsible for properly starting the system. As long as HermeticWiper holds control around your system, it can do almost whatever it wants - install additional malware, launch DDoS attacks, record keystrokes, audio, video, abuse system resources to mine cryptocurrencies, deploy remote commands, and many other disruptive actions. HermeticWiper is not the only but one of few viruses distributed within this geopolitical campaign on Ukraine.

AppLovin is an adware application that infects users of Android smartphones. Although it may look like a legitimate and world-famous video-sharing service called TikTok, there is nothing common between them. AppLovin is fake and designed to promote various ads, pop-ups, coupons, and download pages that run stealth infections using executable scripts. Whatever is spread by AppLovin should not be trusted and followed by users. A deeper investigation showed that AppLovin's main focus is set on Jio devices which are popular in India. Jio is an official Indian company providing Internet and smartphone products in India. AppLovin also displays a sign-in screen. The entered credentials may be recorded by the app to steal TikTok accounts or hack you on other websites registered using the same credentials. It was also discovered that AppLovin abuses the hijacked devices to send spam messages with download links to other Jio owners. In sum, AppLovin was clearly developed for causing privacy threats and downgraded smartphone performance. Users that are infected with this application, should instantly remove it before it does significant damage. You can follow our instructions below to do it correctly and without traces.

Medusa was analyzed and eventually assigned to the category of banking trojans. It infects Android users to grant cybercriminals with remote access over the device. From there, swindlers may be able to execute various commands - e.g. extract valuable data, force-open unwanted websites, or download other malware as well. On a general level, the trojan can do whatever it wants ranging across actions like viewing your screen, navigating through installed apps, unlocking the screen, recording keystrokes (to steal passwords), and also streaming both camera and audio in real-time. This specific feature is most likely used to perform malicious and fraudulent commands while nobody is using the phone. As mentioned, Medusa is categorized as a banking trojan meaning its main target is set on hijacking credentials to log into banking applications. This is therefore needed to perform transactions and steal users' money without consent. Medusa is one of those trojans leading to serious consequences related to privacy and financial risks. If you spotted your device began to act weird and without your consent, do not linger and remove the virus using our tutorial below.

Shlayer is a trojan-based infection designed to cause a chain of multiple malware infiltrations on your device. The number of malware may vary from typical adware or fake search engine tools to more dreadful types like Ransomware that inevitably encrypts users' data. Once the trojan sneaks into the system it starts running scripts that install malware along the way. For example, the adware can distribute deceptive on-screen advertisements that redirect users to malicious resources that trick inexperienced people into downloading malware. All of these methods are basically developed for gathering personal information like passwords, geolocations, credentials, and other data that is transferred to third parties for income purposes. Shlayer Trojan has been spotted bundling Chumsearch Safari browser extension, MyShopCoupon, and fake optimization utilities like Mac Cleanup Pro that can also put your data at risk. Getting rid of Shlayer Trojan is the number one thing that you should do to prevent further infections. Thereafter, you will have to uninstall everything caused by the trojan to relieve your device from malware pressure.

Also known as Client Service Runtime Process, Csrss.exe is a legitimate system process that is essential to Windows health. It can be found running alongside other background processes in Task Manager. The native location Csrss.exe is always rooted to C:\Windows\System32\. If you find it present in other directories, more likely it is a virus infection disguised as a legitimate process. Cybercriminals take the names of Windows processes to hide trojans or similar software. By doing so, they also obscure scanning algorithms of anti-malware software, which sometimes struggles to define it as malware. Despite this, it is quite easy to determine whether this process is malicious or not. You can find it amongst the list of background processes in Task Manager, right-click on it and choose "Open file location" to see where it is. If you suspect it is a virus indeed, make sure to follow our guidelines below. The Csrss.exe process is known to be exploited by malware developers to hide malicious software that steals personal data and triggers the installation of other programs as well. This is why it is necessary to remove it as soon as possible before it deals severe privacy damage.

AbstractEmu is a high-risk Android virus detected in 7 applications available across legitimate Android app stores. Upon successful installation and interaction with one of these apps, the hidden AbstractEmu malware roots the whole smartphone to grant itself privileged rights over the system. It does not require any remote control - the activation of malware happens immediately once people start using an app. By doing so, AbstractEmu will have access to everything present inside of a device. The virus will be able to act on its purpose running various actions on a compromised system. This means developers behind AbstractEmu can manipulate your smartphone however they want - e.g. gather sensitive data, open apps, read personal chats, surveil your front camera, or even install additional malware. Such virus abilities are quite similar to what we saw with the FluBot spyware - already discussed on our blog. The range of platforms that distributed AbstractEmu-related apps were Google Play, Amazon Appstore, Samsung Galaxy Store, Aptoide, and even APKPure.

Discovered by MalwareHunterTeam, AnarchyGrabber is a type of virus designed for Discord users. It is meant to alter the index.js file inside of the Discord directory (%AppData%\Discord\[version]\modules\discord_desktop_core\) and hijack your data. By changing the inner code of the original file, it allows cybercriminals to upload malicious JavaScript files. This file should contain just one line: module.exports = require('./core.asar');. Everything else is from a trojan. To get rid of the malware, uninstall Discord, then check for the %AppData%\Roaming\discord directory (if it exists, delete it), and then reinstall the client. If this does not help, read the full guide below. Thus, when users log in to their Discord account, extortionists receive access to your contacts, account, servers, messages, and other discord-based content. Oftentimes, it is hard to detect AnarchyGrabber since it hides its activity behind Discord files which get ignored by anti-malware software. If you are unable to remove it manually, we will aid you in doing so below.