How to remove Exobot Trojan (Android)
Also known as Exo Android Bot, Exobot is a dangerous and highly disruptive piece of malicious software designed to infiltrate Android devices. Its functions are similar to those of many banking trojans. In essence, it settles within a system and performs a number of phishing actions aimed at extracting valuable information from users (e.g. bank card credentials, passwords, log-ins, and even identity information). It does so by accessing Accessibility Services and manipulating an infected device through Wi-Fi or mobile networks. Alternatively, if there is no internet connection available, Exobot is also capable of controlling the device through SMS messages, which expands its abuse potential. In order to trick users into entering their credentials, cybercriminals may create simulated layers of popular apps (Google Play, WhatsApp, Viber, etc.) that pop up on the screen and hardly differ from the authentic ones. Smartphone trojans are usually granted extensive permissions, giving threat actors full freedom in what they can do. This includes forced device locking, blocked access to certain applications, screen capture, SMS management, and microphone and camera manipulation, along with other compromising features. Exobot is especially known for its botnet feature, which allows developers to link a number of infected devices and control them together from the same server to execute malicious steps. In conclusion, malware like Exobot is very damaging, as it may lead to serious privacy issues, financial risks, degraded device performance, or even identity theft. Thus, we recommend you follow our guidelines below and get rid of this virus as soon as you are able to.
How to remove U2K Ransomware and decrypt .U2K files
U2K is a ransomware virus designed to render files inaccessible and extort a recovery payment from victims. During encryption, it assigns the .U2K extension and resets the icons of all affected files. To illustrate, a file initially titled 1.pdf will change to 1.pdf.U2K and lose its original icon as well. After finishing encryption, the virus creates a text note named ReadMe.txt. This note features instructions on what victims should do in order to return the blocked data. As stated inside the file, the only doable way of decrypting all data is to purchase a unique decryptor. To retrieve it, victims are guided to download Tor Browser, navigate to the attached website link, and open a support ticket with the cybercriminals. After starting negotiations, the extortionists will likely announce the price and instruct victims on further details for payment. Unfortunately, as experience shows, much of the damage (primarily encrypted files) is hard to recover without the help of cybercriminals.
How to remove Teabot Trojan (Android)
Teabot is a trojan infection that seeks to extract banking-related data. Based on publicly available reports, TeaBot has been targeting more than sixty banks across Europe. Upon being installed on a smartphone, it prompts users through a number of pop-up windows to allow certain Accessibility Features. Once the requested permissions are given, the developers behind Teabot are able to control the infected device using a Remote Access Tool (RAT). This allows cybercriminals to deploy any malicious commands they want (e.g. replicate log-in credentials, take screenshots, manage contacts and send messages, disable security layers, record audio, etc.). As mentioned, the main target of this trojan is financial information, meaning cybercriminals might be more interested in stealing data from crypto wallets, banking or insurance apps, and so forth. To conclude, the presence of Teabot is extremely dangerous for all kinds of sensitive data unless it is removed from your device. We recommend you do it as soon as possible using our guidelines below. Step-by-step instructions will help you delete it without traces.
How to remove BianLian Trojan (Android)
BianLian is the name of a banking trojan designed to exfiltrate mainly finance-related information. After successful installation, it bombards the device's screen with pop-up windows that request users to allow various Accessibility Features. Once the demanded permissions are granted, the trojan acquires an almost limitless range of malicious features. For instance, it might display fake interactive windows on top of various banking applications. This way, cybercriminals attempt to trick users into entering their log-in credentials and eventually steal them. BianLian was also found to be able to run USSD codes and perform calls, prevent users from using a device by force-locking the screen, enable screen recording, manage SMS text messages, and create an SSH server for protecting its communication channels. Such modules are obviously dangerous and might lead users to significant financial losses, identity theft, and other problems that no one would desire. Thus, it is important to remove the trojan infection and restore safety on your Android device. You should also change all your log-in credentials and even block your card at the bank to prevent financial abuse.
How to remove Lilith Ransomware and decrypt .lilith files
Lilith is a ransomware infection that encrypts system-stored data and demands payment for file decryption. While rendering files inaccessible, the virus also appends the new .lilith extension to each infected sample. For instance, a file named 1.pdf will change to 1.pdf.lilith and reset its original icon as well. After this, cybercriminals lay out instructions on how to acquire decryption in a text note called Restore_Your_Files.txt. It is said that victims have three full days to contact the developers. This should be done using the Tox messenger in Tor Browser. Should victims fail to meet these demands in time, cybercriminals threaten to start leaking the collected data, supposedly to dark web resources. Although the price for decryption is calculated on an individual basis depending on how much valuable data has been encrypted, it still might be quite high considering ransomware's tendency to target business organizations.
How to remove Bahamut Spyware (Android)
Bahamut is a malicious program that targets Android devices and is classified as spyware. Malware of this kind is designed to spy on users' sensitive data and misuse it for future financial benefits. Upon successful installation, the virus acts as a regular application and requests users to provide a number of "mandatory" permissions. This can include permission for accessing the camera, reading messages and managing phone contacts, recording audio, accessing phone memory, and other suspicious permissions that should not be given to doubtful software. The main goal of Bahamut is normally to extract potentially valuable information from popular messaging apps such as WhatsApp, Facebook Messenger, Telegram, Viber, ProtectedText, Imo, Secapp, and Signal. Cybercriminals do this by sending the collected information to their remote Command & Control server. The same server is used for deploying various commands to control the infected device. Having Bahamut installed on your system will lead to many security and privacy risks. This is why such software must be removed as soon as you see it. Do it using our guide below and also learn how its installation occurred.
How to remove JENNY Ransomware and decrypt .JENNY files
JENNY is the name of a new file-locker discovered by MalwareHunterTeam. Malware of this kind is normally designed to restrict access to data and demand that victims pay a ransom in crypto. After successfully infiltrating the system, the virus encrypts important pieces of data and also assigns the .JENNY extension. This means a file like 1.pdf will change to 1.pdf.JENNY and reset its original icon to blank. After this part is done, the ransomware replaces the desktop wallpaper and displays a pop-up window right on the screen. Unlike other ransomware infections, JENNY developers do not provide any decryption instructions. Victims are left confused with absolutely no contact information to use for reaching the cybercriminals. The reason for that could be that this ransomware is still under development and is likely being tested. This means decryption with the help of developers is impossible and that a complete version of JENNY may be released some day in the future.
How to remove BlueSky Ransomware and decrypt .bluesky files
BlueSky Ransomware is a devastating file encryptor. It restricts access to data and requests victims to pay a fee for its return. While running encryption of system-stored data, the virus also assigns the .bluesky extension to each affected sample. For instance, a file named 1.pdf will change to 1.pdf.bluesky and reset its original icon. From then on, files will no longer be accessible. To make victims pay the ransom, cybercriminals lay out identical decryption instructions in both the # DECRYPT FILES BLUESKY #.html and # DECRYPT FILES BLUESKY #.txt notes, which are created after encryption. Inside, extortionists say the only case when files can be recovered is if victims purchase a special decryption key and software. They also say that any third-party attempts to decrypt files without the help of cybercriminals may result in permanent damage to data. Victims are thereafter instructed to download Tor Browser and visit the provided web link. After following that, victims will be able to see the price for decryption and additional information such as how to create a wallet and purchase cryptocurrencies. The decryption price is set at 0.1 BTC ≈ $2,075 and is said to double in 7 days after the ransomware attack. Cybercriminals also offer to test decryption, as victims can send one blocked file and get it decrypted for free. Ransomware developers tend to do this in order to validate their trustworthiness and boost victims' confidence in paying the ransom.