
Hackers can attack users' smartphones using hidden viruses, experts have warned. Such malicious software in the background is capable of performing a variety of tasks for intruders. Moreover, gadget owners themselves are often unaware of this dangerous activity. For more information about how hackers attack smartphones using hidden viruses, how dangerous such techniques are and how to protect yourself from them, read the Izvestia article.

What is known about the new attack with hidden viruses

At the end of last February, specialists from the research company IAS Threat Lab announced the discovery of a new coordinated Genisys attack, during which more than 25 million mobile devices were turned into a tool for generating fake advertising traffic without the knowledge of users.


As part of the attack, the attackers embedded malware into applications that at first glance seemed legitimate, such as memory cleanup utilities, office tools, e-readers, and flashlights. After installation, these programs started opening hundreds of sites in hidden windows in the background, simulating the activity of real users.

At the same time, the cybercriminals spoofed application identifiers. Monitoring systems recorded traffic allegedly originating from thousands of different popular programs, although the real source remained a limited group of infected utilities. This approach created noise and made it difficult to identify backdoors.


After the intervention and blocking of fraudulent applications, the volume of suspicious requests decreased by more than 95%, which confirmed the centralized nature of network management. As noted by cybersecurity experts, the Genisys attack has already become a symbol of the transition of advertising fraud to a new technological level.

How hackers infect smartphones with hidden viruses

The key feature of modern mobile malware for advertising fraud is that it is invisible to the user and has a legitimate appearance, Konstantin Gorbunov, a leading expert on network threats and web developer at Security Code, says in an interview with Izvestia. The virus no longer presents itself as aggressive advertising on the screen; on the contrary, it looks like a useful utility.

"While the user sees the familiar interface, the malicious module performs the tasks of intruders in the background: it generates fake advertising clicks and simulates network activity," says the specialist. "The purpose of such programs is not to compromise data, but to monetize device resources: CPU, battery, and advertising traffic."


Such viruses spread in several sophisticated ways, starting from the factory level and ending with everyday applications, says Ilya Pavlyuk, head of the information security engineering group at the League of Digital Economy. At the same time, one of the most dangerous options is the pre-installation of viruses at the production stage or "gray" import. For example, in Russia, Kaspersky Lab detected viruses such as Keenadu and Triada in new Android devices even before purchase: they were already in the system partitions, showed ads and stole data in 13 thousand cases.

Another common channel is third-party APK files from phishing links in WhatsApp (owned by Meta, which is recognized as an extremist organization in the Russian Federation), SMS or Telegram, where users download "cracks" (malware for hacking software protection), VPN or games masking Trojans like Sturnus, which reads encrypted chats, says Ilya Pavlyuk.

"Even Google Play is not immune: 60 thousand adware applications under the guise of utilities and games spread traffic unnoticed, and Genisys hid in popular programs and installed background services without the knowledge of the owner," the specialist warns.


At the same time, according to Konstantin Larin, head of the cyber intelligence department at Bastion, you can "catch" a hidden virus on your smartphone even if you simply connect to suspicious USB drives in public places.

How cybercriminals used hidden viruses earlier

Attackers have been using hidden viruses for several years; the Genisys attack has become the latest, but far from the only one of its kind. One of the most dangerous cases in recent years is the malicious Triada software, pre-installed directly in the firmware of fake Android smartphones of well-known brands sold on marketplaces, says Stanislav Pyzhov, head of the analysis group at the Solar 4RAYS Cyber Threat Research Center (Solar Group).

"The malware is embedded in the system partition and can hardly be removed, controls most popular applications after launch, can intercept SMS messages, steal cryptocurrency and accounts in messengers and social networks, as well as perform other hidden operations, which makes such devices a serious threat to user security," says Izvestia's source.

In 2025, the Sturnus virus became a "hit" among banking Trojans: it penetrated through the WhatsApp messenger and hijacked chats in Telegram and Signal using remote access to the screen, Ilya Pavlyuk recalls. In addition, in 2021-2025, the LianSpy virus operated, which disguised itself as banking applications and stole screen recordings, as well as contacts of Russian users.


The main risk posed by hidden viruses is "burnout" and premature aging of the user's device, says Maxim Fedosenko, a leading engineer and analyst at the Gazinformservice cybersecurity analytical center. In other words, an infected phone literally performs the attacker's shady work while its owner sleeps. As a result, the victim pays for the cybercriminals' activities with his own resources and finances.

Another serious risk is preparing the ground for a full-fledged hack: an application that has already established communication with the attackers' server becomes an "open door" through which hackers can at any time imperceptibly download more dangerous tools for surveillance and data theft, adds Konstantin Gorbunov.

How to detect a hidden virus on an infected smartphone

It is often not so easy to recognize a secret "digital spy" on an infected device, but it is still possible to do this if you pay attention to obvious anomalies in the gadget's operation, Maxim Fedosenko points out. For example, a smartphone may start heating up at rest for no reason, the battery may run out rapidly, and application and network statistics will suddenly show a huge consumption of Internet traffic, often from legitimate applications.

"The essence of the latter lies in the fact that the culprit may be not only a dubious malware APK file downloaded from a third-party resource, but also a popular application from the official store, which suddenly loaded malicious code through its vulnerabilities and began to mimic a legitimate process," explains the interlocutor of Izvestia.


If the phone suddenly begins to live its own life, and it is poorly correlated with the daily activity of its owner, it is necessary to perform a number of specific steps. The first step is to go into the settings and find out which applications consume too much energy or Internet traffic for no apparent reason, recommends Konstantin Gorbunov.

"Be sure to pay attention to the permissions: if a regular "flashlight" or other simple utility requests access to notifications, camera, contacts or other special features, this is a serious reason for suspicion," he warns.


The consumption of a large amount of charge by the application in the background is a reason to think about the quality of such software or remove it from the phone, emphasizes Alexey Kolesnikov, senior specialist at the PT Sandbox expertise department.

"The system will clean up the remaining artifacts by itself, and for additional reliability, you can reboot the device," advises the Izvestia interlocutor.

It is critically important to use reliable security solutions that will help detect malware on the device, says Dmitry Kalinin, a cybersecurity expert at Kaspersky Lab.
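
The permission and background-traffic checks described in this section can also be scripted for a phone connected to a computer. The following is an added example, not part of the Izvestia article: it parses a constructed excerpt laid out like `adb shell dumpsys package` output. The package names, traffic figures, the `SENSITIVE` list, the `simple_utilities` argument and the 200 MB threshold are assumptions.

```python
# Constructed excerpt in the layout printed by `adb shell dumpsys package`;
# package names, permission sets and traffic figures are invented.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.flashlight] (1a2b3c):
    requested permissions:
      android.permission.CAMERA
      android.permission.READ_CONTACTS
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.notes] (4d5e6f):
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_BACKGROUND_MB = {"com.example.flashlight": 850, "com.example.notes": 12}
# Permissions a simple utility rarely needs (an assumption of this example).
SENSITIVE = {"android.permission." + p for p in (
    "CAMERA", "READ_CONTACTS", "READ_SMS", "RECORD_AUDIO", "ACCESS_FINE_LOCATION")}

def requested_permissions(dump):
    """Map each package to the set of permissions it requests."""
    perms, pkg, in_block = {}, None, False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("Package [") and "]" in line:
            pkg, in_block = line[len("Package ["):line.index("]")], False
            perms[pkg] = set()
        elif line == "requested permissions:":
            in_block = pkg is not None
        elif in_block and line.endswith(":"):
            in_block = False          # the next section header ends the block
        elif in_block and line:
            perms[pkg].add(line.split(":")[0])
    return perms

def review(dump, simple_utilities, background_mb, mb_limit=200):
    """Return {package: [reasons]} for apps that deserve a closer look."""
    findings = {}
    for pkg, perms in requested_permissions(dump).items():
        reasons = []
        risky = sorted(perms & SENSITIVE) if pkg in simple_utilities else []
        if risky:
            reasons.append("sensitive permissions: " + ", ".join(risky))
        if background_mb.get(pkg, 0) > mb_limit:
            reasons.append(f"background traffic {background_mb[pkg]} MB")
        if reasons:
            findings[pkg] = reasons
    return findings
```

Calling `review(SAMPLE_DUMPSYS, {"com.example.flashlight"}, SAMPLE_BACKGROUND_MB)` flags only the flashlight package, for both its permissions and its background traffic.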
