Malware

Program.FakeMoney

Program.FakeMoney is a Dr.Web detection for unwanted Android applications that falsely claim users can earn real money by completing tasks or accumulating in-app rewards. According to the provided reporting, these apps were among the most widespread unwanted software observed in 2025. They are described as game-like or reward-based apps that promise users cashouts or conversion of virtual rewards into real money, but in practice no actual payouts are made. Dr.Web also notes that such apps were commonly encountered on protected devices in Q4 2025. A specific example cited is Program.FakeMoney.16, distributed on Google Play as Zeus Jackpot Mania, which promised conversion of virtual rewards into real money, collected user data, and did not pay users. The content does not attribute Program.FakeMoney to a specific threat actor or describe technical persistence, exploitation, or command-and-control behavior beyond the fraudulent monetization scheme.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

news drweb comNews

Jan 15, 2026

Dr.Web - Doctor Web’s review of virus activity on mobile devices in 2025

Scam/unwanted-app family that gamifies tasks and displays fake earnings, then blocks withdrawal or collects personal/banking details without paying out.

news drweb comNews

Jan 12, 2026

Doctor Web’s Q4 2025 review of virus activity on mobile devices

Fraudulent ‘earn money’ apps that simulate earnings and withdrawals but do not pay out; also used to detect similar unwanted software based on shared code.

news drweb comNews

Oct 1, 2025

Doctor Web’s Q3 2025 review of virus activity on mobile devices

Fraudulent/unwanted Android apps that simulate earning/withdrawal workflows to extract user data; victims cannot actually withdraw money.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.