Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

Program.CloudInject

Program.CloudInject is Dr.Web’s detection name for Android applications modified using the CloudInject cloud service. According to the provided content, these modified apps were the most widespread unwanted software detected on protected Android devices in Q4 2025, and were also described as the most widespread unwanted software in Dr.Web’s 2025 Android threat review. CloudInject-modified apps are altered remotely through the CloudInject service, with changes made directly on a remote server. The resulting apps can receive dangerous system permissions and contain obfuscated code whose purpose modders cannot fully control. The content also states that modders can remotely manage or control the modified applications through the CloudInject service. Dr.Web detects the modified apps as Program.CloudInject and the associated utility itself as Tool.CloudInject. The content does not attribute Program.CloudInject to a specific threat actor, infection vector, industry targeting, or provide concrete indicators of compromise beyond the detection naming and the described behavior of remotely modified Android apps with dangerous permissions and obfuscated code.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app
news drweb comNews
Jan 15, 2026
Dr.Web - Doctor Web’s review of virus activity on mobile devices in 2025

Cloud-based app modification ecosystem that injects obfuscated code and dangerous permissions into apps and enables remote control features (locking apps, custom dialogs, tracking installs/uninstalls).

Read more
news drweb comNews
Jan 12, 2026
Doctor Web’s Q4 2025 review of virus activity on mobile devices

Cloud-based service and tool that modifies Android apps, adding dangerous permissions and obfuscated code, allowing remote management and potentially malicious actions.

Read more
news drweb comNews
Oct 1, 2025
Doctor Web’s Q3 2025 review of virus activity on mobile devices

Apps modified via CloudInject service/utility; modifications are server-side and opaque to the modifier; results in apps with elevated permissions and remote management features (blocking, dialogs, tracking app install/remove).

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.