F-Secure Antivirus Research Weblog
Weblog of F-Secure Antivirus Research Team
Post-PC Attack Site: Only Interested in Smartphones/Tablets
We've discovered a server that only attacks and/or spams smartphones and tablets — and not PCs.
A Sweden-based colleague of ours, Johan, was recently using his (Android) phone to search for boat trips in the Galapagos Islands. He found a site called Vagabond. And on Vagabond he found an entry with a link to: galacruises.com.
From a Windows-based browser, the link redirects to a site called islasgalapagos.travel.
But the results are much different if a mobile device is used…
Mobile browsers are redirected to a .info domain which in turn redirects yet again.
Sometimes it redirects to a popular game on Google Play:
But much of the time, it's NSFW sites (here seen from a Windows Phone):
And sometimes… malware! (As was the case for Johan.)
Here you can see that the malicious .APK file was blocked by one of our "online" detections.
Specific "disk" detection identifies the threat as a variant of FakeInstaller: Trojan:Android/FakeInst.AV.
Our Mobile Security Safe Browser blocks the offending website:
Note: visiting the .info site without the attack's parameter will result in a redirection to google.com.
A site with an index page that redirects to google.com? Always a clue something's afoot.
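The device-dependent redirect chain described above can be checked from a defender's side by requesting the same URL once as a desktop browser and once as a phone browser, without letting the client follow redirects, and comparing where each chain ends. This is an added example, not F-Secure's tooling; the User-Agent strings, domains and the FAKE_SERVER table are constructed stand-ins for an offline run.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

DESKTOP_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/27.0"            # constructed desktop UA
MOBILE_UA = "Mozilla/5.0 (Linux; Android 4.2; Nexus 4) Mobile Safari/537.36"  # constructed phone UA
REDIRECT_CODES = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_fetch(url, user_agent):
    """One request, redirects not followed: returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def follow_chain(url, user_agent, fetch=http_fetch, max_hops=10):
    """Follow redirects hop by hop and return every URL visited, in order."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(url, user_agent)
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        if url in chain:              # redirect loop: stop rather than spin
            break
        chain.append(url)
    return chain

def detect_cloaking(url, fetch=http_fetch):
    """Cloaking: desktop and mobile visitors to the same link end up in different places."""
    desktop = follow_chain(url, DESKTOP_UA, fetch)
    mobile = follow_chain(url, MOBILE_UA, fetch)
    return {"desktop": desktop, "mobile": mobile, "cloaked": desktop[-1] != mobile[-1]}

# Constructed offline stand-in for http_fetch, modelled on the post: desktop browsers go
# to the travel site, phones go through a .info redirector to an APK. Domains are made up.
FAKE_SERVER = {
    "http://travel-link.example/": {"desktop": (302, "http://travel-site.example/"),
                                    "mobile": (302, "http://redirector.example.info/?c=1")},
    "http://redirector.example.info/?c=1": {"mobile": (302, "http://payload.example/app.apk")},
}

def fake_fetch(url, user_agent):
    device = "mobile" if "Mobile" in user_agent else "desktop"
    return FAKE_SERVER.get(url, {}).get(device, (200, None))
```

Swap `fake_fetch` for the default `http_fetch` to run it against a live URL; a `cloaked` result is a lead for a closer look, not proof of malice on its own, since legitimate mobile sites also redirect by device.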
Be Safe Out There.
On 19/06/13 At 12:50 PM
Rogue Headlines in Google News
A spam campaign is currently abusing Google News.
Search Engine Optimization (SEO) black hats are injecting "jailbreak" headlines into an iOS thread.
Here's a view of the full coverage:
The so-called "news" links readers to schemes offering iPhone jailbreaks.
Here's an iPhone view:
The good news: it appears that current SEO abuse is limited to spammers.
The bad news: where spammers go — exploit kits are surely soon to follow.
Let's hope Google's search engineers plug this hole quickly.
On 17/06/13 At 09:12 AM
Fake Antivirus Scan Scam Via Google Play App Ads
Yesterday, we wrote about some very bad piggies: pirated Rovio software being used to push unwanted ads at Google Play users.
What kind of ads?
Here's an example from an ad-network we've been tracking since we came across it back in March.
Yesterday, the ad-network directed Finnish IP addresses to an ad for a poker game app.
But today, the ad redirects to a fake "antivirus" scam:
The scam's Finnish localization sucks…
…at least until you scroll down to the legal disclaimer at the bottom which claims it's all for "entertainment" purposes.
Just enter your phone number for the service and…
Fifteen euro a week? Do not want.
Stay Safe Out There
On 13/06/13 At 12:39 PM
Bad Bad Piggies On Google Play
One of these things is not like the others.
No, not the "Full Guide" — we're referring to the "Bad Pigs" by Dan Stokes.
The app's description:
Wow. More than 10,000 installs since May 25, 2013.
AppBrain, an Android app portal, doesn't correct for relevance, so "Bad Pigs" ranks first.
Dan's contact address is: firstname.lastname@example.org.
AppBrain has a very nice feature which lists "Concerns" as well as permissions required.
Boy, that's a long list of extra permissions. These particular piggies aren't just bad — they're evil.
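The "extra permissions" comparison that AppBrain surfaces as "Concerns" can be done by an analyst directly: diff the permissions a suspected repackaged app requests against those of the genuine app and flag the SMS ones, which are what a FakeInstaller-type trojan needs. This is an added example, not F-Secure's or AppBrain's code; it assumes the manifests have already been decoded from binary XML to plain XML, and both manifests below are constructed, not the real Rovio app's or the clone's.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that let an app send and intercept SMS, the premium-rate
# SMS fraud pattern FakeInstaller-style trojans are known for.
PREMIUM_SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

def permissions_from_manifest(manifest_xml):
    """Return the set of <uses-permission> names in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def extra_permissions(genuine_xml, suspect_xml):
    """Permissions the suspect app requests that the genuine app does not."""
    return permissions_from_manifest(suspect_xml) - permissions_from_manifest(genuine_xml)

def assess(genuine_xml, suspect_xml):
    """Summarise the diff and whether it includes the SMS permissions."""
    extras = extra_permissions(genuine_xml, suspect_xml)
    return {"extra": sorted(extras), "premium_sms_risk": bool(extras & PREMIUM_SMS_PERMS)}

# Constructed manifests: a game that only needs network access, and a clone of it
# that adds SMS, phone-state and contacts access. Package names are made up.
GENUINE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""

SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.gameclone">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
```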
Dan Stokes has a few other apps as well.
"Fruit Chop Ninja" also has more than 10,000 installs.
And here's an interesting note: the app ID, and therefore the URL, includes the word "Rovio".
Our Mobile Security product detects and blocks this as Android/FakeInst.CI.
We've reported the issue to Google (and Rovio) and the apps are no longer indexed by Google's search.
Stay safe out there.
On 12/06/13 At 03:11 PM
Not the Mobile Antivirus You Were Looking For
While browsing Malaysiakini (a popular Malaysian website) on an Android phone, one of our analysts spotted this advertisement:
Clicking on the ad led to an external site displaying the following:
Looks reminiscent of the kind of text we've seen for years on webpages pushing rogues for Windows systems (and sometimes Mac).
Clicking on the "Download and Scan Now" button leads to an image, which looks like an antivirus app:
Clicking on the image brings you to a page that asks for your phone number and displays some interesting text:
"This is an ongoing subscription service until you quit. You will receive 4 sms per week and chargeable at RM4 per message. Only [REMOVED] user will receives max 3 sms per week and chargeable at RM4 per message. Data charges are billed separately by mobile operators."
So, it's an SMS subscription service. Provide a phone number, and the user gets an SMS message with registration instructions for the service.
Once registered, another SMS is sent providing a download link. When we tried the link, the only thing we got was a message saying "Sorry, you have exceeded the allowed download limit." The site's index page claims to be "under construction."
Fortunately, the SMS with the registration instructions also included instructions for stopping the service.
We normally recommend users read the permissions requested when downloading a mobile app. In this case, reading the text before downloading would also be prudent. This was probably not the service a user was looking for when they clicked on the ad.
Our Browsing Protection feature currently rates the site hosting the supposed APK download as Suspicious.
Updated to add:
Like Windows-based Rogueware, this "Android Antivirus" scam recognizes other operating systems — but fails to fine tune the bait.
On 06/06/13 At 07:03 AM