Spam Leads to Multi-Platform Mobile Threat
Mobile threats can arrive via different methods. We have discussed at length the presence of malware in third-party app stores and even official app stores. We have also mentioned malware via text messages. We recently found one that took advantage of yet another method: spam.
We encountered samples of spammed messages that were supposedly WhatsApp notifications. The message says that the user has received new voicemail. The message tries to make it more believable by including details such as the time and length of the call.
Figure 1. Fake WhatsApp email
On a PC, once you click on the “play” button, you will be sent to a malicious site. This new site warns you that your browser is outdated and needs to be updated. Should you click the download button, malware will be downloaded onto your computer.
Figure 2. Download site with malware on Windows systems
However, it would seem that PCs were something of an afterthought. On a Windows PC, the site downloads browser_update_installer.jar, detected as J2ME_SMSSEND.AF – a Java ME (J2ME) package built for the mobile version of this threat. It is not a file that can do much on a desktop.
On Android and iOS devices, it is clear that mobile was considered the primary platform for this threat. On Android, the malicious site downloads browser_update_installer.apk, detected as ANDROIDOS_OPFAKE.CTD. The downloaded file is disguised as a browser named “Browser 6.5”. Once started, it opens the .html file shown in Figure 3. If the user mistakenly clicks the Agree button, the malicious app sends text messages to specific phone numbers. The malware also tries to convince the user to download another app onto the device.
Figure 3. Screenshot of app posing as “Browser 6.5”
Apple users are not spared from this attack. Should an iOS user click on the “play” button, the screen shows a progress bar while an app supposedly downloads. However, because iOS devices (by default) can only install apps from the App Store, no app is actually installed. On jailbroken devices, this may still pose a risk.
Figure 4. Download site on iOS
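The campaign above serves a different payload depending on the visitor's platform, which gives a defender a simple thing to look for in web proxy logs: any successful download of the two file names named in this post, with a note when a J2ME package is handed to a desktop browser. The following is an added example written for this post, not code from the original analysis; the log format and the sample lines are constructed, and the hostname is a placeholder.

```python
import re

# Constructed proxy log lines (not from the original post). Assumed format:
# <timestamp> <client_ip> "<user_agent>" <method> <url> <status>
SAMPLE_LOG = """\
2013-08-01T10:01:02Z 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1) Chrome/28.0" GET http://example.invalid/update/browser_update_installer.jar 200
2013-08-01T10:02:10Z 10.0.0.9 "Mozilla/5.0 (Linux; Android 4.1; GT-I9300) Mobile" GET http://example.invalid/update/browser_update_installer.apk 200
2013-08-01T10:03:30Z 10.0.0.12 "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) Mobile" GET http://example.invalid/update/play 200
2013-08-01T10:04:00Z 10.0.0.7 "Mozilla/5.0 (Windows NT 6.1) Firefox/22.0" GET http://example.invalid/docs/manual.pdf 200
"""

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d{3})$')

# The two payload file names the post reports the site serving.
PAYLOAD_NAMES = ("browser_update_installer.jar", "browser_update_installer.apk")


def platform_from_ua(ua: str) -> str:
    """Coarse platform guess from the User-Agent string (Android is checked first
    because Android UAs also contain 'Linux')."""
    ua_l = ua.lower()
    if "android" in ua_l:
        return "android"
    if "iphone" in ua_l or "ipad" in ua_l:
        return "ios"
    if "windows" in ua_l:
        return "windows"
    return "other"


def scan_proxy_log(text: str) -> list:
    """Return one finding per successful (HTTP 200) download of a known payload name."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _, ip, ua, _, url, status = m.groups()
        name = url.rsplit("/", 1)[-1].lower()
        if status != "200" or name not in PAYLOAD_NAMES:
            continue
        plat = platform_from_ua(ua)
        reason = f"download of fake browser update {name}"
        if name.endswith(".jar") and plat == "windows":
            reason += " (J2ME package served to a desktop browser)"
        findings.append({"client_ip": ip, "platform": plat, "url": url, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['client_ip']} [{f['platform']}] {f['reason']}")
```

The iOS request is not flagged because, as the post notes, no file is actually delivered to a stock iOS device; only the .jar and .apk downloads produce findings.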
We mentioned in our 2Q Security Roundup that OPFAKE was one of the most prevalent Android malware families and that Premium Service Abusers were the most common type of mobile threat encountered. It looks like Q3 will be no different. The paper Fake Apps, Russia, and the Mobile Web also discussed the risks from these PSAs. This threat also highlights how some cybercriminals have gone mobile: this threat was focused on mobile devices, with non-smartphones being an afterthought. Users need to recognize this and protect themselves accordingly.
With additional analysis by Chloe Ordonia and Ruby Santos