December 5, 2013 By Dancho Danchev

Compromised legitimate Web sites expose users to malicious Java/Symbian/Android “Browser Updates”

We’ve just intercepted a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a bogus “Browser Update“, which in reality is a premium rate SMS malware.

Sample screenshot of the landing page upon automatic redirection:

Compromised_Sites_Traffic_Exchange_Android_Java_Symbian_Malware_Fake_Browser_Update

 

Landing page upon redirection: hxxp://mobleq.com/e/4366

Domain name reconnaissance:
mobleq.com – 91.202.63.75

Known to have responded to the same IP, are also the following malicious domains:
700cams.com
adflyse.biz
android-loads.biz
androids-free.net
androiduptd.ru
androidwapupdate.info
antivirus-updatesup.ru
best-ponoz.ru
bests-cafe.ru
bilmobz.ru
bovkama.ru
chenyezhe.ru
clipsxxx-erotub.ru
critical-mobiles.ru
downapp.mobi
downloadit.biz
downloads-apk-games.ru
ero-home-tube.net
ero-odkl.ru
exmoby18.ru
ffmobistream.ru
ffreemob.ru
filemobileses.ru
flv-criticalnews.ru
galaxy-comp.ru
game-for-androis.ru
gdz-allnews.ru
gosal.ru
imobit.ru
javamix-games.ru
jmobf.ru
jmobi.net
jsfilemobile.ru
jugar-online.ru
kinope4ka.com
lobimob.ru
luganets.ru
mabilkos.ru
market-soft-android.ru
marketandroidplay.ru
mitstoksot.tk
mobi-klik-ok.ru
mobicheck2.ru
mobidick7a1.ru
mobilabs.biz
mobileup-news.ru
mobiseks.ru
mobitraf.net
moblabes.ru
mobleq.com
moblik.net
moblius.ru
moblob.ru
mobqid.ru
mobsob.ru
mobuna.net
moby-aa.ru
mobyboom.ru
mollius.ru
mombut.ru
mp3-pesni.ru
mp3-pesnja.ru
mtr7.ru
muzico-server4.ru
neolemsan.ru
odmobil.ru
odnoklassniki-android1.ru
odnoklassniki-android7.ru
odnoklassniki-androidmobi.ru
odnoklassniki-mobile1.ru
olcocom.ru
old-games.ws
omoby.net
otdacham.ru
pornforjoin.ru
pornushniks.ru
relaxtube.ru
rrmobi.net
s1.krash.net
sexpirat.ru
sfsss.ru
sotsialniiklimat.ru
tampoka.ru
tstomoby.ru
tubevubes.ru
vkoterske.ru
vpleer-server3.ru
vzlomaandroid.ru
waprus.tk
wildmob.net
wwwmobitds.ru
xlovs.ru
xmassne.ru
xmoblz.ru

Detection rates for the multi mobile platform variants:
MD5: a4b7be4c2ad757a5a41e6172b450b617 – detected by 13 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – detected by 4 out of 48 antivirus scanners as Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – detected by 0 out of 48 antivirus scanners

Webroot SecureAnywhere users are proactively protected from these threats.

Share Button
0 comments
true