{"id":15215,"date":"2013-12-05T10:11:18","date_gmt":"2013-12-05T17:11:18","guid":{"rendered":"https://www.webroot.com/blog/?p=15215"},"modified":"2024-01-23T11:09:56","modified_gmt":"2024-01-23T18:09:56","slug":"compromised-legitimate-web-sites-expose-users-malicious-javasymbianandroid-browser-updates","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/12\/05\/compromised-legitimate-web-sites-expose-users-malicious-javasymbianandroid-browser-updates\/","title":{"rendered":"Compromised legitimate Web sites expose users to malicious Java\/Symbian\/Android “Browser Updates”"},"content":{"rendered":"

We’ve just intercepted a currently active malicious campaign, relying on redirectors placed at compromised\/hacked legitimate Web sites<\/strong><\/a>, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious\/fraudulent content. In this particular case, a bogus “Browser Update<\/strong><\/a>“, which in reality is a premium rate SMS malware<\/strong><\/a>.<\/p>\n

<\/p>\n

Sample screenshot of the landing page upon automatic redirection:<\/strong><\/p>\n

\"Compromised_Sites_Traffic_Exchange_Android_Java_Symbian_Malware_Fake_Browser_Update\"<\/a><\/p>\n

 <\/p>\n

Landing page upon redirection:<\/strong> hxxp:\/\/mobleq.com\/e\/4366<\/em><\/p>\n

Domain name reconnaissance:<\/strong>
\nmobleq.com – 91.202.63.75<\/p>\n

Known to have responded to the same IP, are also the following malicious domains:<\/strong>
\n700cams.com
\nadflyse.biz
\nandroid-loads.biz
\nandroids-free.net
\nandroiduptd.ru
\nandroidwapupdate.info
\nantivirus-updatesup.ru
\nbest-ponoz.ru
\nbests-cafe.ru
\nbilmobz.ru
\nbovkama.ru
\nchenyezhe.ru
\nclipsxxx-erotub.ru
\ncritical-mobiles.ru
\ndownapp.mobi
\ndownloadit.biz
\ndownloads-apk-games.ru
\nero-home-tube.net
\nero-odkl.ru
\nexmoby18.ru
\nffmobistream.ru
\nffreemob.ru
\nfilemobileses.ru
\nflv-criticalnews.ru
\ngalaxy-comp.ru
\ngame-for-androis.ru
\ngdz-allnews.ru
\ngosal.ru
\nimobit.ru
\njavamix-games.ru
\njmobf.ru
\njmobi.net
\njsfilemobile.ru
\njugar-online.ru
\nkinope4ka.com
\nlobimob.ru
\nluganets.ru
\nmabilkos.ru
\nmarket-soft-android.ru
\nmarketandroidplay.ru
\nmitstoksot.tk
\nmobi-klik-ok.ru
\nmobicheck2.ru
\nmobidick7a1.ru
\nmobilabs.biz
\nmobileup-news.ru
\nmobiseks.ru
\nmobitraf.net
\nmoblabes.ru
\nmobleq.com
\nmoblik.net
\nmoblius.ru
\nmoblob.ru
\nmobqid.ru
\nmobsob.ru
\nmobuna.net
\nmoby-aa.ru
\nmobyboom.ru
\nmollius.ru
\nmombut.ru
\nmp3-pesni.ru
\nmp3-pesnja.ru
\nmtr7.ru
\nmuzico-server4.ru
\nneolemsan.ru
\nodmobil.ru
\nodnoklassniki-android1.ru
\nodnoklassniki-android7.ru
\nodnoklassniki-androidmobi.ru
\nodnoklassniki-mobile1.ru
\nolcocom.ru
\nold-games.ws
\nomoby.net
\notdacham.ru
\npornforjoin.ru
\npornushniks.ru
\nrelaxtube.ru
\nrrmobi.net
\ns1.krash.net
\nsexpirat.ru
\nsfsss.ru
\nsotsialniiklimat.ru
\ntampoka.ru
\ntstomoby.ru
\ntubevubes.ru
\nvkoterske.ru
\nvpleer-server3.ru
\nvzlomaandroid.ru
\nwaprus.tk
\nwildmob.net
\nwwwmobitds.ru
\nxlovs.ru
\nxmassne.ru
\nxmoblz.ru<\/p>\n

Detection rates for the multi mobile platform variants:<\/strong>
\nMD5: a4b7be4c2ad757a5a41e6172b450b617<\/strong><\/a> – detected by 13 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
\nMD5: 1a2b4d6280bae654ee6b9c8cfe1204ab<\/strong><\/a> – detected by 4 out of 48 antivirus scanners as Java.SMSSend.780; TROJ_GEN.F47V1117
\nMD5: 2ff587ffb2913aee16ec5cae7792e2a7<\/strong><\/a> – detected by 0 out of 48 antivirus scanners<\/p>\n

Webroot SecureAnywhere<\/a><\/strong> users are proactively protected from these threats.<\/p>\n","protected":false},"excerpt":{"rendered":"

We’ve just intercepted a currently active malicious campaign, relying on redirectors placed at compromised\/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious\/fraudulent content. In this particular case, a bogus “Browser Update“, which in reality is a premium rate SMS malware.<\/p>\n","protected":false},"author":65,"featured_media":17052,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[16349,16321,16311,4811,3871,5257,16469,16749,3721,4065,5717,3523,23141,16751,16747,3919,6835,5721],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15215"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=15215"}],"version-history":[{"count":6,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15215\/revisions"}],"predecessor-version":[{"id":32559,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/15215\/revisions\/32559"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17052"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=15215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=15215"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=15215"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=15215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}