{"id":9463,"date":"2013-01-22T00:00:17","date_gmt":"2013-01-22T07:00:17","guid":{"rendered":"http:\/\/blog.webroot.com\/?p=9463"},"modified":"2018-10-05T16:11:56","modified_gmt":"2018-10-05T22:11:56","slug":"android-malware-spreads-through-compromised-legitimate-web-sites","status":"publish","type":"post","link":"https://www.webroot.com/blog/2013\/01\/22\/android-malware-spreads-through-compromised-legitimate-web-sites\/","title":{"rendered":"Android malware spreads through compromised legitimate Web sites"},"content":{"rendered":"

Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately\u00a0redirects and downloads premium rate SMS Android malware on the\u00a0visiting user\u00a0devices.\u00a0The affected Bulgarian website is only the tip of the iceberg, based\u00a0on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.<\/p>\n

More details:<\/p>\n

<\/p>\n

Sample screenshot of the executed Android malware:<\/strong><\/p>\n

\"Android_Malware_Fake_Adobe_Flash_Player_Fake_Android_Browser_Fake_Google_Play_Applications\"<\/a><\/p>\n

The first variation of the campaign attempts to trick Russian-speaking users into installing a fake version of Adobe’s Flash Player, followed by a second campaign using a\u00a0fake Android browser as a social engineering theme, and a third campaign which is attempting to trick mobile users into thinking that it’s a new version of Google Play.<\/p>\n

Sample malicious URLs displayed to Android users:<\/strong>
\nhxxp:\/\/adobeflashplayer-up.ru\/?a=RANDOM_CHARACTERS<\/em> – 93.170.107.184
\nhxxp:\/\/googleplaynew.ru\/?a=RANDOM_CHARACTERS<\/em> – 93.170.107.184
\nhxp:\/\/browsernew-update.ru\/?a=RANDOM_CHARACTERS<\/em> – 93.170.107.184<\/p>\n

Responding to the same IP (93.170.107.184) are also the following domains part of the campaign’s infrastructure:<\/strong>
\nflashupdate.org<\/em>
\nmobiserver-russia.com<\/em>
\nflash-news-systems1.net<\/em>
\nbruser-2012.net<\/em>
\nerovideo2.net<\/em>
\nfile-send09.net<\/em>
\ntankonoid.net<\/em>
\noneiclick.net<\/em>
\nfree3porn.net<\/em>
\nnashe9porevo.net<\/em>
\nfilemoozo.net<\/em>
\nflashupdates.net<\/em>
\nyandexfilyes.net<\/em>
\nerovidoos.net<\/em>
\nyandexfiloys.net<\/em>
\nanindord-market.net<\/em>
\napi-md-new.net<\/em>
\ngirlsexx.net<\/em>
\n1jan-unilo55.ru<\/em>
\nofficemb56.ru<\/em>
\nbrwsrupdate.ru<\/em>
\nandroid-mk.ru<\/em>
\nandroid-gt.ru<\/em><\/p>\n

Detection rate for the malicious .apk files:<\/strong>
\nflash_player_installer.apk<\/em> – MD5: 29e8db2c055574e26fd0b47859e78c0e<\/strong><\/a> – detected by 5 out of 46 antivirus scanners as Android.SmsSend.212.origin.
\nAndroid_installer-1.apk<\/em> – MD5: e6be5815a05c309a81236d82fec631c8<\/strong><\/a> – detected by 5 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Opfake.bo.<\/p>\n

Required\u00a0permissions\u00a0for flash_player_installer.apk:<\/strong>
\nandroid.permission.ACCESS_NETWORK_STATE<\/em>
\nandroid.permission.CHANGE_NETWORK_STATE<\/em>
\ncom.android.launcher.permission.INSTALL_SHORTCUT<\/em>
\ncom.android.launcher.permission.UNINSTALL_SHORTCUT<\/em>
\nandroid.permission.ACCESS_NETWORK_STATE<\/em>
\nandroid.permission.RECEIVE_BOOT_COMPLETED<\/em>
\ncom.android.alarm.permission.SET_ALARM<\/em>
\nandroid.permission.SYSTEM_ALERT_WINDOW<\/em>
\nandroid.permission.WRITE_SETTINGS<\/em>
\nandroid.permission.WRITE_SECURE_SETTINGS<\/em>
\nandroid.permission.ACCESS_WIFI_STATE<\/em>
\nandroid.permission.UPDATE_DEVICE_STATS<\/em>
\nandroid.permission.CHANGE_WIFI_STATE<\/em>
\nandroid.permission.WRITE_EXTERNAL_STORAGE<\/em>
\nandroid.permission.INTERNET<\/em>
\nandroid.permission.READ_PHONE_STATE<\/em>
\nandroid.permission.READ_SMS<\/em>
\nandroid.permission.SEND_SMS<\/em>
\nandroid.permission.RECEIVE_SMS<\/em>
\nandroid.permission.READ_CONTACTS<\/em>
\nandroid.permission.DELETE_PACKAGES<\/em>
\nandroid.permission.GET_PACKAGE_SIZE<\/em>
\nandroid.permission.INSTALL_PACKAGES<\/em>
\nandroid.permission.MANAGE_APP_TOKENS<\/em>
\nandroid.permission.PERSISTENT_ACTIVITY<\/em>
\nandroid.permission.GET_ACCOUNTS<\/em>
\nandroid.permission.WAKE_LOCK<\/em>
\nandroid.permission.WAKE_LOCK<\/em><\/p>\n

Used the following features once executed:<\/strong>
\nandroid.hardware.wifi<\/em>
\nandroid.hardware.telephony<\/em>
\nandroid.hardware.touchscreen<\/em>
\nandroid.hardware.screen.portrait<\/em><\/p>\n

Upon execution, the Android sample phones back to gaga01.net\/rq.php<\/strong> – 93.170.107.57 – Email: mypiupiu1@gmail.com\u00a0transmitting the following information back to the cybercriminals behind the operation:\u00a0oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED<\/strong><\/p>\n

Required permissions for Android_installer-1.apk:<\/strong>
\nandroid.permission.ACCESS_NETWORK_STATE<\/em>
\nandroid.permission.CHANGE_NETWORK_STATE<\/em>
\ncom.android.launcher.permission.INSTALL_SHORTCUT<\/em>
\ncom.android.launcher.permission.UNINSTALL_SHORTCUT<\/em>
\nandroid.permission.ACCESS_NETWORK_STATE<\/em>
\nandroid.permission.RECEIVE_BOOT_COMPLETED<\/em>
\ncom.android.alarm.permission.SET_ALARM<\/em>
\nandroid.permission.SYSTEM_ALERT_WINDOW<\/em><\/p>\n

Used the following features once executed:<\/strong>
\nandroid.hardware.wifi<\/em>
\nandroid.hardware.telephony<\/em>
\nandroid.hardware.touchscreen<\/em>
\nandroid.hardware.screen.portrait<\/em><\/p>\n

It also connects back to gaga01.net\/rq.php<\/strong> – 93.170.107.57 – Email: mypiupiu1@gmail.com\u00a0transmitting the following information back to the cybercriminals behind the operation:\u00a0oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSOR<\/em><\/em><\/em>ED<\/em><\/strong><\/p>\n

Android users of Webroot’s mobile products<\/strong><\/a> are proactively protected from this threat.<\/p>\n

You can find more about Dancho Danchev at his\u00a0LinkedIn Profile<\/strong><\/a>. You can also\u00a0follow him on \u00a0Twitter<\/strong><\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately\u00a0redirects and downloads premium rate SMS Android malware on the\u00a0visiting user\u00a0devices.\u00a0The affected Bulgarian website is only the tip of the iceberg, based\u00a0on the diversified portfolio of malicious domains known to have been […]<\/p>\n","protected":false},"author":65,"featured_media":17051,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[4037,5707,5701,13059,13053,13073,13063,9119,8697,3871,13067,13061,13055,13065,13075,13057,13071,13077,13079,13069],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/9463"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=9463"}],"version-history":[{"count":2,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/9463\/revisions"}],"predecessor-version":[{"id":26117,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/9463\/revisions\/26117"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/17051"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=9463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=9463"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=9463"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=9463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}