Panda Security uncovers massive attack on Android users via malicious ads on Facebook
March 10th, 2014

Fake version of Google Play used to mislead users into installing Trojans.

Panda Security has discovered a massive new attack on Android devices: a highly elaborate ploy that originates on Facebook, where cyber-criminals advertise a series of apps. “Panda Security have taken the necessary steps to warn Facebook about the malicious advertising campaign active on the platform,” says Jeremy Matthews, country manager for Panda Security.

When users access Facebook from their Android mobile device, they will see different messages under the title ‘Suggested Post’ advertising WhatsApp tips like: “Want to know how to see your contacts’ chats on WhatsApp? Find out here!” or “Want to hide your WhatsApp connection status? Download this app so people can’t see you”. If the intended victim clicks on any of these ads, they are redirected to a fake version of Google Play, the Android app store. The user, thinking that this is the genuine site, downloads the free app, which is really a Trojan that subscribes users to a premium-rate SMS service without their knowledge.

“In this attack, cyber-criminals have taken advantage of Facebook’s targeted advertising options. We carried out tests using the same account from a PC, an iPad, an iPhone and Android and the ads were only displayed when using the Google operating system”, said Luis Corrons, Technical Director of PandaLabs at Panda Security.

The Trojan checks all inbound messages received on the device and if the sender is the premium-rate SMS service, the message is intercepted and deleted so the user is unaware. Yet this technique doesn’t work with the latest 4.4 (KitKat) version of Android, forcing the creators to come up with an ingenious trick: when the message is received, the phone volume is muted for two seconds and the inbound message is marked as read. The app’s in-built SMS counter reads the first message received from the premium-rate SMS service and registers the PIN on the corresponding website, activating the service.

“Malware continues to grow on all operating systems, with Trojans remaining the most pervasive threat worldwide. Android, currently the most popular mobile platform, has continued to suffer the majority of malware attacks targeting these devices,” says Matthews.

An interesting aspect of the attack is that the Trojan also deletes any messages sent from the number 22365, another number associated with premium-rate SMS services, although from a company apparently unrelated to this attack. All signs would suggest that this is designed to protect against a specific competitor: if another Trojan tried to register for an SMS service it wouldn’t be able to access the confirmation message and consequently it couldn’t access the PIN and activate the service.

WhatsApp isn’t the only app being used as bait; cyber-criminals are also attracting users with topics like “amazing videos”, “Candy Crush tricks” and “Angry Birds tricks”.

Users can help defend themselves against this type of malware with Panda Mobile Security’s ‘Privacy Audit’ feature. Any app with these potentially dangerous profiles will be classified as ‘Cost money’ and can be deleted directly from the Panda Mobile Security 1.1 app. That said, not all apps in this category are malicious: any app with sufficient permissions will be included in this category. If users discover an app installed that shouldn’t have these permissions, they should delete it immediately.



© Copyright 2019 . All rights reserved.
Panda Security Press Office.