Android/FakeAdBlocker hijacks URL shortening services and iOS calendars to deliver Trojans to Android devices

ESET Research analyzed Android/FakeAdBlocker, an aggressive advertising threat that downloads malware from its operator's command-and-control server. Android/FakeAdBlocker usually hides its launcher icon after its first launch. It pushes unwanted scareware that falsely alarms users, serves adult advertisements, and creates unsolicited events for upcoming months in iOS and Android calendars. These ads often cost their victims money by sending premium-rate text messages or subscribing them to unnecessary services. They also lead to the download of Android banking Trojans, SMS Trojans and other malicious applications. The malware also uses URL shortening services to create links to advertisements, which in some cases monetize clicks.

According to ESET telemetry, Android/FakeAdBlocker was first spotted in September 2019. From January 1 to July 1, 2021, over 150,000 instances of this threat were downloaded to Android devices. The most affected countries are Ukraine, Kazakhstan, Russia, Vietnam, India, Mexico and the United States. In most cases the malware displays aggressive ads, but ESET has identified hundreds of cases in which additional malware was downloaded and executed, including the Cerberus banking Trojan, which often impersonates Chrome, Android Update or Adobe Flash Player, and which has been downloaded to devices in Turkey, Poland, Spain, Greece and Italy. ESET has also found that the Ginp Trojan has been downloaded in Greece and the Middle East.

“From our telemetry, it appears that many users tend to download Android apps outside of Google Play, which could lead them to download malicious apps delivered through aggressive advertising practices to generate revenue for their authors,” explains Lukáš Štefanko, researcher at ESET, who analyzed Android/FakeAdBlocker. Regarding the monetization of shortened URLs, Mr. Štefanko adds: “When a person clicks on such a link, an advertisement is displayed and generates income for the person who generated the shortened URL. The problem is that some of these link-shortening services use aggressive techniques, such as scareware-type ads that inform users that their device is infected with dangerous malware.”

ESET Research has also identified URL shortening services that add events to iOS calendars and that spread the Android/FakeAdBlocker malware, which can be launched on Android devices. On iOS devices, in addition to flooding victims with unwanted ads, these links can create events in victims' calendars by automatically downloading an ICS calendar file.

“It creates 18 events a day, each lasting 10 minutes,” says Štefanko. “Their titles and descriptions suggest that the victim's smartphone is infected, the victim's data is exposed online, or a virus protection app has expired. Descriptions of each event include a link directing the victim to visit a scareware promotion website. This website again claims that the device has been infected, and offers the user to download dubious sanitizer apps from Google Play.”
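As an added defensive example (not ESET's code and not the campaign's own ICS file), the script below parses a calendar file of the kind described above and flags short events whose title or description pairs scare wording with a link; the sample calendar, the keyword list and the 15-minute threshold are constructed assumptions.

```python
import re
from datetime import datetime
# Constructed sample ICS: one short scare event with a link, next to a benign meeting.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
BEGIN:VEVENT
SUMMARY:Your phone is infected!
DESCRIPTION:Your data is exposed online. Clean now: http://example.invalid/clean
DTSTART:20210701T090000Z
DTEND:20210701T091000Z
END:VEVENT
BEGIN:VEVENT
SUMMARY:Team standup
DESCRIPTION:Weekly sync
DTSTART:20210701T100000Z
DTEND:20210701T103000Z
END:VEVENT
END:VCALENDAR
"""
SCARE_WORDS = ("infected", "virus", "exposed", "expired")  # assumed heuristic list
URL_RE = re.compile(r"https?://\S+")
ICS_TIME = "%Y%m%dT%H%M%SZ"  # UTC 'Z' timestamps assumed
def parse_events(ics_text):
    """Split an ICS text into VEVENT dicts keyed by property name (params dropped)."""
    events, current = [], None
    for line in ics_text.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.split(";")[0]] = value
    return events
def event_minutes(ev):
    """Duration in minutes from DTSTART/DTEND."""
    start, end = (datetime.strptime(ev[k], ICS_TIME) for k in ("DTSTART", "DTEND"))
    return (end - start).total_seconds() / 60
def flag_scareware_events(ics_text, max_minutes=15):
    """Return the SUMMARY of short events whose text carries scare wording plus a link."""
    flagged = []
    for ev in parse_events(ics_text):
        desc = ev.get("DESCRIPTION", "")
        text = (ev.get("SUMMARY", "") + " " + desc).lower()
        if URL_RE.search(desc) and any(w in text for w in SCARE_WORDS) \
                and event_minutes(ev) <= max_minutes:
            flagged.append(ev["SUMMARY"])
    return flagged
```

Run against a real exported calendar, a high count of flagged 10-minute events per day is the pattern the article describes.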

For victims using Android devices, the situation is more dangerous, as these scam sites can trigger the download of a malicious app from outside the Google Play store. In one of these scenarios, the website asks the user to download an application called "adBLOCK", which has nothing to do with the legitimate application of the same name and in fact does the complete opposite of an ad blocker. In another scenario, when victims proceed to download the requested file, they are shown a web page titled "Your file is ready to download" that describes the steps for downloading and installing a malicious application. In both scenarios, a scareware-type advertisement, or the Android/FakeAdBlocker Trojan, is served via a URL shortening service.

For more technical details and Android/FakeAdBlocker uninstall instructions, read the article “Some URL shortener services distribute Android malware, including banking or SMS trojans” on WeLiveSecurity.

The editorial staff of Africa CyberSecurity Mag