Over the past several years, we have seen the proliferation of malware targeting mobile devices such as Android and iOS.
The vast majority of the malware has been designed to target the former as Android’s “open” policy has provided a broader attack surface and has been much more relaxed (than iOS) in policing their app market. This matters because the majority of mobile malware has been disguised as an app. Cybercriminals have often designed mobile apps to appear to have one purpose when in fact there was a great deal of hidden functionality that could take advantage of the user.
Lately though, Android has been putting an increased effort into to policing their app market. And though malware is still lurking on these download sites, the malware distributors are looking to other methods to ramp up the distribution. One method they have turned to is the tried and true technique of spamming.
Over the past several months we have been seeing a unique malware campaign that poses a threat to PC users, Android users and some iOS users alike. The messages pose as notifications from WhatsApp (a smartphone messenger available for Android and other smartphones).
The messages attempt to lure the victim with a link to a “voice message”. Interestingly, these message not only target PC users but also Android and iOS users (if the phone has been jail-broken). Clicking the links in these messages from an Android device will lead to the install of a malicious app that will secretly send text messages to premium numbers and the victim will be left holding the tab.
This infection will also effect iOS users but only if their phone has been jail-broken, since Apple only allows apps to be installed from their own app store. By distributing their malware in this fashion cyber-criminals can reach the masses and without having to get past app store safeguards.
There is another wrinkle. Many of these links also contain functionality to initiate a malware install for Windows PC users as well. Some of the links we visited from the Windows OS resulted in a file being offered for download. The file being offered was personalized (presumably using geo-location) and was aptly named as Voicemail_NAMEOFCITY_randomnumbers.zip. Depending on where the machine that is being used to access the web page, you will be served with a file that is named accordingly. This is an effective technique since it provides some added customization that serves to make the whole process seem more legitimate. Inside the zipped file is a Trojan Downloader that can infect the system with many forms of malware in the future.
We have quarantined millions of these messages over the past several months but they are still coming in, which indicates that they must be “working” to an extent that is acceptable to the sender. Of course, we are blocking all variants of this threat.
Author: Troy Gill, AppRiver.