The mobile malware (are we gonna call it mobalware someday?) fashion seems to copy the regular malware one... maybe somewhat a little bit faster.
Anyway, I was keen on an app aiming to improve standard Android SMS reader/writer. The app is called ChompSMS. There is a free version, and a paid version. I'm going to talk here about the free one.
One day, recently, I noticed the add being displayed while browsing the SMS had changed.
Here are a few examples of the banners I find interesting:
See the banner right in the bottom of the screen?
So, if I click on it, the real part begins.
Obviously, I will not have the choice here... only the orange button ("next"). This is what I'm here for: let's click on it!
The displayed instructions are worth reading :) everything is done to convince the user to download, install, and activate whatever is gonna be downloaded... and by the way, they also recommend to enable "unknown sources" of software...!
What about the antivirus? well, not bad on that one.
Webroot will indeed detect and alert:
And DrWeb will do the same:
Note that even the file name is thoroughly defined: "battery_upgrade--tap_to_start", even with a reminder : "tap to start"!
Now, where does this come from?
Let's watch the network traffic that ChompSMS generates just after having opened/launched:
Bingo, here is the real and complete ad URL:
http://www.mmnetwork.mobi/s.php?sig=5942e84d7db11dc54eda6157a3c2bc7a&adid=480&banner=320_50&cid=89&advid=846&e=c8&d=92888&f=m&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1
It will return the exact banner we have seen at the bottom of the ChompSMS screen just above.
But having a look at the URL reveals something else:
- OS version, generic: value here is "linux"
- OS version, detailed: Android 2.3.3
- local language: fr-fr
- build version: Gingerbread
- browser rendering engine: AppleWebkit, 533.1?
- browser compatibility: KHTML like Gecko version 4.0
- browser internal name: Mobile Safari, 533.1?
All I can say so far, except that this is a real fingerprint of the device, is this will allow the ad (and the scareware) to target devices configurations, and be more efficient.
Same thing for this other URL:
http://ads.mojiva.com/ad?site=14717&ua=Mozilla%2F5.0+%28Linux%3B+U%3B+Android+2.3.3%3B+fr-fr%3B+GT-I9100+Build%2FGINGERBREAD%29+AppleWebKit%2F533.1+%28KHTML%2C+like+Gecko%29+Version%2F4.0+Mobile+Safari%2F533.1&ip=82.237.173.18&count=1&key=1&zone=19352&url=&premium=1&over_18=0&&udid=848053C87A05BDEB3EE36C8919CD4CD1&type=6
Then when we click the ad system will display a first picture, as an ad:
http://admarvel.s3.amazonaws.com/ads/c46767/13307072869253_UNL_st2_480x600_FR_everything.gif
And even a second one!
http://admarvel.s3.amazonaws.com/ads/c48174/13317172538745_LYRICPLAY_FR_480X600.gif
Then the ad system will do something I guess to be a "call home":
http://107.22.117.140/fam/ck.php?p=__pid=ef8a30b841b36346__sid=14488__bid=352249__cb=0654201044__h=1333491475__uid=292b5557482687e4__s=7789be62e6c35a07fe085f54d7d9fe26
http://107.22.117.140/fam/view.php?p=__pid=ef8a30b841b36346__sid=14488__bid=352249__cb=c32f363568__h=1333491475__uid=292b5557482687e4__s=782405e716ee038035c5457a2cb05672
http://adserver.adtechus.com/addyn/3.0/5326.1/2335977/0/0/ADTECH;noperf=1;loc=100;ip=82.237.173.18;key=Samsung_Galaxy+S2;kvip=82.237.173.18;kvcarrier=;misc=1333492265028;target=_self;kvmedition=$edition;kvos=Android;sub1=99f50d6b93f7d3f36b56c4d082a57a135d92caf8;sub2=8ADD4216FF9A40854591929EB3BC02CC081EA2FE;sub3=6568cf499469dbc79707fba422cfd36f;sub4=848053C87A05BDEB3EE36C8919CD4CD1;
I can even see here the mobile IP address, and the model (Galaxy S2!
Last, but not least, the download will start:
Url: https://s3.amazonaws.com/battery.supercharge/downloads/m--france--2012-03-28.a-en-9.apk?AWSAccessKeyId=AKIAIADYPOKA37DVGHGQ&Expires=1649026622&response-content-disposition=attachment;%20filename=Battery_Upgrade--Tap_to_Start.apk&response-content-type=application/vnd.android.package-archive&Signature=TZCWnCk5wbn%2BeoL1WCkcqfky3pw%3D FileName: /mnt/sdcard/.downloadTemp/Battery_Upgrade--Tap_to_Start.apk
About the file?
VirusTotal says 7 AV our of 42 detect it...
SHA1: afdf9c78e0e1bc41192664ba3040908c18d72a3a
MD5: 1e67b070accd8d71024f240504b59140
File size: 529.3 KB ( 541956 bytes )
File name: Battery_Upgrade--Tap_to_Start.apk
File type: Android
Detection ratio: 7 / 42
Analysis date: 2012-04-03 23:28:47 UTC ( 3 minutes ago )
More to come...
