I would think we are back to the Win 9x era, when adware used to be legion (at least in proportion to the global threat trends of that time). But this case seems to concern any Android OS from 1.6 to 2.x, which are much more modern systems...
In a nutshell, this adware will:
- add an icon on the main screen of your phone, leading to a kind of "fake" Google search engine
- display ads within the top taskbar on a regular basis, suggesting that you download (or pay for, I should say) new apps, and therefore accessing the network through 3G connectivity
- remain active as a background service...
But what are we really talking about? This is all about a game: Helicopter Strike Force. See the splash screen of the game while loading:
Most of the installed AV products I've tested do not detect it:
- Norton (no screenshot available at the time of the test... :( )
- DrWeb
- Webroot
- Kaspersky Lite
Note that KAV uses the "Kaspersky Security Network" to scan the app in the cloud before its first execution. Although I have installed (and uninstalled) the game twice, with several days between each install, the KSN did not find anything.
I even tried VirusTotal, but no real result. I'm wondering if the command line versions of AV engines that VT uses are able to use mobile-specific threat signatures.
But that's not all: this app will also install a service, which could be surprising for "just" a game...
Now here is the new icon on the main/first desktop:
But the thing is, this search engine is not what you may think. When you launch it, it will access livemobilesearch.com... which in turn does look like Google, but it's not!
Then:
(bottom of page)
You have to go read the "privacy" link, down the page, to confirm our expectations:
Last, but not least, the results this search engine provides differ from Google's. For instance, the keyword "music" will return:
While the "real" Google says:
Therefore I'd say that:
- yes, antimalware on some smartphones is more and more needed. I suggest everybody tries one...
- as we have been saying for years on regular computers, be careful regarding the links you click and the apps you download...
Update 1, 01/15/12:
Let's see what's going on deeper within Android:
It appears that "helicopterstrikeforce" launches 3 processes/services. One of them seems to have an interesting name: noolah.pushnotification.
Searching Google for it returns the following PDF document:
https://docs.google.com/viewer?a=v&q=cache:JD8QLTJaokAJ:forum.unity3d.com/attachment.php%3Fattachmentid%3D22799%26d%3D1311396784+&hl=fr&pid=bl&srcid=ADGEESjCxeNBKAr8al8ucNN9aYNB4e14wcIVSyGps1m98N4V28LCbBDok2MP00DAuK67r-VGip0kMbnUuwTYdYn62PuEsyqCnLJqbpv-kaoOZymAxhzFJ1NVYqIFeQ-TNyrJYCT_A5np&sig=AHIEtbR8kCBOiQlmRSpvniyC5MzAMoFo7w
Pretty interesting too, as it explains the ad's implementation:
There we go: service android:name="com.moolah.NotificationService"!
Therefore, this will act as the adware component, and will remain active even if the game is not being run.
Let's see the result:
"Android app offer", and "Live & work in the USA" are not related to the phone's own processes (or user's actions/RQ).
Here is an example of such an advertised app: once the user has clicked on it, he will be redirected to a website like:
Fortunately, this phone was using WiFi connectivity ATOW, but obviously WiFi does not work while roaming (I mean, walking in the street, for instance), thus this ad will create extra (and most likely uncontrolled) data transfer over 3G!
If the mobile network operator charges for data in any way, those apps may become painful for people's CC. So pay attention whenever an app requires full Internet access at install when that is not necessary for its type!
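An added example, not part of the original post: a small manifest audit that flags background components (services and, going slightly beyond the post, broadcast receivers) whose class lives outside the app's own package, and reports whether the app requests Internet access. It assumes the APK's AndroidManifest.xml has already been decoded to text XML; the sample manifest is constructed, and its package name is a placeholder. Only the service class name comes from the post.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (decoded text form). The package name is a
# placeholder; only the service class name is taken from the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.helicopterstrikeforce">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Helicopter Strike Force">
        <activity android:name=".GameActivity"/>
        <service android:name="com.moolah.NotificationService"/>
    </application>
</manifest>
"""

def resolve(package, name):
    """Expand a manifest class name to its fully qualified form."""
    if name.startswith("."):          # ".Foo" is relative to the package
        return package + name
    if "." not in name:               # "Foo" is also relative to the package
        return package + "." + name
    return name

def audit_manifest(xml_text):
    """Report background components that live outside the app's own package."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    permissions = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    foreign = []
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            cls = resolve(package, node.get(ANDROID_NS + "name", ""))
            if not (cls == package or cls.startswith(package + ".")):
                foreign.append((tag, cls))
    return {
        "package": package,
        "internet": "android.permission.INTERNET" in permissions,
        "foreign_components": foreign,
    }

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    print("requests INTERNET:", report["internet"])
    for tag, cls in report["foreign_components"]:
        print("third-party %s: %s" % (tag, cls))
```

A component from another namespace is not malicious in itself (many legitimate SDKs register services), but for a game that also requests Internet access it is the part worth looking up before installing.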