Overblog
Editer l'article Suivre ce blog Administration + Créer mon blog
11 janvier 2012 3 11 /01 /janvier /2012 01:12

I would believe we are back to Win 9x systems fashion, when adwares used to be legion (at least, in proportion compared to global threats trends at this time). But this case seems to concern any Android OS from 1.6 to 2.x, much more modern systems...

In a nutshell, this adware will:

- add an icon on the main screen of your phone, leading to a kindda "fake" Google search engine

- display adds within the top taskbar, suggesting you to download, or pay I should say, new apps, on a regular basis; therefore accessing the network through 3G connectivity

- remain active as a background service... 

 

But what are we really talking about? This is all about a game: Helicopter Strike Force. See splashscreen of the game, while loading:

adware-heli-2012-01-11-005724-copie-1.png

 

Most of the installed AV I've tested do not detect it: 

- Norton (no screenshot available at the time of the test... :( )

- DrWeb 

drweb_device-2012-01-11-005326.png

- Weebroot

webroot_device-2012-01-11-005205.png

- Kaspersky Lite 

KAV-OK-2012-01-11-011915.png

Note that KAV uses the "Kaspersky Security Network", to scan in the cloud the app before its first execution. Although I have installed (and uninstalled) the game twice, with several days between each install, the KSN did not find anything.

 

I even tried VirusTotal, but no real result. I'm wondering if the command line versions of AV engines that VT uses are able to use mobile-specific threat signatures.

 

But that's not all, this app will also install a service, that could be surprising for "just" a game...

app-service-2012-01-11-011009.png

 

 

Now here is the new icon on the main/first desktop:

accueil_device-2012-01-11-005348-copie-1.png

 

But the thing is, this search engine is not what you may think. When you launch it, it will get access to livemobilesearch.com... which in turns does look like Google, but it's not!

Charge-recherch-2012-01-11-005628.png

Then:

recherch1-2012-01-11-005408.png

(bottom of page)

recherch2-2012-01-11-005420.png

 

You have to go read the "privacy" link, down the page, to confirm our expectations:

recherch-privacy-2012-01-11-005453.png

 

Last, but not least, the results this search engine provides do differ from the Google's ones. For instance, the keyword "music" will return:

result-music-2012-01-11-011631.png

 

While the "real" Google says:

google_music_110112.PNG

 

Therefore I'd say that:

- yes, antimalware on some smartphones is more and more needed. I suggest everybody tries one...

- as we have been saying for years on regular computers, be careful regarding the links you click and the apps you download... 

 

 

Update 1, 01/15/12:

Let's see what's going on deeper within Android:

DebugMon_app-process-service_14012012-copie-1.png

 

It appears that "helicopterstrikeforce" launches 3 processes/services. One of them seems to have an interesting name: noolah.pushnotification. 

Searching Google for it returns the following PDF document:

https://docs.google.com/viewer?a=v&q=cache:JD8QLTJaokAJ:forum.unity3d.com/attachment.php%3Fattachmentid%3D22799%26d%3D1311396784+&hl=fr&pid=bl&srcid=ADGEESjCxeNBKAr8al8ucNN9aYNB4e14wcIVSyGps1m98N4V28LCbBDok2MP00DAuK67r-VGip0kMbnUuwTYdYn62PuEsyqCnLJqbpv-kaoOZymAxhzFJ1NVYqIFeQ-TNyrJYCT_A5np&sig=AHIEtbR8kCBOiQlmRSpvniyC5MzAMoFo7w

 

Pretty interesting too, as it explains the ad's implementation:

moolah1_15012012.png

moolah2_15012012.png

There we go: service androidname="com.moolah.NotificationService"!

 

Therefore, this will act as the adware component, and will remain active even if the game is not being run.

Let's see the result:

 

apps-notification-full-2012-01-14-134438.png

 

"Android app offer", and "Live & work in the USA" are not related to the phone's own processes (or user's actions/RQ).

Here is an example of such advertised apps: once the user has clicked on it, he will be redirected to a website like:

app1-2012-01-11-005544.png

 

Fortunately, this phone was using WiFi connectivity ATOW, but obviously wireless does not work while roaming (I mean, walking in the street, for instance), thus this ad will create extra (and most likely uncontrolled) data transfer over 3G!

 

If the mobile network operator does charge data in anyway, those apps may become painful for people's CC. So pay attention whenever an app requires full Internet connexion at install, while it is not necessary according to its type!

Partager cet article

Repost0

commentaires