The mobile malware (are we gonna call it mobalware someday?) fashion seems to copy the regular malware one... maybe a little bit faster.
Anyway, I was keen on an app aiming to improve the standard Android SMS reader/writer. The app is called ChompSMS. There is a free version and a paid version. I'm going to talk here about the free one.
One day, recently, I noticed that the ad displayed while browsing the SMS had changed.
Here are a few examples of the banners I find interesting:
See the banner right in the bottom of the screen?
So, if I click on it, the real part begins.
Obviously, I have no choice here... only the orange button ("next"). This is what I'm here for: let's click on it!
The displayed instructions are worth reading :) everything is done to convince the user to download, install, and activate whatever is gonna be downloaded... and by the way, they also recommend enabling "unknown sources" of software...!
What about the antivirus? Well, not bad on that one.
Webroot will indeed detect and alert:
And DrWeb will do the same:
Note that even the file name is thoroughly chosen: "battery_upgrade--tap_to_start", complete with a reminder: "tap to start"!
Now, where does this come from?
Let's watch the network traffic that ChompSMS generates just after it has been opened/launched:
Bingo, here is the real and complete ad URL:
It returns the exact banner we saw at the bottom of the ChompSMS screen above.
But having a look at the URL reveals something else:
- OS version, generic: value here is "linux"
- OS version, detailed: Android 2.3.3
- local language: fr-fr
- build version: Gingerbread
- browser rendering engine: AppleWebKit, 533.1?
- browser compatibility: KHTML like Gecko version 4.0
- browser internal name: Mobile Safari, 533.1?
All I can say so far, beyond the fact that this is a real fingerprint of the device, is that it will allow the ad (and the scareware) to target device configurations and be more efficient.
Same thing for this other URL:
Then, when we click, the ad system displays a first picture, as an ad:
And even a second one!
Then the ad system does something I guess to be a "call home":
I can even see here the mobile IP address, and the model (Galaxy S2)!
Last, but not least, the download will start:
Url: https://s3.amazonaws.com/battery.supercharge/downloads/m--france--2012-03-28.a-en-9.apk?AWSAccessKeyId=AKIAIADYPOKA37DVGHGQ&Expires=1649026622&response-content-disposition=attachment;%20filename=Battery_Upgrade--Tap_to_Start.apk&response-content-type=application/vnd.android.package-archive&Signature=TZCWnCk5wbn%2BeoL1WCkcqfky3pw%3D
FileName: /mnt/sdcard/.downloadTemp/Battery_Upgrade--Tap_to_Start.apk
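Two defender-side checks for what the post shows, as an added example (my own code, not ChompSMS's or the ad network's): pulling the fingerprint fields listed above out of an Android User-Agent as it would appear in a proxy log, and flagging the presigned S3 download URL quoted just above for forcing an .apk onto the device. The User-Agent string is constructed in the standard Android 2.3 format (the GT-I9100 model is an assumption, since the post does not show the exact string); the observation time is the VirusTotal analysis time from the post.

```python
import re
from datetime import datetime, timezone
from urllib.parse import unquote, urlsplit

# Download URL exactly as quoted in the post.
DOWNLOAD_URL = ("https://s3.amazonaws.com/battery.supercharge/downloads/"
                "m--france--2012-03-28.a-en-9.apk?AWSAccessKeyId=AKIAIADYPOKA37DVGHGQ"
                "&Expires=1649026622&response-content-disposition=attachment;"
                "%20filename=Battery_Upgrade--Tap_to_Start.apk"
                "&response-content-type=application/vnd.android.package-archive"
                "&Signature=TZCWnCk5wbn%2BeoL1WCkcqfky3pw%3D")
# VirusTotal analysis time from the post, used as the observation time.
OBSERVED_AT = datetime(2012, 4, 3, 23, 28, 47, tzinfo=timezone.utc)
# Constructed UA in the standard Android 2.3 layout; model GT-I9100 is an assumption.
SAMPLE_UA = ("Mozilla/5.0 (Linux; U; Android 2.3.3; fr-fr; GT-I9100 Build/GINGERBREAD) "
             "AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1")

UA_RE = re.compile(
    r"\((?P<os>[^;]+); U; Android (?P<os_version>[\d.]+); (?P<lang>[\w-]+); "
    r"(?P<model>[^)]*?) Build/(?P<build>[^)]+)\) AppleWebKit/(?P<webkit>[\d.]+) "
    r"\((?P<compat>[^)]+)\) Version/(?P<version>[\d.]+) "
    r"(?P<browser>[\w ]+?)/(?P<browser_ver>[\d.]+)")

def fingerprint(ua: str) -> dict:
    """Return the device fingerprint fields the post lists (empty dict if no match)."""
    m = UA_RE.search(ua)
    return m.groupdict() if m else {}

def split_query(url: str) -> dict:
    """Split on '&' only: the disposition value carries a literal ';' that
    older parse_qs versions would wrongly treat as a separator."""
    out = {}
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        out[key] = unquote(value)
    return out

def check_download(url: str, observed_at: datetime) -> dict:
    """Flag a presigned S3 URL whose response overrides force an APK download."""
    parts, q = urlsplit(url), split_query(url)
    expires = datetime.fromtimestamp(int(q.get("Expires", "0")), tz=timezone.utc)
    disp = q.get("response-content-disposition", "")
    fname = disp.split("filename=", 1)[1] if "filename=" in disp else ""
    return {
        "presigned_s3": parts.netloc.endswith("amazonaws.com") and "Signature" in q,
        "forces_apk": q.get("response-content-type") == "application/vnd.android.package-archive"
                      or fname.lower().endswith(".apk"),
        "forced_filename": fname,
        "lifetime_days": (expires - observed_at).days,  # how long the link stays valid
    }
```

On the quoted URL the link was signed to stay valid for about ten years after the analysis date, which is a useful indicator on its own: legitimate presigned downloads are usually short-lived.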
About the file?
VirusTotal says 7 AV out of 42 detect it...
File size: 529.3 KB ( 541956 bytes )
File name: Battery_Upgrade--Tap_to_Start.apk
File type: Android
Detection ratio: 7 / 42
Analysis date: 2012-04-03 23:28:47 UTC ( 3 minutes ago )
More to come...