We’ve just intercepted a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a bogus “Browser Update“, which in reality is a premium rate SMS malware.

Sample screenshot of the landing page upon automatic redirection:

Compromised_Sites_Traffic_Exchange_Android_Java_Symbian_Malware_Fake_Browser_Update

 

Landing page upon redirection: hxxp://mobleq.com/e/4366

Domain name reconnaissance:
mobleq.com – 91.202.63.75

Known to have responded to the same IP, are also the following malicious domains:
700cams.com
adflyse.biz
android-loads.biz
androids-free.net
androiduptd.ru
androidwapupdate.info
antivirus-updatesup.ru
best-ponoz.ru
bests-cafe.ru
bilmobz.ru
bovkama.ru
chenyezhe.ru
clipsxxx-erotub.ru
critical-mobiles.ru
downapp.mobi
downloadit.biz
downloads-apk-games.ru
ero-home-tube.net
ero-odkl.ru
exmoby18.ru
ffmobistream.ru
ffreemob.ru
filemobileses.ru
flv-criticalnews.ru
galaxy-comp.ru
game-for-androis.ru
gdz-allnews.ru
gosal.ru
imobit.ru
javamix-games.ru
jmobf.ru
jmobi.net
jsfilemobile.ru
jugar-online.ru
kinope4ka.com
lobimob.ru
luganets.ru
mabilkos.ru
market-soft-android.ru
marketandroidplay.ru
mitstoksot.tk
mobi-klik-ok.ru
mobicheck2.ru
mobidick7a1.ru
mobilabs.biz
mobileup-news.ru
mobiseks.ru
mobitraf.net
moblabes.ru
mobleq.com
moblik.net
moblius.ru
moblob.ru
mobqid.ru
mobsob.ru
mobuna.net
moby-aa.ru
mobyboom.ru
mollius.ru
mombut.ru
mp3-pesni.ru
mp3-pesnja.ru
mtr7.ru
muzico-server4.ru
neolemsan.ru
odmobil.ru
odnoklassniki-android1.ru
odnoklassniki-android7.ru
odnoklassniki-androidmobi.ru
odnoklassniki-mobile1.ru
olcocom.ru
old-games.ws
omoby.net
otdacham.ru
pornforjoin.ru
pornushniks.ru
relaxtube.ru
rrmobi.net
s1.krash.net
sexpirat.ru
sfsss.ru
sotsialniiklimat.ru
tampoka.ru
tstomoby.ru
tubevubes.ru
vkoterske.ru
vpleer-server3.ru
vzlomaandroid.ru
waprus.tk
wildmob.net
wwwmobitds.ru
xlovs.ru
xmassne.ru
xmoblz.ru

Detection rates for the multi mobile platform variants:
MD5: a4b7be4c2ad757a5a41e6172b450b617 – detected by 13 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a
MD5: 1a2b4d6280bae654ee6b9c8cfe1204ab – detected by 4 out of 48 antivirus scanners as Java.SMSSend.780; TROJ_GEN.F47V1117
MD5: 2ff587ffb2913aee16ec5cae7792e2a7 – detected by 0 out of 48 antivirus scanners

Webroot SecureAnywhere users are proactively protected from these threats.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This