Over the past 24 hours, our sensor networks picked up an interesting website infection affecting a popular Bulgarian website for branded watches, which ultimately redirects and downloads premium rate SMS Android malware on the visiting user devices. The affected Bulgarian website is only the tip of the iceberg, based on the diversified portfolio of malicious domains known to have been launched by the same party that launched the original campaign.

More details:

Sample screenshot of the executed Android malware:

The first variation of the campaign attempts to trick Russian-speaking users into installing a fake version of Adobe’s Flash Player, followed by a second campaign using a fake Android browser as a social engineering theme, and a third campaign which is attempting to trick mobile users into thinking that it’s a new version of Google Play.

Sample malicious URLs displayed to Android users:
hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS – 93.170.107.184
hxp://browsernew-update.ru/?a=RANDOM_CHARACTERS – 93.170.107.184

Responding to the same IP (93.170.107.184) are also the following domains part of the campaign’s infrastructure:
flashupdate.org
mobiserver-russia.com
flash-news-systems1.net
bruser-2012.net
erovideo2.net
file-send09.net
tankonoid.net
oneiclick.net
free3porn.net
nashe9porevo.net
filemoozo.net
flashupdates.net
yandexfilyes.net
erovidoos.net
yandexfiloys.net
anindord-market.net
api-md-new.net
girlsexx.net
1jan-unilo55.ru
officemb56.ru
brwsrupdate.ru
android-mk.ru
android-gt.ru

Detection rate for the malicious .apk files:
flash_player_installer.apk – MD5: 29e8db2c055574e26fd0b47859e78c0e – detected by 5 out of 46 antivirus scanners as Android.SmsSend.212.origin.
Android_installer-1.apk – MD5: e6be5815a05c309a81236d82fec631c8 – detected by 5 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Opfake.bo.

Required permissions for flash_player_installer.apk:
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM
android.permission.SYSTEM_ALERT_WINDOW
android.permission.WRITE_SETTINGS
android.permission.WRITE_SECURE_SETTINGS
android.permission.ACCESS_WIFI_STATE
android.permission.UPDATE_DEVICE_STATS
android.permission.CHANGE_WIFI_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.INTERNET
android.permission.READ_PHONE_STATE
android.permission.READ_SMS
android.permission.SEND_SMS
android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS
android.permission.DELETE_PACKAGES
android.permission.GET_PACKAGE_SIZE
android.permission.INSTALL_PACKAGES
android.permission.MANAGE_APP_TOKENS
android.permission.PERSISTENT_ACTIVITY
android.permission.GET_ACCOUNTS
android.permission.WAKE_LOCK
android.permission.WAKE_LOCK

Used the following features once executed:
android.hardware.wifi
android.hardware.telephony
android.hardware.touchscreen
android.hardware.screen.portrait

Upon execution, the Android sample phones back to gaga01.net/rq.php – 93.170.107.57 – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED

Required permissions for Android_installer-1.apk:
android.permission.ACCESS_NETWORK_STATE
android.permission.CHANGE_NETWORK_STATE
com.android.launcher.permission.INSTALL_SHORTCUT
com.android.launcher.permission.UNINSTALL_SHORTCUT
android.permission.ACCESS_NETWORK_STATE
android.permission.RECEIVE_BOOT_COMPLETED
com.android.alarm.permission.SET_ALARM
android.permission.SYSTEM_ALERT_WINDOW

Used the following features once executed:
android.hardware.wifi
android.hardware.telephony
android.hardware.touchscreen
android.hardware.screen.portrait

It also connects back to gaga01.net/rq.php – 93.170.107.57 – Email: mypiupiu1@gmail.com transmitting the following information back to the cybercriminals behind the operation: oard=unknown;brand=generic;device=generic;imei=CENSORED;imsi=CENSORED;session_id=1;operator=XXX;sms0=CENSORED;sms1=CENSORED;sms2=CENSORED;time=CENSORED;timezone=CENSORED

Android users of Webroot’s mobile products are proactively protected from this threat.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.