The Latest in IT Security

Searching for “Windows Android Drivers” Leads to Malware and Bogus Google Play Markets

08 Dec 2012

If you’re looking for Android USB drivers for your Windows PC, be very careful: search strings such as “Windows Android Drivers”, or combinations of those words, can bring up results you would rather stay away from.

Our researchers in the AV Labs have found this peculiar search result on Yahoo!:


Visiting the Russian URL, bestdrivers(dash)11(dot)ru, automatically downloads a file called install.exe.


Running install.exe, which is a Trojan that we detect as Trojan.Win32.Generic!BT, changes the start page of the user’s Internet Explorer browser to 94(dot)249(dot)188(dot)143/stat/tuk/187, the sign-up page of a Russian “escort” site. The point of the change is that users land on that page by default every time they open IE.
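A quick check for the start-page hijack described above, written for this article as an added example (it is not the post’s own tooling): on Windows it reads the same registry value Internet Explorer uses, HKCU\Software\Microsoft\Internet Explorer\Main\Start Page, and flags it when the host is the IP address from the post or any bare IP address (no vendor ships a default start page on a bare IP). The verdict function is kept separate from the registry read so it can be exercised on any platform; the regex-based IP test and the verdict labels are my own choices, not anything from the post.

```python
"""Check whether the Internet Explorer start page has been hijacked.

Added example, not from the original post. The hijack described in the
post rewrites IE's start page to an IP-based URL; this script reads the
same setting from the registry on Windows and flags it if it points at
the indicator from the post or at any bare IPv4 address.
"""
import re
import sys
from typing import Optional
from urllib.parse import urlsplit

# Indicator taken from the post (dots restored).
HIJACK_HOST = "94.249.188.143"

# IE stores the per-user start page in the "Start Page" value under this key
# (HKEY_CURRENT_USER); a machine-wide default can also exist under HKLM.
IE_MAIN_KEY = r"Software\Microsoft\Internet Explorer\Main"
IE_VALUE = "Start Page"

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def start_page_verdict(url: str) -> str:
    """Classify a start-page URL.

    'known_hijack' : host is the IP address from the post
    'suspicious'   : host is some other bare IPv4 address
    'ok'           : anything else (about:blank, a normal hostname, empty)
    """
    if not url or url.lower().startswith("about:"):
        return "ok"
    # Values written by malware may lack a scheme; add one so urlsplit parses it.
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    if host == HIJACK_HOST:
        return "known_hijack"
    if _IPV4.match(host):
        return "suspicious"
    return "ok"


def read_ie_start_page() -> Optional[str]:
    """Read the current user's IE start page from the registry (Windows only)."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows, hence the local import
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, IE_MAIN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, IE_VALUE)
            return str(value)
    except OSError:
        return None  # key or value missing


if __name__ == "__main__":
    page = read_ie_start_page()
    if page is None:
        print("could not read the IE start page (not Windows, or value missing)")
    else:
        print(f"{IE_VALUE!r} = {page} -> {start_page_verdict(page)}")
```

On a clean machine the verdict for the usual vendor defaults (about:blank, https://www.msn.com/ and similar) is “ok”; a bare-IP start page is worth a closer look even when it is not this particular indicator.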


The automatic download happens only when the malicious link is visited from a computer. If the bestdrivers(dash)11(dot)ru page is opened from an Android mobile device instead, the visitor is sent elsewhere: the site evidently serves different content depending on the visiting device. In this case the user is redirected to one of the following six Russian sites, each of which shows fake search results:

  • androidmegf(dot)ru
  • androidsex(dot)ru
  • androidbeksl(dot)ru
  • androidfre(dot)ru
  • androidmaxi(dot)ru
  • androidrte(dot)ru

These sites resemble the below screenshot:


All links on the search pages direct users to one of five fake Google Play markets, which are still up as of this writing. Below are screenshots of two of these bogus markets as seen on an Android mobile device:


Users who believe they are on the real Google Play website are very likely to end up downloading malware onto their mobile devices.

Our researchers found two kinds of Android premium-SMS Trojan being distributed from these markets. They behave like Boxer (the Android Trojan family that sends text messages to premium-rate numbers), so the victim is billed for SMS sent to premium numbers; unlike Boxer, however, these variants do not afterwards redirect the user to a legitimate download site for the app they were actually after.

VIPRE detects both of these Trojans (MD5 6eeddfd3edcec0920dbb0d9c99c4ec2c and MD5 336ae743a3d667d242c3e067b710276d) as Trojan.AndroidOS.Generic.A.
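The domains, IP address and hashes above are the indicators a responder would want to sweep for. As an added example (not the post’s own code), the script below extracts the host from each URL in a proxy log and matches it against the post’s domains and IP, subdomains included, and hashes the files under a directory against the two MD5s. The log lines are constructed for the demonstration, and their format (timestamp, client IP, URL, user agent, whitespace-separated) is an assumption; adapt the field split to your own proxy’s format.

```python
"""Sweep proxy logs and a directory of files for the indicators in this post.

Added example, not the post's own tooling. The domains, IP and MD5 hashes
are the ones listed in the post (dots restored); the log lines are
constructed for the demonstration and the log format is an assumption.
"""
import hashlib
import os
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicators from the post.
IOC_HOSTS = {
    "bestdrivers-11.ru",
    "94.249.188.143",
    "androidmegf.ru", "androidsex.ru", "androidbeksl.ru",
    "androidfre.ru", "androidmaxi.ru", "androidrte.ru",
}
IOC_MD5 = {
    "6eeddfd3edcec0920dbb0d9c99c4ec2c",
    "336ae743a3d667d242c3e067b710276d",
}

# Constructed sample log: "<timestamp> <client-ip> <url> <user-agent>".
SAMPLE_LOG = """\
1354953600.123 10.1.2.3 http://www.google.com/search?q=windows+android+drivers Mozilla/5.0 (Windows NT 6.1)
1354953612.456 10.1.2.3 http://bestdrivers-11.ru/ Mozilla/5.0 (Windows NT 6.1)
1354953613.001 10.1.2.3 http://bestdrivers-11.ru/install.exe Mozilla/5.0 (Windows NT 6.1)
1354953620.500 10.1.2.3 http://94.249.188.143/stat/tuk/187 Mozilla/5.0 (Windows NT 6.1; Trident/5.0)
1354953700.777 10.1.2.9 http://www.androidsex.ru/search?q=drivers Mozilla/5.0 (Linux; Android 4.1)
1354953800.000 10.1.2.9 https://play.google.com/store Mozilla/5.0 (Linux; Android 4.1)
"""


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def matches_ioc_host(host: str) -> bool:
    """True if host is an indicator or a subdomain of one (www.androidsex.ru)."""
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client_ip, url) for every line whose URL host is an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue  # malformed line: skip rather than crash the sweep
        ts, client, url = fields[0], fields[1], fields[2]
        if matches_ioc_host(hostname_of(url)):
            hits.append((ts, client, url))
    return hits


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through MD5 so large downloads are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root: str) -> Dict[str, str]:
    """Map path -> md5 for every file under root whose MD5 is in IOC_MD5."""
    found = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip it
            if digest in IOC_MD5:
                found[path] = digest
    return found


if __name__ == "__main__":
    for ts, client, url in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} contacted indicator: {url}")
    for path, digest in scan_files(".").items():
        print(f"{path}: {digest} matches indicator")
```

Run against the sample log, the sweep reports the two fetches from bestdrivers-11.ru, the start-page fetch from the 94.249.188.143 IP and the visit to www.androidsex.ru, and ignores the legitimate Google and Google Play requests. Hash matching on MD5 is only as good as the two samples listed; repackaged variants will not match, so treat the domain hits as the stronger signal.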

These fake markets are looking more and more sleek and professional, so extra care is advised. Visit and download apps only from the real Google Play website, by typing play.google.com into the address bar of your mobile or PC browser yourself rather than following a search result or a link. That way you will not be sent to a site that merely looks like the real one, and the apps you download come from Google’s own store rather than from a counterfeit of it.

Jovi Umawing (Thanks to Randall for finding this)
