There’s a site located at getwapi(dot)com offering up lots of Android files. As you may have guessed, there’s a bit of a twist involved.
There are versions of pretty much everything you can think of, including YouTube apps, games, Facebook tools and more besides. However, regardless of what you try to grab, all of the apps download the same dex file and are identical apart from one configuration file that calls the “cracked” program.
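One way an analyst could confirm this kind of overlap across a batch of downloads, as an added example that is not code from the original post: hash every entry in each APK (a ZIP archive) and report which entries differ. It assumes the shared bytecode is packaged as `classes.dex`; the sample archives and the path `assets/config.txt` are constructed for illustration.

```python
import hashlib
import io
import zipfile
from collections import defaultdict


def entry_hashes(apk_bytes):
    """Map each archive entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {
            name: hashlib.sha256(apk.read(name)).hexdigest()
            for name in apk.namelist()
            # Signing metadata records per-file digests, so it differs
            # whenever any file does; skip it to keep the report readable.
            if not name.startswith("META-INF/")
        }


def compare_apks(apks):
    """apks maps label -> APK bytes. Returns (dex_groups, differing_entries)."""
    hashes = {label: entry_hashes(data) for label, data in apks.items()}
    # Samples that share a classes.dex hash carry identical bytecode.
    dex_groups = defaultdict(list)
    for label, entries in hashes.items():
        dex_groups[entries.get("classes.dex")].append(label)
    # An entry differs when its hash varies or it is absent from a sample.
    names = set().union(*hashes.values())
    differing = sorted(
        n for n in names if len({e.get(n) for e in hashes.values()}) > 1
    )
    return dict(dex_groups), differing


def build_sample(config_text):
    """Constructed stand-in for one download: shared code, own config file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"constructed shared bytecode")
        z.writestr("res/layout/main.xml", b"<constructed/>")
        z.writestr("assets/config.txt", config_text)  # hypothetical path
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "youtube.apk": build_sample("target=youtube"),
        "game.apk": build_sample("target=game"),
    }
    groups, differing = compare_apks(samples)
    print("distinct classes.dex hashes:", len(groups))
    print("entries that differ:", differing)
```

A single `classes.dex` group together with a one-item list of differing entries is the pattern described above: one code base repackaged under many names.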
After download and install, it loads a screen where the end user either clicks the LeadBolt advertisement to start the program download link automatically, or waits for the next step to kick into life. (LeadBolt is an ad network that can push ads to the notification bar, like Airpush. Unlike Airpush, however, it can also display advanced overlay ads and, like other ad networks that push adverts outside of the app, LeadBolt stays active and has to be force closed or uninstalled to stop.)
“Please wait 170 second (sic), or click the advisiting (sic) for instantly (sic) download”
In testing, after clicking the ad the timer didn’t stop counting down. After waiting, however, the link that says “Download Full Version” became active. Clicking that link only brought up an error box, then sent us through the currently active LeadBolt ad.
As for the “Cracked” app, well, we appear to be burning the midnight oil and most of the morning too:
As you can see, the above is all about making money via advert clicks and this is one collection of mobile downloads you can afford to miss out on. We detect the “Cracked apps” as Adware.AndroidOS.Leadbolt with VIPRE Mobile.
Randall Griffith, Junior Threat Researcher