The Latest in IT Security

New Twitter Spam Run Leads to Android Rogue AV


For some time, we’ve seen site URLs with the dot TK (.tk) extension being spammed by bogus accounts on Twitter to random users. One of our threat researchers in the AV Labs found these particular Tweets quite noteworthy:

Computer view (click to enlarge)

Smartphone view (click to enlarge)

Such Tweets are equally accessible to computer (desktop, laptop, and tablet) and smartphone users. There is no doubt, however, that smartphone users on Android are particularly targeted by these spam. Let me elaborate.

Once users click either good(dash)graft(dot)tk/ or POSY(dash)PUSY(dot)TK, they are then directed to the Russian Web page, googleapi17(dot)ru/l(dot)php?l=os&ampr=5519&ampa=29#.

Computer view (click to enlarge)

Smartphone view (click to enlarge)

Users who accessed and used this purported scanner are then given the option to download and install a file, which vary depending on whether the target is a PC or a phone. Computer users will be able to download VirusScanner.jar, smartphone users will be able to download VirusScanner.apk. Outcomes are different, too. On the one hand, the .jar file yields an error when executed. On the other hand, the .apk file, which is actually a rogue AV app, is successfully installed. From the screenshot below, notice that it uses the logo of Kaspersky.

click to enlarge

Note that the criminals behind these Twitter spam runs may change the destination of the .tk URLs. As of this writing, it leads to this particular rogue AV variant. GFI VIPRE Mobile Security detects it as Trojan.Android.Generic.a.

This isn’t the first time that we encounter applications for Android purporting to be free virus scanners. As such, we encourage you, dear Reader, to only use legitimate AV scanners for your smartphone, and there are a lot of them available in the market right now. We also implore that you avoid clicking or even visiting sites with the .tk extension being spammed on Twitter or on other social networking sites as majority of the domains there were found to be run by spammers and scammers.

Stay safe!

Related posts:

Jovi Umawing (Thanks to Matthew for finding this)

Leave a reply


TUESDAY, JUNE 18, 2024

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments