For some time, we’ve seen site URLs with the dot TK (.tk) extension being spammed by bogus accounts on Twitter to random users. One of our threat researchers in the AV Labs found these particular Tweets quite noteworthy:
Such Tweets are equally accessible to computer (desktop, laptop, and tablet) and smartphone users. There is no doubt, however, that smartphone users on Android are particularly targeted by this spam. Let me elaborate.
Once users click either good(dash)graft(dot)tk/swig.ph or POSY(dash)PUSY(dot)TK, they are then directed to the Russian Web page, googleapi17(dot)ru/l(dot)php?l=os&r=5519&a=29#.
Users who accessed and used this purported scanner are then given the option to download and install a file, which varies depending on whether the target is a PC or a phone. Computer users will be able to download VirusScanner.jar, while smartphone users will be able to download VirusScanner.apk. The outcomes are different, too. On the one hand, the .jar file yields an error when executed. On the other hand, the .apk file, which is actually a rogue AV app, is successfully installed. From the screenshot below, notice that it uses the logo of Kaspersky.
Note that the criminals behind these Twitter spam runs may change the destination of the .tk URLs. As of this writing, it leads to this particular rogue AV variant. GFI VIPRE Mobile Security detects it as Trojan.Android.Generic.a.
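Because the destination behind the .tk links can change, a defender reviewing web proxy logs is better served by matching the behaviour described above (a .tk visit followed shortly by a .apk or .jar download) than by matching one fixed landing page. The following sketch is an added example, not code from GFI or from the original post; the log format, the host names, and the 120-second window are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy log lines (not from the post): epoch|client|url|user-agent
SAMPLE_LOG = """\
1000|10.0.0.5|http://constructed-lure.tk/|Mozilla/5.0 (Linux; U; Android 2.3.6)
1002|10.0.0.5|http://constructed-landing.ru/l.php?l=os|Mozilla/5.0 (Linux; U; Android 2.3.6)
1030|10.0.0.5|http://constructed-landing.ru/VirusScanner.apk|Mozilla/5.0 (Linux; U; Android 2.3.6)
1100|10.0.0.9|http://constructed-lure.tk/|Mozilla/5.0 (Windows NT 6.1)
1101|10.0.0.9|http://constructed-landing.ru/l.php?l=os|Mozilla/5.0 (Windows NT 6.1)
1140|10.0.0.9|http://constructed-landing.ru/VirusScanner.jar|Mozilla/5.0 (Windows NT 6.1)
1200|10.0.0.7|http://downloads.example.org/tool.jar|Mozilla/5.0 (Windows NT 6.1)
5000|10.0.0.9|http://downloads.example.org/tool.jar|Mozilla/5.0 (Windows NT 6.1)
"""

PAYLOAD_EXTS = (".apk", ".jar")  # the two file types named in the post
WINDOW = 120                     # assumed correlation window, in seconds

def find_tk_download_chains(log_text, window=WINDOW):
    """Return (client, platform, tk_host, payload_url) for each payload
    download that follows a .tk visit by the same client within `window`."""
    last_tk = {}   # client -> (time of most recent .tk request, .tk host)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, url, agent = line.split("|", 3)
        ts = int(ts)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host.endswith(".tk"):
            last_tk[client] = (ts, host)
            continue
        seen = last_tk.get(client)
        if seen is None or not (0 <= ts - seen[0] <= window):
            continue   # no recent .tk visit to correlate with
        if parts.path.lower().endswith(PAYLOAD_EXTS):
            platform = "android" if "android" in agent.lower() else "desktop"
            alerts.append((client, platform, seen[1], url))
    return alerts

if __name__ == "__main__":
    for alert in find_tk_download_chains(SAMPLE_LOG):
        print(alert)
```

The two unrelated .jar downloads in the sample (one from a client that never touched a .tk host, one long after the window closed) are not flagged, which keeps the rule from firing on every archive download.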
This isn’t the first time that we have encountered applications for Android purporting to be free virus scanners. As such, we encourage you, dear Reader, to only use legitimate AV scanners for your smartphone, and there are a lot of them available in the market right now. We also implore you to avoid clicking or even visiting sites with the .tk extension being spammed on Twitter or on other social networking sites, as the majority of the domains there were found to be run by spammers and scammers.
Jovi Umawing (Thanks to Matthew for finding this)