The surest way to know that an attack method is working for a malware gang is seeing the method repeated over a period of several months. In Commtouch’s October Trend Report we described an attack targeting Android users. Last week saw a repeat of the attack with a few refinements. The main elements:
- Single link emails sent from the compromised Yahoo accounts
- Links lead to compromised websites which redirect to “distribution sites”
- Distribution sites direct the visitor based on the browser type
- PC visitors sent to diet scam pages
- Android visitors sent to malware download page
The flow of servers and emails is illustrated in the diagram below:
The emails, received from a legitimate Yahoo user, look like this:
In this case the site “thedivschool.com” is a legitimate website (teaching life insurance classes) that has been hacked. The hacked website redirects to a distribution website. The distribution website has a hidden iframe that detects what kind of device is accessing the webpage. If the device accessing the webpage uses an android browser the user is redirected to a site and the code is injected through the device browser. The Android device then automatically downloads the malware (security.update.apk). The .apk extension describes a packaged Android app.
This is the code that the android browser receives which results in the download of the .apk file to the android device.
The downloaded file “security.update.apk” does not install automatically, but rather requires the user to activate the installation by touching on the filename. The file is shown in the download folder above. The filename “update.apk” is generic enough to fool many users, especially since Android routinely downloads and updates many of the apps on the device.
The malware – detected by Commtouch’s Antivirus as AndroidOS/NotCom.A – acts as a proxy so it’s able to transmit and receive network data through the infected android device. This means it can steal all kinds of sensitive data sent or received through the device network connection. Alternatively, the network access could allow communication with botnet command and control servers.
If the browser accessing the distribution site is from a PC then the browser is redirected to a diet scam site.
Leave a reply