Fake scam web page advertisements are being posted in various forums; they relate to pharmaceutical ads and phony prize scams, and carry malicious links that lead to installing nasty apps.
The scams point to other web pages that scare users in various ways: ‘you need to update your device!’ or ‘you need to install this antivirus to save your device!’.
These malicious web pages not only generate ad revenue but also perform malicious information-stealing activities.
Researchers from RiskIQ crawled malicious web pages to identify potential scams and found one redirection that sends victims who click to Google Play, where they are served a malicious app.
How Does It Work
The scam page code is a very direct way to reach victims, with no attempt at obfuscation. It first checks the user’s language.
If it does not find a supported language it selects English as the default, and once the language is set it pops up the following page.
It then urges the victim to click ‘install’ to clean the device, but whichever button the user clicks, ‘install’ or ‘cancel’, the page sends them to another server owned by the operators, which forwards them to the Google Play store.
Finally, the victim lands on the battery-saving ad-clicker app, which requests the following device permissions when the user downloads and tries to install it:
- Read sensitive log data
- Receive text messages (SMS)
- Receive data from Internet
- Pair with Bluetooth devices
- Full network access
- Modify system settings
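The permission list above is the practical red flag for a defender: none of it is needed to save battery. The following audit is an added example written for this article, not RiskIQ’s tooling or the app’s own code; the sample manifest is constructed, the baseline of permissions a battery saver legitimately needs is an assumption, and the mapping from the Play Store wording above to Android permission names is this editor’s.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions a genuine battery-saver app plausibly needs.
BATTERY_SAVER_BASELINE = {
    "android.permission.BATTERY_STATS",
    "android.permission.KILL_BACKGROUND_PROCESSES",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Permissions the article lists, mapped to Android names (mapping assumed here).
HIGH_RISK = {
    "android.permission.READ_LOGS": "read sensitive log data",
    "android.permission.RECEIVE_SMS": "receive text messages (SMS)",
    "android.permission.INTERNET": "full network access",
    "android.permission.BLUETOOTH": "pair with Bluetooth devices",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}

# Constructed sample manifest modelled on the permission list in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.batterysaver">
  <uses-permission android:name="android.permission.BATTERY_STATS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Collect every android:name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def audit_battery_saver(manifest_xml: str) -> dict:
    """Return requested permissions outside the baseline, each with a reason."""
    findings = {}
    for perm in sorted(requested_permissions(manifest_xml) - BATTERY_SAVER_BASELINE):
        findings[perm] = HIGH_RISK.get(perm, "not needed for the declared purpose")
    return findings


if __name__ == "__main__":
    for perm, reason in audit_battery_saver(SAMPLE_MANIFEST).items():
        print(f"FLAG {perm}: {reason}")
```

The same check runs against a real manifest extracted from an APK (for example with apktool), and the baseline is the part to adjust per app category.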
According to RiskIQ, it is interesting to note that the app does actually perform the functions it advertises:
- Reduces battery strain in an attempt to lengthen the life of the battery
- Kills off processes using a lot of battery resources during low battery charge
- Monitors battery status
Currently, this app is installed on around 60,000 users’ devices and is controlled by around 15 bots via a C&C server, so it has at least 60,000 Android devices under its control.