Android/Torec by Fake Flash Malvertising

Another fake Flash malvertising campaign leading to a malicious APK.
Android/Torec is a Trojan that steals information and is able to send SMS.
This Trojan uses the TOR network: http://securelist.com/blog/incidents/58528/the-first-tor-trojan-for-android/ or https://blog.malwarebytes.org/mobile-2/2014/02/android-botnets-hop-on-the-tor-train/

[images: ero_advertising_malicious_APK2, ero_advertising_malicious_APK3]

URLs:

http://adevclick.com/2/index.htm?[...]
http://tds.ueriol.com/click
http://adevclick.com/video_flash_player.apk

[images: ero_advertising_malicious_APK, ero_advertising_malicious_APK_domain]

The TDS at http://tds.ueriol.com/click is owned by a Russian registrant:

Registry Tech ID:
Tech Name: Ruslan Bakanaev
Tech Organization:
Tech Street: Bulvarnay 53
Tech City: Svobodniy
Tech State/Province: Amurskaya obl
Tech Postal Code: 676450
Tech Country: Russian Federation
Tech Phone: +7.9141837996
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: ruslan-bakanaev@mail.ru

http://adevclick.com/video_flash_player.apk: https://www.virustotal.com/fr/file/74cbbaaad648718be2c6b3cc94ae70fbff95e9aa9dcd58b3436c59bc348b7407/analysis/1427283339/
(many engines name it Android.Locker, but it is not a locker)

SHA256: 74cbbaaad648718be2c6b3cc94ae70fbff95e9aa9dcd58b3436c59bc348b7407
File name: apk.apk
Detection ratio: 26 / 56
Analysis date: 2015-03-25 11:35:39 UTC (0 minutes ago)
Antivirus   Result   Update
Ad-Aware Android.Trojan.SLocker.A 20150325
AegisLab Agent 20150325
AhnLab-V3 Android-Malicious/Slocker 20150324
Alibaba A.H.Rog.Pletor.A 20150325
Avast Android:Locker-BD [Trj] 20150325
Baidu-International Trojan.Win32.Agent.AaA 20150325
BitDefender Android.Trojan.SLocker.A 20150325
CAT-QuickHeal Android.SmForw.BY 20150325
Comodo UnclassifiedMalware 20150325
Cyren AndroidOS/GenBl.F9E458BE!Olympus 20150325
DrWeb Android.Banker.51.origin 20150325
ESET-NOD32 a variant of Android/Torec.C 20150325
Emsisoft Android.Trojan.SLocker.A (B) 20150325
F-Secure Android.Trojan.SLocker.A 20150325
Fortinet Android/Torec.A!tr 20150325
GData Android.Trojan.SLocker.A 20150325
Ikarus Trojan.AndroidOS.FakeInst 20150325
Kaspersky HEUR:Trojan-Banker.AndroidOS.Agent.ad 20150325
McAfee Artemis!F9E458BE2943 20150325
MicroWorld-eScan Android.Trojan.SLocker.A 20150325
NANO-Antivirus Trojan.Android.BankBot.dkzuaf 20150325
Qihoo-360 Win32/Trojan.DoS.e1b 20150325
Sophos Andr/Torec-A 20150325
Tencent a.rogue.simplocker.a 20150325
TrendMicro-HouseCall Suspicious_GEN.F47V0227 20150325
Zoner Trojan.AndroidOS.SIMLocker.B 20150323

The APK is able to send SMS:

[images: ero_advertising_malicious_APK_sms, ero_advertising_malicious_APK_access2, ero_advertising_malicious_APK_access]

This sample does not seem to use TOR, though; instead it contacts:

http://5.61.41.87:6081/forms/
http://xxxmobiletubez.com/video.php
[image: ero_advertising_malicious_APK_ip]

Plugrush (prpops.com) and popcash networks : malvertising

PlugRush and Popcash are two ad networks unable to keep their inventory clean.
I report malvertising to them every day; support replies fast (though for Popcash, bad advertisements sometimes run for the whole weekend), but they are unable to filter the good from the bad.
So I think that if I stop reporting, they will keep delivering bad advertising.
Most of the time, when an ad network is hit by malvertising, it takes some precautions afterwards (submitting domains to VirusTotal, etc.).

For PlugRush and Popcash, this has gone on for several years and it is still the same loop.
Malvertising pays better than usual ads, so you do not know whether some ad networks let it through to make more cash, or whether they are simply unable to detect it (or simply do not care).
At the user's end, the result is the same. So I decided to blacklist them on VirusTotal.

Those two networks are already red in WOT.

https://www.mywot.com/en/scorecard/plugrush.com is red with a lot of malware mentions, so they moved to prpops.com

Popcash is also red in VirusTotal: https://www.mywot.com/en/scorecard/popcash.net
There are a lot of "good site" comments, but if you look closely, they are all dated 06/08/2015, so I think someone paid to post these fake comments.

[images: popcash_mywot3, popcash_mywot2, popcash_mywot]

I have been reporting malvertising to PlugRush for a long time.
2013 – fake police ransomware on PlugRush:

Today they often carry a share of all the bad malvertising, such as:

Here are screenshots of the fake virus alert: http://malvertising.stopmalwares.com/2014/07/mobile-malvertising-fake-virus-alert/

[image: Plugrush_popcash_malvertising]

Below, some requests to the PlugRush network:

[image: PlugRush_network_support]

And Popcash:

[images: popcash_twitter_malvertising_report2, popcash_twitter_malvertising_report]

And sometimes: https://twitter.com/malekal_morte/status/580294074437148672

[image: popcash_aggessive_ads]

just because they make more $ with it.

EDIT – May 2015: still a lot of bad advertising at Popcash

Still some bad ads at PlugRush (there seem to be some improvements), but still a LOT of malvertising at Popcash:
fake Flash malvertising, Android lockers, scam support malvertising.

PlugRush:

Popcash – on the same day:

EDIT – still bad ads at Popcash.

Still and still:

9 days after the first tweet, the bad ads are still online: https://twitter.com/malekal_morte/status/601369159075766272

EDIT – September 2015: many efforts have been made

Some efforts have been made by the Popcash and PlugRush networks, so there is less malvertising / fewer bad advertisements.

Index of Android Lockers

Some Android lockers are active now.
We are back in 2013 with the fake police ransomware: antivirus is still a bit immature on Android, it is new, so several different lockers are being made.
Probably in a few months some of them will die off.

When you are surfing on an adult website, an ad offers an APK; if you install it (you have to enable unknown sources), the Android locker is installed.

PornDroid / Koler

by disgusting malvertising:

[images: Porndroid_malvertising, Porndroid_malvertising_fiddler, Porndroid_locker]

Another campaign: https://twitter.com/malekal_morte/status/596703083176075264

[images: Koler_malvertising_campaign, Koler_malvertising_campaign2, Koler_malvertising_campaign3, Koler_malvertising_campaign4]

Detection example:

https://www.virustotal.com/en/file/6cb1f5a08d330018c8d2214772dce2c88d090dd00aeeb71143f6d2c196feb354/analysis/1427108345/

Related links:

http://malware.dontneedcoffee.com/2014/05/police-locker-available-for-your.html

http://malware.dontneedcoffee.com/2015/01/inside-android-lockout-system-aka.html

Malvertising : Android/Svpeng / Android/Crosate / Android/Deng

See: http://malvertising.stopmalwares.com/2015/03/malvertising-androidsvpeng-androidcrosate-androiddeng/

by fake Flash malvertising:

[images: android_locker, android_locker_deng4]

Detection example:

SHA256: f396f49397affa9e9ea158b0caf908ab99857db98b780fdd565fbdd13b68864a
File name: adobe_flash_player_15.10.4.apk
Detection ratio: 7 / 57
Analysis date: 2015-03-16 21:54:41 UTC (10 hours, 27 minutes ago)
Antivirus   Result   Update
AVG Android/Deng.CJE 20150316
Avira Android/Svpeng.A.18 20150316
Cyren AndroidOS/GenBl.99C13486!Olympus 20150316
DrWeb Android.Locker.12.origin 20150316
ESET-NOD32 a variant of Android/Crosate.P 20150316
Kaspersky HEUR:Trojan-Banker.AndroidOS.SvPeng.a 20150316
McAfee Artemis!99C134869A64 20150316

Android/Fusob / Android/Slocker & Browlock Ransomware

Very active: it offers an APK, then redirects to Browlock ransomware – see: http://www.malekal.com/2013/10/07/en-browlock-ransomware-malvertising-campaign/

via PornoDroidTube malvertising:

The scheme is:

malvertising URL
APK via domain/s=mpWs
Browlock via domain/5/9 (or other numbers)

Detection example: https://www.virustotal.com/fr/file/929994b5ca3824b8090083b309b13c2118afbd993c7f6aedc09bb19d7552378d/analysis/1427106215/

SHA256: 929994b5ca3824b8090083b309b13c2118afbd993c7f6aedc09bb19d7552378d
File name: get_player.php?s=mpWk
Detection ratio: 15 / 57
Analysis date: 2015-03-23 10:23:35 UTC (48 minutes ago)
Antivirus   Result   Update
AhnLab-V3 Android-Malicious/Slocker 20150323
Alibaba A.H.Pri.Gaudy 20150323
Avira Android/Fusob.A.32 20150323
Cyren AndroidOS/SLocker.R 20150323
DrWeb Android.Locker.97.origin 20150323
ESET-NOD32 Android/Locker.AZ 20150323
Emsisoft Trojan.Android.Locker (A) 20150323
F-Prot AndroidOS/SLocker.R 20150323
Fortinet Android/Fusob.A!tr 20150323
Ikarus Trojan.AndroidOS.Locker 20150323
K7GW Trojan ( 6b49d20b1 ) 20150323
Kaspersky HEUR:Trojan-Ransom.AndroidOS.Fusob.a 20150323
McAfee Artemis!AA5C29F72FF0 20150323
Sophos Andr/PornLock-A 20150323
TrendMicro-HouseCall Suspicious_GEN.F47V0320 20150323

EDIT – September 2015 : Android Locker still very active

Still a lot of malvertising, and also some new malvertising with a fake virus message: https://twitter.com/malekal_morte/status/643884457695543300

They also improved the locker with a menu, etc.:

Another variant:

Android:SMSreg / AndroidOS.SMSreg Malvertising

I am opening a new topic for Android:SMSreg / AndroidOS.SMSreg.
According to Kaspersky, it was the second threat in 2014: http://securelist.com/analysis/quarterly-malware-reports/67637/it-threat-evolution-q3-2014/
Fortiguard gives a good description: http://www.fortiguard.com/encyclopedia/virus/#id=2831267
At the end of the description, Fortiguard says: "ial/SmsReg!Android exists in multiple versions, customized for various countries."

Avast! made an entry on its blog – they clearly classify it as malware: https://blog.avast.com/2014/12/12/mobile-advertising-firms-spread-malware-by-posing-as-official-google-play-apps/

These programs give access to porn videos (which you can get for free anyway) through a paid service, even if you do not use it (the application sends SMS to premium-rate phone numbers).

The application can be customized, so some are probably clean or very borderline, and some abuse users.

It depends where you draw the line, but you have to be careful with these kinds of programs: some probably abuse users, some show an EULA, and some only show a small message at the bottom of a long text saying that they will send premium SMS.
They can also evolve over time: at the beginning there was no EULA, and after antivirus flagged them, some added an EULA to look more legitimate, etc.

Also, the SMS are sent in the background, even if you do not use the service, so users do not notice anything; you have to uninstall the app to stop the SMS sending.
And sometimes you have trouble getting rid of it:
http://www.htcmania.com/showthread.php?t=544888
http://www.htcmania.com/archive/index.php/t-548904.html

EULA example:

[image: Eula]

These programs also require broad permissions, which could be a privacy problem.
This is the problem with apps from untrusted sources (not on the Google Play Store): you cannot be exactly sure of what you are installing.
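As an added example (not code from this page or its author), here is a small triage check for the traits described above: SMS sending, reading incoming SMS, surviving a reboot, and a "Flash Player" label with SMS rights. It assumes a decoded AndroidManifest.xml such as apktool produces; the embedded manifest is constructed, not taken from any real sample, and the priority threshold is an assumption.

```python
"""Triage a decoded AndroidManifest.xml for premium-SMS / background-sending traits.

Added example, not code from the page.  SAMPLE_MANIFEST is constructed (not from any
real sample) and the priority threshold is an assumption; run it on apktool output.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # the android: XML namespace

# Constructed sample: SMS send + receive, restart at boot, "Flash Player" label.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeplayer">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Flash Player">
    <receiver android:name=".SmsCatcher">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".Boot">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return a list of findings; an empty list means none of the traits were seen."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []
    if "android.permission.SEND_SMS" in perms:
        findings.append("SEND_SMS: can bill the user through premium numbers")
    if "android.permission.RECEIVE_SMS" in perms:
        findings.append("RECEIVE_SMS: can read subscription confirmation SMS")
    for flt in root.iter("intent-filter"):
        actions = {a.get(A + "name") for a in flt.iter("action")}
        # A high-priority SMS_RECEIVED receiver gets the broadcast first and can
        # abort it, so the carrier's confirmation never reaches the user.
        if ("android.provider.Telephony.SMS_RECEIVED" in actions
                and int(flt.get(A + "priority", "0")) >= 1000):
            findings.append("high-priority SMS_RECEIVED receiver: can hide incoming SMS")
        if "android.intent.action.BOOT_COMPLETED" in actions:
            findings.append("BOOT_COMPLETED receiver: keeps running after a reboot")
    app = root.find("application")
    label = (app.get(A + "label", "") if app is not None else "").lower()
    if "flash" in label and "android.permission.SEND_SMS" in perms:
        findings.append("'Flash' label with SMS rights: fake Flash player bait")
    return findings
```

The findings are only a triage signal: a legitimate messaging app also holds SMS permissions, so a hit means "look closer", not "malicious".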

[images: Android_SMSreg_EULA2, Android_SMSreg_EULA]

APKs score around 15/20 on VirusTotal: https://www.virustotal.com/fr/file/583628d0d244b47201e1b7593d521118fa53c5115adab78d4bc6f00debde9aeb/analysis/
Most of the time, engines detect the SMS code part.

SHA256: 583628d0d244b47201e1b7593d521118fa53c5115adab78d4bc6f00debde9aeb
File name: youpornxxx_-_MBCOOL_-_90024248245414_-_.apk
Detection ratio: 17 / 54
Analysis date: 2015-03-20 12:59:57 UTC (3 hours, 19 minutes ago)
Antivirus   Result   Update
AVG Android/Deng.ISA 20150320
AegisLab Pawen 20150320
Avast Android:SMSreg-AKO [PUP] 20150320
Avira SPR/ANDR.SMSreg.3907 20150320
Baidu-International Hacktool.Android.SMSreg.II 20150320
CAT-QuickHeal Android.Pawen.A (Suspicious) 20150320
Cyren AndroidOS/GenPua.FEC6300D!Olympus 20150320
DrWeb Android.Dialer.5.origin 20150320
ESET-NOD32 a variant of Android/SMSreg.II potentially unsafe 20150320
Ikarus Unsafe.Adware.AndroidOS 20150320
K7GW Trojan ( 004b56dc1 ) 20150320
Kaspersky HEUR:Trojan.AndroidOS.Pawen.a 20150320
McAfee Artemis!FEC6300D9B34 20150320
NANO-Antivirus Trojan.Android.SmsSend.dgqqwi 20150320
Qihoo-360 Win32/Trojan.DoS.5ff 20150320
Tencent a.gray.ikangoo 20150320
TrendMicro-HouseCall Suspicious_GEN.F47V0211 20150320

In France in 2014 : http://www.malekal.com/2014/07/08/malwares-android-sur-sites-pornographiques-android-smsreg-android-trojan-vidro-etc/

Most of the time with these kinds of programs there are user complaints:

http://www.listaspam.com/busca.php?Telefono=995858&page=2
http://www.htcmania.com/showpost.php?s=c847367e67de40813b9baa4229aaba0e&p=8171812&postcount=7
http://androidspain.es/cuidado-con-las-aplicaciones-de-suscripcion/
http://answers-en.bianminchaxun.com/HQRw5nqXpvw=_i/

Some campaigns that push these kinds of programs…

ads.bettyads.com

Active in the Clickadu network and Adsterra (vipcpms.com) – I already gave them all the details.

According to the Clickadu network, it has been removed.
I do not have a contact at Adsterra.
Those ones target mostly US users.

In Spain

Active in the Exoclick network and ero-advertising, so very big.
Two different actors:

http://clix2pix.net
http://id.waiads.com

Example of detection: https://www.virustotal.com/fr/url/6f39764e5737d397ad5bc20b56969fb9fe86294bc496821e0ff4a0eba71a29ca/analysis/1426694700/

[images: Trojan_SMSreg_spain, Trojan_SMSreg_spain3]

and popcash.net via reporo.net:

[image: Trojan_SMSreg_spain_popcash]

[image: Trojan_SMSreg_spain_youpornxxx]

The first one is not very interesting – same:

clix2pix.net has address 94.75.199.176
clix2pix.net has address 94.75.199.174
clix2pix.net has address 94.75.199.172
clix2pix.net has address 94.75.199.178

The second is more interesting:

id.waiads.com has address 37.187.27.119

[image: Trojan_SMSreg_spain2]

and ikangoo / m-hunter:

waiads.com has address 5.135.154.45
waiads.com mail is handled by 0 mail2.m-hunter.com.
waiads.com mail is handled by 5 mail2.ikangoo.com.

mobile marketing stuff:

[images: Trojan_SMSreg_spain_m-hunter_ikangoo2, Trojan_SMSreg_spain_m-hunter_ikangoo]

A search turns up another APK reported as phishing – registered by m-hunter.com.
It leads to Android:SMSReg: https://www.virustotal.com/fr/url/0e9079144bf0ec6e41d59fb1b7f50ae89f3b2b16ff102201606aa18ab0e592fb/analysis/1426705141/
And OVH too: android2.ikangoo.com has address 5.39.66.149

[images: Trojan_SMSreg_spain_ikangoo2, Trojan_SMSreg_spain_ikangoo]

Back to the Fiddler logs, so we have:

http://nl1.ero-advertising.com/speedclicks/[…]
http://nl1.ero-advertising.com/speedclicks/[…]
http://nl1.ero-advertising.com/speedclicks/[…]
http://id.waiads.com/visit.php?[…]
http://download.gf2fuck.com/apps/youpornxxx/landings/directa/[…]

See: https://www.virustotal.com/fr/url/6f39764e5737d397ad5bc20b56969fb9fe86294bc496821e0ff4a0eba71a29ca/analysis/1426705340/

Same IP as ikangoo:

download.gf2fuck.com has address 5.39.66.149
Registered by m-hunter.com:

Domain Name: GF2FUCK.COM
Registrar: ENOM, INC.
Sponsoring Registrar IANA ID: 48
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS.REDIR.DNSYSTEM.COM
Name Server: NS2.REDIR.DNSYSTEM.COM
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Updated Date: 06-oct-2014
Creation Date: 06-oct-2014
Expiration Date: 06-oct-2015

Registrant Name: IVAN IVAN
Registrant Organization: INTERACTIVE MARKETING CONSULTING, SLNE
Registrant Street: C JAUME ROIG, 28. ENTLO. 5
Registrant City: VILA-REAL
Registrant State/Province: CASTELLON
Registrant Postal Code: 12540
Registrant Country: ES
Registrant Phone: +34.964100445
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: IVAN@M-HUNTER.COM

Some Spanish user complaints:

http://www.htcmania.com/showpost.php?s=c847367e67de40813b9baa4229aaba0e&p=8171812&postcount=7
http://androidspain.es/cuidado-con-las-aplicaciones-de-suscripcion/

Exoclick, Popcash and ero-advertising have been notified.
OVH too.

EDIT – Portugal – Espabit Android.SMSReg – kimia.es via slimspots.com

Ero-advertising, then:

http://spaces.slimspots.com/mobiledirect/[...]
http://adserver.kimia.es/get/iad/[...]
http://www.69.tv/[...]
http://www.69.tv/v2/[...]
http://www.69.tv/[...]
http://websexy.mobi/[...]
http://appsexy.mobi/landings/sexyface_pt/[...]
http://appsexy.mobi/apk/d.php?[..]
http://apps-123.com/downloads/sexyface_hbebob9l3seoxm9j.apk

https://www.virustotal.com/fr/domain/apps-123.com/information/
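The chains in the Fiddler logs above, the Browlock scheme (malvertising URL, then get_player.php?s=..., then a numeric domain/5/9 path) and the ero-advertising / slimspots / kimia.es chain all share one shape: an ad click goes through a TDS or a visit.php / d.php hop and ends in a sideloaded APK or a browser-locker page. As an added example (not code from this page or its author), the Python below tags proxy log lines and reports clients whose session follows that shape. The log lines, client IPs and the tube.example.test host are constructed; the trusted-host list and bait words are assumptions.

```python
"""Flag proxy/Fiddler sessions matching the ad -> TDS -> sideloaded-APK (or Browlock) chain.

Added example, not code from the original posts.  SAMPLE_LOG is constructed from the
URL shapes the posts show; TRUSTED_APK_HOSTS and BAIT_WORDS are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, one "client_ip url" per line (the .test host is made up).
SAMPLE_LOG = """\
10.0.0.5 http://nl1.ero-advertising.com/speedclicks/abc
10.0.0.5 http://adevclick.com/2/index.htm?zone=1
10.0.0.5 http://tds.ueriol.com/click
10.0.0.5 http://adevclick.com/video_flash_player.apk
10.0.0.9 http://www.69.tv/v2/page
10.0.0.9 http://appsexy.mobi/apk/d.php?id=1
10.0.0.9 http://apps-123.com/downloads/sexyface_hbebob9l3seoxm9j.apk
10.0.0.7 http://tube.example.test/get_player.php?s=mpWk
10.0.0.7 http://tube.example.test/5/9
10.0.0.3 https://play.google.com/store/apps/details?id=com.example.app
"""

TRUSTED_APK_HOSTS = {"play.google.com"}         # assumption: store installs only
BAIT_WORDS = ("flash_player", "get_player", "/apk/", "/downloads/")
NUMERIC_PATH = re.compile(r"^/\d+/\d+/?$")      # Browlock-style domain/5/9 paths


def classify_url(url):
    """Tag one request, or return None when it plays no role in the chain."""
    p = urlparse(url)
    path = p.path.lower()
    if path.endswith(".apk") and p.netloc not in TRUSTED_APK_HOSTS:
        return "apk_download"        # APK served from an ad chain, not the store
    if any(w in path for w in BAIT_WORDS) or "s=mpw" in p.query.lower():
        return "player_bait"         # fake "player" / downloader hop
    if NUMERIC_PATH.match(path):
        return "browlock_path"       # browser-locker landing page
    if path.rstrip("/").endswith("/click") or p.netloc.startswith("tds."):
        return "tds_click"           # traffic distribution system hop
    return None


def find_chains(log_text):
    """Group tagged requests per client; return clients whose session ends in an
    APK download, or shows player bait followed by a Browlock path."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        client, url = line.split(maxsplit=1)
        tag = classify_url(url)
        if tag:
            per_client[client].append((tag, url))
    hits = {}
    for client, events in per_client.items():
        tags = [t for t, _ in events]
        bait_then_lock = ("player_bait" in tags and
                          "browlock_path" in tags[tags.index("player_bait"):])
        if "apk_download" in tags or bait_then_lock:
            hits[client] = events
    return hits
```

On the sample, the three sessions that end in an APK or a Browlock page are reported and the Play store visit is not.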

[image: android_smsreg_kimia]

Espabit: https://www.virustotal.com/fr/file/bf3843f9ace6a9fd6e29ce4e765c4b7200c346d31848f059e1df0ab157bf5a21/analysis/

com.espabit.essexyfacePT.Disclaimer
com.espabit.appmaker.activities.Ocultadora
com.espabit.appmaker.activities.OcultadoraW
com.espabit.appmaker.activities.Dmb
com.espabit.essexyfacePT.PantallaCarga
com.espabit.appmaker.activities.Enhorabuena

JUANJO@ESPABIT.COM:

Admin Name: SISTEMAS INFORMATICOS ESPABIT S.L.
Admin Organization: SISTEMAS INFORMATICOS ESPABIT S.L
Admin Street: AVD. JERONIMO ROURE 49, 2B
Admin City: PUERTO DE SAGUNTO
Admin State/Province: VALENCIA
Admin Postal Code: 46520
Admin Country: ES
Admin Phone: +34.902909246
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email: JUANJO@ESPABIT.COM

[image: espabit]

EDIT – Italy : Slimspots & kimia.es

Same sources:

  • slimspots (via ero-advertising), which is loading the well-known ads.bettyads.com
  • kimia.es is loading trk.billysrv.com – no information about it, the whois is protected.

Binary: https://www.virustotal.com/fr/file/d492188a2c8f82a2e7fe64b6994c0952481785e9a9a75037bebac11bdaa38573/analysis/1426753723/

[images: kimia_android_smsreg, slimspot_bettyads_IT]

[image: slimspot_bettyads_IT2]

EDIT – still a lot Android:SmsReg Malvertising in Spain

Still a lot in Spain:

  • via ero-advertising / slimspots: r.COOLMOBILE.BIZ (5.39.66.156) – seems to belong to mobobeat ads.
  • adamoads network & PlugRush are loading id.waiads.com (see above)
  • popcash network via www.theylike.org (106.187.90.72) – no information
  • Adsterra (vipcpms.com) via r.leadzu.com (217.13.124.96) – mobusi mobile ads

[images: android_smsreg_slimspots_coolmobile, android_smsreg_popcash, android_smsreg_adamoads, plugrush_smsreg_slimspots_coolmobile]

Malvertising : Android/Svpeng / Android/Crosate / Android/Deng

Yesterday I tweeted two malvertising campaigns on ero-advertising and Popcash:

[image: popcash_locker]

The malvertising leads to a fake Flash page that offers an APK – of course it is an Android locker:

http://malwaredb.malekal.com/index.php?hash=340894eaff7de957442955d3c4698add
http://malwaredb.malekal.com/index.php?hash=b6cba65e248d89718e16719c8f2ed7be

SHA256: f396f49397affa9e9ea158b0caf908ab99857db98b780fdd565fbdd13b68864a
File name: adobe_flash_player_15.10.4.apk
Detection ratio: 7 / 57
Analysis date: 2015-03-16 21:54:41 UTC (10 hours, 27 minutes ago)
Antivirus   Result   Update
AVG Android/Deng.CJE 20150316
Avira Android/Svpeng.A.18 20150316
Cyren AndroidOS/GenBl.99C13486!Olympus 20150316
DrWeb Android.Locker.12.origin 20150316
ESET-NOD32 a variant of Android/Crosate.P 20150316
Kaspersky HEUR:Trojan-Banker.AndroidOS.SvPeng.a 20150316
McAfee Artemis!99C134869A64 20150316

[image: android_locker]

Screenshots of the locker (thanks to kafeine for the screenshots):

[images: android_locker_deng, android_locker_deng2, android_locker_deng3, android_locker_deng4, android_locker_deng5, android_locker_deng6]

There is now a lot of Android ransomware:

PornotubeDroid malvertising is far from being the most active, and is trying to push malvertising on the ero-advertising, hornyspot, popcash and popads networks – see: http://www.malekal.com/2013/10/07/en-browlock-ransomware-malvertising-campaign/

PUP.InstallIQ / PUP.InstallX : Fake Flash / Fake Java Malvertising

A new thread for another PUP / adware installer that uses fake Flash / Java malvertising.
It was active on yobt.com some time ago via the vipcpms.com network (see http://malvertising.stopmalwares.com/2015/02/yobt-com-and-vipcpms-com/ ).

Today it is on motherless.com (~900 global rank on Alexa). Yesterday I tweeted it: https://twitter.com/malekal_morte/status/575338785883492352
I give more details below about this malvertising, after some details about this PUP.InstallIQ.

Clickadu Network : bad advertising

A lot of bad advertising on this network.

Fake Java malvertising and fake scam support:

https://twitter.com/malekal_morte/status/572507303972372480
https://twitter.com/malekal_morte/status/573155437966725120

I already came across this zeroredirect redirection in the past on vipcpms, if I remember well.

http://clickadu.com/afu.php?zoneid=209987
http://go.feedxfeed.com/xmlfeed/rq.php?geo=US&zone=209987&banner=454413&a=ZeroparkCa
http://zf.zeroredirect1.com/zcvisitor/a71c54c4-c125-11e4-be54-0ac42b4053c3
http://track.99girls.com/zpchat?dv1=india-tsk-LfVlrTx3&dv2=okhuaxen.com
http://scan-tips.com/techsupport/?sence=Bjchooclcc

Also a lot of fake mobile virus alerts in France:

[images: clickadu_fakevirusmobile, clickadu_fakevirusmobile2]