Researchers have identified a tricky Android malware spreading via facebook advertising.
When Facebook is accessed from an Android device, users may see messages under Facebook adverting under “Suggested Post”.
Some of the identified ads read as
- “WhatsApp tips like: “Want to know how to see your contacts’ chats on WhatsApp?”
- “Want to hide your WhatsApp connection status?”.
When a Android user clicks on those ads , the user is taken to a malacious google play store with a free app on it. Once the user installs the app, his device will be infected with the Trojan. Once the device is infected, the Trojan checks for all inbound messages and if the sender is the premium-rate SMS service, the message is intercepted and deleted so the user is unaware.
Yet this technique doesn’t work with the latest 4.4 (KitKat) version of Android, so the creators have come up with an ingenious trick to overcome this: when the message is received, the phone volume is muted for two seconds and the inbound message is marked as read. The app includes an SMS counter, so when the first message is received from the premium-rate service, it reads it to get the confirmation PIN and registers the user on the corresponding website to activate the premium-rate SMS service.
“In this attack, cyber-criminals have taken advantage of Facebook’s targeted advertising options. In this case, the ad is only shown to Spanish Facebook users who are accessing the social network from an Android mobile device. We carried out tests using the same account from a PC, an iPad, an iPhone and Android and the ads were only displayed when using the Google operating system”, said Luis Corrons, Technical Director of PandaLabs at Panda Security.