We've discovered a server that only attacks and/or spams smartphones and tablets — and not PCs.
A Swedish-based colleague of ours, Johan, was recently using his (Android) phone to search for boat trips in the Galapagos Islands. He found a site called Vagabond. And on Vagabond he found an entry with a link to: galacruises.com.
From a Windows-based browser, the link redirects to a site called islasgalapagos.travel.
But the results are much different if a mobile device is used…
Mobile browsers are redirected to a .info domain which in turn redirects yet again.
Sometimes it redirects to a popular game on Google Play:
But much of the time, it's NSFW sites (here seen from a Windows Phone):
And sometimes… malware! (As was the case for Johan.)
Here you can see that the malicious .APK file was blocked by one of our "online" detections.
Specific "disk" detection identifies the threat as a variant of FakeInstaller: Trojan:Android/FakeInst.AV.