NEWS FROM THE LAB - Thursday, June 6, 2013
 

 
Not the Mobile Antivirus You Were Looking For
Posted by SecResponse @ 07:03 GMT

While browsing Malaysiakini (a popular Malaysian website) on an Android phone, one of our analysts spotted this advertisement:

mkini_scam_ad

Clicking on the ad led to an external site displaying the following:

mkini_scam_ad_download_screen

Looks reminiscent of the kind of text we've seen for years on webpages pushing rogues for Windows systems (and sometimes Mac).

Clicking on the "Download and Scan Now" button leads to an image, which looks like an antivirus app:

mkini_scam_ad_download_screen_2

Clicking on the image brings you to a page that asks for your phone number and displays some interesting text:

mkini_scam_ad_number_submission

"This is an ongoing subscription service until you quit. You will receive 4 sms per week and chargeable at RM4 per message. Only [REMOVED] user will receives max 3 sms per week and chargeable at RM4 per message. Data charges are billed separately by mobile operators."

So, it's an SMS subscription service. Provide a phone number, and the user gets an SMS message with registration instructions for the service.

Once registered, another SMS is sent providing a download link. When we tried the link, the only thing we got was a message saying "Sorry, you have exceeded the allowed download limit." The site's index page claims to be "under construction."

Fortunately, the SMS with the registration instructions also included instructions for stopping the service.

We normally recommend users read the permissions requested when downloading a mobile app. In this case, reading the text before downloading would also be prudent. This was probably not the service a user was looking for when they clicked on the ad.

Our Browsing Protection feature currently rates the site hosting the supposed APK download as Suspicious.

Updated to add:

Like Windows-based Rogueware, this "Android Antivirus" scam recognizes other operating systems — but fails to fine-tune the bait.

iOS:

mkini_scam_iPod

Windows Phone:

mkini_scam_lumia620