A banner delivered by an InMobi advertising SDK included in several legitimate applications for Android smartphones was found deploying a scareware-type attack on innocent users, Bitdefender researchersÂ Â uncovered.
This scam appeared as a pop-up ad delivered by an advertising SDK that can be found in a lot of legitimate applications, among which an older version of the legitimate Brightest Flashlight Free Â® app available on Google Play.
When users download an app containing the advertising module delivering this scam, an alarmist banner pops-up out of the blue on the handset screen making users believe their devices are infected with malware and prompts them towards purchasing a useless disinfection tool.
Most likely the providers of the advertising module are not aware their service is delivering a malicious banner. It appears to be a case of an invalidated ad that accidentally reached the market.
A sudden message pop-up on their Android smartphone or tablet hints users that their handsets are working too slowly possibly because they are infected with malware. Â The same pop up informs owners they should consider testing devices for possible malicious code.
Tapping the suggested ad redirects users towards a web page that invariably finds all devices packed-full with e-hazards and to get rid of them, users need to download a disinfection tool from the Internet.
Since downloading malware would often fail on a device that does not allow sideloading, cyber-crooks have taken a different approach. In order to get the promised Android antivirus, the user needs to enter their phone number in a form, then press Download. But instead of getting the Android device cleaned up, they get signed up with a premium-rate ringtone and wallpaper service that charges â‚¬3.00 per week plus taxes (â‚¬ 4.06 plus taxes) until the user unsubscribes manually.
This clever con has a global reach, as the webpage redirects are based on geolocation, so the premium service partner is chosen from the ones available in the victimâ€™s location. Which means that if a user in Spain installs the app, he will receive messages written Spanish, and if the user is in Germany or Australia, the banners will be in German and English, respectively.
As Bitdefender researchers accessed the app from an IP from Romania, they received only messages written in Romanian and were redirected towards a webpage with content in Romanian. In the above screenshot, displays the following messages: â€œYour Android device is slow because of the viruses!â€; â€œAndroid Notification: Your phone has no protection! Potential malware on your device. Download the most recent app to get rid of the viruses!â€; â€œType in your phone number to protect your smartphone!â€
Scareware is the name of an online scam that scares people into thinking their terminal is infected with malware â€“ very popular with Windows and Mac OX systems. The scary messages try to convince people to purchase a Fake AV and they end up using their credit cards to pay for a disinfection tool that will be of no use to them since nothing is wrong with their systems.
If you have no security software installed on your device, there should be no pop-up message informing you about infections, and if you are using a dedicated antivirus for your Android terminal rest assured that no legitimate application will ask for extra money to block or remove malware from your system.
If this scenario happened to you:
- unsubscribe right away by sending a SMS message to the number mentioned in the Terms and Conditions section of the website
- uninstall immediately the apps you downloaded recently
- use a dedicated security tool for mobile terminals running a Googleâ€™s Android operating system, such as Bitdefender Mobile Security, that blocks the dangerous URL
- Bitdefender also recommends Clueful for Android, a free app that offers an expert opinion on how apps treat your privacy once you install them on your handset.
This article is based on the technical information provided courtesy of Bitdefender Clueful Team.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.