Crooks redirect to adware, premium SMS and harmful apps

Apr 7, 2015 16:07 GMT

Fake download pages for the scanner that determines if an Android device is impacted by the Installer Hijacking vulnerability are used by cybercriminals to expose mobile visitors to persistent advertising, adware, and premium SMS scams.

The vulnerability was described in late March by Palo Alto Networks, which said that almost half of all Android devices are affected. The scanner is available in Google’s official app store.

Clingy pop-up difficult to shake off

Security researchers at Trend Micro found three fraudulent websites that claim to provide a link to the tool but instead include redirects to risky locations either when tapping on the download spot or anywhere else on the page.

In one instance, the crooks set up an aggressive pop-up that kept being displayed even if the web browser was restarted.

The researchers first tried to turn it off by hitting the “Ok” button, which should have taken them to the next stage of the scam, but nothing happened. A subsequent attempt consisted of closing the web browser, but relaunching it showed that the trick had no effect either.

Moreover, it seems that the pop-up and the tab that generated it persisted even after the memory was cleared, as the tab was still present upon starting the browser.

“It should be noted that no file was downloaded to the mobile device,” fraud analyst Gideon Hernandez said in a blog post on Monday.

Harmful apps download risk

In a second case, the download button would lead to the legitimate app on Google Play, but only after redirecting the user to a different website first.

However, the researchers observed a different, riskier behavior when tapping outside the download button, as the browser loaded websites pointing to online surveys or alleged software updates.

Apart from this, Hernandez says that APK (Android application package) files were automatically downloaded to the device, one of them subscribing the mobile user to a premium SMS service, while another brought adware onto the device. A third file seen by the researcher was a legitimate app.

The third online location purporting to offer a download for the Installer Hijacking Scanner loads a suspicious location, but attempts to investigate the redirects were thwarted by “bad error requests.”

Hernandez believes that this is a defense mechanism against efforts to investigate the scam, since dead links do not present any interest.

“Rather than finding threats that exploited the Android vulnerability, what we found were threats that exploited the fear over the bug. Taking advantage of a hot topic or current event is par for the course for social engineering,” he says.

Users are advised to access only reputable websites where the packages are subject to security checks before being published.

User is redirected, no matter where they click in the page