Solera Networks researchers have analyzed the attack

Aug 27, 2013 11:00 GMT

Security researchers from Solera Networks, a Blue Coat company, have come across an interesting piece of malware that’s currently being used to advertise a shady Android spy application on Craigslist.

It all starts with a Trojan disguised as a browser add-on called Adobe Photo Loader.

When installed, the threat downloads and executes a genuine Flash Player update to avoid raising any suspicion. In the meantime, it starts posting ads on Craigslist to advertise a site that hosts the Android spy application.

So how does the Trojan manage to post ads on Craigslist?

When executed, the bot contacts its command and control server hosted on myemail3.info. The server provides it with the text of the advertisement that will be published on Craigslist and an outlook.com email address that’s used to post the spam message.

The email address is needed because messages become visible on the classified ads website only after the poster clicks on a validation link received via email.

The bot receives the content of the validation email and “clicks” on the validation link to publish the spam message.

“The bot tries to fly under the radar by only posting one message per 24 hour period in the localized edition of Craigslist nearest the infected user’s computer,” Blue Coat Director of Threat Research Andrew Brandt wrote in a blog post.

“Other payloads dropped in the course of the same infection connect to the (privately registered) Web domains tryadfinc.com, weddingstalkers.com, and insure2family.com — all hosted on 184.168.91.119, the same IP address where myemail3.info is hosted,” he added.
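The article names the C2 domain, three sibling domains and the single IP address they all share, which is the kind of pivot a defender can use: matching on the hosting IP catches a further domain on that host even before its name is known. The following sweep over DNS-resolver logs is an added example, not code from Solera Networks or Blue Coat; the log format and every line in it are constructed, including the made-up sibling domain "newsibling-example.com".

```python
import re
from typing import List, Optional, Tuple

# Indicators quoted in the article: the C2 domain, its three sibling domains
# and the shared hosting IP. Everything else in this file is constructed.
C2_DOMAINS = {"myemail3.info", "tryadfinc.com",
              "weddingstalkers.com", "insure2family.com"}
C2_HOSTING_IPS = {"184.168.91.119"}

# Constructed resolver log: "<timestamp> <client> <query> -> <answer>"
SAMPLE_DNS_LOG = """\
2013-08-27T09:12:01Z 10.0.0.15 get.adobe.com -> 192.0.2.10
2013-08-27T09:12:05Z 10.0.0.15 myemail3.info -> 184.168.91.119
2013-08-27T09:13:40Z 10.0.0.15 outlook.com -> 192.0.2.20
2013-08-27T09:14:02Z 10.0.0.15 newsibling-example.com -> 184.168.91.119
2013-08-27T09:20:00Z 10.0.0.22 craigslist.org -> 192.0.2.30
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+)$")


def classify(query: str, answer: str) -> Optional[str]:
    """Return why a resolution is suspicious, or None if it looks clean.

    Domain match: the query is one of the known C2/sibling domains.
    IP pivot: the answer is the shared hosting IP, so a domain we have
    never seen before is still flagged because it lives on that host.
    """
    host = query.lower().rstrip(".")  # normalise case and trailing dot
    if host in C2_DOMAINS:
        return "known-c2-domain"
    if answer in C2_HOSTING_IPS:
        return "shared-hosting-ip"
    return None


def find_suspicious(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, query, reason) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _ts, client, query, answer = m.groups()
        reason = classify(query, answer)
        if reason:
            hits.append((client, query, reason))
    return hits


if __name__ == "__main__":
    for client, query, reason in find_suspicious(SAMPLE_DNS_LOG):
        print(f"{client} resolved {query}: {reason}")
```

Note that the IP pivot only holds while the operator keeps the domains on one host; on shared hosting it can also flag unrelated tenants, so treat a hit as a lead to triage rather than a verdict.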

The messages posted on Craigslist read something like “Is you man cheating? If you have a feeling you might be being cheated on it better to know the truth” and they lead to a website advertising an Android app called Stealth Nanny.

Subscription to the service, which allegedly allows users to monitor up to 4 devices, costs $10 (€7.5) per year. The app is capable of accessing SMS messages, call logs, photos, and location – tasks for which it requires numerous permissions.

However, as Brandt points out, the app’s capabilities are not the issue.

“Even if it were the best commercial phone monitoring software in the world, would you trust a company that resorts not only to spam, but to customized malware, as a method of getting their marketing message out to an audience of potential customers?” the expert explained.