Panda security recently discovered a new mass attack on Android users. This time it’s a much elaborated Facebook-originated campaign in which cybercriminals post ads promoting different applications. Panda Security already contacted Facebook to warn them about this malware campaign in the popular social network.
Users navigate Facebook on their Android devices and find different posts on the Wall called “Suggested Advertising,” announcing Whatsapp utilities such as “Would you like to know how to see your friends’ Whatsapp conversations? Find out here!” or “Do you want to hide your Whatsapp connection? Download the app so people can’t see you.” Victims who click on these ads are redirected to a fake version of Google Play, the Android app store. Then, thinking they’re in the original site, they’ll download the free app, which is actually a Trojan that will subscribe them to a Premium SMS service without notice.
The Trojan monitors all text messages received and if the sender is the Premium SMS service number, it intercepts it and eliminates it so there’s no trace of it. However, this technique does not work on the latest Android 4.4 version (KitKat), so the Trojan authors came up with a tactic to overcome this obstacle: as the victim receives a message, the phone goes to silent mode for a couple of seconds and then the message gets marked as read on the inbox. The application includes an SMS counter so, when the first message from the SMS Premium service is received, it can read it to obtain the necessary PIN, registering it in the corresponding confirmation website to activate the paid messaging service.
Cybercriminals don’t only use Whatsapp, but use the same technique with any theme that could work, such as: “shocking videos”, “Candy Crush tricks”, “Angry Birds tricks”, etc.
Source: Alta Densidad