24th July 2021, Kathmandu
Android malware and banking or SMS trojans installed through some URL shortener.
URL shortener has been very popular due to various reasons in present days which has given a number of advantages for users. On the other hand, clickjacking and phishing attacks are highly increasing due to it as users can define the link as it is different and shorter than the original URL hiding domain name.
The majority of the link shortener services use scareware ads that inform users that their devices are infected with malware provide a low-quality protection app, offer different service subscriptions, and win prizes. When someone clicks on such a link, an advertisement will appear, similar to the examples in Figure 1, which will earn income for the person who created the abbreviated URL.
We’ve even seen link shortener services distributing Android malware and pushing “calendar” files to iOS devices – in fact, we discovered one piece of malware called Android/Fake ADBlocker that downloads and executes additional payloads (such as banking trojans, SMS trojans, and aggressive adware) received from its C&C server.
Those links are regularly used in social media which are now used to redirects to a malicious destination which is easy for cybercriminals. It infects devices and leads them to participate in suspicious surveys or redirecting them to download a malicious app. That malicious app get installed with other app and hides its launcher app and continuously creates spam events and messages on IOS and Android calendars.
Some users get trapped in it and download it. Users should not construct shortened links to transfer files that contain viruses, spyware, adware, trojans, or other malicious code, according to the terms of service of one of the URL shortener providers. We’ve noticed that their ad partners are doing it, on the contrary.
The problem is more complicated for Android users because these fraudulent websites may offer a dangerous application for download outside of the store. Google Play is a search engine that allows you to search for the website in one of the cases examined requests the download of an application called “ADBLOCK,” which has nothing to do with the genuine application and, in fact, does the opposite of blocking ads.
Despite the fact that the malware typically displays aggressive advertisements, ESET has identified hundreds of cases in which malicious payloads were downloaded and executed, including the Cerberus banking Trojan which was under various names such as Chrome, Android Update, Adobe Flash Player, and Update Android. In addition, ESET discovered that Gimp trojan downloaded in Greece and the middle east.
According to ESET’s telemetry, this type of issue first appeared in September 2019 and has been progressively increasing since then. ESET recorded 150,000 incidents of Android malware downloads using exploited URL shortener providers in 2021 alone.
This indicates that the problem’s scope is already quite large and that prompt regulation is required. To make matters worse, the ESET-analyzed C2 servers can disseminate a variety of payloads, indicating that this is a well-organized yet unpredictable operation.