Look-out For Android Ad Scams

The Sports-ISAO threat hunting teams have identified a series of Ad Scams that are currently targeting viewers of Women’s World Cup 2019 websites. We are calling one of the most sophisticated we have run across StremBot. It is a fraud scheme in which the threat actors promote alternative streaming video websites that serve as malware infection vectors for Android mobile devices and Windows-based operating systems.

The most recent malware dropper sites for the Android Trojans are sitting on servers with IPs that fall within the purview of Chunghwa Telecom, a Taiwan-based telecommunications infrastructure.  It should be noted, however, that this appears to be a very sophisticated and widely distributed malicious infrastructure with servers located in Singapore, Manchester UK, and Manhattan, NY serving up other malware components.

Although our investigations are ongoing and our findings are very preliminary, we believe that, with the semi-final and final games of the Women’s World Cup coming up, it is prudent to send out this alert so that fans all around the world can beware of this campaign.

Web surfers and social media users should beware of efforts designed to induce you to find a free streaming service for a World Cup match. As shown in this screengrab, Sports-ISAO has seen heavy Twitter activity aimed at driving traffic to malicious sites. Moreover, these tweets are deleted after the match! This suggests a few things: it confirms the malicious objective of the scheme; it shows the attackers want to go undetected and protect their fraudulent scheme; and it shows organization.

The design of the campaign appears to include two key components:  1) an initial infection using weaponized ads targeting sports fans that redirects them to a pirated live-streaming website, and 2) a distributed Ad Fraud campaign to misappropriate Ad Spend resources of online advertisers.

Initial Infection

When a visitor to a legitimate site clicks on one of the weaponized ads for alternative video streaming of the Women’s World Cup games, he or she is redirected to: https://www[.]livestrems[.]cf/. Fans of women’s soccer are hereby forewarned that this video streaming site is a fraudulent site and that the ads [to watch the game from that streaming site] are lures to persuade you to click on the links. The site promotes itself as one that has made “crypto advertising easy”, as seen in the screenshot, ostensibly promoting online betting in jurisdictions where betting is illegal.

Once the victim is at the pirated site, push ads from popads[.]net are sent to the victim machine. If a user clicks on one of the pop-up ads, a line of JavaScript is then pushed to the victim machine:

`pa.src = '//c1.popads.net/pop.js';`

Coupled with some error handling code, this .js redirect ultimately takes the user to ‘c.adsco.re’, which serves up malware for a widespread Ad Fraud campaign. It also serves up invasive spyware that requests the following APK permissions:


These are highly invasive and should not be required for displaying advertising apps. The threat actor, however, is counting on social engineering: the permissions are displayed in the knowledge that many people will indiscriminately approve them and install the spyware/malware.

Although we have not fully explored an apparent alternative infection vector, it also appears as though sports fans that visit the video streaming site from a web browser may also be subject to infection via another route.  This may stem from the recent VLC Media Player vulnerabilities that were patched June 6, 2019.
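
One way to look for the redirect sequence described above in web proxy logs, as an added example that is not part of the original alert: it flags a client that requests the streaming site, then popads, then c.adsco.re, in that order. The log format, the sample lines, the 300-second window and the matching of subdomains are assumptions of this example.

```python
import re
from collections import defaultdict

# Redirect stages in the order this alert describes, defanged; subdomain matching is assumed.
CHAIN = ["livestrems[.]cf", "popads[.]net", "c.adsco[.]re"]
STAGES = [d.replace("[.]", ".") for d in CHAIN]

# Assumed proxy log format (constructed): "<epoch> <client_ip> <url>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(?:https?:)?//([^/:\s]+)", re.I)

def stage_of(host):
    """Index of the chain stage that host belongs to, or None."""
    host = host.lower().rstrip(".")
    for i, dom in enumerate(STAGES):
        if host == dom or host.endswith("." + dom):
            return i
    return None

def find_chains(lines, window=300):
    """Clients that hit every stage in order within `window` seconds."""
    progress, hits = defaultdict(list), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host = int(m.group(1)), m.group(2), m.group(3)
        stage = stage_of(host)
        if stage is None:
            continue
        seen = progress[client]
        if seen and ts - seen[0][0] > window:
            seen.clear()                  # partial chain went stale
        if stage == len(seen):
            seen.append((ts, host))       # next expected stage
        elif stage == 0:
            seen[:] = [(ts, host)]        # fresh visit restarts the chain
        if len(seen) == len(STAGES):
            hits[client] = list(seen)
            seen.clear()
    return hits

# Constructed sample log lines; client addresses are made up.
SAMPLE = """\
1561900000 10.0.0.5 https://www.livestrems.cf/
1561900004 10.0.0.5 https://c1.popads.net/pop.js
1561900005 10.0.0.9 https://notpopads.net/x
1561900009 10.0.0.5 https://c.adsco.re/
1561900020 10.0.0.7 https://c1.popads.net/pop.js
""".splitlines()
```

Requiring the stages in order keeps a lone request to the ad network, such as the one from 10.0.0.7 in the sample, from being reported as a full redirect chain.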

The Motherlode

This campaign also appears to be sharing malicious infrastructure that is targeting Windows32 operating systems and Android cellular phones. The following hashes have been identified and are active as of the beginning of the Women’s World Cup games. The top four hashes are for malware targeting Windows-based hosts. The last malware hash is for a payload targeting Androids.

IOC Type Value


This is a very active threat that is targeting fans of the Women’s World Cup 2019. Users should make sure Android devices are protected with an anti-virus app. Also, users who stream video using the VLC Media Player should immediately apply the patch. Users should also avoid visiting non-official live video streaming sites.
