Look-out For Android Ad Scams


The Sports-ISAO threat hunting teams have identified a series of Ad Scams that are currently targeting viewers of Women’s World Cup 2019 websites.  One of the most sophisticated we have run across we are calling StremBot.  It is a fraud scheme where the threat actors promote alternative streaming video websites that serve as malware infection vectors for Android mobile devices and Windows-based operating systems.

The most recent malware dropper sites for the Android Trojans sit on servers whose IPs fall within the address space of Chunghwa Telecom, a Taiwan-based telecommunications provider.  It should be noted, however, that this appears to be a very sophisticated and widely distributed malicious infrastructure, with servers located in Singapore, Manchester (UK), and Manhattan, NY serving up other malware components.

Although our investigation is ongoing and our findings are very preliminary, we believe that, with the semi-final and final games of the Women’s World Cup approaching, it is prudent to issue this alert so that fans around the world are aware of this campaign.

Web surfers and social media users should beware of efforts designed to induce them to look for a free streaming service for a World Cup match. As shown in this screengrab, Sports-ISAO has seen heavy Twitter activity aimed at driving traffic to malicious sites. Moreover, these tweets are deleted after the match! This suggests a few things: it confirms the malicious objective of the scheme; it shows the attackers want to go undetected and protect their fraudulent scheme; and it shows a degree of organization.

The design of the campaign appears to include two key components:  1) an initial infection using weaponized ads targeting sports fans that redirects them to a pirated live-streaming website, and 2) a distributed Ad Fraud campaign to misappropriate Ad Spend resources of online advertisers.

Initial Infection

When a visitor to a legitimate site clicks on one of the weaponized ads for alternative video streaming of the Women’s World Cup games, he or she is redirected to:  https://www[.]livestrems[.]cf/.  Fans of women’s soccer are hereby forewarned that this video streaming site is fraudulent and that the ads offering to watch the game from that streaming site are lures to persuade you to click on the links.  The site promotes itself as one that has made “crypto advertising easy”, as seen in the screenshot; ostensibly it is promoting online betting in jurisdictions where betting is illegal.

Once at the pirated site, push ads from popads[.]net are delivered to the victim’s machine.  If the user clicks on one of the pop-up ads, a line of JavaScript is then pushed to the victim’s machine:

```javascript
pa.src = '//c1.popads.net/pop.js';
```

Coupled with some error-handling code, this JavaScript redirect ultimately takes the user to ‘c.adsco.re’, which serves up malware for a widespread Ad Fraud campaign. It also serves up invasive spyware that requests the following APK permissions:

android.permission.GET_ACCOUNTS
android.permission.INTERNET
com.google.android.c2dm.permission.RECEIVE
android.permission.USE_CREDENTIALS
android.permission.ACCESS_NETWORK_STATE
android.permission.WRITE_EXTERNAL_STORAGE
android.permission.ACCESS_FINE_LOCATION
android.permission.CAMERA
android.permission.READ_EXTERNAL_STORAGE
android.permission.READ_CONTACTS
android.permission.WAKE_LOCK
android.permission.INSTALL_SHORTCUT

These permissions are highly invasive and should not be required by an app that merely displays advertising. The threat actor is counting on a social engineering technique: the permissions are displayed openly, in the knowledge that many people will approve them indiscriminately and install the spyware/malware.
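As an added defender-side example (not part of the Sports-ISAO alert), the following Python checks an Android manifest against the permission set reported above and flags an app that requests several of the invasive ones; the two manifests and the threshold are constructed here for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Watchlist: the permissions reported in the alert above, minus INTERNET,
# ACCESS_NETWORK_STATE, WAKE_LOCK and the c2dm RECEIVE (push messaging)
# permission, which legitimate ad SDKs routinely request. What remains
# reaches accounts, credentials, contacts, camera, location and storage.
INVASIVE = {
    "android.permission.GET_ACCOUNTS",
    "android.permission.USE_CREDENTIALS",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_CONTACTS",
    "android.permission.INSTALL_SHORTCUT",
}

def requested_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    names.discard(None)  # elements lacking an android:name attribute
    return names

def invasive_permissions(manifest_xml):
    """Requested permissions that an app only displaying ads should not need."""
    return requested_permissions(manifest_xml) & INVASIVE

def is_suspicious(manifest_xml, threshold=3):
    """Flag a manifest whose invasive-permission count reaches the threshold."""
    return len(invasive_permissions(manifest_xml)) >= threshold

# Constructed sample manifest mimicking the permission pattern described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed benign manifest: network access only, as an ad SDK would need.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""
```

On a real APK the manifest is stored in binary XML, so it must first be decoded (for example with apktool) before being fed to these functions.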

Although we have not fully explored it, there also appears to be an alternative infection vector: sports fans who visit the video streaming site from a web browser may be subject to infection via another route.  This may stem from the recent VLC Media Player vulnerabilities that were patched on June 6, 2019.

The Motherlode

This campaign also appears to share malicious infrastructure that targets Win32 (Windows) operating systems and Android cellular phones.  The following hashes have been identified and are active as of the beginning of the Women’s World Cup games.  The first four hashes are for malware targeting Windows-based hosts.  The last hash is for a payload targeting Android devices.

IOC Type   Value
SHA256     1d777372010272339e7e4da5ed4cbffbb8bb57c9ad73e2e0945edba865c1fdc7
SHA256     884d7c94c21bd8b28dd57a27b2eb57d4db331a8c820ee39a586bbf28556b50bb
SHA256     7ed857c2f5528b1db0894d96a2adde0f6f4438bb9f410e580c768264934f031d
SHA256     4d339ce8fd6b42762b4f6aa66b58570b4227e6aeee87833b49889874f64b19bf
SHA256     02f32a0deac2d56479111a3675ad0aa0b068f255050db8f09770b147c4abe99a

Recommendations

This is a very active threat targeting fans of the Women’s World Cup 2019.  Users should make sure Android devices are protected with an anti-virus app. Users who stream video with VLC Media Player should immediately apply the patch. Users should also avoid visiting non-official live video streaming sites.
