Mobile Malvertising : Fake Virus Alert
Fake Java/Flash have decreased in France, so now I will hit another thread: malvertising on mobile that shows Fake Virus Alerts.
Fake Virus Alerts are an old social engineering attack, probably from 2005.
It was used by malware like Zlob (Hello S!Ri) and other malware using Rogues/Scarewares.
The goal is to show a fake virus alert and offer an executable as a solution. After that, hacked websites (LizaMoon massive SQL injection attack, etc.) redirected to Fake Virus Alerts to push Rogues/Scarewares.
You can find some examples of Fake Alert in this topic : http://forum.malekal.com/rogues-alertes-securite-t7139.html
For some months now, Fake Virus Alert malvertising has targeted mobile.
I made a post (in French) with some screenshots: http://www.malekal.com/2014/01/04/publicites-pourries-sur-tablettesmobile/
Below are two examples in English:
This one redirects to the Play Store and offers the program Clean Master (Cheetah Mobile); it is not new and was already mentioned at this link: http://www.malekal.com/2014/01/04/publicites-pourries-sur-tablettesmobile/
So far, I have identified 3 ad networks involved in the Fake Virus Alert campaign:
- Adcash (a lot from them)
- PlugRush (Adult)
- JuicyAds (Adult)
Some Fiddler logs: http://malvertising.stopmalwares.com/fiddlerlogs/Android_FiddlerLogs.zip
Here are some landing URLs:
- http://cleanmaster.mobilebatterysolution.com/3265.html (23.200.87.206 - 23.200.87.181)
- http://android.com-2.mobi/lp/france/afflib.php?aep=wifi&nid=100&rcid=6171&sid=56926&cat=wired&ts=7472&rb=5&rid=26 (162.159.252.99 - 162.159.253.99)
- http://wap.fumblo.com/fr/antivirus3/?cpid=61_e2c4x244f4v2y2_858953b4635a4d3385ebbaac2b7af13b&publisher=CD12814 (46.255.106.32)
- http://androidsecurityfree.mobi/fr/av/index.php (8.36.40.76)
- http://android-guard.com/av/fr/s03/index_gl_01.php (94.199.251.101)
- http://mobile.com-fm.net/antivirus/fr/index.php?r=ac&s=252964277 (72.9.156.206)