Scammers have been using shady link-shortener services to expose victims to scareware ads that lead to downloads of advertising-based malware.

A malware called Android/FakeAdBlocker was spotted in its debut back in September 2019, and by the first half of this year, more than 150,000 instances of this threat were found to have been downloaded to Android devices.

Based on ESET telemetry, the most affected countries have been Ukraine, Kazakhstan, Russia, Vietnam, India, Mexico, and the United States.

In most cases the malware displays aggressive ads, but in hundreds of cases other malicious payloads were also downloaded and executed, including the Cerberus banking trojan, which was variously disguised as Chrome, Android Update, Adobe Flash Player, or Update Android, and downloaded to devices in Turkey, Poland, Spain, Greece, and Italy. ESET also saw the Ginp trojan being downloaded in Greece and the Middle East.

Modus operandi

The aggressive advertising-based malware usually hides its launcher icon after its first launch, delivers unwanted scareware or adult-content advertisements, and creates spam events for the upcoming months in iOS and Android calendars. These ads often cost their victims money by sending premium-rate SMS messages, subscribing them to unnecessary services, or downloading Android banking trojans, SMS trojans and other malicious applications.

Additionally, the malware uses URL-shortener services to create links to ads, which in some cases monetize their clicks.

Said one of the firm’s researchers, Lukáš Štefanko, who analyzed the malware: “Based on our telemetry, it appears that many users tend to download Android apps from outside Google Play, which might lead them to download malicious apps delivered through aggressive advertising practices that are used to generate revenue for their authors: when someone clicks on such a shortened URL link, an advertisement will be displayed that will generate revenue for the person who generated the link. The problem is that some of these link-shortener services use aggressive advertising techniques such as scareware ads informing users their devices are infected with dangerous malware.”

For victims using Android devices, the situation can be more dangerous because these scareware websites may offer a malicious app for download from outside the Google Play store. In one scenario, the website prompts the user to download an application called ‘adBLOCK’, which is not an ad blocker. In another scenario, when the victims proceed to download the requested file, they are shown a web page describing the steps to download and install a malicious application named “Your File Is Ready To Download.” In both scenarios, a scareware advertisement, or the Android/FakeAdBlocker trojan, is delivered via a URL-shortener service.

[Figure: Top 10 countries with Android/FakeAdBlocker detections (January 1, 2021 – June 1, 2021)]

Be scared of scareware

Malicious link-shortener services can push events to iOS calendars and, on Android devices, distribute the Android/FakeAdBlocker malware. Besides flooding victims with unwanted ads, these links can create events in victims’ calendars by automatically downloading an ICS calendar file.

“It creates 18 events happening every day, each of which lasts 10 minutes,” Štefanko said. “Their names and descriptions suggest that the victim’s smartphone is infected, the victim’s data is exposed online, or a virus protection app has expired. Descriptions of each event include a link that leads the victim to visit a scareware advertisement website. That website again claims the device has been infected, and then offers the user an option to download shady cleaner applications from Google Play.”
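The calendar-spam behaviour described above leaves a recognisable footprint in the victim's calendar: many short events per day whose titles use alarm language and whose descriptions carry a link. The following is an added example, not ESET's code and not part of the original article, of a small triage script that scans an exported ICS file for exactly that pattern. The heuristics (events of 15 minutes or less, scare words, a URL in the description) and the sample calendar, including its placeholder URL, are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample ICS in the shape the article describes: short events whose
# descriptions contain a link. The domain is a placeholder, not a real indicator.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed-sample//EN
BEGIN:VEVENT
UID:evt-1@example.invalid
DTSTART:20210601T080000Z
DTEND:20210601T081000Z
SUMMARY:Your phone is infected!
DESCRIPTION:Your data is exposed online. Clean now: http://scareware.example.invalid/clean
END:VEVENT
BEGIN:VEVENT
UID:evt-2@example.invalid
DTSTART:20210601T090000Z
DTEND:20210601T091000Z
SUMMARY:Virus protection expired
DESCRIPTION:Renew here http://scareware.example.invalid/renew
END:VEVENT
BEGIN:VEVENT
UID:evt-3@example.invalid
DTSTART:20210601T120000Z
DTEND:20210601T130000Z
SUMMARY:Dentist
DESCRIPTION:Bring insurance card
END:VEVENT
END:VCALENDAR
"""

URL_RE = re.compile(r"https?://[^\s<>\"]+")
# Assumed scare vocabulary, taken from the event names the article reports.
SCARE_WORDS = ("infected", "virus", "exposed", "expired")


def parse_ics(text):
    """Minimal VEVENT parser: returns one dict of properties per event.
    Unfolds RFC 5545 continuation lines (a line starting with space or tab
    continues the previous one) and drops property parameters such as TZID."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    events, current = [], None
    for line in unfolded.splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.split(";", 1)[0]] = value
    return events


def _parse_dt(value):
    # Handles the basic UTC form used in the sample (YYYYMMDDTHHMMSSZ).
    return datetime.strptime(value.rstrip("Z"), "%Y%m%dT%H%M%S")


def flag_events(text, max_minutes=15):
    """Flag events that carry a link and are either very short or use scare
    language; also report the busiest day so a flood of events stands out."""
    flagged, per_day = [], Counter()
    for ev in parse_ics(text):
        start, end = _parse_dt(ev["DTSTART"]), _parse_dt(ev["DTEND"])
        minutes = (end - start).total_seconds() / 60
        per_day[start.date()] += 1
        blob = ev.get("SUMMARY", "") + " " + ev.get("DESCRIPTION", "")
        urls = URL_RE.findall(blob)
        scary = any(word in blob.lower() for word in SCARE_WORDS)
        if urls and (scary or minutes <= max_minutes):
            flagged.append({"uid": ev.get("UID"), "summary": ev.get("SUMMARY"),
                            "minutes": minutes, "urls": urls})
    return {"flagged": flagged,
            "max_events_per_day": max(per_day.values(), default=0)}


if __name__ == "__main__":
    report = flag_events(SAMPLE_ICS)
    for item in report["flagged"]:
        print(f"{item['uid']}: '{item['summary']}' ({item['minutes']:.0f} min) -> {item['urls']}")
    print("busiest day:", report["max_events_per_day"], "events")
```

Run against a real export, the script is a triage aid rather than a verdict: a legitimate reminder with a link will also match, so the useful signal is the combination of many matches on the same day with the scare vocabulary, which is what the flagged list and the per-day count together show.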