Black SEO with mobile overtones

    Lately, mobile Internet users can hardly take a step without running into a lightning-fast infection of their system. A lot has already been said about this. In this post, we examine one popular Google query and find that its results are very interesting. For the research, we used the Mozilla Firefox browser with the "User Agent Switcher" plugin installed, which lets you set an arbitrary user agent. To simulate a smartphone, the user agent was set as if the browser were running on an Android mobile device:

    “userAgent : Mozilla/5.0 (Linux; U; Android 1.5; de-ch; HTC Hero Build /CUPCAKE) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1”

    To find malware, the rather popular query “opera mini download” was entered into Google:
    image

    The first surprise is the absence of the official Opera site. Instead, the first line is an ad, “OperaMini for free”, which supposedly leads to the website www.ebay.ru, but clicking the link actually goes to ebay *****. Biz, from which the malware is downloaded. At first glance it is already clear that most of the other links lead to malicious resources. Some domains are in the .in and .ws zones, and some have names like “getoperafree”. All these sites are built the same way, and all contain an Opera Mini download link. As expected, what gets downloaded is a malicious .apk file. Its main purpose is to send SMS messages to a short number. The contents of the config, which holds the numbers and message text, are base64-encoded:

    image

    After decoding, it looks like this:

    image

    The code that sends messages looks like this:

    image

    The mobile Internet sector is now simply full of infections, and a malicious link can be found on the first page of Google results for almost any query. Even for two queries that are not related to software at all, the results still include pages from which you can get malware. So be careful: use an antivirus, do not install unknown applications, and review the permissions an application requests.
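
    The two checks described above (the permissions an application requests, and a base64-encoded config holding short numbers and message text) can be automated when triaging a downloaded .apk. The following is an added example, not code from the original post or from the analysed sample; the config layout, the file names and the 3 to 6 digit short-number heuristic are assumptions, and the sample archive is constructed.

```python
import base64, binascii, io, re, zipfile

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Heuristic (assumption): a short number is a standalone run of 3-6 digits.
SHORT_CODE = re.compile(r"(?<!\d)\d{3,6}(?!\d)")
SEND_SMS = "android.permission.SEND_SMS"

def decode_candidates(data):
    """Yield readable text recovered from base64 runs found in raw bytes."""
    for match in B64_RUN.finditer(data):
        try:
            text = base64.b64decode(match.group(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # bad length/padding, or decodes to binary: not a text config
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            yield text

def triage_apk(apk_bytes):
    """Return (requests_send_sms, [(entry_name, decoded_text, short_codes), ...])."""
    wants_sms, findings = False, []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            if name == "AndroidManifest.xml":
                # The compiled manifest keeps its strings as UTF-8 or UTF-16LE.
                wants_sms = any(SEND_SMS.encode(enc) in data
                                for enc in ("utf-8", "utf-16-le"))
                continue
            for text in decode_candidates(data):
                codes = SHORT_CODE.findall(text)
                if codes:
                    findings.append((name, text, codes))
    return wants_sms, findings

def build_sample_apk():
    """Constructed stand-in for an APK; the config format is hypothetical."""
    config = base64.b64encode(b"number=1234;text=constructed sample message")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("AndroidManifest.xml", SEND_SMS.encode("utf-16-le"))
        archive.writestr("res/raw/config.dat", config)
        archive.writestr("res/raw/readme.txt", "nothing encoded here")
    return buf.getvalue()

if __name__ == "__main__":
    sms, hits = triage_apk(build_sample_apk())
    print("requests SEND_SMS:", sms)
    for entry, text, codes in hits:
        print(entry, "->", text, codes)
```

    An archive that both requests SEND_SMS and carries an encoded blob with short numbers deserves a closer look before anyone installs it; either signal alone is weaker.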
