The ESET Research Team analyzed Android/FakeAdBlocker, an aggressive ad-based threat that downloads malware. Android/FakeAdBlocker abuses URL shortener services and iOS calendars. It distributes trojans to Android devices.
Android/FakeAdBlocker usually hides its launcher icon after first launch. It serves unwanted ads for fake apps or adult content, and it creates spam events for the coming months in iOS and Android calendars. These ads often cause victims to lose money by sending paid SMS messages, subscribing to unnecessary services, or downloading Android banking trojans, SMS trojans and malicious apps. Additionally, the malware uses URL shortener services to generate ad links. Users lose money when clicking the generated URL links.
Based on ESET telemetry, Android/FakeAdBlocker was first detected in September 2019. Between January 1 and July 1, 2021, more than 150,000 instances of this threat were downloaded to Android devices. The most affected countries include Ukraine, Kazakhstan, Russia, Vietnam, India, Mexico and the United States. While the malware displayed offensive ads in many instances, ESET also detected hundreds of cases where different malware was downloaded and executed. These include the Cerberus trojan, which poses as Chrome, Android Update, Adobe Flash Player or Update Android and was downloaded to devices in Turkey, Poland, Spain, Greece and Italy. ESET has also determined that the Ginp trojan has been downloaded in Greece and the Middle East.
Be careful where you download apps
ESET Researcher Lukáš Štefanko, who analyzed Android/FakeAdBlocker, explained: “Based on our telemetry, many users tend to download Android apps from sources other than Google Play. This, in turn, can lead to the spread of malicious software by aggressive advertising practices used by authors to generate revenue.” Commenting on monetization of shortened URL links, Lukáš Štefanko continued: “When someone clicks on such a link, an ad is displayed that generates revenue for the person who created the shortened URL. The problem is that some of these link shortening services use offensive advertising techniques, such as fake software that tells users their devices are infected by dangerous malware.”
The ESET Research Team has detected link shortening services that send events to iOS calendars and activate the Android/FakeAdBlocker malware, which can be launched on Android devices. In addition to flooding the user with unwanted ads on iOS devices, these links can automatically download an ICS calendar file and create events on victims' calendars.
Users are cheated
Štefanko continued: “It creates 10 events that take place every day, lasting 18 minutes each. Their names and descriptions create the impression that the victim's phone is infected, that the victim's data has been exposed online, and that the antivirus application has expired. The descriptions of the events contain a link that directs the victim to visit the fake adware website. That website again claims that the device is infected and offers the user the option to download supposedly cleaner apps from Google Play.”
The situation is even more dangerous for victims using Android devices, because these fraudulent websites can lead to malicious app downloads from outside the Google Play store. In one scenario, the website asks the user to download an app called “adBLOCK”, which has nothing to do with any legitimate practice and does the opposite of blocking ads. In another scenario, when victims proceed to download the requested file, a web page appears with steps to download and install the malicious application called “Your File Is Ready To Download”. In both scenarios, fake adware or the Android/FakeAdBlocker trojan is delivered via the URL shortening service.
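As an added example (not part of ESET's analysis), the following Python triage script reads an ICS file and flags events that show the calendar-spam traits described above: daily recurrence, a link in the event text, and scare wording. The keyword list, the threshold and the sample calendar are assumptions constructed for illustration.

```python
import re

# Constructed sample calendar for illustration (not taken from a real campaign).
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:1@example.invalid
SUMMARY:Your phone may be infected! Clean it now
DESCRIPTION:Viruses detected. Tap https://short.example/abc to protect
  your data.
RRULE:FREQ=DAILY
END:VEVENT
BEGIN:VEVENT
UID:2@example.invalid
SUMMARY:Team meeting
RRULE:FREQ=WEEKLY
END:VEVENT
END:VCALENDAR
"""

SCARE = re.compile(r"infected|virus|expired|exposed|protect", re.I)  # assumed keywords
URL = re.compile(r"https?://\S+", re.I)

def parse_events(text):
    """Minimal VEVENT reader: unfolds RFC 5545 continuation lines, drops parameters."""
    events, cur = [], None
    for line in re.sub(r"\r?\n[ \t]", "", text).splitlines():
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";", 1)[0].upper()] = value
    return events

def score(ev):
    """Return which of the described spam traits this event shows."""
    text = ev.get("SUMMARY", "") + " " + ev.get("DESCRIPTION", "")
    checks = [("daily recurrence", "FREQ=DAILY" in ev.get("RRULE", "").upper()),
              ("link in text", bool(URL.search(text))),
              ("scare wording", bool(SCARE.search(text)))]
    return [name for name, hit in checks if hit]

def suspicious(text, threshold=2):
    """UID and reasons for every event showing at least `threshold` traits."""
    scored = [(e.get("UID"), score(e)) for e in parse_events(text)]
    return [(uid, why) for uid, why in scored if len(why) >= threshold]
```

Calling `suspicious()` on the contents of a downloaded `.ics` file before importing it lists the events worth reviewing, together with the reasons each was flagged.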