Three friends sitting on the couch as they look at the message on their phone in shock

Fake Android Virus Alert Blames Chinese Hackers

China, eh? They get blamed for everything.

Well, here’s another one to add to the pile – in the form of a fake infection warning on what may be a compromised website. Clearly, whoever put this one together is watching all those APT news stories with glee and weaving them into their efforts below.

The page, located at paulgrenwood(dot)com/US/smart/index(dot)html, displays the following to anyone passing through:

China did it!

Warning! Your phone is attacked by severe virus that can steal your privacy which created by Chinese hackers on [date].

Please clear this virus immediately.

 

The next page is another fake warning message, complete with phony “Android App on Google Play” button underneath the message and “infections” listed:

Warning message...

Warning: you may be at risk

Virus and Malware affecting Android

SMS Spy GeiNiMi VIRUS MSO.PJApps.T a.payment.SkullKeyll.a

Remove Now Android App on Google Play

 

There is no app here; instead, we have a rotator URL which sends visitors to a variety of random adverts depending on geographical location. The URL in question is

clmbtrk(dot)com/?a=17990&c=81777&s1=

Continuing with the mobile theme, we found that visiting the URL with a standard desktop setup would, more often than not, lead to a blank page. Changing the browser user agent to something resembling a mobile worked wonders, however.

The bulk of the pages seen were dating sites with a lot of flesh on display, and even one hardcore pornography site:

Elsewhere, we saw a splash for a site which sort of resembled a Google Play page except with some odd wording (“The best games of undefined…”) and a “Get it free” button which didn’t lead anywhere:

The best games of undefined...

There was also this enigmatic page with nothing but a link to a privacy policy:

Privacy policy

Finally, we had this one which didn’t seem to work at time of testing:

No idea.

A mixed bag of landing pages, then, and no virus infection (or removal tool) in sight.

Terrifying messages of impending doom on a mobile device are always more worrying than on a desktop, because many device owners may not be locking down their phones the way they do their PCs.

It’s even worse if on a mobile data package, because nobody wants to end up on premium rate services or websites and contend with spurious charges. Once the popups and redirects take hold, it’s sometimes hard to keep your composure and get a handle on multiple tiny screens doing weird things.

In the above case, there’s no infection to worry about so no need to panic. Advert redirects to unwanted locations are always a pain – especially if younger members of your family happen to be on the phone at the time the redirects happen – but you’ve generally got to work at it to infect a mobile device with something bad.

Keeping the “Allow installs from unknown sources” checkbox unticked and the “Very Apps” checkbox ticked won’t make your phone bulletproof, but it will go a long way towards keeping you secure.

Christopher Boyd (Thanks to Adam for the heads up)

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.