OFFICIAL SECURITY BLOG
March 25, 2014 | BY Christopher Boyd
Up above, you can see a (sanitised) screenshot of a web browser shortly after installing a “SoundCloud Downloader”.
The non-sanitised version has the words “spank me” written across the middle, and the mouse moves a hand – no, really – until you perform said task and are directed to what appears to be a porn / adult dating sign-up page.
And that’s before we get to the really wild stuff. Be advised that if you go looking for tunes, you may be in need of a tune-up.
How did all of this come about?
The download site says it is the “easiest way to download songs directly to your computer… you can download any song on Soundcloud”.
At first it seems like a fairly standard install, with the usual assortment of programs that end-users may or may not want (probably “not”, given all they want to do is download music. But there’s always a trade-off…)
InstallPath Install Manager takes care of the “download and installation process of this file”, and additional software comes in the form of Surftastic, Mobogenie and Awesomehp.
Worth noting that if you read all of the listed EULAs and policy pages, you’re looking at something like 18,000 words to plough through. I say “something like”, because one of the pages isn’t text you can tally up – it’s one gigantic screenshot of text instead. Here’s the zoomed out version of the image:
I have to admit, that’s a new one on me.
Anyway, back to the install. This is where things took an unusual turn:
“…we would like to install on your machine the following program that uses your CPU for virtual currency mining and other computational activities when it is idle / standby, this program does not interfere with normal operations of the processor while you are working on the machine”
Well, that sounds straightforward enough. But should you click the EULA, you may find yourself feeling a little…uncomfortable?
1) “…not approved for use and may not be used within the countries of Canada, the United States of America, Spain, France, England, Ireland, Scotland, Germany, Italy”.
It doesn’t say why, but apparently the program won’t work if located in those countries and you need to both remove and delete all copies of the software. Here’s the bit that made me sit up and take notice:
2) “…may do but not limited to the following actions to your personal computer: utilize all computing processing unit and graphics processing unit, power, random access memory, virtual memory…network capacity and bandwidth and any other resources it sees fit, activate all fans and generate an unlimited amount of heat, and utilize an unlimited amount of electricity (outlet and battery). This may damage and cause irreparable harm to your computer”
That sound you hear is the ever increasing distance of my footsteps, breaking into a mad dash for freedom.
Elsewhere, I spotted some text I thought I’d seen somewhere before:
COMPUTER CALCULATIONS, SECURITY: as part of downloading the PCDataApp software, your computer may do mathematical calculations for our affiliated networks to confirm transactions and increase security. Any rewards or fees collected by PCDataApp or our affiliates are the sole property of PCDataApp and our affiliates.
On the one hand, the people behind this bundle are being surprisingly upfront about the system-stressing possibilities of a miner (assuming you click the links in the installer; otherwise you’re going to miss it). On the other hand, who would read all of the above and think “Yes please, sign me up”?
It’s very peculiar.
The VirusTotal score for the initial installer is 12 / 50, and Malwarebytes Anti-Malware detects it as PUP.Optional.Amonetize.A. Here are some of the more unique additional names being used by the executable, courtesy of the VirusTotal Additional Information tab:
The Palestine Israel Conflict Downloader__3687_i465117495_il3646208.exe
Grave Robber from quot Repo the Genetic Opera quot Zydrate Anatomy__3055_il3228117.exe
Grave Robber from quot Repo the Genetic Opera quot Zydrate Anatomy__3055_il3228561.exe
You may also want to take a look at the Malwr.com sandbox analysis.
The mining EULA from this particular install is certainly a little eyebrow-raising, and then there’s the issue of your web browser displaying an amazingly overt “this has nothing to do with me” advert sitting in the middle of the page (good luck explaining that one to whichever random relative happens to be in the room at the time).
If you want to listen to music on Soundcloud, you’re probably better off just streaming it like everybody else.
Christopher Boyd (Thanks to Jerome and Adam for additional information)