Android Trojan FakeApp masquerading as legitimate

“Your Android is Expired!”

We’ve seen reports of a dubious URL being served up via mobile advertising over the last day or two. This is certainly the kitchen-sink approach to making a URL look as “legit” as possible:

paly(dot)google(dot)com(dot)store(dot)apps(dot)siteadvisor(dot)club/5MBivfkif2mmhxluoImYurMuwz/pl/

The first part is supposed to look like the Play Store URL (play(dot)google(dot)com), and they’ve also thrown in a random mention of Siteadvisor for those sweet, sweet credibility chops. Unfortunately, the definition of “credibility” is being strained somewhat [1], [2], [3]. There are a few older examples floating around which sport a slightly different URL, while retaining the “paly” part [1], [2].
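As an added example (not from the original post), this Python sketch shows why the hostname is deceptive: the domain that actually serves the page is whatever sits at the right-hand end, and the Play Store lookalike is only a run of subdomain labels. The `TRUSTED_HOSTS` list, the function names and the last-two-labels shortcut for the registrable domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts we expect users to trust (hypothetical allow-list).
TRUSTED_HOSTS = ["play.google.com"]

def refang(text):
    """Undo the (dot)/[.] defanging used in write-ups, for analysis only."""
    return text.replace("(dot)", ".").replace("[.]", ".")

def osa_distance(a, b):
    """Edit distance that counts an adjacent swap ("paly"/"play") as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def analyse(url):
    """Return the host, its registrable domain and any trusted-host lookalikes."""
    text = refang(url)
    host = urlsplit(text if "://" in text else "//" + text).hostname or ""
    labels = host.split(".")
    # Simplification: last two labels; production code should use the Public Suffix List.
    registrable = ".".join(labels[-2:])
    lookalikes = []
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            continue  # really served from the trusted host
        width = len(trusted.split("."))
        for i in range(len(labels) - width + 1):
            window = ".".join(labels[i:i + width])
            distance = osa_distance(window, trusted)
            if distance <= 1:  # exact copy or one typo/swap, but in the wrong place
                lookalikes.append((window, trusted, distance))
    return {"host": host, "registrable": registrable, "lookalikes": lookalikes}

# Sample input: the defanged URL quoted in the post.
SAMPLE = "paly(dot)google(dot)com(dot)store(dot)apps(dot)siteadvisor(dot)club/5MBivfkif2mmhxluoImYurMuwz/pl/"

if __name__ == "__main__":
    print(analyse(SAMPLE))
```
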

Here’s the landing page for the (current) site in question:

Update Android...

Your Android is expired!

Update to the latest version of Android

The old system program will cause the system to slow down. you do not upgrae to the latst version will lead to system failure.

How to update

Step 1: For security reasons, ap the button, download the tool from google play, about 1MB in size.

Step 2: Install the downloaded application, your system will be more faster and safer.

Install Now

There’s also a popup box which says:

WARNING: Your Android system is expired!

Well, that doesn’t sound very good.

Clicking the button took us to a download, but only if our name was down on the “You’re coming in” geolocational guest list. Here’s one of the many occasions where it wasn’t:

Not available!

Some error was happened [sic]

Sorry, the APP cannot be downloaded in your country

After a bit of trial and error, we were eventually sent to the below Play Store “Junk Clean” app:

Play Store

We had another go, and the results were a bit different (and Polish).

Polish popup

My hopefully not-too-mangled Google Translate attempt:

Found 4 viruses!

Step 1: Click the button below to download the latest antivirus software.

Step 2: Confirm your phone number and perform a scan of your phone (together with the scan SIM card).

Found 4 viruses! Your phone has been infected with four viruses, and could be damaged.

We have detected that recently visited pornographic sites, 28.1% of the data on the phone was infected by malicious viruses. The virus can damage the SIM card. Your private data I leaked, photos and a list of contacts can be lost.

2 minutes and 54 seconds.

If you do not immediately remove the virus can lead to even greater damage.

Please follow the steps below:

Step 1: Click the button below to download the latest antivirus software ...!

Step 2: Confirm your phone number and perform a scan of your phone (together with the scan SIM card).

Clicking the button takes us to something which resembles a ringtone-style sign up page, but offering a security product instead of, er, ringtones.

Sign up time

Protect Your Phone Android software solutions antivirus Mc Safety Virus Protection Protection while surfing anti Theft Accept calls / SMS
Yes service is a subscription service. Intended only for people over 18 years of age. Its terms and conditions specified in the regulations. Subscribe to our site, and each week you will have access to apps, music, ringtones, wallpapers and games - you can download unlimited (the fee is 6,15 PLN gross / SMS, you will receive 3 SMS / week, every Tuesday, Thursday and Saturday approx. h. 16.00). The total monthly cost is: 73,80 PLN gross. In addition, after the registration of the Service, Client will receive one paid message in the price of PLN 6.15 gross

…wait a minute…

you will have access to apps, music, ringtones, wallpapers and games

….oh.

There seem to be quite a few problematic mobile adverts doing the rounds at the moment (here’s four or so pages of complaints just from one website), and many device owners report being trapped on the page / locked into redirects. If that happens to you and there’s no way out, it may well be safer to just switch off the phone and reboot than try your luck in a game of “Dodge the Advert”.

Christopher Boyd

ABOUT THE AUTHOR

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.