
A network of sites that spread viruses under the guise of instructions and firmware for mobile phones

[image] (Image source)

It all started with my needing a spare mobile phone. I realised I needed a backup “dialer” after the smartphone (literally) ran out of charge at the end of the day and shut down, leaving me without a connection in a critical situation for the second time. One way or another, the choice fell on the MTS-252. Although I had no intention of using the phone with other operators, the hacker in me demanded that I look for information on whether and how it could be “unlinked” from MTS.

For the search query mts 252 unlocking, the third result was the link i-manuals.ru/mod_4234/MTS-252. Following it, I was surprised that for such a simple phone, one without even WAP or Java support, there were five firmware versions (and judging by the dates, new versions come out up to 3 times a month), two PC programs (a service one and an ordinary one), and even a special build of QIP. At first I didn't notice the catch, especially remembering that back in the day reflashing the wonderful Siemens SL45 added not just games and programs but even Java support and (incredible but true!) a SIM-card emulator. I decided to download all the firmware versions just in case. It was a bit strange that the downloaded files were identical in size down to the byte, but with firmware that does happen. Everything finally became clear after I downloaded the instructions for connecting the phone to a computer: they also turned out to be a ZIP archive of exactly the same size as the “firmware”. After that, the result of scanning the “firmware” on VirusTotal came as no surprise.
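The two clues in the paragraph above (every download has exactly the same size, and a "manual" turns out to be a ZIP) can be checked mechanically before anything is opened. The following is an added example, not code from the post's author: it hashes a set of downloaded files, groups them by content, and compares each file's magic bytes with what its name claims. The sample files, their names and their contents are constructed inline so the script runs offline; the extension-to-type table is an assumption that covers only the formats this check needs.

```python
"""Triage helper for a batch of downloads: flag files whose contents are
identical despite different names, and files whose real type does not match
the extension they were offered under (e.g. a "manual.pdf" that is a ZIP)."""
import hashlib
import os
import tempfile
from collections import defaultdict

# Magic-byte signatures for the container types this check cares about
# (constructed table; extend as needed).
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"MZ": "pe",
}

# What a given extension is expected to contain. ".bin" firmware images have
# no fixed container, so they carry no expectation (assumed mapping).
CLAIMED = {".pdf": "pdf", ".exe": "pe", ".zip": "zip", ".bin": None}


def sniff_type(data: bytes) -> str:
    """Return the container type implied by the leading bytes."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def fingerprint(path: str) -> dict:
    """Size, SHA-256 and sniffed type of one file."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "path": path,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": sniff_type(data),
    }


def triage(paths):
    """Return (duplicate_groups, type_mismatches).

    duplicate_groups: {sha256: [paths...]} for every hash shared by >1 file,
    i.e. "different" downloads that are byte-for-byte the same payload.
    type_mismatches: paths whose sniffed type contradicts their extension.
    """
    records = [fingerprint(p) for p in paths]
    by_hash = defaultdict(list)
    for r in records:
        by_hash[r["sha256"]].append(r["path"])
    duplicates = {h: ps for h, ps in by_hash.items() if len(ps) > 1}

    mismatches = []
    for r in records:
        expected = CLAIMED.get(os.path.splitext(r["path"])[1].lower())
        if expected is not None and expected != r["type"]:
            mismatches.append(r["path"])
    return duplicates, mismatches


def build_sample_set() -> list:
    """Write a constructed download set to a temp dir and return the paths:
    five 'firmware' versions and a 'manual' that are all the same ZIP-looking
    blob, plus one genuine-looking PDF."""
    tmp = tempfile.mkdtemp(prefix="fake_fw_")
    same_blob = b"PK\x03\x04" + b"\x00" * 60  # constructed ZIP-like payload
    real_pdf = b"%PDF-1.4\n%constructed sample\n"
    names = [f"MTS-252_fw_v{i}.bin" for i in range(1, 6)] + ["manual.pdf", "readme.pdf"]
    paths = []
    for name in names:
        p = os.path.join(tmp, name)
        with open(p, "wb") as f:
            f.write(real_pdf if name == "readme.pdf" else same_blob)
        paths.append(p)
    return paths


if __name__ == "__main__":
    dups, bad = triage(build_sample_set())
    for h, ps in dups.items():
        print(f"identical payload {h[:12]}... served as {len(ps)} files:")
        for p in ps:
            print("   ", os.path.basename(p))
    for p in bad:
        print("type mismatch:", os.path.basename(p))
```

On the constructed set the script reports one hash shared by six files (the five "firmware" versions and the manual) and flags manual.pdf as a ZIP offered under a PDF name; either finding alone is reason to send the sample to a scanner or sandbox rather than open it.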

Further on it gets more interesting. If you look closely at the site i-manuals.ru, it becomes clear that what we have is a fake built to push malware under the guise of instructions and firmware for phones. If you search by keywords from the site, the scale of the epidemic becomes clear: on the first page of results alone there are 7 different domains with exactly the same content.

Honestly, besides the main goal of warning the community, I also ask knowledgeable people to suggest possible ways to counter this dirty trick. The thing is that, unlike the recent scammers who sent Java Trojans under the guise of MMS, whose takedown took only a single abuse report, the creators of this “service” know how to keep their eggs in different baskets: the hosting providers and registrars of all the domains are different (e.g. two, three, four, etc.). Honestly, the only countermeasure that comes to mind is search-engine blacklists (“this site may harm your computer”), but where should I write so that all the fake sites end up there? There still seem to be representatives of the antivirus industry here; can they contribute somehow?

UPD: The result of behavioral analysis from GFI Sandbox has arrived. Those interested can find it (link in the original). Judging by the screenshot, it is probably not a virus but a fake archive: most likely, if you click "Extract" you will be asked to send an SMS to get the password for the archive. But then why the strange network activity, keyboard hooking and strange registry entries? In general, the topic badly needs attention from representatives of antivirus companies. Hey! Please respond!

UPD2: As the comments show, the files really did contain a fake archive demanding that you send an SMS.

UPD3: Added a link to the source of the picture.

Source: https://habr.com/ru/post/133286/
