Lately, mobile Internet users can hardly take a step without running into a near-instant system infection. Much has already been said about this. In this post, we look at one popular Google query and find that its results are very interesting. The study used the Mozilla Firefox browser with the User Agent Switcher plugin installed, which lets you set an arbitrary user-agent. To imitate a smartphone, the user-agent was set as if the browser were running on a mobile device with Android:
“userAgent : Mozilla/5.0 (Linux; U; Android 1.5; de-ch; HTC Hero Build /CUPCAKE) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1”
To find malware, a popular query for downloading Opera Mini was entered into Google:
The first surprise is the absence of the official Opera website. Instead, the first line contains the ad “OperaMini for free”, which supposedly leads to www.ebay.ru, but clicking the link actually goes to ebay*****.biz, from which the malware is downloaded. Even at first glance, most of the other links lead to malicious resources. Some domains are in the .in and .ws zones, and some have names like “getoperafree”.



All these sites are built the same way, and all contain a link to download Opera Mini. As expected, a malicious .apk file is downloaded. Its main purpose is sending SMS to a short number. The config, which contains the numbers and the text of the messages, is encoded with base64:

After conversion, it looks like this:

The code itself, which sends messages, looks like this:

The mobile Internet is now full of malware, and for almost any query a malicious link can turn up on the first page of Google results.


Even for two queries that are not related to software at all, the results still include pages from which you can get the malware. So be careful: use antivirus, do not install unknown applications, and look at the permissions the application requires.
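
A base64-encoded config like the one described above can be found without running the app. The following Python is an added example, not code from the original post or from the sample: it scans a strings dump for base64 runs that decode to readable text containing short numbers. The config layout, the 3-6 digit short-number pattern and the sample data are assumptions constructed for illustration.

```python
import base64
import re

# Runs of the base64 alphabet long enough to hold a number plus message text.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Assumption for this example: an SMS short number is a standalone run of 3-6 digits.
SHORT_CODE = re.compile(r"(?<!\d)\d{3,6}(?!\d)")


def find_sms_config(strings_dump):
    """Return base64 blobs that decode to printable text containing short numbers."""
    findings = []
    for match in B64_RUN.finditer(strings_dump):
        blob = match.group(0)
        if len(blob) % 4:  # valid base64 is always a multiple of 4 characters
            continue
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # bad padding, or the bytes are not UTF-8 text
            continue
        # Ordinary identifiers that happen to look like base64 decode to junk.
        if not all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            continue
        codes = SHORT_CODE.findall(decoded)
        if codes:
            findings.append(
                {"offset": match.start(), "decoded": decoded, "short_codes": codes}
            )
    return findings


# Constructed sample: a hypothetical config layout with placeholder numbers.
SAMPLE_PLAIN = "sms1=0000:constructed text A;sms2=00000:constructed text B"
SAMPLE_STRINGS = "\n".join([
    "com.example.constructed.MainActivity",                      # plain identifier
    "cfg=" + base64.b64encode(SAMPLE_PLAIN.encode()).decode(),   # encoded config
    "abcdefghijklmnopqrstuvwx",                                  # base64-like, not text
])

if __name__ == "__main__":
    for hit in find_sms_config(SAMPLE_STRINGS):
        print(hit["offset"], hit["short_codes"], hit["decoded"])
```

A hit from a check like this, together with a request for SMS permissions, is a strong reason not to install the package.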