A Couple of Interesting Mobile Malware Sites

June 28, 2013 - By Chris Larsen

Although mobile malware has been a hot topic for a couple of years now, we're still very much in the early phase of adapting to life on this new frontier. In some ways, the mobile malware world is quite different from traditional desktop/laptop malware.

One of these ways is in the lifespan of malicious sites, and today I'll highlight a couple of examples that illustrate this.

 

The first site was mentioned in a blog post last week from F-Secure -- I'd missed the article originally, but found it linked in a weekly "summary" e-mail I was skimming through this morning.

When I checked our database for this evil domain (mobile-mobi.info), I found that it had been rated in our database as Suspicious for four and a half months. That's a long time for a malicious site to be left on line -- these days, a malware site used in traditional attacks on Windows and Mac computers tends to live less than a day, on average. Lifespans measured in months, not hours, is how malware sites worked back in the old days...

 

The second site came from their mention of a specific .APK malware file used in the attack (kmsw_605_fk.apk).

I went back and checked a couple of weeks of log traffic to see if we'd seen that file. We had indeed -- I found a dozen or so hits, all from the domain shown in their screenshot (4amig03s.com), and our logs showed that we'd correctly rated all of these requests as Suspicious.

Going back in the logs, I found that 4amig03s.com had been mostly dormant in 2012, but had really kicked into gear in January this year, averaging about a hundred hits a month ever since then. Nearly all of these were requests for various APKs, all of which had been flagged by WebPulse.

 

While it isn't quite as unusual for a relay type site (as in the first example) to be in use for a relatively long time in the normal malware world, I'd say that four and a half months is still much longer than average. And it is very unusual for a payload site to hang around for over six months! (Unusual enough for a blog post, anyway...)

 

 

Another point worth commenting on is that when I did a quick check of the referring sites to 4amig03s.com, I found that all the domains in my sample set were rated as Porn in our database -- many with "m." domain prefixes, indicating sites with content specifically designed for mobile phones. This matches F-Secure's observation of relays to "NSFW content", as well as what we've noticed in the past, including in our "Mobile Malware Report" earlier this year.

 

--C.L.

@bc_malware_guy