A little over a week ago while cleaning up my friend's computer I found he had a bunch of installers in his downloads folder that
were being labelled as "Install Core adware" which were able to install Android apps directly to Android phones/tablets without the
usual Android security/install prompts.
I called another friend who's a web/PHP developer and we figured out that these installers were using a cross-site/cross-app
request forgery attack against the Google Play Store. These "adware" installers are scanning PCs for Google login cookies and
then taking data from the cookies and sending it to the Play Store to make it appear that you are using your web browser to view the
Play Store and install Android Apps.
We also discovered these installers were able to install Chrome extensions without Chrome showing any security prompts. Some of
the extensions that were being secretly installed pop ad windows/tabs, inject graphical and text ads on every page you are
visiting. In some cases, these extensions were installed into Chrome (as well as Firefox and IE) without any disclosure at all.
Vonterra "Safe" Ad was one of the extensions that installed with a search toolbar called MySearchDial which apparently is also from
the company that makes these Install Core installers.
My friend and I emailed over a dozen reputable antivirus/antimalware companies all the information we had. Then I
waited a few days before publicly posting this information on the Malwarebytes forum (I couldn't find a direct way to contact them).
In that time a lot of the AV makers we contacted replied to us saying that these installers are trojans, not just adware. Here is
in that report is available for download from: hxxp://www.filefacts.com/google-chrome-download. This filefacts
site is where my friend admitted downloading programs from.
I'm posting this information to warn people so they can help themselves and their friends and family from getting infected. I
also want people with technical skills to help investigate what these installers are really doing and help report it to antivirus
companies so they can protect as many people as possible from getting infected. So far a lot of the security companies seem to
understand how serious this threat is, but companies like Microsoft aren't doing anything to detect or block these installers.
If you are not a security researcher, amateur or professional, do not mess around with this stuff. If you are, then you will find
that these Install Core installers have some method of detecting if they're running on virtual machines (such as VMWare) so you
will need a spare isolated physical machine to see what is really getting installed.
Edited by gnarusvenandi, 19 May 2014 - 11:28 AM.
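The post describes extensions that ended up in Chrome with no install prompt and no disclosure. One quick way for a responder to find such extensions is Chrome's own profile bookkeeping: the `Preferences` JSON records, per extension, whether it came from the Web Store (`from_webstore`), where it lives on disk and when it was installed. The script below is an added example, not code from the original post or from any of the vendors named in it; it runs a constructed sample of that JSON (made-up extension IDs, names taken from the post) through a checker that flags every extension Chrome did not record as a Web Store install.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the "extensions.settings" part of a Chrome
# "Preferences" file. A real file lives under the profile directory
# (e.g. ".../Default/Preferences") and carries many more keys. The
# 32-letter IDs are made up; two entries mirror the names from the post.
SAMPLE_PREFS = json.loads("""
{
  "extensions": {
    "settings": {
      "abcdefghijklmnopabcdefghijklmnop": {
        "from_webstore": true,
        "install_time": "13040000000000000",
        "location": 1,
        "manifest": {"name": "Example Web Store Extension", "version": "1.0"},
        "state": 1
      },
      "ponmlkjihgfedcbaponmlkjihgfedcba": {
        "from_webstore": false,
        "install_time": "13045000000000000",
        "location": 4,
        "manifest": {"name": "Vonterra Safe Ad", "version": "2.3"},
        "path": "C:/Users/user/AppData/Local/VonterraSafeAd",
        "state": 1
      },
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "install_time": "13046000000000000",
        "location": 3,
        "manifest": {"name": "MySearchDial"},
        "state": 1
      }
    }
  }
}
""")


def chrome_time_to_iso(value):
    """Convert a Chrome timestamp (microseconds since 1601-01-01 UTC) to ISO 8601."""
    if value is None:
        return None
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=int(value))).isoformat()


def find_sideloaded_extensions(prefs):
    """Return every extension Chrome did not record as a Web Store install.

    Chrome sets "from_webstore": true for extensions installed through the
    Chrome Web Store. A missing or false value means the extension arrived
    some other way (unpacked directory, external registry/JSON entry,
    policy), which is what a silent install by a third-party installer
    looks like in this file. Each hit carries the fields needed to locate
    and remove it. "location" is Chrome's integer install-location enum;
    its meaning is version-specific, so it is reported but not decoded.
    """
    settings = prefs.get("extensions", {}).get("settings", {})
    flagged = []
    for ext_id, entry in settings.items():
        if entry.get("from_webstore") is True:
            continue
        flagged.append({
            "id": ext_id,
            "name": entry.get("manifest", {}).get("name", "<unknown>"),
            "from_webstore": entry.get("from_webstore"),
            "location": entry.get("location"),
            "path": entry.get("path"),
            "install_time": chrome_time_to_iso(entry.get("install_time")),
        })
    return flagged


def scan_profile(preferences_path):
    """Load a real Preferences file from disk and run the same check on it."""
    with open(preferences_path, encoding="utf-8") as fh:
        return find_sideloaded_extensions(json.load(fh))


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; pass a real path to
    # scan_profile() to check an actual profile.
    for hit in find_sideloaded_extensions(SAMPLE_PREFS):
        print(f"{hit['id']}  {hit['name']!r}  from_webstore={hit['from_webstore']}  "
              f"installed={hit['install_time']}  path={hit['path']}")
```

A Web Store install would also be visible in the extension's own manifest (`update_url` pointing at Google's update service), but the `from_webstore` flag is the field Chrome itself consults, so it is the cheaper first check. On current Chrome builds on Windows the same `extensions.settings` keys live in `Secure Preferences`, which Chrome additionally protects with a MAC; the parser above applies unchanged to that file.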