HELP! "Adware" installers silently install Android apps, Chrome extensions, crazy adware

No replies to this topic

#1 gnarusvenandi
Posted 19 May 2014 - 12:41 AM

A little over a week ago while cleaning up my friend's computer I found he had a bunch of installers in his downloads folder that were being labelled as "Install Core adware" which were able to install Android apps directly to Android phones/tablets without the usual Android security/install prompts.

I called another friend who's a web/PHP developer and we figured out that these installers were using a cross-site/cross-app request forgery attack against the Google Play Store. These "adware" installers are scanning PCs for Google login cookies and then taking data from the cookies and sending it to the Play Store to make it appear that you are using your web browser to view the Play Store and install Android apps.

We also discovered these installers were able to install Chrome extensions without Chrome showing any security prompts. Some of the extensions that were being secretly installed pop ad windows/tabs and inject graphical and text ads on every page you are visiting. In some cases, these extensions were installed into Chrome (as well as Firefox and IE) without any disclosure at all. Vonterra "Safe" Ad was one of the extensions that installed with a search toolbar called MySearchDial, which apparently is also from the company that makes these Install Core installers.

My friend and I emailed over a dozen reputable antivirus/antimalware companies all the information we had. Then I waited a few days before publicly posting this information on the Malwarebytes forum (I couldn't find a direct way to contact them). In that time a lot of the AV makers we contacted replied to us saying that these installers are trojans, not just adware. Here is the VirusTotal report for one of the files found on my friend's computer (this is after I re-scanned it in VirusTotal after reporting it to AV companies): https://www.virustotal.com/en/file/ce4e4df9bf6b046d68ba6cdbd2a6aedf569c831a7fedecd85e6397c85953af51/analysis/1399856080/ . The file in that report is available for download from: hxxp://www.filefacts.com/google-chrome-download. This filefacts site is where my friend admitted downloading programs from.

I'm posting this information to warn people so they can help themselves and their friends and family from getting infected. I also want people with technical skills to help investigate what these installers are really doing and help report it to antivirus companies so they can protect as many people as possible from getting infected. So far a lot of the security companies seem to understand how serious this threat is, but companies like Microsoft aren't doing anything to detect or block these installers.

Here is the thread I posted on the Malwarebytes forum: https://forums.malwarebytes.org/index.php?showtopic=148446 and

If you are not a security researcher, amateur or professional, do not mess around with this stuff. If you are, then you will find that these Install Core installers have some method of detecting if they're running on virtual machines (such as VMware), so you will need a spare isolated physical machine to see what is really getting installed.

Edited by gnarusvenandi, 19 May 2014 - 11:28 AM.