Malware Distributors Abuse URL Shortener Services to Spread Dangerous Apps

  • URL shortener services are being increasingly abused by malware distributors who exploit the lack of policy enforcement.
  • Users are typically tricked into downloading risky apps through the serving of “scareware” ads.
  • The apps request the granting of extremely risky permissions, and in tens of thousands of cases per year, they get approval.

URL shortener services are always a gamble as you can never be sure about what comes out of the machine if you don’t actually test it. As it is to be expected, there are quite a few platforms with loose policies that allow malicious individuals to take advantage of the URL transformation and infect those who click on the “shortened” links with malware, banking trojans, and info-stealers. The latest ESET report from malware analyst Lucas Stefanko dives deeper into the problem, presenting some of the most active real-world examples right now.

Source: ESET

The problems start with the delivery of “scareware” ads to the person who clicked on the shortened URL, informing them that their mobile devices have been infected with malware. To respond to the risk, the users are urged to download an app from the Google Play Store or the Apple App Store (depending on the platform). In the case of Android, the apps that are downloaded are basically banking trojans and adware under disguise, while on iOS, calendar-event-creating items are being downloaded.

Source: ESET

In the following video, Stefanko demos an example of a URL shortener service message which urges the user to download another APK file from a source outside the Play Store. The names used for these APKs are always deceitful, pretending to be something useful like an adblocker or a security utility. In some cases, if the victim clicks on the download button twice, they will get the correct installation file on the second try.

The abused URL shortener services do mention that the transmission of malicious files is prohibited, but they do nothing to enforce the policy or investigate cases of potential abuse. The ads that their partners are using are solely their responsibility, so the platforms give them full freedom to do whatever they want, including distributing malware.

Source: ESET

ESET’s telemetry shows that this particular type of problem started all the way back in September 2019 and has been growing steadily. In 2021 alone, ESET recorded 150,000 instances of Android malware downloads happening through abused URL shortener platforms. This tells us that the scale of the problem is already pretty big, and some regulation needs to be enforced immediately. To make matters worse, the C2 servers analyzed by ESET have the ability to distribute different payloads, so this is a well-organized operation of an unpredictable nature.

If you have downloaded any apps of this kind following the advice of an unexpected pop-up, go ahead and manually uninstall it immediately. Then, run a full system scan using a mobile security tool from a reputable vendor. If you’re on iOS, use a Calendar cleanup tool.

Latest
How to Watch European Beach Volleyball Championships 2022 Online From Anywhere
The 2022 European Championships are in full swing, and the European Beach Volleyball Championships are about to reach crunch time. With 128...
How to Watch Homicide Hunter: Never Give Up Online From Anywhere
Lt. Joe Kenda enthralled audiences with tales from the hundreds of murder cases he investigated throughout the 9 seasons of Homicide Hunter....
How to Watch Hotties Online From Anywhere: Stream the Blind Date Food Competition Series
If you like blind date reality shows as much as cooking competitions and extremely spicy food, you'll most probably love this new...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]
[class^="wpforms-"]