Fake mails claiming to be from Viber used to infect malware
Just recently, a spike in the number of spam emails coming from the messaging service Viber have come to the attention of security researchers at Trend Micro. Viber is a messaging application with versions of its app available for almost every platform including the desktop. The spam trail starts when a user receives an email stating that they have received a new voice mail. The unique bit about this spam, is the way it changes itself depending on the platform you are currently using.
PC
If you click on this link using a PC, the link redirects you to download a backdoor malware app detected as BKDR_KULUOZ.VLU. Once this app has been downloaded onto the system, the system can be remotely accessed anytime by the attacker using this backdoor. This leaves your entire machine vulnerable at any time.
Mobile
The users who click on the link from the mobile devices are redirected to different URLs based on the platform. Rather than drop any malware, the user is redirected to different websites, such as a random URL, a search engine site, or even official app stores. Most Mobile users seemed to be redirected to a streaming site. Investigations revealed that this site has been linked to suspicious activities. For example, the site covertly charges the credit card number users must give during registration. Some users were redirected to the site by clicking a “Flash Player” update advertisement.
Android
As said above the redirections change depending upon the platform of the device. Android users were at times redirected to the GO Launcher page in the Play Store. Redirections based on platform are not limited to official app stores. Android users who click the link were sometimes redirected to what appears to be a blank page. After checking the source code of the page, we found that it contains links that lead to a URL with an .APK file, detected as ANDROIDOS_PAWEN.HBT.
This app contains links to various adult sites. In addition, it also monitors the user’s incoming and outgoing calls, taking note of any numbers and sending it to a URL hardcoded in the app. The purpose of these URLs is patently clear from their URLs:
https://{malicious domain}/scripts/app_tracking_manager.php
https://{malicious domain}/scripts/app_call_tracking_manager.php
iOS
Users on the Apple platform were taken to a Chinese app in the iTunes store. It is to be noted that none of these 2 apps mentioned are infected in any way themselves. At times, iOS users were also redirected to some adult sites.
Precautions
Messaging services are a common social engineering lure for attacks such as this one. Perhaps what makes this one more plausible than others is that Viber does have a desktop client. For users who receive the email, it wouldn’t be a far stretch for a recipient to assume that the voice mail exists. We advise users to be cautious when opening emails. Emails can be easily spoofed by spammers and other cyber criminals. Clicking links in emails should be avoided as much as possible. It’s far better for users to directly type the URL of the site on the address bar than rely on the embedded link.
Resource : TrendLabs
