A variant of Android/Trojan.FakeApp is stealing the identities of popular applications (apps) such as TrueCaller and Torque Pro.


As soon as the FakeApp is installed, a shortcut with an icon stolen from one of these popular apps is created and a notification pops up. The notification also appears whenever the shortcut icon is clicked.

The code that creates the notification is pretty simple and points to the domain apx.avazutracking(dot)net, which redirects to another website.
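
The two behaviours described above (a launcher shortcut dressed up as a popular app, and a notification that points at the redirector domain) can be checked for during static triage. The following is an added example, not code from the malware or from the original analysis; the brand-to-package allow-list, the `triage` function and the sample inputs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SHORTCUT_PERM = "com.android.launcher.permission.INSTALL_SHORTCUT"
# Assumption: analyst-maintained allow-list of brand label -> genuine package name.
KNOWN_BRANDS = {"truecaller": "com.truecaller", "torque pro": "org.prowl.torque"}
# Domain from the article, kept defanged at rest and refanged only for matching.
IOC_HOSTS = {h.replace("(dot)", ".") for h in ["apx.avazutracking(dot)net"]}

def _host(s):
    """Hostname of a URL-like string, or '' when it is not a parseable URL."""
    try:
        return (urlparse(s).hostname or "").lower()
    except ValueError:  # e.g. a malformed IPv6 literal inside a random string
        return ""

def triage(manifest_xml, app_label, dex_strings):
    """Return a sorted list of findings for one decoded APK."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    findings = []
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    if SHORTCUT_PERM in perms:
        findings.append("requests launcher shortcut creation")
    expected = KNOWN_BRANDS.get(app_label.strip().lower())
    if expected and expected != package:  # brand label on a foreign package
        findings.append(f"label '{app_label}' but package is {package}")
    for s in dex_strings:
        host = _host(s)
        if any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
            findings.append(f"references redirector host {host}")
    return sorted(set(findings))

# Constructed sample input (not taken from a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.fake">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>"""
SAMPLE_STRINGS = ["http://" + next(iter(IOC_HOSTS)) + "/tl?x=1",
                  "https://example.org/help"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, "Torque Pro", SAMPLE_STRINGS):
        print("[!]", finding)
```

The manifest is assumed to be already decoded to text XML (for example with apktool), since the copy inside an APK is in binary form. No single finding is conclusive on its own; the combination of a borrowed brand label, shortcut creation and the redirector host is what matches the behaviour described here.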

Click the notification and the redirect from apx.avazutracking(dot)net will send you through a list of several other redirects, each randomly determined by the one before it.

Some of these redirects are to ad sites so the scammers can gain a little revenue from pay-per-click browsing. Eventually the redirects end on a series of different websites. Sometimes the chain even ends on Google Play itself, pointing to the details page of a specific app to install. Here are some examples:

If a user installs the app offered, the scammers get a little more revenue. If a user fills out the information for the sweepstakes they supposedly “won”, once again they get paid, but with the addition of a third party gaining personal information about the user.

There are hundreds of variants of FakeApp like this out there being distributed thousands of times, and it only takes a small percentage of people to be tricked for the people behind it to make money.

Don’t get fooled by such shenanigans yourself; if it looks phishy, it probably is.