ThreatSTOP Blocks Android Malware Drive-By
May 3, 2012
The Lookout Mobile Security blog posted a story about some new Android-based malware that seems to be set up as a fake driver update. This drive-by works the same way as classic ones do on Windows PCs (or Macs with Flashback malware): if an Android phone visits the infected website, it is redirected a couple of times before ending up at a place where it tries to download a new “update” that users are tricked into installing.
It turns out that the domain hosting the malware is “androidonlinefix.info”, which has usually resolved to the IP addresses 126.96.36.199 and 188.8.131.52. The good news for ThreatSTOP subscribers is that anyone using their smartphone to browse the internet from behind a ThreatSTOP-protected firewall would not be infected, because we already knew about and blocked those IP addresses. In fact, we’ve been blocking them for over a year because they have been used by many different criminals for many different scams, as they are a part of the “Russian Business Network”.
This isn’t the only link to the RBN: the initial domain, gaoanalitics.info, is hosted by a Ukrainian ISP that also hosts 17 other IP addresses associated with the RBN, as well as a number of other malicious entities, indicating that it is probably a “bulletproof” hosting facility used by all sorts of criminals.
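The IP-based blocking described above also catches a domain nobody has seen before, as long as it resolves to an address already on the list. The following Python is an added example, not ThreatSTOP's code: it checks resolver log answers against an IP blocklist. The log format, the client addresses and the domain brand-new-lure.example are constructed for illustration; only androidonlinefix.info and the two IP addresses come from the post.

```python
import ipaddress
from collections import defaultdict

# Blocklist seeded with the two addresses named in the post.
# Entries are networks, so a list could equally hold whole CIDR ranges.
BLOCKLIST = [ipaddress.ip_network(n) for n in ("126.96.36.199/32", "188.8.131.52/32")]

# Constructed sample resolver log: "<client> <queried name> <answer IP>"
SAMPLE_LOG = """\
10.0.0.21 androidonlinefix.info 126.96.36.199
10.0.0.21 benign-site.example 192.0.2.10
10.0.0.35 Brand-New-Lure.example. 188.8.131.52
10.0.0.35 malformed-line
10.0.0.40 other-site.example not-an-ip
"""

def is_blocked(ip_text):
    """Return True if ip_text parses as an IP inside any blocklisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable answers are never treated as a hit
    return any(ip.version == net.version and ip in net for net in BLOCKLIST)

def flag_resolutions(log_text):
    """Map each client to the set of (domain, ip) answers that hit the blocklist."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        client, domain, answer = parts
        if is_blocked(answer):
            # Normalise case and the trailing root dot so one name is reported once.
            hits[client].add((domain.lower().rstrip("."), answer))
    return dict(hits)

if __name__ == "__main__":
    for client, answers in sorted(flag_resolutions(SAMPLE_LOG).items()):
        for domain, ip in sorted(answers):
            print(f"{client} resolved {domain} -> {ip} (blocklisted)")
```

The second hit is the point: the constructed lure domain is on no domain list, but it is flagged because its answer is an address that was already blocked.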
PS Talking of the “Russian Business Network”, we have an interesting video from their President of Vice Business Development.