featured

Snapchat Spam Promoting Android Malware

By James Green ~ June 2nd, 2014 6:00 AM MST

Snapchat-logo

One of the most popular photo messaging applications for sharing goofy and occasionally risqué photos has been exploited by cybercriminals to promote Android malware. These Snapchat spammers have adopted a classic social engineering technique, free stuff. Snapchat users with public privacy settings received a snap from user “teanvuxedxtuzc” and discovered that they had been selected for the Google “Glass Explorer Program” and were eligible to receive a free pair of Google Glasses, courtesy of GlassforSnap.com.

GlassForSnapAccording to this snapspam, winners simply visit GlassforSnap.com and enter their Snapchat username to claim their free pair of Google Glasses. The reality was much more devious. Visitors have a very difference experience depending on whether they visit using a computer or mobile device, which type of operating system (OS) the device uses, and the device location. Visiting GlassforSnap.com from a computer simply redirects to the official Google Glass sales page where no pair of Glasses can be found for less than $1,500. But visiting SnapforGlass.com from a mobile device provides an entirely different experience.

The first two pages of GlassforSnap.com request personal information (Snapchat username, first/last name). These two pages are the same for all mobile visitors, thereafter things change depending on the mobile device OS and location. A popup box appears after completing the second page stating one final sponsor offer must be completed to unlock the free Google Glasses.

iPhonetimeline

iPhone users worldwide are prompted to complete an offer by downloading an app (in our experience the app was hotels.com but this may change). Clicking the offer to download the app redirects the visitor through several webpages before they are eventually told the offer is no longer available. Sorry iPhone users, no free Google Glasses for you.

When visiting GlassforSnap.com from an Android device it becomes clear that this Snapchat spam campaign is designed with Android users in mind. GlassforSnap.com targets individuals in Europe, Asia and South America, regions in which Android is the dominant smartphone OS. Depending on the geographical location of the device GlassForSnap.com redirects visitors to either a website peddling expensive premium SMS subscriptions, or a website distributing Android malware.

GlassforSnap.com targets users in Europe and Asia, two regions in which Android is the dominant smartphone OS. When Android users from these locations click to complete the final offer they are redirected to a either a website designed to subscribe the visitor to an expensive premium SMS service or a website that automatically downloads Android malware to the device.

premium SMS sample

During our investigation we discovered numerous premium SMS campaigns being promoted by GlassforSnap.com. These campaigns ranged from battery enhancing services to SMS diet plans and occasionally promised free prizes in return for registration. Premium SMS services have historically been a prime moneymaker for cybercriminals. The charges for these “services” vary, the most expensive campaign we witnessed offered services for $5.35 per day with a max of $37.45 per week and a one time $10.70 sign up fee. These incredibly expensive premium SMS services commonly re-bill until the victim cancels the service.

Visitors of GlassforSnap.com who are lucky enough not to be redirected to a premium SMS racket are unfortunate enough to be redirected to a website distributing some form of Android malware. In numerous countries the final offer to receive the free pair of Google Glasses is to download a Potentially Unwanted Program (PUP) called MoboGenie (please note this MobieGenie offer was also purposed to individuals redirected to premium SMS websites). Clicking the final offer begins a whirlwind of redirects that conclude on a website prompting the victim to download one of two types of Android malware; PUP mobogenie_152140508.apk, or a series of apps that are widely detected as MinimobSMS.

MoboGenietimeline

The Android MoboGenie PUP has a desktop cousin that also has a history of downloading itself automatically onto computers without permission. According to their website, MoboGenie is “an Android synchronization softwares and applications developer” but requires a laundry list of sensitive permissions which raise both security and privacy concerns. MoboGenie is capable of establishing a network connection on its own and connects to Voga360.com, a website that receives a 0% trust rating from ScamAdviser.com. Performing a quick Google search on MoboGenie reveals the internet is raft with suspicion regarding this PUP on any operating platform. MoboGenie has a tainted reputation and it certainly won’t be helped by being linked to this Snapchat spam campaign.

flappytimeline

The second form of Android malware distributed by GlassforSnap.com is MinimobSMS. This threat is much more malicious and is capable of subscribing victims to expensive premium SMS services. GlassforSnap.com redirects the device’s browser to “applist.lp.badabee.com/[censored]/[censored]” where numerous applications by developer BadaBee are listed. The webpage does not offer a disclaimer, and has neither a privacy policy nor terms of service; there are no outward links on this webpage at all. None of the applications listed have a description and all are detected as MinimobSMS malware.

Clicking on any of the applications will begin the download process. Once installed MinimobSMS threats collect a significant amount of information from the device (device ID, carrier, network operator, phone model, longitude, latitude, etc). The information collected is transmitted to a remote command and control (C&C) server where it is used to determine a compatible premium SMS service to subscribe the device to. The C&C server relays the premium SMS number to the MinimobSMS threat to send SMS messages from the device to subscribe to the premium SMS service.

getsmscode

The cost of the premium SMS subscription varies between region. In our investigation we discovered premium SMS services that billed daily and weekly. The total cost of these services ranged from $6.90 USD to as much as $40.50 USD per month. All of the premium SMS services involved with the MinimobSMS threat use recurrent billing and must be actively canceled by the victim. The following chart outlines the cost in the local currency and in USD and highlights the monthly cost of these premium SMS services. If you believe that you have been infected with a MinimobSMS Trojan we have also included instructions on how to cancel the premium SMS services in different regions.

graph

Premium SMS fraud is one of the most popular tactics used by cybercriminals because it’s profitable and often goes unnoticed for an extended period of time. It is important to review mobile phone bills carefully to make sure there are no erroneous charges. Contact the customer service department of your mobile service provider if you have questions about charges or need help reading your bill.

New Android Malware Infection Mechanism

Snapchat spam is a fairly new concept in itself but this is the first time we have seen Snapchat spam used to promote and distribute Android malware. GlassforSnap.com is novel in that it appears only to mobile visitors and redirects to the legitimate Google Glass website for desktop visitors. However, the Android malware that GlassforSnap.com distributes is par for the course, premium service fraud and potentially unwanted programs (PUPs) are some of the most common forms of Android malware.

As with all spam it is important to be skeptical, common sense is the strongest tool we have to avoid falling victim to Nigerian spam scams or Snapchat spam. A few general rules to keep in mind:

  • Never download programs or applications that you did not actively seek out
  • Always research applications and developers prior to downloading an app or program to establish credibility
  • If something sounds too good to be true (for instance free Google Glasses) then it probably is

Snapchat Privacy Settings

The Snapchat spam problem has cropped up in the past and the problem is isolated to users who have public privacy settings. Snapchat provides two privacy settings that determine who can send Snapchat messages to a particular account; users can receive snaps from “everyone” (public), or restrict their accounts to receive snaps from “my friends only” (private). Changing the privacy settings to private is the easiest way to prevent this type of Snapchat spam.

SnapChatSettings

The Snapchat settings menu is located in the top right corner of the incoming and outgoing Snapchat stream. Under the “Who can” menu heading the “Send Me Snaps” option is essentially the Snapchat privacy settings. If you are comfortable handling Snapchat spam (or are a security professional, like myself, who actually wants to receive and explore spam) you can opt to receive snaps from “Everyone.” For the rest of the world, if you want to avoid Snapchat spam you can select “My Friends” to block strangers, or spammers, from sending you unwanted Snapchat messages.

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email: James@ArmorforAndroid.com; Twitter: @James_AfA