Armor.Trojan.Airpush

Aliases

  • BitDefender: Android.Trojan.Coolpaperleak.A
  • ESET-NOD32: Android/Adware.AirPush.A
  • Sophos: Android Airpush
  • Avast: Android:CoolWall-B [PUP]
  • TrendMicro: AndroidOS_ADWAIRPUSH.AB
  • AhnLab-V3: Android-PUP/Airpush
  • Kingsoft: Android.Troj.Adspush.a.(kcloud)
  • AVG: Android/AirPush
  • Fortinet: Adware/AirPush.LZ
  • NANO-Antivirus: Trojan.Airpush.bwhjkv

Category: Trojan

  • This is a threat.
  • Can cost money.
  • May be a privacy threat.
  • Potentially unwanted behavior.

Summary

Armor.Trojan.Airpush is an advertising framework that aggressively pushes ads to the device's notification bar and can drop shortcut icons on the device's home screen. These advertisements can extract money from users without their knowledge.

Some of the advertisements delivered by the Airpush Trojan are designed to trick the user into signing up for a premium paid SMS service. These premium SMS services incur monthly charges of $9.99.

A variety of methods are used to mislead users into supplying the information needed to subscribe them to a premium SMS service. The following are three commonly seen misleading advertising campaigns:

1) Fake Market
2) Phony FREE Phone
3) System Notification Impersonation

These advertising campaigns all use false pretenses to request the user's phone number. The phone number is then subscribed to premium SMS services, which incur monthly charges on the mobile phone bill.

1) Fake Market

Advertisements are sent to the device suggesting that a new Android Market is available. When the advertisement is clicked, the user is taken to a masked website that requests the user's phone number in return for access to the new Android Market. This webpage makes no mention anywhere of potential charges.

If the same webpage is visited directly, instead of via the falsified advertisement, the very fine print states that charges will be applied for entering the telephone number and completing the enrollment process.

Image: Example of a malicious Airpush ad in the notification bar
Image: An example of the modified malicious website
Image: The same website as viewed when not visiting via the Airpush ad

After entering the phone number, the user is taken to a new screen requesting a PIN; again there is no mention of charges. The user then receives a text message containing the PIN, and this is where an obscure mention of charges is first found.

If the user enters the PIN from the SMS message into the website, the subscription is automatically confirmed and monthly charges will be applied to the mobile phone bill.

A confirmation SMS message is received once the subscription has been confirmed; it does not clearly state that the user has been billed or that a paid monthly subscription has been confirmed.

Image: The message received after entering the mobile phone number into the website
Image: The page to enter the PIN to subscribe, which is still unclear that this is a paid SMS service
Image: The confirmation SMS message received, again unclear about the monthly subscription

2) Phony FREE Phone

Misleading notifications advertising that the user has won a free phone or device are used to trick Android users into subscribing to a paid premium SMS service.

These ads lead the user to a website that requests the phone number, promising a free device in return.

Image: An example of a misleading AirPush advertisement
Image: The webpage landed on after clicking the AirPush advertisement
Image: After clicking Continue, the website requests the user's mobile phone number

The same opt-in process is completed, where a PIN is sent via SMS message and entered by the user into the fake website. Once completed, the user will begin receiving monthly charges of $9.99 extra per month on the mobile phone bill.

3) System Notification Impersonation

These advertisements disguise themselves as system notifications and appear to be generated by the device. When the advertisement is clicked, the user is prompted to download an application. Once installed, this application automatically sends an SMS message to subscribe the user to a paid premium SMS service.

Unlike the previous processes, little to no action is required by the user to confirm the subscription to the premium SMS service. Charges of $9.99 monthly will begin to appear on the mobile phone bill.

Image: Another malicious advertisement, this time directed at increasing network speed
Image: The application makes no mention that it is a paid service
Image: The application, once installed, discreetly advises the user that there will be a $9.99 monthly charge

Additional Details

The information collected by Airpush from a device is as follows:

  • device ID
  • device make and model
  • device IP address
  • mobile web browser type and version
  • mobile carrier
  • real-time location information
  • email address
  • phone number
  • list of the mobile applications on the device

This information is passed through the MD5 hash function, which produces a fixed-length digest for each value. MD5 hashing is not encryption and is not a recommended way to protect sensitive data: the same input always produces the same digest, so the hashed value remains a stable identifier for the device, and low-entropy values such as phone numbers can be recovered from their digests with relative ease by trying candidate inputs.
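The following added example (not code from this entry or from Airpush) illustrates the two weaknesses just described. It hashes a constructed device record with MD5, shows that the digests are identical across independent uploads and so still act as a tracking identifier, and shows that a hashed phone number is recovered by enumerating candidates. The record values, the area code and exchange prefix "212555", and the function names are all assumptions made for the demonstration.

```python
import hashlib
from typing import Optional

# Constructed sample of the fields this entry lists as collected (not real data).
DEVICE_RECORD = {
    "device_id": "3f9a1c2e7b6d4a50",   # hypothetical IMEI-like identifier
    "phone_number": "2125550147",      # hypothetical number in the 555 range
    "email": "user@example.invalid",
}


def md5_hex(value: str) -> str:
    """Hex MD5 digest of a UTF-8 string, the form an SDK would upload."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def hash_record(record: dict) -> dict:
    """Hash every field, the way the entry describes the data being 'encrypted'."""
    return {field: md5_hex(value) for field, value in record.items()}


def hashes_are_stable(record: dict) -> bool:
    """Two independent uploads of the same device yield identical digests, so the
    hashed fields still function as a persistent cross-app tracking identifier."""
    first = hash_record(record)
    second = hash_record(dict(record))  # a second, independent copy of the data
    return first == second


def recover_from_hash(target_hex: str, known_prefix: str,
                      unknown_digits: int) -> Optional[str]:
    """Recover a numeric value from its MD5 by enumerating the unknown trailing
    digits. A phone number has far too little entropy for hashing to protect it:
    with the area code and exchange known there are only 10**4 candidates, and
    even the full 10-digit space (10**10 MD5 evaluations) is within reach of
    commodity hardware."""
    for n in range(10 ** unknown_digits):
        candidate = f"{known_prefix}{n:0{unknown_digits}d}"
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    uploaded = hash_record(DEVICE_RECORD)
    print("uploaded digests:", uploaded)
    print("stable across uploads:", hashes_are_stable(DEVICE_RECORD))
    print("phone recovered:", recover_from_hash(uploaded["phone_number"], "212555", 4))
```

The takeaway for anyone assessing an ad SDK's "we only send hashed data" claim: a digest of a fixed identifier is still an identifier, and a digest of a small input space is reversible.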

Below are the required permissions, taken directly from the installation instructions on Airpush.com. Although information such as the user's email address and location is not required, Airpush recommends that this additional information be collected to "enhance your revenue stream". The collection of this information is a privacy concern.

Image: Permissions required and suggested, taken directly from AirPush's website

Users should be careful when downloading applications from third-party Android markets. Android users should only download applications from trusted sources such as the Google Play and Amazon markets.

Always check the permissions of an application prior to installation and make sure that no unusual permissions are being requested.
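As an added example of the permission check recommended above (not code from this entry or from Airpush), the script below parses a constructed AndroidManifest.xml for a hypothetical wallpaper app and flags the declared permissions that map to the data this entry says Airpush collects (location, device ID and phone number, email address) or to the auto-subscribe behaviour it describes (sending SMS). The permission-to-purpose mapping and the sample manifest are my assumptions, not Airpush's published list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions mapped to the data this entry says is collected, or to the
# behaviour it describes. The mapping is an assumption for this example.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "real-time location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "device ID and phone number",
    "android.permission.GET_ACCOUNTS": "email address of device accounts",
    "android.permission.SEND_SMS": "can send a subscription SMS without user action",
    "android.permission.RECEIVE_BOOT_COMPLETED": "can push ads without the app being opened",
}

# Constructed manifest for a hypothetical wallpaper app. A wallpaper app has no
# legitimate need for location, account, phone-state or SMS permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.coolwallpaper">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list:
    """All <uses-permission android:name="..."> values declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]


def flag_permissions(manifest_xml: str) -> dict:
    """Return {permission: reason} for every declared permission on the watch list."""
    return {p: SENSITIVE_PERMISSIONS[p]
            for p in declared_permissions(manifest_xml)
            if p in SENSITIVE_PERMISSIONS}


if __name__ == "__main__":
    for perm, reason in flag_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {reason}")
```

Run against a real APK, the manifest would first be extracted with a tool such as aapt or apktool; the point is that the requested permissions are compared against what the app's stated purpose actually needs.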

Repair Instructions

It is recommended to uninstall any apps containing the Airpush Trojan. If you are concerned that you have been a victim of any of the malicious activity of the Airpush Trojan, it is also recommended that you carefully review your mobile phone bill for any additional charges. The following service numbers (short codes) represent premium SMS services that may be affiliated with the malicious activity of Airpush.

  • 87891 – Appomega
  • 69477 – Myzappy.com
  • 81857 – Appfires
  • 55163 – unknown
  • 45259 – Tipsteria
  • 99779 – unknown
  • 76363 – unknown
  • 86656 – Txtacy
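As an added example of the bill review recommended above (not code from this entry), the script below scans a constructed, itemised premium-message section of a phone bill for the short codes listed in this entry, totals the charges per short code, and reports which codes were billed in more than one month, the recurring-subscription pattern the entry describes. The bill layout and the sample lines are assumptions; real carrier bills differ and the regular expression would need adjusting.

```python
import re
from decimal import Decimal

# Short codes and affiliated services exactly as listed in this entry.
AIRPUSH_SHORT_CODES = {
    "87891": "Appomega",
    "69477": "Myzappy.com",
    "81857": "Appfires",
    "55163": "unknown",
    "45259": "Tipsteria",
    "99779": "unknown",
    "76363": "unknown",
    "86656": "Txtacy",
}

# Constructed sample bill lines (assumed layout: date, type, short code, description, amount).
SAMPLE_BILL = """\
2013-02-03  SMS  87891  Premium Msg  9.99
2013-02-03  SMS  12345  Text alert   0.00
2013-03-03  SMS  87891  Premium Msg  9.99
2013-03-11  SMS  86656  Premium Msg  9.99
2013-03-15  SMS  55163  Premium Msg  4.99
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\s+SMS\s+(\d{5})\s+(.*?)\s+(\d+\.\d{2})$")


def parse_bill(text: str) -> list:
    """Parse itemised SMS lines into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            date, code, desc, amount = m.groups()
            rows.append({"date": date, "short_code": code,
                         "description": desc, "amount": Decimal(amount)})
    return rows


def flag_premium_charges(rows: list, watchlist: dict = AIRPUSH_SHORT_CODES) -> list:
    """Keep only charges from short codes on the watch list, annotated with the service name."""
    return [dict(r, service=watchlist[r["short_code"]])
            for r in rows if r["short_code"] in watchlist]


def total_by_short_code(flagged: list) -> dict:
    """Sum the charges per flagged short code."""
    totals = {}
    for r in flagged:
        totals[r["short_code"]] = totals.get(r["short_code"], Decimal("0")) + r["amount"]
    return totals


def recurring_subscriptions(flagged: list) -> list:
    """Short codes billed in more than one calendar month: the monthly pattern the entry describes."""
    months = {}
    for r in flagged:
        months.setdefault(r["short_code"], set()).add(r["date"][:7])
    return sorted(code for code, seen in months.items() if len(seen) > 1)


if __name__ == "__main__":
    flagged = flag_premium_charges(parse_bill(SAMPLE_BILL))
    for r in flagged:
        print(f'{r["date"]} {r["short_code"]} ({r["service"]}) {r["amount"]}')
    print("totals:", total_by_short_code(flagged))
    print("recurring:", recurring_subscriptions(flagged))
```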

Android users should only download applications from a trusted source. It is advised that users download and use antivirus software to keep their Android device safe and their information secure.

Using antivirus software:

  • Run a full scan of your device
  • Locate any infected application
  • Uninstall the infected application from the device

Manual Uninstall:

  • Open the Android Device Menu
  • Go to the Settings icon
  • Select Applications
  • Next, click Manage or Application Manager
  • Select the application and click the Uninstall button