Android users targeted on Facebook and porn sites, served adware

Android users, be on your guard against adware trying to infect your device.

The adware—known as MobiDash—is spreading via several channels, according to ThreatDown research.

One of the characteristics that makes MobiDash stand out is that it can be added to legitimate apps without changing how the original app functions. Say, for example, you install a calculator app: You still get the calculator, but you get adware served to you on the side.

Another devious feature is that MobiDash often waits for a few days before it becomes active, making it harder for the user to work out where the ads are coming from. The app they downloaded works, and because there’s no immediate sign of infection there is no reason to suspect that app.

The ThreatDown investigation started by researching a domain that recently popped up in a phishing campaign. We found that besides the phishing campaign, links to this domain were being spread on Facebook.

Link in Facebook post

It wasn't just Facebook: we found that MobiDash was also being spread on certain sites that specialize in explicit content.

link on site with explicit content

When victims click the link, it starts a chain of redirects (lookebonyhill.com > apkretro.com > 3-dl-app.com) that ends in the automatic download of an .apk file, although some users reportedly had to use the Download button.

Download website

Within a few days, the user will start to see ads pop up out of nowhere, until the app is uninstalled.
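For defenders who keep web proxy logs, the redirect chain described above can be hunted for directly. The following is an added example, not code from ThreatDown or Malwarebytes: it flags clients that walked the three domains in order and ended on an .apk download. The log format, the five-minute window, the URL paths and the verdict labels are assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Redirect chain reported in the article, in order of appearance.
CHAIN = ("lookebonyhill.com", "apkretro.com", "3-dl-app.com")
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune to your logs

# Constructed sample proxy log, assumed format: "<ISO time> <client> <URL>".
SAMPLE_LOG = """\
2024-01-10T09:00:01 10.0.0.5 https://lookebonyhill.com/x
2024-01-10T09:00:02 10.0.0.5 https://apkretro.com/go
2024-01-10T09:00:03 10.0.0.7 https://example.org/index.html
2024-01-10T09:00:04 10.0.0.5 https://3-dl-app.com/files/app.apk
2024-01-10T09:10:00 10.0.0.7 https://www.lookebonyhill.com/y
2024-01-10T11:00:00 10.0.0.7 https://apkretro.com/go
"""

def chain_stage(host):
    """Return the index of the chain domain that host belongs to, else None."""
    host = host.lower().rstrip(".")
    for i, domain in enumerate(CHAIN):
        # Exact match or true subdomain only, so lookalike names do not match.
        if host == domain or host.endswith("." + domain):
            return i
    return None

def scan(log_text):
    """Map each client that touched the chain to a verdict string."""
    progress = {}  # client -> (hops matched in order, time of first hop)
    verdict = {}   # client -> "partial-chain" or "full-chain-apk"
    for line in log_text.splitlines():
        try:
            ts, client, url = line.split()
            when, parsed = datetime.fromisoformat(ts), urlsplit(url)
        except ValueError:
            continue  # skip malformed lines
        stage = chain_stage(parsed.hostname or "")
        if stage is None:
            continue
        verdict.setdefault(client, "partial-chain")
        hops, start = progress.get(client, (0, when))
        if stage == 0 or when - start > WINDOW:  # new chain, or stale state
            hops, start = (1 if stage == 0 else 0), when
        elif stage == hops:
            hops += 1
        progress[client] = (hops, start)
        if hops == len(CHAIN) and parsed.path.lower().endswith(".apk"):
            verdict[client] = "full-chain-apk"
    return verdict
```

Calling `scan(SAMPLE_LOG)` marks the first constructed client as a full chain with an .apk download and the second as a partial hit worth a closer look.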

How to avoid/remove adware

  1. Be careful what you click on: In the Facebook example above, you can see there is an unusual-looking link. Don’t be tempted to click on a site you don’t know.
  2. Don’t install apps from unknown sources: Use the Google Play Store as much as you can.
  3. Look out for the Download website we posted a screenshot of above: The fact that the site displays no name for the apk you just downloaded should be a red flag that it’s not the one you wanted or that it has extra adware attached to it.
  4. Use Malwarebytes for Android. We’ll detect and remove MobiDash from your device, as well as block the start of the redirect chain.
Malwarebytes blocks lookebonyhill[.]com
