Attackers are using fake download pages for the scanner that supposedly determines whether an Android device is affected by the Installer Hijacking vulnerability.
These pages expose mobile visitors to persistent advertising, adware, and premium SMS scams.
Palo Alto Networks uncovered the vulnerability in late March. Researchers said almost half of all Android devices are affected by the issue. The scanner is available in Google’s official app store.
Security researchers at Trend Micro found three fraudulent websites that claim to provide a link to the tool but instead redirect visitors to risky locations, either when tapping the download button or anywhere else on the page.
In one instance, attackers set up an aggressive pop-up that kept displaying even if the web browser restarted.
The researchers first tried to dismiss it by hitting the “Ok” button, which should have taken them to the next stage of the scam, but nothing happened. A subsequent attempt consisted of closing the web browser, but relaunching it had no effect either.
The persistence of the pop-up and of the tab that generated it was not broken by clearing the memory, as the tab was still present when the browser started again.
“It should be noted that no file was downloaded to the mobile device,” Trend Micro’s researcher Gideon Hernandez said in a blog post.
In a second case, the download button would lead to the legitimate app on Google Play, but only after redirecting the user to a different website first.
However, the researchers observed a different, riskier behavior when tapping outside the download button, as the browser loaded websites pointing to online surveys or faux software updates.
Apart from this, Hernandez said APK (Android application package) files were automatically downloaded to the device: one of them subscribed the mobile user to a premium SMS service, while another installed adware on the device. A third file seen by the researcher was a legitimate app.
The third online location purporting to offer a download for the Installer Hijacking Scanner loads a suspicious location, but attempts to investigate its redirects were thwarted by “bad error requests.”
Hernandez said this is a defense mechanism against efforts to investigate the scam.