Attacks on Twitter contain links to websites hosted on .tk domains, which hide malicious elements that target not only PC users, but also Android owners.
While PC users end up served broken .jar files, the attack tricks Android customers into installing a fake antivirus application whose icon replicates the one of products provided by Kaspersky, GFI Labs researchers said.
First, the attackers tweet in Russian or English about all sorts of materials, mainly adult content. All the tweets contain a link to a site such as “good-graft.tk.”
Once clicked, the links open a Russian site designed for smartphone and computer owners. Depending on the device from which the users accesses the website, the potential victim is served a file called VirusScanner.jar (for PC), or VirusScanner.apk (for Android).
Experts said right now the .jar file seems to be broken, since an error displays when executed. However, this may change at any time.
VirusScanner.apk is a rogue antivirus application which displays the Kaspersky logo when installed.
Identified as Trojan.Android.Generic.a by GFI’s VIPRE Mobile Security, the piece of malware reveals its true purpose during the installation process when it asks permission to access phone calls, messages and even services that cost money.
A solid rule of thumb is to not click on Twitter links if they look suspicious and addresses that end in .tk are usually up to no good.
If you do end up on suspect site, don’t install anything pushed to your device.