Facebook’s Suggested Posts are Advertising Android Malware

A "suggested post" is Facebook's funny way of saying advertising. Now suggested posts are being used by malware authors as a funny way to advertise Android malware. Facebook's advertising method has been spotted promoting Android applications that are actually SMS Trojans. SMS Trojans are old hat in terms of malware but this is a brand new infection mechanism.

The suggested post advertising method allows advertisers to target very specific groups of Facebook users. Malware developers are exploiting this by electing to display their malicious advertisements to Facebook users who are browsing on an Android device located in a specific region. This ensures that the malware advertisement will only be displayed to Facebook users who own a compatible device and live in a region where the malware will be effective.

Popular applications such as WhatsApp, YouTube, Candy Crush, etc are advertised in these malicious Facebook ads. Clicking on the advertisement will lead the victim to a web page that is specifically designed to look like Google Play.

Facebook’s Suggested Posts are Advertising Android Malware

The fake Google Play page is designed to trick visitors into thinking that the advertised application is legitimate. The fake Google Play page includes a high star rating with thousands of fake positive reviews but inaccuracies begin to appear if we review this page closely. The star rating reads 4.5 stars but only three and a half stars are filled. It was also pointed out by Panda Security expert Luis Corrons that the star rating is based off of 35,239 total votes but the total number of votes per individual star rating added together is 44,060.

Users who actually download an application from one of these advertisements will be disappointed that the application will commit premium service fraud and does not function as advertised. The Trojans have little functionality other than sending SMS messages from the infected device to one of three premium SMS phone numbers (797024, 795964, 797025) without the victim's knowledge or consent. These premium SMS services place an additional charge on the mobile phone bill, often these are recurrent charges that will be applied monthly until the service is canceled.

A PIN number is sent to the infected device from the premium SMS service, this PIN number must be entered into a specific website to activate the premium SMS service. An SMS counter is included in these Trojans to read the received SMS messages and determines the PIN number. The Trojans then enters the PIN number in to the corresponding website.

From the malware authors' standpoint it would be beneficial if the device user never received any SMS messages from the premium SMS service as it may alert them to the illicit activity. In that effort these Trojans register a receiver with the highest priority on the infected device to monitor all incoming SMS messages. Any messages received from one of the three premium service number will be intercepted and deleted before being delivered to the device. On the newest version of the Android OS (4.4 KitKat) the Trojan is unable to intercept and delete SMS messages. In this case the Trojans briefly silence the device when a message is received and then mark the message as read.

Android users need to be conscious of malicious Android applications. Mobile malware is at an all time high and more than 98% of mobile malware targets the Android platform. Keep the following tips in mind to stay safe and avoid Android threats when browsing the web on an Android device.

  • Always install and use an antivirus application on your Android devices. Keep the antivirus application up to date to ensure that it protect you from recently discovered threats.
  • Stay current with all other applications and operating system updates, these often include patches to newly discovered security vulnerabilities.
  • Avoid downloading or purchasing applications from suspicious sources.
  • Review application permissions and read user reviews prior to downloading an app. Suspicious permission requirements or poor reviews can be a sign that the application is actually malware. ♦

James Green is a mobile security researcher who has worked in the Android security field for several years providing privacy and security advice to Android users. Email:James@ArmorforAndroid.com; Twitter:@James_AfA