[Warning] New Malware Type on Android App Ads

JerryScript

Daydream Believer
Mar 8, 2011
There is a new type of malware that is masquerading as the Android Marketplace via in-app ads.

The ads have to be clicked on, and they then will take you to a webpage designed to look just like the Android Market. Once there, they will prompt you to install an update, and this update will sign you up for a messaging service that costs real money.

Learn the difference between the real market and the browser, and you will be fine. If you only use the market for apps (no Amazon market or other sideloading markets), just uncheck the box for allowing non-market app installs and you will be fine.

For those that are rooted, use AdFree to update your host files, and you will block most ads anyway.

http://www.cnn.com/2011/TECH/mobile/06/21/android.malware.fake.market.gahran/
 

mmarz

Well-known member
Mar 9, 2011
Unfortunately, the host file won't protect against apps that have IP addresses built into them. I have been looking at the URLs that are embedded into the apps on my phone. I have a procedure to dump apps and search them:

  1. Copy /data/app/*.apk to your desktop
  2. Use AutoAPKTool1.0.4 to decompile them all
  3. Use Xseach to find all files with "http://"
  4. Move them all to a single folder.
  5. Use guru's URL Grabber to extract all of the URLs.

With all of the duplicate and irrelevant URLs removed, my apps had over 300 external links in them. Most of them were to ad websites. A good portion of them used IP addresses so that the host file isn't utilized:
WhereIsMyDroid http://10.0.2.2:4567
HiddenMenu http://115.89.146.85 and http://203.229.247.29
Sudoku http://69.251.244.68:8080
Coolreader http://213.5.65.159
..etc.

And these were the IPs that were obviously written out. It wouldn't take much effort to mask these by breaking up the numbers. What I can't believe is how anyone could trust pirated apps. Who knows what they have injected into these apps?
 

mmarz

Can the host file be updated to work with URL domains?

You can't block IP addresses using the host file because the whole point of the host file is to look up the IP of a URL. If the app already has the IP, it won't bother checking the host file.

But I did do a little checking and you can block individual IPs using iptables:

Code:
iptables -A OUTPUT -d 000.000.000.000 -j DROP

Where 000.000.000.000 is the IP address you want to block. You'll need to run that command from a script on every boot. That will block your phone from accessing that IP address. This is fine if you have a handful of IPs to block. I wouldn't use it for thousands like AdFree does with the host file as it would significantly slow down your connection. The host file works differently and so that is not a concern for AdFree.
 

mmarz

No ads here using AndGuard

While AndGuard and AdFree will protect against commercial advertisers, it will not help against malicious programmers that use their own custom servers.

BTW, unless you get "AndGuard Pro (w/ Iptables)" you might as well just have AdFree. AndGuard Pro (w/ Iptables) is the combination of host file redirection and the iptables command I posted above. You can pay for the app to do it, or you can make your own script as I describe above and use AdFree (it has a more extensive blocking list, 23k entries).
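
The APK search procedure and the iptables command discussed in this thread can be combined into one audit script. The following is an added example, not code from any poster or from the tools named above; the function names, the constructed sample archive and the choice to list private addresses separately instead of blocking them are assumptions.

```python
import io, ipaddress, re, zipfile
from urllib.parse import urlsplit

# scheme://host[:port]; a raw-byte search works because classes.dex stores strings as MUTF-8.
# UTF-16 string pools (some compiled resources) and split-up addresses are not matched.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?")

def urls_in_apk(apk_bytes):
    """Collect URL prefixes from every file inside the APK (an APK is a zip archive)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            found.update(m.decode("ascii") for m in URL_RE.findall(apk.read(name)))
    return found

def classify(urls):
    """Split hosts into names (a hosts file can redirect these) and IP literals (it cannot)."""
    names, ips = set(), set()
    for url in urls:
        host = (urlsplit(url).hostname or "").rstrip(".-")
        if not host:
            continue
        try:
            ips.add(ipaddress.ip_address(host))
        except ValueError:
            names.add(host)
    return names, ips

def audit(apk_bytes):
    """Return (hostnames, private IPs to review by hand, iptables rules for routable IPs)."""
    names, ips = classify(urls_in_apk(apk_bytes))
    local = sorted(ip for ip in ips if ip.is_private)  # e.g. 10.0.2.2, the emulator's alias for the dev machine
    routable = sorted(ip for ip in ips if not ip.is_private)
    rules = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in routable]
    return sorted(names), [str(ip) for ip in local], rules

def build_sample_apk():
    """Constructed stand-in for an APK, using two addresses quoted in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"\x00http://ads.example.com/banner\x00http://213.5.65.159\x00")
        z.writestr("assets/cfg.txt", b"debug=http://10.0.2.2:4567/ping")
    return buf.getvalue()

if __name__ == "__main__":
    names, local, rules = audit(build_sample_apk())
    print("hosts-file candidates:", names, "\nprivate, review by hand:", local)
    print("\n".join(rules))
```

To audit a real app, pass the bytes of an `.apk` copied off the device to `audit()` in place of the constructed sample.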