The website of a popular watch retailer is reportedly redirecting users that visit the site on Android-based devices to a number of malicious domains serving up premium rate SMS malware.
According to a WebRoot report, users that visit the unnamed watch-selling website in Bulgaria are redirected to any number of malicious domains, all controlled by one party, where they are prompted to download the malware in question, which presents itself as either an Adobe Flash Player installer (‘hxxp://adobeflashplayer-up.ru/?a=RANDOM_CHARACTERS’ at IP address 126.96.36.199), a fake Android browser (’hxxp://browsernew-update.ru/?a=RANDOM_CHARACTERS at IP address 188.8.131.52), or a new version of Google Play (‘hxxp://googleplaynew.ru/?a=RANDOM_CHARACTERS’ at IP address 184.108.40.206).
The campaigns appear to be targeted toward Russian-speaking Android users.
You can see the laundry list of other domains responding to that same IP address (220.127.116.11) along with the rest of the WebRoot write-up.
The fake Flash Player installer variety of the malware is requesting permission to access and change network and wifi states, install and uninstall shortcuts, set alarms, write settings and secure settings, write external storage, read contacts, install and delete packages, and read, send, and receive SMS messages among other functionalities. Once executed, the malware used the android.hardware.wifi, android.hardware.telephony, android.hardware.touchscreen, and android.hardware.screen.portrait features. It then phoned back to a ‘gaga01.net/rq.php’ at the IP address 18.104.22.168.
The Android browser installer phones home to that same site and IP address. It asks for many of the same, but ultimately fewer, permissions and uses the android.hardware.wifi, android.hardware.telephony, android.hardware.touchscreen, and android.hardware.screen.portrait features after execution.
The WebRoot report does not go into detail about the fake Google Play installer.