Mobile Safari scareware campaign thwarted

Today, Apple released an update to iOS (10.3) that changed how Mobile Safari handles JavaScript pop-ups, which Lookout discovered scammers using to execute a scareware campaign.

The scammers abused the handling of pop-up dialogs in Mobile Safari in such a way that it would lock out a victim from using the browser. The attack would block use of the Safari browser on iOS until the victim pays the attacker money in the form of an iTunes Gift Card. During the lockout, the attackers displayed threatening messaging in an attempt to scare and coerce victims into paying.

However, a knowledgeable user could restore functionality of Mobile Safari by clearing the browser’s cache via the the iOS Settings — the attack doesn’t actually encrypt any data and hold it ransom. Its purpose is to scare the victim into paying to unlock the browser before he realizes he doesn’t have to pay the ransom to recover data or access the browser.

Lookout found this attack in the wild last month, along with several related websites used in the campaign, discovered the root cause, and shared the details with Apple. As part of the iOS 10.3 patch released today, Apple closed the attack vector by changing how Mobile Safari handles website pop-up dialogs, making them per-tab rather than taking over the entire app. We are publishing these details about the campaign upon the release of iOS 10.3.

An attack like this highlights the importance of ensuring your mobile device, or your employees’ mobile devices, are running up-to-date software. Left unpatched, bugs like this can unnecessarily alarm people and impact productivity.

Discovery event

This attack was initially reported to Lookout’s Support desk by one of our users running iOS 10.2. The user reported that he had lost control of Safari after visiting a website and was no longer able to use the browser. The user provided a screenshot (below) showing a ransomware message from pay-police[.]com, with an overlaid “Cannot Open Page” dialog from Safari. Each time he tapped “OK” he would be prompted to tap “OK” again, effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser.

The user reported seeing the “Your device has been locked…” or “…you have to pay the fine of 100 pounds with an iTunes pre-paid card” messages and was no longer able to use the browser.

Abuse of pop-ups in Mobile Safari

The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “locked” out from using Safari unless they paid a fee — or knew they could simply clear Safari’s cache (see next section). The attack was contained within the app sandbox of the Safari browser; no exploit code was used in this campaign, unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device.

The scammers registered domains and launched the attack from the domains they owned, such as police-pay[.]com, which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money. Examples range from pornography to music-oriented websites.

The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk.

The attack, based on its code, seems to have been developed for older versions of iOS, such as iOS 8. However, the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3. An endless loop of pop-ups effectively locks up the browser, which prevents the victim from using Safari, unless she resets the browser’s cache. iOS 10.3 doesn’t lock the entire browser up with these pop-ups, rather it runs on a per-tab basis so that if one tab is misbehaving, the user can close it out and/or move to another one.

Quick fix

Before the iOS 10.3 fix was available, the victim could regain access without paying any money. Lookout determined the best course of immediate action for the user who initially reported it was to clear the Safari cache to regain control of the browser. (Settings > Safari > Clear History and Website Data) Once a person erases all web history and data, effectively starting Safari as a fresh app, the ransom campaign is defeated.

To clear browser history on iOS: Settings > Safari > Clear History and Website Data

Preventing the attack

Individuals are strongly encouraged to protect their iOS devices against this attack and take advantage of a number of other security patches that Apple made available in iOS 10.3. See https://support.apple.com/en-us/HT207617 for details. Lookout users will be prompted to update their operating system to 10.3 if they have not already done so.

Investigation into the campaign

The attack utilized JavaScript that appears to be reused from an earlier attack, based on the following comment it contained:

“saved from url=(0070)http://apple-ios-front.gq/29300000/index.php?DATARE=Vylet%3A30_15%3A29”

This attack was documented previously on a Russian website. The JavaScript included some code that specifically set the UserAgent string to match an older iOS version.

“’Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4’”

The attack code creates a popup window, which infinitely loops until the victim pays the money. The ransom is paid by sending, via SMS, an iTunes gift card code to a phone number displayed on the scam website. The pop-up window error dialog on newer versions of iOS is actually the result of Mobile Safari not being able to find a local URL lookup, so it fails, but keeps presenting the dialog message due to the infinite loop in the code. The JavaScript code is delivered obfuscated, but was de-obfuscated by our analysts to determine its intent.

The JavaScript we obtained from the pay-police[.]com domain was slightly obfuscated using an array of hex values to masque behavior of the code. The pop-up attack on newer versions of iOS appears to DOS (denial of service) the browser.

Obfuscated array of JavaScript commands

The code on this page also runs the following script before executing the obfuscated code:

<script type=”text/javascript”>navigator.__defineGetter__(‘userAgent’, function () { return ‘Mozilla/5.0 (iPhone; CPU iPhone OS 8_0_2 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12A366 Safari/600.1.4’; });</script>

The group involved in this campaign has purchased a large number of domains that try to catch users that are seeking controversial content on the internet and coerce them into paying a ransom to them.

Some of the additional URLs we found that were serving the malicious JavaScript included:

  • hxxp://x-ios-validation[.]com/us[.]html
  • hxxp://x-ios-validation[.]com/ie[.]html
  • hxxp://x-ios-validation[.]com/gb[.]html
  • hxxp://x-ios-validation[.]com/au[.]html
  • hxxp://x-ios-validation[.]com/nz[.]html

Each site would serve up a different message based on the country code identifier. The sites, presumably, are used to target users visiting from different parts of the world. Each message has a separate email address for the target to contact, which appear to be country-specific and part of a wider phishing campaign.

The phishing domains and email addresses for each payload:

  • U.S.: us.html networksafetydept@usa[.]com
  • Ireland: ie.html justicedept@irelandmail[.]com
  • UK: gb.html cybercrimegov@europe[.]com
  • Australia: au.html federaljustice@australiamail[.]com
  • New Zealand: nz.html cybercrimegov@post[.]com

Lookout researchers continue to monitor this and other related campaigns, as well as work with platform providers to address security concerns as they arise.

Mobile Menace Monday: Preinstalled adware and sometimes worse

BLU manufactured mobile devices have been discovered with preinstalled adware known as Android/Adware.YeMobi.

Behavior of YeMobi

The incriminating behavior of adware YeMobi is its ability to launch the default browser on a mobile device and use it to display ads. There is an unusual element to this as well—it only displays ads while the Google Play store app is running.  As seen in the code below, if com.android.vending (the Google Play store app) is active, activity MessageLoadDetail is loaded.  Activity MessageLoadDetail then goes onto to display ads.

The rise of preinstalled malware

Buying a new phone only to find it comes preinstalled with adware or even more dangerous malware is frustrating.  Trust us, it’s just as frustrating not being able to remove these apps for our customers.

With the ease of selling online, Android devices re-imaged with custom ROMs(“Read-Only Memory”) containing preinstalled shady/malicious apps are starting to appear more and more on the online marketplace.  Sellers can easily re-image an Android device with a custom ROM which replaces the default operating system—typically stored in read-only memory. Sellers then turn around and sell these devices for cheap online.

Just like when installing apps, it’s important to buy your mobile device from trusted sources.  Avoid buying devices online from untrusted sellers/stores; even if the price is hard to pass up.

Disabling YeMobi and other preinstalled apps

In order to keep essential operating system apps from being removed on Android devices, you cannot uninstall preinstalled apps. However, you can disable some preinstalled apps—like Adware YeMobi. Simply go into settings > apps, find the YeMobi app, open its settings, and disable it via the Disable button.

Finding preinstalled malware on your device can be tricky—a mobile scanner can assist with finding them for you. Malwarebytes Anti-Malware Mobile detects Adware YeMobi along with other preinstalled malware and can be found for FREE on Google Play.

As always, stay safe out there!

The post Mobile Menace Monday: Preinstalled adware and sometimes worse appeared first on Malwarebytes Labs.