We’ve recently encountered quite a few pop-ups saying our Android device is infected. These sites aren’t ones we’d expect to see malware on, so the pop-ups piqued our interest.
When encountering one of these pop-ups you will see a dialog with a message indicating you have a virus.
After pressing ‘OK’ on the first dialog, you’ll be redirected to mobile.alert.secure-intl.com, which displays a second pop-up saying you are infected with a Trojan.
The supposed Trojan is MobileOS/TapSnake, with the dialog instructing you to press 'OK' for removal.
Of course we want to remove it. Pressing ‘Remove Virus’ on yet another warning screen starts a fake scan. When the "scan" completes, a full-screen warning displays with more information about the supposed threat.
Hmm, looks like Tapsnake can steal passwords and credit card information. Discovered in 2010, Tapsnake is real Android malware capable of spying on your location.
Along with the additional information about Tapsnake, the warning screen gives us an option to install a "Free Antivirus Security Android app."
The app being pushed to install and save us is Android Armor, an antivirus app with some bad press regarding shady detection methods.
We installed Android Armor and ran a scan, which of course found no infections, not even the supposed Tapsnake malware. That was expected, since the phone was basically stock.
We ran a ‘Quick Scan’; a deep or SD card scan with Android Armor requests credit card information. Even a deep or SD card scan would find nothing, as there's no malware on the phone.
There are a lot of red flags with these pop-ups and Android Armor. In this case, we didn’t encounter a truly malicious app, but shady advertising practices.
This is another example of misleading advertisements where they win and you lose; the company gets you to install their app and you get a false sense of security.
We're accustomed to seeing these practices with malware, but this isn’t standard practice for legitimate software. This could be a case of an overzealous advertiser who gets paid each time the app is installed.
We’ve reached out to Android Armor to see if they are aware of the practices and have not heard back.
Please use caution when encountering these types of pop-ups, whether it be on a PC or mobile device.
On a PC, nine times out of 10 it’s malware, often really bad stuff. On a mobile device it can go either way. My advice: just don’t install any app delivered via pop-up, spam, or phishing link. If an app seems interesting, don’t install it at that time; search it out and find a reputable place to install it, provided you find it’s legitimate.
In cases like this, where a website is using scripts to display advertising content, you can disable JavaScript in your browser; however, doing so could disable some components of websites you normally visit.
We’ll continue looking into this advertising strategy and any apps involved; safe surfing.