Malvertising on iOS pushes eyebrow-raising VPN app

There is a preconceived idea that malvertising mostly affects the Windows platform. Certainly, when it comes to malicious adverts, Internet Explorer is a prime target for malware infections. However, malvertising can produce different outcomes adapted to the device the user is running.

Case in point, we discovered this scareware campaign that pushes a ‘free’ VPN app called My Mobile Secure to iOS users via rogue ads on popular Torrent sites. The page plays an ear-piercing beeping sound and claims your device is infected with viruses.

“We have detected that your Mobile Safari is (45.4%) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites.”

Such alerts on mobile devices are not new and are sadly commonplace via many ad networks these days. Usually, aggressive affiliates remunerated per lead will use these kinds of tactics to drive traffic to game apps or even tech support scams.

Thankfully for the latter, Apple has released an update to their mobile operating system (iOS 10.3.1) to avoid so-called “browser lockers” via incessant JavaScript popups that prevented users from closing the offending page. Having said that, social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material.

Network traffic

This malvertising chain starts off with an ad call from Propeller Ads Media, goes through Real Time Bidding (RTB) via AdMetix, is redirected to RevenueHits, and finishes off with scammy advertisers.

‘Free’ VPN app

This fake website advertises the MyMobileSecure VPN to remove “infected applications and files”. Tapping on ‘Remove Virus’ opens up the App Store to download this app.

The MyMobileSecure developer, VoiceFive, is a comScore, Inc. company, “a leading global market research company that studies and reports on Internet trends and behavior.” In order to activate the free VPN app, users must join the MobileXpression research community, and this is where things get interesting.

From mymobilescure.com: “The MobileXpression email account is a part of the software download package for iPhones and iPads. The email account is there to provide you with a better way to stay in touch with MobileXpression and also make sure our software works correctly.”

If the product is free, you (might) be the product

According to their website, MobileXpression is a market research panel designed to understand the trends and behaviors of people using the mobile Internet. This seems a bit peculiar when applied to a VPN product, whose goal is to precisely anonymize your online activity by encrypting your data from your ISP, government, bad guys, etc.

As an aside, the topic of VPNs is particularly hot at the moment, on the heels of an upcoming bill (S.J. Res. 34) that would allow Internet Service Providers (ISPs) to sell data about your online habits to advertisers. Many people are rushing into installing the first VPN they can get their hands on, which is a terrible idea considering some companies out there are very shady and far worse than your own ISP.

Free does not mean Open Source or risk-free for that matter. But the fact of the matter is that people tend to gravitate towards free products, especially if those are pushed aggressively via hungry advertisers. For this reason, users should pay even more attention before installing a free app.

If the reason you want to install a VPN is because you are truly worried about your online privacy, then always endeavour to read the fine print first. This particular VPN app has some concerning statements:

If you shop around for other VPN providers, you will see the exact opposite when it comes to data collection and logging. Here are some examples:

  • [VPN x] never logs where you go on the Internet. If anyone asks, the best we can do is shrug our shoulders.
  • [VPN y] makes it impossible to identify the type of traffic or protocol you are using, even for your ISP.
  • [VPN z] doesn’t store any connection logs whatsoever. In addition, we do not log bandwidth usage, session data or requests to our DNS servers.

Some even provide Bitcoin as a mode of payment to completely anonymize the registration process, via a throwaway email address for example.

VPN providers and trust

Oftentimes, affiliates are not properly policed and we observe scare tactics to force the installation of various pieces of software. It’s important to note that those affiliates are normally distinct from the software vendors themselves, but scammy behaviors end up reflecting poorly on everyone.

In this particular case, one cannot help but feel that this VPN application comes with some serious baggage and unfortunately the average user will not take the time to review the fine details. If the intent is to use a VPN to anonymize your online activities, this does almost the opposite.

One statement from MobileXpression is particularly striking:

We make commercially viable efforts to automatically filter confidential personal information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect personal information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information.

This summarizes the issue quite clearly: said data should never be collected in the first place because some very unfortunate things can happen once it is logged in a database. Haven’t there been enough data breaches lately to be seriously concerned with what kind of data a company may collect (inadvertently or not)?

Choosing the right VPN application these days has become very challenging due to the renewed interest in online privacy (there are other reasons people buy VPNs as well, such as to bypass geo-restrictions from services like Netflix, the BBC, etc). It’s important to take the time to review the companies behind those products, their policies, and real reviews, not fake or sponsored ones. At the end of the day, you are placing your data and trust in someone else’s hands.

Kudos to CloudFlare for terminating the scareware domain in less than five minutes.

IOCs:

Domains:

  • onclkds.com
  • xml.admetix.com
  • clk1005.com
  • inclk.com
  • browserloading.com
  • giveawaywins.com
  • securecheckapp.com

IP addresses:

  • 206.54.163.50
  • 173.239.53.20
  • 173.192.117.80
  • 108.168.157.87
  • 52.29.11.13
  • 104.31.67.144
  • 104.28.17.3
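For anyone who wants to check their own traffic against the indicators above, the following is an added example (not code from the original post or from Malwarebytes) that scans web-proxy log lines for the published domains and IP addresses and groups the hits per client so the redirect chain described in the Network traffic section stands out. The log format, the client addresses and the timestamps are constructed for illustration; only the domains and IPs come from the post. Note the second client in the sample: an IP-only hit is weaker evidence than a domain hit, because CDN and shared-hosting addresses serve many unrelated sites, so the domain should be confirmed before acting on it.

```python
"""Match constructed proxy log lines against the IOCs published in the post.

Added example, not code from the original post. The log format, client IPs
and timestamps are constructed; the IOC domains and IPs are from the post.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# IOCs as published in the post.
IOC_DOMAINS = {
    "onclkds.com", "xml.admetix.com", "clk1005.com", "inclk.com",
    "browserloading.com", "giveawaywins.com", "securecheckapp.com",
}
IOC_IPS = {ipaddress.ip_address(ip) for ip in (
    "206.54.163.50", "173.239.53.20", "173.192.117.80", "108.168.157.87",
    "52.29.11.13", "104.31.67.144", "104.28.17.3",
)}

# Constructed proxy log format: "<ts> <client_ip> <dst_ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$"
)


def domain_matches(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    return rec


def scan(lines):
    """Return {client: [(ts, host, reason), ...]} for lines hitting an IOC.

    reason is "domain", "ip" or "domain+ip"; hits are sorted by timestamp so
    each client's list reads as the order of the redirect chain.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if domain_matches(rec["host"], IOC_DOMAINS):
            reasons.append("domain")
        try:
            if ipaddress.ip_address(rec["dst"]) in IOC_IPS:
                reasons.append("ip")
        except ValueError:
            pass  # destination field was not an IP address
        if reasons:
            hits[rec["client"]].append((rec["ts"], rec["host"], "+".join(reasons)))
    for client in hits:
        hits[client].sort()
    return dict(hits)


# Constructed sample log; the first client's lines mirror the chain in the
# post (ad call -> RTB -> redirect -> scareware landing page), the second
# client only touches one of the listed IPs under an unrelated hostname.
SAMPLE_LOG = [
    "2017-03-28T10:00:01Z 10.0.0.5 203.0.113.9 GET http://example-torrent-site.test/index.html",
    "2017-03-28T10:00:02Z 10.0.0.5 206.54.163.50 GET http://onclkds.com/ad?zone=1",
    "2017-03-28T10:00:03Z 10.0.0.5 173.239.53.20 GET http://xml.admetix.com/rtb?bid=1",
    "2017-03-28T10:00:04Z 10.0.0.5 173.192.117.80 GET http://clk1005.com/click",
    "2017-03-28T10:00:05Z 10.0.0.5 104.31.67.144 GET http://securecheckapp.com/scan.html",
    "2017-03-28T10:00:06Z 10.0.0.7 198.51.100.4 GET https://www.example.test/",
    "2017-03-28T10:00:07Z 10.0.0.7 104.28.17.3 GET https://cdn.example.test/asset.js",
    "not a log line",
]

if __name__ == "__main__":
    for client, chain in scan(SAMPLE_LOG).items():
        print(client)
        for ts, host, reason in chain:
            print(f"  {ts} {host:<24} matched on {reason}")
```

Run it as-is to see the first client's four-step chain printed in order, each step matched on both domain and IP, and the second client's single IP-only hit. Domain matching covers subdomains of the listed names, which is the usual way an IOC list is applied, since a campaign often rotates hostnames under one registered domain.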

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher