Channel: AdaptiveMobile Security Blog

Did Cybercriminals use Snapchat Breach Data?


The US Federal Trade Commission settled its complaint against Snapchat on Thursday this week. The complaint accused the company of failing to protect and secure its users' data, along with other privacy failures. It notes that a security failure in the Find Friends feature, which caused the details of 4.6 million North American users to be released on-line, could have led to "spam, phishing, and other unsolicited communications" to Snapchat users. With AdaptiveMobile's large mobile security presence in North America, we decided to analyse whether an exposed Snapchat user was more likely to be targeted by malicious SMS attacks after the data went on-line.

Firstly, some more background on the data breach. It started on the 25th of December 2013, when the security researchers at Gibson Security released a report on vulnerabilities within Snapchat's API. Soon afterwards one of these vulnerabilities was exploited by unknown attackers, and on the 31st of December 2013 the website snapchatdb.info (now defunct) went live. The website offered a list of 4,609,620 Snapchat user names, locations and partial phone numbers: the last two digits of each phone number were obscured.

We began by looking for directed attacks that used Snapchat user names within malicious SMS messages. We were unable to find any attacks directly linked to a Snapchat user name; however, this is not the full story. We then investigated whether there was an increased level of SMS spam to the Snapchat users in the released database. To determine this, we compared the amount of blocked spam sent to victims of the leak for a three month period before and after the Snapchat database was released on-line. Because the leaked database had the last two digits obfuscated, we matched the phone numbers of blocked SMS spam recipients during the period against the partial phone number ranges from the leaked database, and compared that amount to the total number of blocked SMS spam messages. If the leaked Snapchat users were not targeted, their percentage of the total blocked spam should stay fairly constant throughout the six month period. If they were targeted, we should see their percentage of the total increase after the 31st of December 2013.

Here we have plotted the percentage of total spam sent to possibly leaked Snapchat users per week, and included the average and one standard deviation for comparison.

As you can see, the maximum data point is in the week ending on the 5th of January. During this week the percentage of SMS spam received by North American cell phone users whose phone number matched a leaked partial number was more than 1.5 times the average for the 6 month period. The percentage also stays above average until the start of March. This suggests that the database may have been used to guide mobile attacks. We saw no other specific activity that could have explained this rise, but as every data scientist knows, correlation does not imply causation. However, as you can see, the timing of the breach and the spike thereafter match.
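The comparison described above, as an added example that is not AdaptiveMobile's code: it masks the last two digits of each blocked-spam recipient so the number can be matched against the leaked partial ranges, computes the weekly share of blocked spam reaching those ranges, and flags weeks above the mean plus one standard deviation. The leak entries, the recipient numbers and the per-week counts are all constructed.

```python
"""Added example (not AdaptiveMobile's code): test whether phone numbers from a
leak that masks the last two digits receive a growing share of blocked SMS spam
after the leak date. Every input below is constructed."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

BREACH_DATE = date(2013, 12, 31)  # day the SnapchatDB list went on-line

# Constructed leak entries in the dump's shape: ten digits, last two masked.
LEAKED_PARTIALS = {"21255510XX", "30355530XX"}


def mask_number(number: str) -> str:
    """Normalise a recipient number to the leak's format: digits only, last two masked."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return digits[:-2] + "XX"


def week_ending(day: date) -> str:
    """ISO date of the Sunday that closes the week containing `day`."""
    return (day + timedelta(days=6 - day.weekday())).isoformat()


def weekly_share(rows, partials=LEAKED_PARTIALS):
    """rows: iterable of (delivery date, recipient number) for blocked spam.
    Returns {week_ending: percentage of that week's blocked spam whose
    recipient falls inside a leaked partial range}."""
    total = defaultdict(int)
    matched = defaultdict(int)
    for day, recipient in rows:
        week = week_ending(day)
        total[week] += 1
        if mask_number(recipient) in partials:
            matched[week] += 1
    return {week: round(100 * matched[week] / total[week], 2) for week in sorted(total)}


def flag_weeks(shares, sigmas=1.0):
    """Weeks whose share of spam to leaked numbers exceeds mean + sigmas * stdev,
    the same comparison as the plotted average and one-standard-deviation band."""
    values = list(shares.values())
    cutoff = mean(values) + sigmas * pstdev(values)
    return [week for week, pct in shares.items() if pct > cutoff]


def build_sample_log():
    """Constructed blocked-spam log: 100 messages a week for four weeks before the
    breach (10 to leaked ranges) and two weeks from the breach on (16, then 14)."""
    rows = []
    start = BREACH_DATE - timedelta(weeks=4)
    for week_no, hits in enumerate([10, 10, 10, 10, 16, 14]):
        day = start + timedelta(weeks=week_no)
        for i in range(100):
            if i < hits:
                recipient = f"21255510{i:02d}"  # inside leaked range 21255510XX
            else:
                recipient = f"415555{i:04d}"    # outside every leaked range
            rows.append((day, recipient))
    return rows


if __name__ == "__main__":
    shares = weekly_share(build_sample_log())
    for week, pct in shares.items():
        print(week, f"{pct:.2f}%")
    print("above mean + 1 sd:", flag_weeks(shares))
```

With the constructed log, only the week ending 5 January 2014 rises above the band; the week after (14%) stays just inside it, which is the kind of borderline reading that makes the "correlation is not causation" caveat necessary.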

As the database contained only partial phone numbers, this may have dissuaded spammers from fully exploiting the leak by including user names. We will continue to monitor the situation going forward and remain watchful of similar possible data leaks in the future. Since the breach and the later Snapchat spam outbreak, Snapchat have increased their security and recently hired more security expertise, but this shows the need for all messaging platforms to have a good defence against cybercriminals, because a successful attack on one can impact all.


Attacking the CASL


As the deadline for compliance with Canada's Anti-Spam Legislation (CASL) looms, prohibiting the distribution of unsolicited commercial messages, AdaptiveMobile investigated the amount of blocked SMS spam currently being sent to Canadian subscribers. As AdaptiveMobile already blocks a large amount of threats in North America, with this data it is possible to determine the extent to which subscribers have been targeted in the last 6 months.

In the graph above, we show the amount of blocked spam destined for Canadian subscribers during the 6 month period from the beginning of December 2013 to the beginning of June 2014. Each data point on the graph is the weekly percentage of the total threats blocked over the 6 month period. From the graph we can see that in mid-December there was a large adult spam attack against British Columbia subscribers. For 2014 it is clear that the amount of spam being sent is increasing, especially to Quebec residents.

With the number of Canadians being targeted on the rise, AdaptiveMobile analysed the breakdown per province.

Figure: Spam Percentage per Province (map)

By using the area codes of the targeted phone numbers, the Data Analytics and Intelligence Team at AdaptiveMobile were able to create a map of the target areas. From this we can see that Quebec was targeted more than any other province over the period. This is due to a spam campaign against Quebec subscribers in recent months. This spam campaign is mainly composed of aggressively marketed events. The next most targeted provinces are Ontario, Alberta and British Columbia.

An interesting point here is that we have previously reported that spam attacks in the ‘Prairie Provinces’ of Canada often match the population distribution, but this pattern doesn't seem to hold for all attacks in Canada.

To investigate the distribution further we calculated the blocked spam per city, to determine which cities were coming under the most attack. The following bubble chart shows the top targeted cities per province.

From the bubbles in this illustration it is evident that Montreal is receiving the most spam. This shows that cell phone subscribers in the province of Quebec are being targeted more than other Canadian subscribers. Montreal is targeted the most, while Toronto, the most populous city in Canada, is only the 5th most targeted. The large attack we saw against British Columbia in December is explained by the above-average attack count on Vancouver.

When we look at some of the most affected cities and include their populations, we see some interesting results:

City         Population   Percentage of Spam Received
Montreal      1,649,519   34.04%
Vancouver       603,502    9.07%
Quebec City     516,622    5.54%
Edmonton        812,201    4.67%
Toronto       2,615,060    4.11%
Calgary       1,096,833    3.15%

It is clear that Vancouver and Montreal - receiving 9.07% and 34.04% respectively of all spam received during the 6 month period - are receiving more spam relative to their populations than the other cities, as a result of the aforementioned targeted spam attacks.

Finally, to break down what type of spam is going where, the team at AdaptiveMobile looked at the spam categories over the same time period.

For clarity, spam received in Canada was broken down into 4 high-level categories, ‘Adult’, ‘Aggressive Marketing’, ‘Giveaway’ and ‘Other’.

From this we can clearly see the spike in Adult spam around mid-December, when a targeted attack was launched against British Columbia subscribers. Adult spam consists mostly of messages trying to convince the recipient to use a dating or porn website. In earlier research we showed that attacks such as these may correlate with certain industries prevalent in different parts of central and western Canada. It is also evident that aggressive marketing campaigns have been on the rise in recent months. These are unsolicited messages which aggressively promote some product, website or event, primarily sports. We have noticed that these have mostly been targeted at Quebec subscribers. The Giveaway category includes scam messages which inform you that you have won a lottery or prize, and then instruct you to call a number or visit a website to collect your fictional winnings. The Other category includes all other types of spam, such as pharmaceutical giveaways or payday loan approvals.

Graphing this data below allows you to see the differing regional emphasis of the respective spam types, showing that while all spam types are generally seen Canada-wide, the spammers tend to target specific areas for certain attacks:

An interactive globe visualization of this data is available here.

Another area of potential messaging abuse that may be affected by the upcoming CASL legislation is invite messages, sent by mobile apps on install or on user activity, that inform a user's contact list about the app and encourage them to install it. These Growth Hacking or appspam messages, profiled in a separate report, generate numerous complaints throughout North America, and Canada is no exception. Within Canada, it is estimated that between 0.59 million and 0.75 million app invites were sent every day in early 2014. These volumes have reduced since then, primarily because AdaptiveMobile informed the respective app developers of the problems while compiling the Growth Hacking report, and because Google recently changed its Play Store Policies to address these issues. However, the main apps generating excessive app invites are still active and generating complaints in Canada, and as a result of CASL they may face further pressure to regulate activities seen as spammy.

With the amount of SMS spam being sent to Canadians on the rise, we welcome the new anti-spam legislation, which should help curb this trend by clearly defining what does and does not constitute messaging abuse. This clarity should give subscribers more confidence to report suspected spam attacks they receive, and will give operators additional information to pursue spammers on their networks more aggressively, in order to detect and defend against these attacks. AdaptiveMobile will continue to work with all members of the industry to protect consumers and enterprises against mobile messaging abuse, and will report again in the future on the effects of the Anti-Spam Legislation in Canada.

Selfmite: Attack using SMS worm to increase pay-per-install income


SMS worms for Android smartphones don’t appear very often. The vast majority of Android malware discovered to date can be treated as trojans. But that doesn’t mean that other types of malware, like SMS worms, don’t exist. Recently an SMS worm dubbed Samsapo was discovered and analysed by a number of antivirus companies. Samsapo used a pretty common monetisation mechanism: it was able to subscribe an infected device to a premium-rate service. It was also capable of stealing various types of personal information from a smartphone.

Description

AdaptiveMobile has analysed and confirmed a new piece of malware, termed Selfmite, that is also able to propagate via SMS. Potential victims receive the following SMS message containing a URL pointing to the Selfmite worm:

Dear [NAME], Look the Self-time, http://goo.gl/******

If the user clicks on the goo.gl shortened link they are redirected to http://173.244.***.***/TheSelfTimerV1.apk and prompted to download and install this APK file. If the user does so, an icon named ‘The self-timer’ appears in the smartphone’s menu:

Selfmite worm icon ‘The self-timer’

If the victim launches it, the malware immediately reads the device’s contact book for name and phone number pairs and sends one message to each of 20 different contacts, using the contact's name as a greeting:

SMS sending routine

After sending malicious SMS messages to the new potential victims, the Selfmite worm opens the URL http://173.244.***.***/message.php in the web browser and tries to access another goo.gl URL stored on this web page. The shortened URL resolves to http://apx.rdkt.avazutracking.net/iclk/redirect.php?apxcode=[REDACTED]&id=[REDACTED] and from there to http://seth.a2.avazutracking.net/tracking/redirect/redirect.php?id=[REDACTED]&czid=[REDACTED]=&usrid=[REDACTED]&rgid=[REDACTED]&kw=[REDACTED]&vurl=[REDACTED]. After this the user is prompted to download and install a mobogenie_122141003.apk file.
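The propagation pattern just described lends itself to an operator-side rule. The following is an added example, not AdaptiveMobile's or the worm's code: it flags a sender either because a message matches the observed lure template or because the same goo.gl link is sent to 20 or more distinct recipients within ten minutes, which catches a reworded variant too. The traffic records, the phone numbers and the goo.gl paths EXAMPLE and SAMPLE are constructed placeholders standing in for the redacted link.

```python
"""Added example (not AdaptiveMobile's code): operator-side detection of an
SMS worm's propagation pattern. Sample records are constructed; the goo.gl
paths are placeholders for the redacted one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Observed lure: "Dear [NAME], Look the Self-time, http://goo.gl/<code>"
SELFMITE_RE = re.compile(r"^Dear [^,]+, Look the Self-time, https?://goo\.gl/\S+$")
SHORTLINK_RE = re.compile(r"https?://goo\.gl/\S+", re.IGNORECASE)

FANOUT_THRESHOLD = 20            # the worm messages 20 contacts per run
FANOUT_WINDOW = timedelta(minutes=10)


def classify(records):
    """records: iterable of (datetime, sender, recipient, text).
    Returns {sender: sorted list of reasons} for senders worth blocking."""
    reasons = defaultdict(set)
    link_events = defaultdict(list)  # (sender, link) -> [(time, recipient)]
    for ts, sender, recipient, text in records:
        if SELFMITE_RE.match(text):
            reasons[sender].add("known_worm_template")
        link = SHORTLINK_RE.search(text)
        if link:
            link_events[(sender, link.group(0))].append((ts, recipient))
    # Fan-out: one sender pushing the same short link to many distinct
    # recipients inside a short window, independent of the exact wording.
    for (sender, _link), events in link_events.items():
        events.sort()
        for start, _ in events:
            distinct = {r for t, r in events if start <= t <= start + FANOUT_WINDOW}
            if len(distinct) >= FANOUT_THRESHOLD:
                reasons[sender].add("shortlink_fanout")
                break
    return {sender: sorted(r) for sender, r in reasons.items()}


def build_sample_records():
    """Constructed traffic: one infected handset messaging 20 contacts in two
    minutes, and one person sharing a different goo.gl link with three friends."""
    base = datetime(2014, 7, 24, 17, 0)
    infected, friendly = "15550001000", "15550009999"
    rows = []
    for i in range(20):
        rows.append((base + timedelta(seconds=6 * i), infected, f"1555010{i:04d}",
                     f"Dear Contact{i}, Look the Self-time, http://goo.gl/EXAMPLE"))
    for i in range(3):
        rows.append((base + timedelta(minutes=i), friendly, f"1555020{i:04d}",
                     "photos from the trip http://goo.gl/SAMPLE"))
    return rows


if __name__ == "__main__":
    for sender, why in classify(build_sample_records()).items():
        print(sender, why)
```

The template rule is exact and cheap but dies with the first rewording; the fan-out rule is what keeps working once the author changes the text, at the cost of needing a per-sender window of recent link traffic.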

Monetisation

Mobogenie is a legitimate app for managing and installing Android apps from various sources, downloading videos, music and images. It is available both in Google Play and alternative sources. According to the Google Play statistics alone the Mobogenie Market app has at least 50,000,000 installs which makes it a pretty popular application. Besides that the Mobogenie app is promoted via different ad platforms:

As you might have already noticed, the Selfmite worm uses an advertising platform to redirect the user to a particular version of the Mobogenie app. That version of the Mobogenie app will ‘click’ a certain URL after installation, passing additional device parameters, in order to confirm the Mobogenie app installation.

So as a result we believe that an unknown registered user of the advertising platform abused a legitimate service and decided to increase the number of Mobogenie app installations using malicious software.

Statistics

At the moment we can confirm that we have detected dozens of infected devices in North America. For other countries, some estimates can be made via Google URL shortener statistics. All screenshots were taken at 17:00 UTC on 24th July 2014.

Malicious URL

Mobogenie redirection

Conclusion

New SMS worms for Android don’t appear very often. That this one was used to abuse legitimate ad services and pay-per-install schemes makes it even rarer, which makes Selfmite a pretty interesting piece of malware and part of a unique attack.

The impact on the user is not only that they have been fooled into installing a worm and other software they may not want: the worm can use up their billing plan by automatically sending messages they are not aware of, costing them money. In addition, by sending spam the worm puts the infected device in danger of being blocked by the mobile operator. More seriously, the URL that the worm points to could be redirected to other .apks which may not be as legitimate as the Mobogenie app.

Fortunately, as the infection was detected so early, it doesn’t seem to have propagated widely at the moment. North America seems to be the area most targeted; as a result AdaptiveMobile has blocked the spread of messages containing links to the worm in our customers’ mobile networks in that region and is working to clean up the devices already infected. We have also contacted Google in order to disable the goo.gl shortened URLs, and Mobogenie to block the ID responsible for these actions. The malicious goo.gl URL is disabled at the moment. This should stop the worm author from profiting from the spread of Selfmite.

MD5: TheSelfTimerV1.apk 54b715f6608d4457a9d22cfdd8bddbe6

Thanks to Yicheng Zhou and Mingfei Pan for their contribution.

Spammers’ SMS Boom Focused on the Indian Real Estate Syndrome


The Indian consumer has always focused on three major investment havens: the stock market, real estate and gold. The Indian General Elections of 2014 have given a much needed fillip to the Indian stock market. It is also a known phenomenon that real estate sentiment turns positive on the back of stock market euphoria.

A roller-coaster is on the cards for the infrastructure sector and real estate in particular, believe many gurus. Spammers have smelt this opportunity and have begun speculating using the SMS platform. Moving from circle to circle and hopping from one service provider to the next, they have already created an artificial real estate euphoria. Home buyers are promised big returns, especially if they are the early birds. Fine-tuning their psychological game for aspirants, spammers have hyped up property advertisements claiming availability 'at throw away prices' in localities close to ‘happening’ landmark sites.

As of now, large spam campaigns have been making the rounds to woo consumers towards places like the outskirts of Noida and Faridabad in Uttar Pradesh, and Bhiwandi and Andheri in Maharashtra, where property has gained much significance in recent times. We expect this spamming behaviour to exploit the outskirts of other upcoming cities too.

Here is a typical spam type where spammers try to draw your attention to the accommodation type and the area of interest, with an emphasis on the budget:

Hurry Coming Soon SAI VILLAGE near sec-104 Noida. 1,2&3 bhk appt with 80% bank loan. Appts startng @ 18 lacs(clp). Rates aplicble for 1st 50 flats. Call:[mobile number removed]

The main intention of the spammers is not just to build curiosity but to exploit the opportunity by forcing you to ‘ACT’. The call to action here is to make you ‘Call Back’ on the number given in the message. Also note the obfuscation in the message. This is one of the techniques used to evade filters.

Upcoming regions with real estate resources are picked first. Mapping is then done keeping the aspirants in mind: a region is chosen according to the probable financial capability and consumer appetite. Next, the launch time of such attacks is well planned. Such messages are pushed first in the morning hours, around 9:30 am. The second push takes place around afternoon and the third follows around 5:30 pm. These three time slots are carefully chosen as times when people normally come together to socialise with friends, colleagues and family. The message then becomes a subject of discussion through which others too are influenced by the proposition. This is the case in the messages given below, where the spammer is campaigning for 3/4 BHK luxurious flats in the region of Gurgaon as against 2/3 BHK semi-luxurious flats in the region of Bhiwandi (BHK being “Bedroom / Hall / Kitchen”).

Ansal Launching 3/4BHK Ultra-LUXURIOUS Apt, GURGAON Include-VRV-AC,Mod Kitchen,Car Park.Most Attractive-Price.EASY Pay-Plan.Max Ing-Disc.cal [mobile number removed]
1/2/3BHK Apts in-Bhiwadi @ 12.51Lac*. 90A, Approved. Direct NH-8 & Near to Airport. 20m drive from Gurgaon, Bkng Amt. Rs.2Lac Only. RainBow: [mobile number removed]

Further, if the consumer dreams of having a bungalow with a courtyard, well there are plots to cater to this elite bourgeois genre too.

DTCP APPROVED PLOTS @ MADHURANTHAGAM Near to DSP, SUB COLLECTOR Office.Gated community with all amenities, ON GST ROAD. CONTACT:[mobile number removed]
govt. approvd society plots on yamuna x-way. startng from 8.5lak -no other chrges  limitd forms availble frm (Rs 500) reg. fee 51,000.PH[mobile number removed]

To make this trend clear, here is a pan-India graphical representation of the real estate focused spam.

India Spammer Heat Map

Figure 1.1: Depicts regions in India where real estate is being promoted through SMS spam

Spammers have their focus on places around the outskirts of Mumbai like Andheri, Bhiwandi, Ghatkopar and Mulund, and on the neighbourhood of Delhi: NCR, Faridabad, Noida, upcoming areas near Yamuna, Gurgaon, Mathura, Lucknow, Dwarka and the expressways connecting these places. The concentration seems to increase as you go further north towards the outskirts of Chandigarh and Ludhiana.

Here are some more spamming tactics adopted by spammers to evade being detected:

• The use of special characters, numbers and spaces in the middle, beginning or end of a word in a message:

S*I*R Office/Shops in Middle of Noida in 14Lacs only Opportunity comes once for profit PHO[mobile number removed]/

• At times words are deliberately misspelt or combined to evade filters:

VIRTUALandTOLLFREEno -To Manage UR BUSINESS CALL With -Live Cal TrackingRecording -LeadDatamanagement CRM24x7Call Attendant-Start  Rs899O ph0[mobile number removed]

• Even language is exploited: words are either typed in Hindi or the local language, or Hindi and local-language words are spelt out in English letters:

Apke $apno Ka Ghar GURGA0N Mein 2 BHK,1250sqft@4800Psqft In Sec-68 Golf Course Extn Rd Few Flats Left [mobile number removed]
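To show how a filter can survive the three tactics listed above, here is an added example (not AdaptiveMobile's filter): each message is reduced to a lower-case, letters-only skeleton after mapping the substituted characters ($, @, 0, 1, 3, 5) back to letters, and the skeleton is then searched for keyword families. The keyword lists are constructed from the messages quoted on this page; the sample messages are those quoted above plus one constructed benign text, and the minimum of three families is an assumed tuning value.

```python
"""Added example (not AdaptiveMobile's code): normalise obfuscated SMS text so
that keyword matching survives character substitution, inserted symbols,
misspelling and run-together words. Keyword families are constructed."""
import re

# Characters the quoted spam substitutes for letters ($apno, GURGA0N, Rs899O).
HOMOGLYPHS = str.maketrans({"$": "s", "@": "a", "0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

KEYWORDS = {  # constructed from the messages quoted on this page
    "location": ("noida", "gurgaon", "bhiwandi", "bhiwadi", "faridabad", "madhuranthagam", "yamuna"),
    "property": ("bhk", "flats", "plots", "appt", "villa", "gatedcommunity", "sapnokaghar"),
    "price":    ("lacs", "lakh", "lak", "sqft", "bankloan", "payplan", "regfee"),
    "pressure": ("hurry", "comingsoon", "fewflatsleft", "limitd", "limited", "ratesaplicble"),
    "callback": ("call", "contact", "phone", "pho"),
}

SAMPLE_MESSAGES = [
    # three messages quoted on this page, number placeholder kept as-is
    "Hurry Coming Soon SAI VILLAGE near sec-104 Noida. 1,2&3 bhk appt with 80% bank loan. "
    "Appts startng @ 18 lacs(clp). Rates aplicble for 1st 50 flats. Call:[mobile number removed]",
    "S*I*R Office/Shops in Middle of Noida in 14Lacs only Opportunity comes once for profit "
    "PHO[mobile number removed]/",
    "Apke $apno Ka Ghar GURGA0N Mein 2 BHK,1250sqft@4800Psqft In Sec-68 Golf Course Extn Rd "
    "Few Flats Left [mobile number removed]",
    # constructed benign text
    "Hi, are we still on for dinner at 8? Call me if late",
]


def skeleton(text: str) -> str:
    """Lower-case, map homoglyphs to letters, drop everything that is not a letter:
    'S*I*R' -> 'sir', 'GURGA0N' -> 'gurgaon', 'VIRTUALandTOLLFREEno' -> 'virtualandtollfreeno'."""
    return re.sub(r"[^a-z]", "", text.lower().translate(HOMOGLYPHS))


def score(text: str) -> dict:
    """Which keyword families appear in the skeleton, and which words hit."""
    body = skeleton(text)
    return {family: [w for w in words if w in body] for family, words in KEYWORDS.items()}


def is_realty_spam(text: str, min_families: int = 3) -> bool:
    """Flag when at least min_families independent families fire; a single
    family (e.g. just 'call') is far too weak to act on."""
    return sum(1 for hits in score(text).values() if hits) >= min_families


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(is_realty_spam(msg), score(msg))
```

Because the skeleton has no word boundaries, short keywords such as "lak" or "pho" will also match inside ordinary words; that is why the decision requires several independent families rather than any single hit, and why the short entries belong in the weakest families.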

Along with such tactics, spammers also launch spam campaigns targeting consumers from other service providers and messaging channels.

As we relentlessly pursue blocking spam and tracking spammers’ behavioural patterns and nefarious tactics, we would like to caution you against getting carried away by such offers. We at AdaptiveMobile anticipate large realty-focused SMS spam campaigns gaining momentum as the festival season progresses.

Bit.ly warns against Glide Appspam


Note: This blog has been updated with information reflecting new activity, please scroll down to the end to see latest developments

It's been a few months since we released our report on appspam and messaging apps, making people aware of the issue of appspam and aggressive 'Growth Hacking'. This is essentially the behaviour of certain apps that, when installed, send app invites (or 'appspam') to contacts in your address book, with varying degrees of ability for the person installing the app to prevent or control this. After issuing the report we saw a change for the better, and a few weeks later we reported that we had seen a 25-35% drop in app spam invites. A key factor that also occurred around this period is that Google changed its Android Developer Policy, which seems to have helped address this problem.


This was encouraging, but we feel that it didn’t go far enough. Below we have plotted a representative sample of the number of app spam invites in North America around that period. You can see Glide's invite volume did drop initially, but it still generated far and away the largest number of app spam invites, and as other apps dropped further, Glide actually generated a higher proportion of invites than ever before. In addition, Glide's invite volume started to increase again towards the end of the period, whereas Tango's invite volume has been steadily dropping since the start of AdaptiveMobile's advisory period, as they made changes to ensure they generated fewer complaints. Finally, 'Others' includes all other apps; this stays roughly constant, as even though some apps heeded our advice, other new ones arose. 'Others' also includes a number of apps that in our opinion are doing growth hacking via invites responsibly, so we did not expect them to change their behaviour.


After this period, the subsequent response by Glide in recent months has been most interesting. 2 months after our report, on the 14th of June, the default Glide invite text, which had been like the following:

Seen Glide? http://i.glide.me/join
Tried video texting? http://i.glide.me/join

started to change. First, the text was made even vaguer, removing any reference to what the app actually does (it's a video texting app). An example is:

Seen this? http://i.glide.me/join

And then, on June the 16th, Glide started using short urls from bit.ly to point to glide.me, rather than using the glide.me url itself:

Check it out! http://bit.ly/1kFJMTB
Check out this app! smile http://bit.ly/1nVjxKE
Come online! http://bit.ly/1k2VGYr
Did you see this? http://bit.ly/1mABehm
Don't miss this! http://bit.ly/1qajgYU

Before we cover the problems with this, it's interesting to look at the nature of the links. These urls redirect to links like http://i.glide.me/join/1404103250468, where the 13 digit identifier is used to track the number of clicks via each link. The generated bit.ly links are reused amongst multiple Glide invite senders but normally only sent in a short time period (around a day), as new bit.lys are generated very frequently every day - in fact a new one is generated at least every 10 minutes, as you can see in their bit.ly stats here. In total we monitored dozens of different short text strings being used by the app to advertise itself, all using many thousands of newly generated bit.ly links - according to the bit.ly supplied stats alone, at least 10k links have been generated since Glide opened an account on July 14th. It's probable that before this date links were registered on an ad-hoc basis.

Returning to the question of why this happened: the very fact that Glide took this approach - making the text more vague and obfuscating the url - is concerning. We see this type of messaging behaviour often with malicious spammers, who are trying both to convince the user to install the app using social engineering and to avoid any detection in place. It is clearly not a good sign when app developers start copying the techniques of spammers. It's notable that Glide have also added an unsubscribe feature to their website. This was added some time after June 25th, and accomplished by adding a single, one-line link to the original statement in the FAQ that said:

How the unsubscribe feature works is that users sign up with their phone number, so they will no longer receive Glide invites. However this feature is fundamentally flawed due to the logic behind it. In effect Glide are assuming that everybody is signed up, unless they indicate otherwise. Best-practice commercial advertising techniques are normally the opposite – imagine if every advertising company assumed that just because your phone number was in somebody’s mobile that you are fair game for advertising, until you indicate otherwise for each and every company?


Since we issued the report, we have been working with our mobile operator customers and industry organisations both to generate awareness and to effect change in these apps. Other mobile security companies have now recognised the problem and begun reporting it, while most notably it seems that Bit.ly themselves have also reacted. We have observed that recently Bit.ly has begun flagging all bit.lys that redirect to the i.glide.me/join/link-id format as potentially having a problem, with a warning screen like the one below. Generally these warning screens are issued for a link to a landing page that has been shortened multiple times, or because the link has potentially malicious content, both generally a sign of issues in what is being sent.

However, this is an ongoing story. To get around the bit.ly warning, since yesterday (4th September 2014) at roughly 2pm UTC, Glide have reacted by changing the bit.lys generated and used in the app spam to point first to a http://vidtext.me/join/link-id intermediate page, which then redirects to www.glide.me only. As this essentially repeats the same problem (multiple bit.lys pointing to the same end point), it's possible it will meet with the same reaction from bit.ly. We will continue monitoring and we can expect further developments in this area as attention increases.
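The redirect behaviour described above (many short links, each pointing at a unique tracking id that then redirects to one site, later with an intermediate domain in between) is a fan-in pattern that a link shortener or an operator can detect. The block below is an added example, not bit.ly's or Glide's code: it follows a redirect table, stops on loops, groups short links by the host they finally land on and flags hosts collecting ten or more distinct short links. The redirect table, the 13-digit ids and the threshold of ten are constructed.

```python
"""Added example (not AdaptiveMobile's or bit.ly's code): spot many freshly
minted short links that all land on one page. The redirect table below is
constructed and stands in for live HTTP 301/302 lookups."""
from collections import defaultdict
from urllib.parse import urlparse

REDIRECTS = {}
for i in range(12):  # short link -> per-link tracking page -> real site
    REDIRECTS[f"http://bit.ly/c{i:02d}"] = f"http://i.glide.me/join/14041032504{i:02d}"
    REDIRECTS[f"http://i.glide.me/join/14041032504{i:02d}"] = "http://www.glide.me/"
for i in range(12, 15):  # the same thing routed through an intermediate domain
    REDIRECTS[f"http://bit.ly/c{i:02d}"] = f"http://vidtext.me/join/14041032504{i:02d}"
    REDIRECTS[f"http://vidtext.me/join/14041032504{i:02d}"] = "http://www.glide.me/"
REDIRECTS["http://bit.ly/benign1"] = "https://example.org/article"
REDIRECTS["http://bit.ly/loopa"] = "http://bit.ly/loopb"   # constructed loop
REDIRECTS["http://bit.ly/loopb"] = "http://bit.ly/loopa"

SAMPLE_SHORT_LINKS = [u for u in REDIRECTS if u.startswith("http://bit.ly/")]


def resolve_chain(url, table=REDIRECTS, max_hops=10):
    """Follow redirects from url. Returns (chain, status) where status is
    'landed', 'loop' (a URL repeated) or 'too_long' (max_hops exceeded)."""
    chain, seen = [url], {url}
    while chain[-1] in table:
        if len(chain) > max_hops:
            return chain, "too_long"
        nxt = table[chain[-1]]
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "landed"


def cluster_by_landing(short_links, table=REDIRECTS):
    """{landing host: sorted short links that end there}. Loops and over-long
    chains are left out; they deserve their own handling."""
    clusters = defaultdict(set)
    for link in short_links:
        chain, status = resolve_chain(link, table)
        if status == "landed":
            clusters[urlparse(chain[-1]).hostname].add(link)
    return {host: sorted(links) for host, links in clusters.items()}


def flag_landing_hosts(short_links, table=REDIRECTS, min_links=10):
    """Hosts receiving at least min_links distinct short links in the sample:
    the fan-in behind the warning screens described above."""
    return {host: len(links)
            for host, links in cluster_by_landing(short_links, table).items()
            if len(links) >= min_links}


if __name__ == "__main__":
    print(flag_landing_hosts(SAMPLE_SHORT_LINKS))
    print(resolve_chain("http://bit.ly/c00"))
```

Grouping on the final landing host rather than on the first redirect target is what makes the vidtext.me detour irrelevant: the links still cluster on www.glide.me. The chain length (two hops for the c00 link) is the other signal bit.ly describes, a link that has been shortened more than once.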


We believe the path for Glide is clear: they need to change their UI design, as per the recommendations in our report, to avoid guiding users to spam all contacts on installation. The recommended guidelines are repeated below:

  • Make it easy for a user not to invite all contacts
  • Not ask on start up or activity to invite all contacts
  • Not give an “invite all” option
  • Not pre-select all contacts to be invited in an invite screen
  • Allow the user to edit the invite text
  • Not make inviting others via SMS Invites, part of an incentive system

As explained in the report, these guidelines are derived from the well-behaved apps that generate minimal complaints despite their large user bases. It goes without saying also that having a clear description of what is being advertised (i.e. the name of the app) is an essential part of that.

Update 8th Sep: Bitly have flagged as suspicious Glide-generated bit.lys that point to vidtext.me. Glide are now generating bit.lys that point to vdotxt.com.

Update 9th Sep: Bitly have again flagged as suspicious bit.lys that point to vdotxt.com. It seems that Glide have since stopped using short urls, and are now using vdotxt.com/join.

In mobile operators we trust


Today, in partnership with telecoms and technology analyst Ovum, we have announced the results of a global enterprise mobility survey. The survey threw up some surprises and confirmed a few things we might have guessed to be true.

The benefits of BYOD for employers and employees are well documented, as are a good number of the barriers to adoption. When it comes to enterprise mobility, employers have an understandable insistence on water-tight security, while employee concerns tend to centre on privacy and cost.

Irrespective of age, job function, geographic location or preferred mobile device technology, maintaining privacy is the single most important concern for employees when it comes to enterprise mobility with 84.4% of respondents rating it a top three concern. The challenge of ensuring security while maintaining privacy must, at times, seem insurmountable to enterprise IT managers. In the words of enterprise mobility pragmatists everywhere ‘you can’t have your cake and eat it’.

However, one survey finding in particular suggests that perhaps there is a solution that can keep everyone happy. When Ovum asked those who BYOD whether they would prefer to have a service that allowed them to use their own devices at work provided by their mobile operator rather than their employer, 42% said “yes” compared with just 30.1% who said “no”.

Put simply, employees trust their mobile service providers more than the organizations that pay their wages and, in a lot of BYOD cases, the organizations who pick up the tab for the mobile services they use. Mobile service providers are more of a constant in the lives of employees, particularly in high growth markets where BYOD is more common. Think about your own life experiences, there are a small and finite number of MNOs to choose from, while (for most people) career paths are more varied.

The unresolved tension between privacy and security is clear. The requirements for security and privacy are colliding – for both the enterprise and employee. Mobile operators are uniquely positioned to deliver the balancing act between user impact, complexity and cost, and deliver services for the enterprise that achieve:

  • Protection without compromising privacy
  • Cost control without compromising employee efficiency

The benefits would be the creation of a trusted community outside of the enterprise, without the financial burden of the cost being met by the internal IT/security budget. By including security features in all devices, even at a basic level, the awareness of the risks mobile devices are exposed to on a daily basis is raised. At AdaptiveMobile we believe that doing this well and providing enough security to baseline your ecosystem will ultimately have a positive impact in terms of raising the security level and expectation for all.

One of the surprises that came out of the survey was the level of importance that employees place on security as part of a corporate mobility service relative to the importance of avoiding ‘bill shock’. A massive 67.2% of respondents who BYOD said avoiding access to malicious websites was a top three consideration, while 57.7% believe avoiding malicious apps is a top three concern. Avoiding bill shock garnered just 19.7% rating it as another top issue.

These figures make sense when you consider that the rising penetration of smartphone ownership (and BYOD) comes hand in hand with a rising incidence of security breaches. Employees are much more aware today of the threats posed by security breaches. Meanwhile, the cost of enterprise mobility is decreasing everywhere, so avoiding bill shock is becoming relatively less of an issue.

Reflecting on these concerns there is an obvious opportunity for national trusted mobile operators and carriers to bridge the trust divide. The survey shows MNOs are uniquely positioned to allay employee concerns about privacy whilst delivering effective mobile security services. It doesn’t need a revolution – but fresh thinking from the mobile security experts, in order that today’s technologies are evolved to meet the security demands of our hyper-connected society.

How to shift that Stubborn Snapchat Spam


It's been reported that there has been another wave of Snapchat spam messages. Like the attack we covered in January, users are reporting that they've received a new wave of weight-loss scam snaps. This type of scam normally works by enticing the user to visit websites and buy pharmaceutical or weight-loss products. These latest attacks have apparently been sent from real compromised accounts, as users are receiving them from their contacts, and Snapchat, as quoted by the BBC, reports that it believes the credentials used to access these accounts have come from other breaches:

"We have seen evidence that hackers who have access to a trove of credentials leaked from other websites, have started using them to gain access to Snapchat accounts,"  

Which exact websites Snapchat refers to is unclear. While some have suggested that Gmail-like leaks may be responsible, one other obvious contender in many people's minds is the large-scale breach Snapchat suffered at the start of the year. That occurred after Snapchat ignored reports that existing security holes could pose a threat; its user details were promptly hacked and around 4.6 million user names from the USA and Canada were made public on the SnapchatDB.info website. We covered this in depth at the time, focusing on the distribution of the phone numbers from the breach and showing that some states were more badly affected than others (if you were a Snapchat user with a Colorado cell-phone at the time, your details were obtained). We did this analysis because we know from first-hand experience that problems and leaks on other messaging bearers can directly affect the work we do on mobile messaging such as SMS and MMS, and sure enough, in a subsequent follow-up we showed that statistically the SnapchatDB leaked phone numbers received more text message spam after the breach than beforehand.

But whether the SnapchatDB leak on its own led to access to user accounts, and so to Snapchat spam being sent, is actually very doubtful. What seems more likely, as Snapchat has referenced in its answer, is that spammers may have combined it with other sources, such as passwords or email addresses from other hacks, to try to guess their way in. However, as we have seen first-hand in mobile messaging, it can sometimes be very hard to tell exactly how hackers have obtained access to accounts they shouldn't have, so other factors may be at play as well. In either case, if the hackers have developed a system or have access to a trove of credentials, then we can expect spam attacks to continue for a while.

It seems that Snapchat is in the unfortunate position now of sustaining a spam industry. Even before the initial weight-loss attack they suffered in January, Snapchat has faced a series of other spam attacks. We have classified these attacks into several groups:

1) Adult-based spam. Inevitably the earliest type of spam to target any communication system; on Snapchat this breaks down into several types:

  • Snapcrush spam: This seems to have been the first seriously reported Snapchat spam. It started in November 2013 and contained a link to a simple dating site (snapcrush.com) which was also registered in that month.
  • Pornbot spam: This is primarily Kik-related spam, which works by sending snaps to people asking them to contact Kik Messenger accounts. These Kik accounts are invariably pornbots that will initiate a conversation and then try to get the user to sign up for a chat room. We shared details on the origin of these senders and their lineage recently. This type of spam has been reported since mid/late January 2014, although it may have been active earlier. Another attack featured Skype pornbot-related Snapchat spam that was publicly addressed by Snapchat in mid-April. Surprisingly (or not, depending on your point of view), this post is not on the main Snapchat blog feed; you have to search for it directly.
  • Generic dating site spam: This type of spam has been seen since at least June 2014. It differs from the others in that the link (NewVerified .com) points to an appfly.mobi website which contains links to various apps in Google Play. These are all legitimate apps, so this spam makes money through an affiliate-type scheme, where the spam sender gets paid per app install.


2) Pharma-type scam, which as well as including the original attack in January and the current attack being reported now, also included a bizarre smoothie spam attack in February, whose snaps contained links to websites such as frootsnap .com or snapfroot .com. These redirected to fake Groupon-like websites offering weight-loss supplements. This was also sent by real compromised accounts, indicating this is the system of choice for this attack. Below you can see the evolution of this type of spam.


3) Fake goods/advertising-type scam. Primarily a fake luxury goods attack, this has been active since at least mid-January, and followed shortly after the weight-loss spam attack in that month. It relies on 'humour', and points to websites such as RexRep.com that sell fake luxury goods such as Rolexes. Certain similarities in the method of execution between this and the weight-loss attacks indicate they are linked.

There have also been other reports, such as giveaway-type attacks; these don't seem to have been as large, but again they indicate an evolution of the spam ecosystem on Snapchat. The presence of at least two different spammer groups active on Snapchat, if not more, means that the targeting of Snapchat users is now well established. As a result it becomes considerably more difficult to eliminate completely. Snapchat have since taken some of the obvious steps, such as making it more difficult for an automated attacker to create multiple accounts, but as the recent attacks have shown, there are clearly still methods to obtain unauthorised access to other accounts and send spam from them.

Snapchat have reported that in many instances they have already notified users that their account has been compromised. In general, it's a good idea for any user who suspects that their account has been used to send spam to change their password, preferably to one that is unique and complex. The next steps that need to be taken by Snapchat are to look at ways to make account takeovers more difficult, to put in place methods to identify and block the spammers while they are active, and to provide an efficient system for easily reporting Snapchat spam when received. As a company that specialises in messaging spam detection and blocking on multiple bearers, we know better than most the difficulty of doing all of this, but as our results have shown in the US, it is possible: SMS spam is now a fraction of what it once was, and many criminal organisations that used to rely on text message spam have moved on to other messaging bearers. It's possible for Snapchat to address this threat, and shift those stubborn spammers.

SMS Phishing Spam and JPMorgan Chase Breach


On Thursday, the 2nd of October, JPMorgan Chase gave further details of the data breach it first reported to have occurred in mid-August. The latest estimates, as reported in their SEC filing, are that information from 76 million households and 7 million small businesses has been compromised. Given that there are only 117 million households in the US, this breach means the majority of the US population has been affected in some way.

The information that was compromised was stated to be user contact information, i.e. name, address, phone number and email address, and internal JPMorgan Chase information relating to such users. However, account numbers, passwords, user IDs, dates of birth and Social Security numbers were not compromised, according to the filing.

While it's definitely reassuring that no direct financial information was lost, the information that was leaked is still damaging. As we covered with the Snapchat breach at the start of 2014, leaked phone information can be used to help target and optimise mobile phishing attacks.

Coincidentally, the day before JPMorgan Chase gave details on the breach (the 1st of October), we recorded an SMS bank phishing attack targeting several thousand mobile subscribers in Florida. The SMS message that was sent was of the following type:

JPMorgan Chase Bank, N.A. notification:You have a new message regarding your Chase account. Please tap the link bellow to read it: http://tinyurl.com/[REDACTED]

When the user clicked on the tinyurl link, it would redirect to a web address that looked similar to the mobile banking URL used by Chase, where they would be presented with the fake Chase login screen shown below:

The attack then relies on unsuspecting users entering their bank details. While the login is fake, a common feature of this type of attack is that the other links on the screen (FAQs, Contact Us etc.) point to real banking websites.

Once the attack was detected, it was blocked within our carrier customers, although some subscribers of other carriers may have received the SMS phishing text. As always, if you have received a suspicious text message, do not enter your bank details, and inform your carrier that you received the spam message. Since the attack we have contacted tinyurl and requested that they disable the link, which they have done, and we have also informed Chase about the fraud.

The crucial question is whether these two incidents (the breach reported on the 2nd and the JPMorgan Chase SMS phishing spam on the 1st) are related. Our estimation is that it is doubtful the two are connected. SMS bank phishing attacks are unfortunately quite common and persistent, and many bank brands are targeted over time, so the targeting of JPMorgan may just have been a coincidence. In addition, this attack was relatively small, and so far we see no indication that it was executed differently from these attackers' normal pattern.

That is not to say that we haven't or won't see attacks in the future that use this information. As others have stated, the acquisition of information relating to the majority of households in the US will be of immense value to phishers. If the attackers do decide to sell on their information for use in phishing attacks, the sudden appearance of millions of contact details is likely to lead to a drop in the price of this information in the criminal underground due to oversupply (something that has potentially been observed in other breaches), leading to targeted phishing attacks becoming cheaper to execute, and so more people being at risk of fraud. So while the original breach may not have directly led to an increase in fraud, the information leaked has already indirectly increased the risk of being targeted. This one may affect us for quite some time.


Take Two: Selfmite.b Hits the Road


At the end of June we reported on a new SMS worm dubbed Selfmite. Fortunately the number of infections at the time was not large, due to the fast action that we took, including notifying Google about the malicious goo.gl URL used by the worm. The worm used a legal advertising platform and pay-per-install scheme for monetisation, as described in our blog entry about the first version of the Selfmite SMS worm. However, in the last few days we have discovered and have been tracking a new version of this worm. Selfmite is back, and it has some serious improvements.

Description and statistics

Selfmite.b is still an SMS worm with similar functionality but a different approach. Its code is injected into a trojanised version of the legitimate Google Plus app, which appears after the malware installation. This is different from the original version of Selfmite. Second, Selfmite.b uses a configuration file, downloaded by the worm from hxxp://209.190.28.50/setting.php, which contains the SMS spam message, the URL and other data used by the worm:

Selfmite.b configuration file

The worm uses one of the following SMS texts:

Hi buddy, try this, its amazing u know.http://x.co/5****

Hey, try it, its very fine.http://x.co/5****

If you read the description of the first version of the Selfmite worm you will notice that it was designed to send an SMS message with a link to itself to the first 20 contacts in an address book. The second version of Selfmite goes a lot further and sends one of the messages above to all the contacts. In a loop. This means that potential victims will continue to receive malicious SMS messages from an infected phone until either the operator detects and blocks these messages or the owner of the infected phone removes the malware. According to our data, Selfmite.b is responsible for sending over 150k messages during the past 10 days from a bit more than 100 infected devices. Plus, this time Selfmite.b victims can be found all over the globe; infected phones have been found in 16 countries: Canada, China, Costa Rica, Ghana, India, Iraq, Jamaica, Mexico, Morocco, Puerto Rico, Russia, Sudan, Syria, USA, Venezuela and Vietnam. To put this into perspective, that is over a hundred times more traffic generated by Selfmite.b compared to Selfmite.a.

We notified Go Daddy about the malicious x.co URLs and at the moment both shortened URLs have been deactivated. But the fact that the author(s) of the worm can change the URLs remotely using the configuration file makes it harder to stop the whole infection process.

What does this all mean? First, it means nothing good for any victim of the Selfmite.b worm. As well as spamming all their contacts, the owner of an infected phone can face huge bills due to the large number of SMS messages being sent by the worm. Besides that, huge amounts of traffic from a single phone can affect the operator's network and may lead to the phone number being blocked for spamming.

Monetisation

Selfmite.b has some improvements in this area as well. The first version of this SMS worm used Mobogenie application installation and a pay-per-install scheme. This time the authors decided to track the victim's IP address in order to serve different results depending on the user's origin.

The malware uses two different ways of monetising the infection.

The first way is that the worm creates icons with similar names on the desktop pointing to two different URLs. The icon names and URLs are obtained from the following file hosted on the C&C: hxxp://209.190.28.50/icon.php

File icon.php used by Selfmite.b

Selfmite.b creates the following icons on a mobile desktop:

Icons created by Selfmite.b

If the user clicks on one of the icons, the content received depends on their country of origin. For example, if a user is from Ireland they will be redirected to the following premium subscription page:

Geo-targeted premium subscription page

In the case of a Russian IP address, an automatic download of the Mobogenie app (as happened with the first version of the Selfmite worm) will start.

The second way of monetising is through the trojanised Google Plus app. First, when the user opens this app, it tries to point to a certain app in Google Play (which one depends on the current configuration file). Second, when the user exits Google Play, an unsolicited subscription website opens in a browser on the phone. In both cases the malware author(s) use advertising and referral networks to monetise this behaviour.

The content of the subscription page may vary:

Various versions of subscription pages

Conclusion

It looks like this new version is 'Selfmite on steroids'. It has a far more aggressive self-propagating mechanism and therefore a bigger number of victims. Plus, its many ways of monetisation together make Selfmite.b a really serious issue. We continue to monitor the situation and will keep you posted with any updates.

googleplus.apk MD5: 1bf7a3639bf81e2260547fe5e04f864c

Thanks to Yicheng Zhou and Cathal Mc Daid for contribution.

P.S. What happens if a spam message is received by an iOS user? After clicking on one of the malicious shortened URLs, the user will be redirected to a fitness app in Apple's App Store:

Selfmite.b: Follow-up and Update


On the 8th of October we published information about the new version of the Selfmite SMS worm we detected – Selfmite.b. We think that it is necessary to update our readers with a few additional facts and figures, to give some additional information and to correct some misconceptions.

1. At the moment we have detected over 200 active infected devices all over the globe.


2. We’ve been monitoring the worm continuously and we haven’t tracked any changes in the setting.php file, which contains all the data used by the Selfmite.b worm, including which URLs to include in the message sent to all contacts. In other words, the URLs pointing to the malicious file are the same as when the previous blog entry was published. As we requested that these URLs be disabled, the worm cannot currently propagate any further unless the URLs change.


3. There’s no doubt that the first version of the Selfmite worm (Selfmite.a) had a limit on sending SMS. Its SMS sending routine is capable of sending malicious SMS messages only to the first 20 contacts found in the address book of an infected device:

Selfmite.a SMS sending routine

4. There’s no doubt that the configuration file of the second version of Selfmite contains the following string, as was pointed out by other security companies:

SMS_LIMIT===5

But at the same time, this parameter, which might have been intended to set a limit on the number of SMS messages sent from a single infected device, is actually not used by the Selfmite.b worm. Here’s the SMS sending routine of the Selfmite.b worm, which uses two other parameters from the setting.php file (SMS_TEMPLATE and SMS_OFFER):

Selfmite.b SMS sending routine

There is no equivalent usage of SMS_LIMIT in the code. So it’s not correct to say that this worm is less virulent than Selfmite.a, as this is based on a parameter that is not actually used. The current version (Selfmite.b) will send to all contacts if possible, regardless of what SMS_LIMIT is set to.

5. The second piece of evidence that a Selfmite.b infected device will generate a lot of SMS traffic is the number of SMS messages actually sent. As we are active and blocking in several of the affected networks, we can say that the infected devices we’ve seen have sent tens of thousands of SMS:

SMS traffic generated by Selfmite.b

Based on the code and on what has happened in real life, we can confidently state that this version of Selfmite is more virulent and widespread.

Koler ‘Police’ Ransomware Gets its Worm On


Over the last 24 hours we have seen a new variant of the Android ransomware known as Koler become active in the United States.

Koler is a piece of malware that blackmails users of infected phones by blocking the screen with an intimidating fake law enforcement notification page and scaring the victim into paying a “fine” to unlock their phone. This type of malware was first spotted in May this year blackmailing victims on Android devices. In July new reports suggested a new version that can also target PCs.

This time, though, we have detected a new strategy to spread the infection. In this new variant of Koler (Worm.Koler) we found that it is now capable of self-replication via SMS messages, containing a bit.ly URL, which are sent to contacts in the address book of an infected device. This appears to be an attempt by the malware writer to improve the infection rate over earlier versions, which relied on hiding the malware in porn sites.

The attack starts with the victim receiving an SMS message from a phone number of someone they know that states:

someone made a profile  named -Luca Pelliciari- and he uploaded some of your photos! is that  you? http://bit.ly/xxxxxx

Interestingly, the message has also been used in a Facebook scam in February this year, spread through Facebook’s own messaging channel. It’s possible that the malware author decided to use this text because they believed it was good text content to ‘hook’ unsuspecting recipients into clicking on the link.

Hosting Page For Worm.Koler on DropBox

When a potential victim clicks on the link, they are redirected to a Dropbox page that offers a ’PhotoViewer’ app to download. Once installed, it blocks the user‘s screen with a fake FBI page, which states the device has been blocked for containing child pornography and zoophilia. The user then has the option to ‘wave the accusations’ and unlock the device by paying the “fine” using a MoneyPak voucher.

Worm.Koler as 'PhotoViewer'

The device appears to be completely locked down, with the screen on the phone blocked, so the user won’t be able to close the window or deactivate the malware through the app manager. The victim is forced to buy a voucher as instructed on the blocking page and send the voucher code to the malware author.


Koler Ransomware App

It appears that the Worm.Koler malware writer(s) are trying to combine the techniques we have seen with SMS worms like Selfmite with an Android ransomware attack. As we have seen in the recent Selfmite outbreaks, SMS worms spread the infection by spamming the victim’s contacts with text messages that contain a download link to the .apk file. It’s also easier to trick a recipient into downloading and installing malware via worm techniques, as the message comes from someone known to the person.

SMS sending routine

One interesting difference between this version of Koler and other SMS worm methods is that Worm.Koler sends to all contacts only once, while in comparison Selfmite.b sends to all contacts in a loop.

Due to Worm.Koler’s SMS distribution mechanism, we are seeing a rapid spread of infected devices since the 19th of October, which we believe to be the original outbreak date. During this short period, we have detected several hundred phones that exhibit signs of infection, across multiple US carriers. In addition, other mobile operators worldwide, predominantly in the Middle East, have been affected by this malware. We have already blocked several thousand worm messages being sent by infected devices on customer networks in North America as Worm.Koler attempts to spread further via worm techniques.

As suggested by the statistics from bit.ly, the malware has reached a large population: while the majority of clicks have been from the US, quite a few people around the world have reached the malware apk through the bit.ly short URL. As a result, we are expecting more infected devices to appear in the coming days.

Source: bitly.com statistical service

To combat this threat, we have requested bit.ly to disable the link, and contacted Dropbox to remove the malware file. We are also actively blocking the message on our customer networks. In the interim, however, if you receive the message you should not click on the link, and you should report it to your operator.

If you are unfortunate enough to be infected by the malware, you should never pay the ransom, as it won’t guarantee the unlocking of your device, and it will further encourage criminals to participate in such ransom activity.

You can use following steps to remove the malware:

  1. Reboot the phone into “Safe Mode”. Consult your phone manual for instructions on how to do this. Common device requirements are to hold the volume up and volume down buttons simultaneously when restarting.
  2. Remove the ‘PhotoViewer’ app using the standard Android app uninstallation tool.
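The propagation pattern described for Selfmite.b (the same template with an x.co link re-sent to the whole address book in a loop) and for Worm.Koler (a bit.ly link sent to every contact once) is something an operator can pick out of message records without knowing the malware itself. The following is an added example, not AdaptiveMobile's detection code: it flags a sender that fans out one normalised message template carrying a shortener link to many distinct recipients in a short window, and labels the sender as looping or single-pass. The log format, thresholds, phone numbers and shortener paths are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# URL shortener hosts used by the worms discussed on this page: goo.gl by
# Selfmite.a, x.co by Selfmite.b and bit.ly by Worm.Koler.
SHORTENER_HOSTS = {"goo.gl", "x.co", "bit.ly"}
URL_RE = re.compile(r"https?://\S+")

# Thresholds are assumptions chosen for this example, not values from the page.
MIN_DISTINCT_RECIPIENTS = 5      # fan-out needed before a sender is flagged
WINDOW = timedelta(minutes=30)   # fan-out must happen inside this window


def shortener_links(text):
    """Return the shortener URLs found in an SMS body."""
    return [u for u in URL_RE.findall(text)
            if urlparse(u).netloc.lower() in SHORTENER_HOSTS]


def normalise(text):
    """Collapse case and replace URLs with a placeholder so that messages
    differing only in the shortened link compare as the same template."""
    return URL_RE.sub("<url>", text.lower()).strip()


def parse_log(lines):
    """Parse constructed records of the form 'iso-timestamp|sender|recipient|text'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, sender, recipient, text = line.split("|", 3)
        records.append((datetime.fromisoformat(ts), sender, recipient, text))
    return records


def find_worm_senders(records):
    """Flag senders that push one message template carrying a shortener link
    to many distinct recipients in a short window, and classify whether they
    re-send to the same contacts (Selfmite.b loops over the address book)
    or hit each contact once (Worm.Koler)."""
    by_sender = defaultdict(list)
    for ts, sender, recipient, text in records:
        if shortener_links(text):
            by_sender[sender].append((ts, recipient, normalise(text)))

    verdicts = {}
    for sender, msgs in by_sender.items():
        msgs.sort()  # chronological, so each template list below is sorted too
        templates = defaultdict(list)
        for ts, recipient, template in msgs:
            templates[template].append((ts, recipient))
        for template, sends in templates.items():
            # Largest number of distinct recipients reached inside any window
            # starting at one of this sender's messages.
            peak = 0
            for i, (start, _) in enumerate(sends):
                reached = {r for t, r in sends[i:] if t - start <= WINDOW}
                peak = max(peak, len(reached))
            if peak < MIN_DISTINCT_RECIPIENTS:
                continue
            distinct = len({r for _, r in sends})
            repeats = len(sends) - distinct
            verdicts[sender] = {
                "template": template,
                "distinct_recipients": distinct,
                "repeat_sends": repeats,
                "pattern": "looping" if repeats else "single-pass",
            }
    return verdicts


def sample_log():
    """Constructed SMS records (not real traffic): one Selfmite.b-style sender
    that loops over six contacts twice, one Worm.Koler-style sender that hits
    five contacts once, and an ordinary user sharing a single bit.ly link.
    The shortener paths are placeholders, not the live campaign links."""
    base = datetime(2014, 10, 20, 9, 0, 0)
    selfmite_text = "Hi buddy, try this, its amazing u know.http://x.co/5xxxx"
    koler_text = ("someone made a profile named -Luca Pelliciari- and he uploaded "
                  "some of your photos! is that you? http://bit.ly/xxxxxx")
    rows = []
    for pass_no in range(2):
        for i in range(6):
            t = base + timedelta(minutes=pass_no * 10 + i)
            rows.append(f"{t.isoformat()}|+15550000001|+1555100000{i}|{selfmite_text}")
    for i in range(5):
        t = base + timedelta(minutes=i)
        rows.append(f"{t.isoformat()}|+15550000002|+1555200000{i}|{koler_text}")
    rows.append(f"{base.isoformat()}|+15550000003|+15553000000|"
                "see this http://bit.ly/abc123")
    return rows


if __name__ == "__main__":
    for sender, verdict in find_worm_senders(parse_log(sample_log())).items():
        print(sender, verdict)
```

Because the template is compared with the link stripped out, the check keeps working when the author rotates the shortened URL through the configuration file, as this page notes Selfmite.b can do.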

IMG_7821.apk MD5: c7ee04bf3e42640ef6b5015b8af01f4f

Thanks to Denis Maslennikov and Cathal Mc Daid for contribution.

AdaptiveMobile presented with Network Management Excellence accolade at the Telecoms.com Awards 2014


AdaptiveMobile is delighted that it has been presented with the first ever ‘Network Management Excellence’ award at the Telecoms.com Awards 2014. AdaptiveMobile was recognised for its distinguished mobile network security services at the awards ceremony last night.

Receiving the Network Management Excellence award confirms AdaptiveMobile’s status at the forefront of identifying and neutralising emerging mobile-borne threats, including most recently the self-propagating Selfmite SMS worm, a new generation of Android malware. In June 2014, AdaptiveMobile was the first to uncover the Selfmite worm which was used to abuse legal ad services and pay-per-install schemes.

The exponential increase in devices with network capabilities has been mirrored by a rise in network security threats; at AdaptiveMobile we anticipate and eliminate such threats before the end user can be affected. AdaptiveMobile’s unique big data analysis capabilities witness over 30 billion mobile events every day from every region of the globe – the equivalent of 10.9 trillion events per year. Every day at AdaptiveMobile, we filter more than 2 billion SMS messages, secure 55 million emails, protect more than 18 billion instant messages and filter more than 8 billion web requests. We are certain that this level of diligence and protection secured us the award last night.

AdaptiveMobile’s win was also influenced by our own growth levels over the past 18 months. AdaptiveMobile’s security solutions are now deployed in 9 out of the top 10 mobile operator groups globally (excluding China), protecting over 1 billion subscribers from mobile security threats.

The significant growth of AdaptiveMobile’s operator customer base across the board is in line with analyst forecasts on the growth of the messaging security market, with the SMS security market alone forecast by Infonetics to be worth $1billion by 2018.

As enterprise mobility strategies such as BYOD bring more potential unprotected devices into the enterprise, exposing businesses to new threats out of their control, this year AdaptiveMobile introduced its cloud-based Enterprise Mobile Security Management (MSM). The hosted, white-label security solution is now in over 20 trials with operators worldwide. The MSM solution increases the value of AdaptiveMobile’s relationship with mobile operators, delivering integrated end-to-end security for the enterprise.

The award itself was introduced by popular demand to reward companies that provide network management services that facilitate more efficient control over network infrastructure. The award was judged on evidence of where the use of these services has materially assisted the client. We are very proud of our accomplishment and will continue to improve our solutions to maintain our status as the number one worldwide mobile security provider.

Taking up the Gauntlet: SS7 Attacks


There have been several recent reports in the media on the results of new research into the SS7 network. This interesting research outlines a series of techniques potential attackers can use to listen in to the calls and read the text messages of others. An obvious question for those of us in the telecom security industry is whether the threat is real and what we should do to address it. In considering an answer, we can look at a little-reported incident that occurred in Ukrainian mobile networks earlier this year.

Last May, a report was issued by the Ukrainian Telecom Regulator (NKRZI[1]). This document, which went essentially unreported by the press outside of Ukraine and Russia, contains the results of the investigation by the NKRZI, assisted by the Ukrainian Security Service (SBU), into telecom network activity over several days in MTS Ukraine. The key finding of this report was that over a 3-day period in April 2014, a number of Ukrainian mobile subscribers were affected by suspicious/custom SS7[2] packets from telecom network elements with Russian addresses, causing their location and potentially the contents of their phone calls to be obtained.

The 'attacks' outlined in the document involved SS7 packets being sent between the mobile operators. Without going into specific details, what occurred is that a series of SS7 packets were received by MTS Ukraine's SS7 network which modified control information stored in network switches for a number of MTS Ukraine mobile users. As a result, when someone tried to ring one of the affected mobile subscribers, their call would be forwarded to a physical land line number in St. Petersburg, Russia, without their knowledge; in effect the call had been intercepted. There is a further step that could be taken for the interception, not outlined in the original Ukrainian report but suggested by the Washington Post article: the forwarded-to number could have initiated a new call to the original targeted subscriber and then conferenced in the intercepted call, thus allowing itself to listen in to the call without the participants being aware.

In the document, the investigation stated that the custom SS7 packets themselves came from links allocated to MTS Russia, the parent company of MTS Ukraine. The Ukrainian regulator then assigned responsibility for the nodes that generated the SS7 packets based on the origination addresses in the packets received. According to the report, some of the SS7 source addresses that originated the attack were assigned to MTS Russia, while others were assigned to Rostov Cellular Communications.

It's important to keep in mind that this is the report from one side only, and it states that they “draw conclusions about the potential for the interference with operation of telecom networks on the part of the PSTN area in the Russian Federation”; however, in the report the regulator felt that MTS Ukraine was not doing enough to maintain the privacy of subscribers' locations and call forwarding routes. For its part, MTS Russia denied that the SS7 address used was under its control, thus leaving the ultimate instigator a mystery. Indeed, in subsequent follow-ups it was reported that MTS Ukraine was not alone in being at risk, as the Ukrainian Telecom Regulator stated at a later date that Astelit and Kyivstar – the other main Ukrainian mobile operators – also experienced ‘external interference’. Whilst we don't have information on the exact subscribers affected, there have been examples of very sensitive phone calls being intercepted by unknown means within the region, when using non-government-issued cell-phones. It is purely speculation on our part, but the same SS7 techniques outlined in the report could conceivably have been used to help achieve these interceptions.

Looking forward, an unfortunate, but seemingly inevitable, side-effect of these techniques is that countries that have been adversely affected by SS7 attacks will attempt to build their own capability, leading to an ‘SS7 arms race’. This has already been experienced in Ukraine, where new legislation has been submitted that one media source stated will allow their security services to legally listen in turn to subscribers of foreign mobile operators, track their location and obtain ‘other’ information about the activity of subscribers. Taken to extremes between countries, this would lead to a form of ‘mutually assured surveillance’, with mobile operators and mobile phone users on both sides suffering.

The Ukrainian report, and the recent research that has been released, show us that we have moved into uncharted territory. Yes, there is a threat, and it is real, as the above example shows; however, it does require considerable technical expertise to do this level of network interference: not only to run and operate SS7 nodes capable of doing this, but especially to gain access to the SS7 network in the first place. Plus, the nature of the risk is very different: consider that there are more users of the SS7 network worldwide than there are users of the internet, yet the number of attacks on IP networks every day dwarfs what is known to occur over SS7. The SS7 network is working as designed, but 'bad actors' are increasingly trying to exploit it. The real danger is that we assume nothing can be done to fix the problem and it will just get worse as more 'bad actors' try to get access. As has been said by others, as an industry we need to work together to define recommendations and implement solutions to detect and stop potential attacks, because defences are possible and can make a difference if deployed correctly.

This coordination is already well underway, and AdaptiveMobile are helping to contribute to this, but no-one should doubt the amount of work and effort that will be required to completely secure the SS7 network from organisations that would seek to exploit it. However, at the same time it would be a mistake for those using these techniques offensively to assume that their activities & methods have gone unnoticed. We are now entering the more public stage of a struggle in which the gauntlet was thrown down some time ago.


Example AdaptiveMobile visualisation of SS7 activity between several mobile operators over a short time span, looking for abnormal behaviour. Colours represent a selection of different SS7 packet types. The 'clumps' are groups of similar SS7 node types. While unrelated to the events described in the report, the purpose of such work is to help investigate ways in which to detect malicious or unusual SS7 behaviour in networks. Such methods will be called on increasingly in the future to help detect and block unwanted SS7 activity.


References:

[1] National Commission for the State Regulation of Communications and Information (Національна комісія, що здійснює державне регулювання у сфері зв`язку та інформатизації)

[2] Signalling System 7 (SS7) is a catch-all term for a telecom network technology that is used by hundreds of cellular companies to allow them to operate and communicate with each other; it is the protocol used by telecom nodes within cellular networks to provide mobility control, network registration, call and text setup, etc. In short, it enables mobile devices to communicate and roam globally, and it allows mobile operators to control and bill this activity. All pieces of network hardware that operate in the core network use SS7 to interoperate with the rest of the network.

Singapore SMS Worm Goes International


Over the last 24 hours we have detected a new version of the SMS worm for Android that Singapore's Computer Emergency Response Team (SingCERT) detected and warned about earlier. Once it was reported by SingCERT, the original worm (which has many different names, including Dowgin, Nxuul & SmsLink) was profiled by AV companies as functioning as a worm that spread a lot like the Koler.Worm ransomware. However, the new version we have found seems considerably more advanced and sophisticated.

It uses the same worm mechanism, but has been designed to spread in multiple languages - not just in English like the original version, but in 37 different languages - depending on the host device. In addition, the new version has several new security features. Overall, this new version of the worm seems designed to take the malware infection to different parts of the world, as well as to be harder for mobile security companies to analyse.


The infection begins when the subscriber receives a text message; in the original version it was this:

<Name> Is this your photo?
<Shortened link>

Where <Name> was selected from the contact list of the infected phone that sent the text message. In the new version, the text can be the equivalent phrase in any one of 37 languages. If the user clicks the link, they are given the option to install the application.

Once the application is installed, it is displayed as a 'PhotoViewer' app.

If the user clicks and opens the app, things get dangerous. When the malware starts it displays terms and conditions; if the user clicks 'ok' it brings up a picture. The icon then hides itself from the screen.

Some important notes on what’s really happening:

  1. The ‘cancel’ button in the terms and conditions is actually unusable - the user cannot cancel.
  2. The malware monetizes itself by displaying advertisements which the user cannot exit, which in effect makes the phone unusable. How soon the phone gets locked up depends on the network connection. Once the app starts up, the advertising displays itself by adding a transparent layer to the screen. The various advertising libraries embedded in the malware then start pulling advertising from the internet to overlay on that layer. This means the phone is essentially 'locked up', as all subsequent clicks by the victim land on the ads or on the transparent layer and produce money for the malware authors. In fact the ads are so aggressive that they can start appearing even before the terms and conditions are accepted (as seen below).

Selection of Advertisements being displayed:


Background:

The malware C&C address is hardcoded in the malware, and from it the malware downloads various files. Two files of note are:

t.txt

We believe this file is a DES-encrypted config, most likely containing the shortUrl link to be used in the text for downloading the APK, along with some other settings.

json.txt

This contains ISO 639-1 language codes and the corresponding text. The languages selected are a mix of mainly European & East Asian languages - including English, Arabic, Spanish, German, Chinese, Japanese, Korean, Hindi, Russian, French - along with many others; see the bottom of this blog for the full list of languages and strings used.

The language used to populate the SMS worm text string is selected from the default language on the device:

The use of the local language makes sense for an SMS worm-based mechanism, as recipients of the message would be less likely to click on the link (even from their friend) if it was not in a language they speak. We have previously seen that spam that spreads using the local language makes a better 'fit' for SMS spam, and this case is no exception.

The malware then selects the people to send the spam message with the malware link to by cycling through the user’s contact list:

As well as having a vastly increased range of strings to use, and so many additional countries in which it could propagate, the new version of the malware contains many security enhancements, which seem to have been introduced to provide additional protection from detection & analysis:

  1. More sophisticated obfuscation of the code.
  2. Using encryption to protect information, including the ad API accounts, as well as the short URL shown previously:
  3. The use of a WeChat micromessage (weixin) connection to report back information. This is a previously unseen development, and may herald the start of more usage of methods like this to try to hide communications/reporting.

The number of infected devices is still being determined, but as the malware outbreak is potentially only starting, it is not likely to be high in the early stages. To ensure this remains the case, mobile phone users in the affected areas should be wary of the strings below. Which particular area is being targeted depends on the initial outbreak and the strings used. The earlier version was mostly reported in East Asia, especially in the Singapore area, and based on the languages used in this version to propagate (including rarer ones such as Lao & Khmer), it seems likely that this region is again a main target.

On the other hand, this version has been packaged with a full selection of languages from other parts of the world - including many European languages large and small - so it is not restricting itself. This local-language selection seems to be one of the main innovations of this malware, and one we are likely to see again. Initial detections by us have so far been in the North American area; however, we will continue to monitor for this infection worldwide.

As always, to protect yourself you should:

  • Do not click on a link if you do not trust the contents.
  • If you install the malware by mistake, you can use the following steps to remove it:
    • Reboot the phone into “Safe Mode”. Consult your phone manual for instructions on how to do this. A common method is to hold the volume up and volume down buttons simultaneously when restarting.
    • Remove the ‘PhotoViewer’ app using the standard Android app uninstallation tool.


Thanks to Yicheng Zhou, who analysed the malware and produced the research on which this blog is based.


MD5: 7d0d14e96f26350bd27d85634e826969

Languages/Strings:

HeadsUp for WhatsApp


OTT messaging apps are big business. At the very start of 2015, the world’s biggest messaging app, WhatsApp, announced they were handling up to 30 billion messages a day. This is an impressive figure and a sign of the growth that messaging apps have experienced. However, there are signs that their scale is beginning to attract unwanted attention: namely, criminal groups who have made it their business to spam on other messaging bearers like SMS now seem to be moving, or being pushed, to do the same on OTT messaging apps. Let’s take a look at spam on the biggest messaging app: WhatsApp.


WhatSpam

A few weeks ago we monitored the image spam below being received by Irish & UK WhatsApp subscribers in a wave of attacks. The spam itself was an investment advertisement from US numbers. This spam type in itself was not surprising, but what is surprising is how relatively limited WhatsApp spam has been in the past. However, this seems to no longer be the case.

As well as this investment spam, which seemed to be concentrated in a few waves, WhatsApp users in Europe have over the last few weeks been targeted with more constant spam attacks that have been seen directly on other bearers. The currently most reported attack on social media[1][2] is the fake handbag/luxury goods spam:


The links in these messages lead to the respective websites, which sell fake copies of the goods mentioned:


This spam, which has been reported from Chinese mobile numbers, is very similar to the same type of spam which was implicated in a Chinese-originated iMessage spam attack in 2014 that affected primarily the US, but also other countries. An example iMessage spam from July 2014 is below, which you can see is clearly similar to the WhatsApp examples. Due to the massive decline in the amount of SMS spam in America, this attack gained prominence as it occupied a large percentage of the remaining spam being reported at the time. The presence of the same kind of attacks clearly indicates that these types of spammers have decided to switch, or at least diversify, onto WhatsApp.

Another sign of cross-over of spam from one bearer to another was the reporting of mobile malware being spread by WhatsApp in the last week. In this analysis it was also reported that the malware - termed SocialPush by Lookout - was being spread by Twitter; however, in addition we (AdaptiveMobile) also detected this same malware being spread by SMS – meaning the malware authors, or other users of it, decided to distribute it over multiple popular messaging systems regardless of type. Other WhatsApp spam types, such as the porn-conversation ads[3][4] shown below, have begun being received in the Middle East, primarily from Indian mobile numbers. While not the same criminal group, and so not directly connected, the method used matches the porn bot spammer group which operated originally on Yahoo and AIM, and is now present on Kik Messenger.


The total scale of these individual spam attacks over WhatsApp is hard to tell, but if anything, it does seem clear that WhatsApp is joining the ranks of messaging systems which now have a functioning and active spam ecosystem, and the contributors to this spam are being affected by and coming from other messaging systems.


For a Few Rupees More

While other regions are being affected by spammers gradually moving into WhatsApp, one country in particular has faced a massive influx of spammers moving onto the messaging app – for reasons that should actually have had no impact on WhatsApp. The country where WhatsApp spam seems the worst is India, and here it is increasing, bizarrely, due to government regulation.

In September 2011 the TRAI’s (Telecom Regulatory Authority of India) anti-spam regulations for SMS came into force for mobile operators in India. These enforced fines against mobile operators for every single incident of SMS spam reported by subscribers. While it took some time for these regulations to be implemented, the results in the last few years have been highly successful. In one Indian mobile operator that AdaptiveMobile is actively filtering in, reported SMS spam has dropped by nearly 97% in 2014 alone (see below), and by over 99% since filtering was introduced, with a ‘steady state’ indicated for the last 10 months. To give another comparison, a net result is that the background rate of spam actually sent and blocked - in another Indian operator AdaptiveMobile is active in - is now roughly around 0.12%. This is over 350 times lower than China, which reported a rate of about 45% spam as a percentage of all messages in 2014.

However, this success seems to have led to spammers in India changing tactics, and in this case one of those tactics is to switch to sending spam via WhatsApp. First reported in early 2014, the trend is confirmed by recent news reports from India, which indicate that while operators there say they are now winning the fight against SMS spam, spam sent over internet-based messaging such as WhatsApp is a major new front of unsolicited messaging. This unsolicited messaging covers many different types of spam, but primarily tends to be a whole range of unsolicited advertisements, such as below:


Economically, it is now very cost-efficient to send WhatsApp spam in India. One report explains that prices for WhatsApp advertising text messages bought in bulk are now as low as 0.21 Rupees (around 0.3 of a US or Euro cent), and not much higher for image messages. In fact, just browsing the internet you can find even lower deals; here you can see offers for advertising WhatsApp messages at 0.18 Rupees. It’s interesting that on the same website SMS costs for the equivalent bulk deal are 0.09 Rupees, meaning WhatsApp spam is still twice as expensive to send as SMS spam. This may not be the case for long - the price (of WhatsApp advertising) was much higher in the past and will probably continue to drop.

So what do you get for your extra 0.0015 dollars? Well, for one, it's still more complicated for the spam provider to set up and send via WhatsApp, so those costs must be covered. But beyond that, sending via WhatsApp allows advertisers using the 'service' to send longer messages, and images if required. However, one main reason spammers are switching to sending on WhatsApp is because they are exploiting a loophole in the anti-spam regulations. As an IP service, which users optionally sign up for, and not a ‘core telecom service’, WhatsApp is not covered by the Do-Not-Disturb requirements, leading to a thriving industry offering to send spam over WhatsApp. This fact is even pointed out by spammers spamming their services to those who wish to advertise – see the example we have highlighted below – which clearly spells out the advantage of WhatsApp as being legally able to send to DND (do not disturb) numbers. Government intervention, it seems, has given SMS spammers a perfect reason to move to WhatsApp in India.


Return to Sender

The source of these spam messages is also useful in our analysis. One of the benefits of WhatsApp is that the cost of sending international messages is irrelevant, and so the source number can be from anywhere. The same is the case for WhatsApp spam, with investment spam originating from the US but being received in Europe, luxury goods spam originating from China and also being received in Europe, and porn spam originating from India but being received in the Middle East. If we dive deeper into the numbers used, we can also see evidence of a more complex spamming structure emerge.

From analysing the US numbers reported sending WhatsApp spam worldwide, we found that many of them belong to VoIP operators, meaning they can be assigned virtually. This is interesting, as numbers that can be assigned virtually would be valuable for WhatsApp spam purposes: in the case of WhatsApp account closures, spammers could simply use new VoIP virtual numbers to create and validate new accounts and continue sending WhatsApp spam. The use of VoIP numbers has been common in SMS spam in the last 1 to 2 years in the US, as ‘real’ numbers have become less attractive for sending spam due to aggressive shutdowns. This reuse of the same methods from other messaging spam types – using VoIP numbers - along with the same scams, means that the WhatsApp spammers are not ‘native’ spammers, but incoming groups who have operated on other types of messaging, and who come to WhatsApp with extensive experience.

What is WhatsApp to do? Well, recent updates from Germany draw some attention to how WhatsApp now deals with spammers, with temporary exclusions being put in place if users send to too many users who do not have them as a contact, and have been blocked by too many people in a short period of time. Some of these techniques are innovative and useful – as they use the ‘reporting’ of blocked users to build a reputation, and also use the contacts uploaded by WhatsApp users as a form of validation. The principle behind this is that if both parties in a conversation have each other as a contact, then they should be permitted to send to each other.

Unfortunately though, there are failings. The above methods are behaviour-based and may occasionally generate 'false positives' (senders flagged as spammers that are not). For example, if someone lost their phone, received a new number, and sent a WhatsApp message to all their old contacts, they might trigger the above restriction. This would be why these restrictions lead to temporary, not permanent, blocking of the WhatsApp account. Optimisation of these restrictions to prevent false positives is likely to be a long-term effort. More seriously, at the moment it is not possible to actually report the spam message content to WhatsApp, nor can users restrict WhatsApp messages to be received from contacts only – in effect forming a whitelist of approved senders. This second point, of not introducing a whitelist, is probably a deliberate design decision to ensure that new WhatsApp users can contact people within the app without having to resort to SMS or other apps. In addition, one security feature that WhatsApp has already implemented - end-to-end encryption - rules out several of the methods that messaging systems use to deal with spam.
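To make the behaviour-based restriction and its lost-phone false positive concrete, here is an added model of the mechanism described above (example code, not WhatsApp's or AdaptiveMobile's): non-contact sends and block reports are counted per sender in a sliding window, crossing either threshold restricts the sender temporarily, and the scenarios include the new-number case. Window length, thresholds, cooldown and all phone numbers are constructed for the example.

```python
from collections import Counter, defaultdict, deque


class SenderRestrictor:
    """Temporary, behaviour-based sender restriction as described in the post.

    Two signals are kept per sender in a sliding window:
      * sends to recipients who do NOT have the sender in their address book
      * block reports filed about the sender by recipients
    Crossing either threshold restricts the sender for `cooldown` seconds.
    Thresholds, window and cooldown are assumed values for this example.
    """

    def __init__(self, contacts, window=600, max_noncontact=20,
                 max_blocks=5, cooldown=3600):
        self.contacts = contacts                # number -> set of numbers it has saved
        self.window = window
        self.max_noncontact = max_noncontact
        self.max_blocks = max_blocks
        self.cooldown = cooldown
        self.noncontact = defaultdict(deque)    # sender -> timestamps of non-contact sends
        self.blocks = defaultdict(deque)        # sender -> timestamps of block reports
        self.restricted_until = {}              # sender -> time the restriction lifts

    def _prune(self, events, now):
        # Drop events that have aged out of the sliding window.
        while events and now - events[0] > self.window:
            events.popleft()

    def is_restricted(self, sender, now):
        return self.restricted_until.get(sender, 0) > now

    def send(self, sender, recipient, now):
        """Return 'delivered' or 'restricted' for one message attempt."""
        if self.is_restricted(sender, now):
            return "restricted"
        # Contact validation: a recipient who saved the sender vouches for them.
        if sender not in self.contacts.get(recipient, set()):
            events = self.noncontact[sender]
            events.append(now)
            self._prune(events, now)
            if len(events) > self.max_noncontact:
                self.restricted_until[sender] = now + self.cooldown
                return "restricted"
        return "delivered"

    def report_block(self, sender, now):
        """A recipient blocked `sender`; enough blocks in the window restrict them."""
        events = self.blocks[sender]
        events.append(now)
        self._prune(events, now)
        if len(events) >= self.max_blocks:
            self.restricted_until[sender] = now + self.cooldown


def run_scenarios():
    """Constructed address books and traffic; returns per-scenario outcome counts."""
    friends = ["+1555010%02d" % i for i in range(30)]         # 30 people (constructed)
    contacts = {f: {"+15550001"} for f in friends}            # they all saved Alice's OLD number
    contacts["+15550001"] = set(friends)                      # ... and she saved them
    contacts["+15550002"] = set(friends)                      # Alice's NEW number after losing her phone
    contacts["+15550003"] = {"+15550004"}                     # Bob and Carol saved each other
    contacts["+15550004"] = {"+15550003"}
    r = SenderRestrictor(contacts)
    out = {}

    # 1. A spammer blasts 25 strangers within a minute: restricted once over the threshold.
    out["spammer"] = Counter(r.send("+15559999", f, 1000 + i)
                             for i, f in enumerate(friends[:25]))

    # 2. False positive: Alice's new number messages her 30 old contacts, who have
    #    only her old number saved, so every send counts as a non-contact send.
    out["new_number"] = Counter(r.send("+15550002", f, 2000 + i)
                                for i, f in enumerate(friends))

    # 3. Mutual contacts chatting heavily are never counted.
    out["friends"] = Counter(r.send("+15550003", "+15550004", 3000 + i)
                             for i in range(50))

    # 4. Block reports alone can restrict a sender, even with few sends.
    for i in range(5):
        r.report_block("+15558888", 4000 + i)
    out["blocked_sender_restricted"] = r.is_restricted("+15558888", 4005)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, dict(result) if isinstance(result, Counter) else result)
```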


You Can Please Some of the People..

End-to-end encryption means that messages are encrypted in transit from one handset to another, without the WhatsApp servers routing the message, or any other entity, being capable of decrypting the messages in transit. While laudable, there are trade-offs to this decision, and in this case it also means that spam filters within the WhatsApp servers cannot extract features from encrypted WhatsApp message content in order to apply anti-spam content logic to the messages. The discussion on the mix between end-to-end encryption and anti-spam was covered well in this conversation, and is well worth a look. The end result is that it is very difficult to do content filtering of WhatsApp messages on the server side, preventing the use of many of the techniques used in unencrypted messaging systems. However, this need not be a critical loss; it's problematic, but as the E2E conversation states there might be ways to do some feature extraction at the client, although these are likely to be infeasible or untrustworthy. Long-term, promising methods like homomorphic encryption - an encryption approach that allows operations on encrypted values without having to decrypt the value first - may offer WhatsApp the ability to filter the encrypted content at their servers. While great strides have been made recently in this, it's still likely to take many years before it's ready for widespread use.

For now though, WhatsApp (and any mobile-based service) is still in the good position of having strong identity – namely phone numbers – on which it can base attribution, and all OTT messaging apps are in control of who has access or not. Plus it would be a mistake to think that WhatsApp is being ‘flooded’ by spam to the same extent as email. While only WhatsApp knows the true level of spam in their ecosystem, there may be ways for us to gauge the exposure users have to it, by using Google Trends. Below we have plotted a graph of searches in Google of the words “WhatsApp spam” versus “SMS spam” from 2011 onwards. If one assumes that Google Trends is useful for inferring from what people search for that they have been affected (an assumption that has proved problematic with flu searches), then there are two ways to read this:

  • One, WhatsApp, with 700 million users, compared to the World’s 4.6 billion mobile phone users - all capable of receiving SMS - is generating proportionally more searches for spam than would be expected.
  • On the other hand, WhatsApp, with up to 30 billion messages being sent a day, versus SMS’s estimated 20 billion, is generating proportionally less searches for spam than would be expected.

The truth, of course, is probably somewhere in between. The fact that the search terms are in English and the presence of peaks related to public events such as WhatsApp email-spam news articles mean these trends must be taken cautiously. Trends like these are best when combined with additional data, but it's clear even from the data we have that users are at least searching for WhatsApp spam more frequently, and it's on track to exceed the searches for SMS spam by mid-summer 2016. This again indicates a shift in a spam 'metric' from SMS to WhatsApp. In any case, the days of WhatsApp users assuming that they are immune from spam are drawing to an end, for the message is that as it becomes bigger, the more it is going to be a target for the spammers and criminals who have honed their skills on other, more established, messaging bearers.


Old Spammers Never Die...

For this discussion we focused on WhatsApp, being the biggest OTT messaging app with 700 million monthly active users, but we could have taken any of the main messaging apps. The lesson is that, with a ‘pull’ factor of a growing user base, and with a ‘push’ factor of increased spam defences and (in some regions) government regulation on other bearers, the OTT messaging apps become more and more attractive for the established messaging criminal groups to ‘cross over’ to. Therefore these apps should be alert and prepared to implement the technologies and teams needed to deal with the threat before it has a chance to affect the service or its users. For WhatsApp and others in 2015, the recommendation is to expect more ‘cross-overs’ from other messaging systems and build in security to stop them.


Worm.Gazon: Want Gift Card? Get Malware


There is a Chinese proverb: 'A small spark can burn across a prairie'. It also applies to the malware world. A simple piece of malware is on the way to becoming one of the 'spammiest' mobile malware outbreaks seen yet. This malware, which we have dubbed Gazon, spreads via SMS with a shortened link to itself in the spam message, redirecting a potential victim to a webpage that promises an Amazon gift card if you install an APK file hosted on the page:

Hey [NAME], I am sending you $200 Amazon Gift Card You can Claim it here : https://bit.ly/getAmazon[CENSORED]

The malware passes itself off as an app that gives Amazon rewards. However, the only thing it actually does is pull up a scam page inside the app which asks you to participate in a survey.

Each of the options below ends up taking you to either another scam page or asking you to download a game from Google Play. While you are busy clicking through pages, the author just earns money through your clicks, as we have seen in other pieces of mobile malware.

However, in the background this malware harvests all your contacts and sends a spam message to each of them with the URL pointing to the body of the worm.

Thousands of people have seemingly installed this malware and become victims. We are seeing over 4k infected devices across all of the major networks in North America, and we've blocked over 200k spam messages generated by these infected devices. Stopping the spread via messaging is critical, as each one of these messages was an attempt to spread the app to an infected user's contacts. Based on click-throughs from the shortened URL, it also seems this malware has been encountered in multiple other countries worldwide.
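Both this worm and the multilingual 'PhotoViewer' worm described earlier share one signature an operator can key on: many distinct handsets each fanning the same shortened link out to their contacts, whatever the wording. The following is an added example (not AdaptiveMobile's detection logic) that groups outbound SMS by shortened URL and separates that worm-like shape from a single bulk spammer and from friends forwarding a link; the shortener list, thresholds, numbers and links are constructed placeholders.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Link-shortener hosts this example treats as link-hiding (assumed list).
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}


def host_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def classify_links(records, min_senders=3, min_fanout=5):
    """Group outbound SMS by shortened URL and label each URL.

    records: iterable of (sender, recipient, text).
    A worm outbreak looks like MANY distinct senders (infected handsets) each
    fanning the SAME link out to many recipients; a bulk spammer is ONE sender
    with a large fan-out; friends forwarding a link have tiny fan-outs.
    Grouping on the link rather than the wording copes with the worm's
    per-language message templates. Thresholds are assumed for the example.
    """
    by_url = defaultdict(lambda: defaultdict(set))  # url -> sender -> recipients
    for sender, recipient, text in records:
        for url in URL_RE.findall(text):
            url = url.rstrip(".,;)")  # trailing punctuation is not part of the link
            if host_of(url) in SHORTENERS:
                by_url[url][sender].add(recipient)

    verdicts = {}
    for url, senders in by_url.items():
        fanouts = [len(recips) for recips in senders.values()]
        spreaders = sum(1 for f in fanouts if f >= min_fanout)
        if spreaders >= min_senders:
            verdicts[url] = "worm-like"
        elif len(fanouts) == 1 and fanouts[0] >= min_fanout:
            verdicts[url] = "bulk-spam"
        else:
            verdicts[url] = "benign"
    return verdicts


def sample_records():
    """Constructed traffic: no real numbers or links."""
    worm_link = "http://bit.ly/EXAMPLE-worm"
    # Four infected handsets, each greeting the recipient by name in the
    # device's language, all carrying the same link (as both worms do).
    templates = {
        "+15550001": "{name} Is this your photo? {url}",
        "+15550002": "{name} Ist das dein Foto? {url}",
        "+15550003": "{name} ¿Es esta tu foto? {url}",
        "+15550004": "Hey {name}, I am sending you a gift card, claim it here: {url}",
    }
    recs = []
    for sender, template in templates.items():
        for i in range(6):
            recipient = "+1555100" + sender[-1] + str(i)
            recs.append((sender, recipient,
                         template.format(name="Contact%d" % i, url=worm_link)))
    # One marketer blasting a dozen recipients from a single number.
    for i in range(12):
        recs.append(("+15557777", "+155520%02d" % i,
                     "Big sale this weekend http://tinyurl.com/EXAMPLE-sale"))
    # Five friends each forwarding one link to one person.
    for i in range(5):
        recs.append(("+1555300%d" % i, "+1555400%d" % i,
                     "you have to watch this http://bit.ly/EXAMPLE-video."))
    return recs


if __name__ == "__main__":
    for url, verdict in classify_links(sample_records()).items():
        print(verdict, url)
```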

At the moment none of the AV engines detect this malware, according to VirusTotal.

The shortened URL account related to this malicious URL was actually connected to a Facebook account which seems to be owned by a real person.

According to the profile, this spam campaign was not the first one for the owner of the profile. There was a link that redirects users to a scam page related to a previous WhatsApp spam campaign; incidentally, this shows the close links between the authors of mobile messaging spam and WhatsApp spam that we have seen in other cases.

The URL and the account have already been disabled, and therefore further malware propagation has been stopped.

However users should be aware of this scam, and as always, be careful clicking on links in text messages that seem suspect. In this case, like other worm malware we have seen recently, even messages your contacts send you may not be safe. The malware can be removed using standard Android app uninstall utilities.

If in doubt, don't click, and if it is spam, report it to your service provider.

MD5 4a56c7abdc455c82e95753bdb1934285

SHA256 6ce53539d05d250ae1be6dfe44b43405a98d0454742eaacaf094e38eb2389a20

Thanks to Denis Maslennikov, Cathal Mc Daid & the bitly security team for their help.

Attack on the iPhones


Over the past 18 hours, we have seen a new form of SMS messaging attack that immediately crashes your iPhone, iPad or iPod upon opening the message. The message comes as a specific string of Arabic characters that can be sent by anyone via iMessage or text message.

The Arabic string responsible is:

effective.

Power

 لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗
 

Reddit users discovered the bug this morning and since then it seems to be spreading around the globe. When the message is received it instantly crashes the device and causes it to reboot; according to news reports, it appears that the attack is a glitch in the way Apple’s iOS renders Arabic text. Apple devices render characters in Unicode – a coding standard that provides a unique number for every character, regardless of platform, program, or language - making it easier for them to display and process the thousands of different characters from across the world. Basically, the problem arises when they can’t process a specific string of characters; this string is uninterpretable and, because the operating system cannot understand and decide how to decode it, it simply shuts down. Reddit reports that it's due to how the banner notifications process the Unicode text: the banner attempts to present the incoming text and then gives up. The solution, of course, is for Apple to issue an update to iOS so that devices don't react in this manner.

As the problem is on-going, we implemented blocking of these types of messages in our customer operator base, to ensure that subscribers would not be affected. As might have been predicted, it looks like many people have jumped on this opportunity to cause problems for their contacts. So far today in North America alone, we've detected and blocked many tens of thousands of people attempting to send over a quarter of a million of these SMS messages to their 'friends'. The volumes in some cases are staggering; in one case one individual attempted to send the message nearly 900 times in a 30-minute period! While the vast majority of these are probably pranksters, one security concern here is that a hacker could leverage this issue to execute immediate denial-of-service attacks, and that any business with a heavy reliance on iOS could be targeted and blocked from their own devices within a matter of seconds.
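To show what makes the quoted string awkward to render, and how an operator-side filter can characterise such text without matching one fixed payload, here is an added example (not Apple's analysis or AdaptiveMobile's filter) that profiles a message's scripts and counts combining marks with nothing to attach to. The string is rebuilt from escapes, so its exact code points are an assumption from the visible characters; the thresholds are assumed too.

```python
import unicodedata

# Constructed copy of the string quoted above, written with escapes so the
# example runs however the page was copied. The exact code points are an
# assumption made from the visible characters.
CRASH_STRING = (
    "effective. \nPower\n"
    "\u0644\u064f\u0644\u064f\u0635\u0651\u0628\u064f"   # Arabic letters with diacritics
    "\u0644\u064f\u0644\u0635\u0651\u0628\u064f"
    "\u0631\u0631\u064b"
    " \u0963 \u0963h \u0963 \u0963 \u5197"               # detached Devanagari vowel signs, 'h', a CJK ideograph
)

COMBINING = ("Mn", "Mc")  # nonspacing / spacing combining marks


def script_of(ch):
    """Coarse script label taken from the first word of the Unicode name;
    whitespace, punctuation, separators and controls return None."""
    if unicodedata.category(ch)[0] in ("Z", "P", "C"):
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def profile(text):
    """Return (characters per script, number of combining marks with no base).

    A combining mark is meant to attach to the letter (or mark) before it; one
    following a space or starting the text is 'orphaned', which is part of
    what the rendering stack has to cope with in the string above.
    """
    per_script = {}
    orphans = 0
    prev = None
    for ch in text:
        script = script_of(ch)
        if script is not None:
            per_script[script] = per_script.get(script, 0) + 1
        if unicodedata.category(ch) in COMBINING:
            attached = prev is not None and (
                prev.isalpha() or unicodedata.category(prev) in COMBINING)
            if not attached:
                orphans += 1
        prev = ch
    return per_script, orphans


def looks_like_render_bomb(text, min_scripts=3, min_orphans=2):
    """Flag text that mixes several scripts with detached combining marks.

    A heuristic for queuing a message for review or blocking at the operator,
    not a fix for the handset; thresholds are assumed for the example.
    """
    per_script, orphans = profile(text)
    return len(per_script) >= min_scripts and orphans >= min_orphans


if __name__ == "__main__":
    scripts, orphans = profile(CRASH_STRING)
    print(scripts, "orphaned marks:", orphans)
    print("flag:", looks_like_render_bomb(CRASH_STRING))
```

Ordinary Arabic or Hindi text keeps its marks attached to letters and stays in one script, so it is not flagged by this check.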

While we continue to block and track the scale of attempted misuse of these messages, some good information has been shared on how to deal with the message if you receive it. When the text message is displayed by a banner alert or a notification on the lock screen it immediately crashes your device. In order to regain access to your device, The Verge has reported that you need to respond to the sender. If the message was sent from one iMessage user to another (and you own a Mac), you can log into your iMessages on your computer and send a reply. If your iPhone is the only Apple device you have, you can send a reply through the share sheet – this is the box that comes up enabling you to share a photo or link through mail, iCloud, or messaging.

The final workaround is requesting that the person who sent you the malicious message send another message, effectively cancelling out the malicious string.

In comparison to the other types of SMS messaging threats that we normally see, like bank phishing attacks, this specific type of message is termed an attack message and does not normally exist for monetary gain – it is a malicious message with the sole focus of corrupting the end user’s device. These types of SMS attack messages have existed before, of course - all with somewhat scary titles. In 2010 there was the (in)famous SMS of Death, and even before that there was the Curse of Silence; both types involved messages with particular formatting that would cause the handset to either crash or be unable to receive SMSs. Apple itself has not been immune to problems with the handling of SMS before; in the past it incorrectly displayed the sender of certain types of SMS as anything that an attacker wanted it to be. But the ease of this vulnerability, not requiring special SMS or telecom skills, is what makes it more impactful.

While we wait for Apple to release an update that will deal with this issue, we continue to monitor and block these malicious messages within our customer base. One thing is for certain - based on what we have seen - the number of people receiving this message is going to be very large, and the impact sizable.

Many thanks to Jessie Power for contributing to this blog.

The Cyber Attacker in You


The recent “Unicode of Death” has taken over websites, news outlets, and newsfeeds this past week. In a matter of hours, the Apple bug was sent to hundreds of thousands of people, effectively disabling their iPhones, Macs, and iWatches for a short period of time. We began actively monitoring the attack on the iPhones as news broke the morning of May 27th and within 18 hours saw (and blocked) over a quarter of a million SMS messages in North America alone. 

It was determined that the Apple operating system simply could not process the specific combination of “Unicode” – non-Latin alphabet characters – in a text message, iMessage, or tweet, and upon receiving the string of characters the device would freeze and reboot. While not particularly damaging to the actual phone, the user did have to rely on various tricks to get their device working again: either requesting the sender follow up their original text with a new message; asking Siri to read unread messages and then delete the text; or logging in to your iCloud account on a Mac or iPad and responding to the original message. The list was exhaustive.

Similar to bugs with other catchy names, like the Venom vulnerability, or even the much more serious Heartbleed vulnerability, the Unicode of Death relied on older computer code and assumptions that had been in place for years before being exposed. But as simple as this seems, the effect of the bug was quite significant. In the week after Reddit users revealed the existence of the bug, we determined that there were attempts to send over 2.5 million iPhone SMS messages with the Unicode of Death characters in the United States, by hundreds of thousands of people. In a country of 318 million people, the mass attraction to this cyberattack is what separates this attack from any other in recent history. Hundreds of thousands of Americans took it upon themselves to “test out” this phenomenon. After one day of monitoring and blocking these messages, we discovered one individual had attempted to send the message nearly 900 times in just 30 minutes. While the majority (92%) of people sent fewer than 10 messages, the average number of messages sent per person was 4.5.
                

The social nature of these attacks is the key differentiator here. The senders of these messages genuinely believed this to be an amusing prank, not realising they were participating in possibly one of the biggest cyberattacks in history. A cyberattack is traditionally defined as an offensive manoeuvre that targets computer information systems, infrastructures, computer networks and personal devices by various malicious means, and cyberattacks are on record as becoming increasingly sophisticated and dangerous. When you consider that millions of people deliberately tried to crash the technology that their “friends” literally hold closest to themselves, it is hard not to consider the security implications. If a cyberattack is easy enough to execute, and it is evident that a sizeable percentage of people will try it (at least as a joke), you have to ask: is there a cyber-attacker in all of us?

As technology progresses, we need to keep in mind the dangers of flaws in older technology and design our defences accordingly. The Apple Unicode of Death has once again brought into stark relief two very different but connected dynamics: the potential for flaws in older computer technology to affect security, and human behaviour. As we become more and more attached to our devices, the opportunity to exploit this relationship becomes greater. What is it about this type of detrimental activity that makes over a million people want to “try it out”? By continuously monitoring the networks, we can plan for previously unlikely or little-known threats, as next time it may take more than a Siri command to recover.

Many thanks to Cathal Mc Daid for original contribution.

AdaptiveMobile Recognised as a Gartner Cool Vendor in Communications Service Provider, Security

AdaptiveMobile is delighted to announce that it has been recognised as a 2015 ‘Cool Vendor’ in this year’s Gartner Cool Vendor in Communications Service Provider, Security Report. The formal announcement was made today through a press release.

The report evaluates technology providers with security platforms geared toward fixed and mobile networks, and those that can provide security intelligence. As the world leader in mobile security, this designation is a validation of AdaptiveMobile’s unique threat intelligence and globally-deployed network protection platform.

The recognition is given by Gartner to companies categorised as a ‘truly innovative, unique, and highly original technology or service provider, who are making a difference in their respective markets’. Since 2004, AdaptiveMobile has been addressing the ever-changing mobile threat landscape. As threats become more aggressive and complex, it’s critical to stay ahead of the curve. With an unrivalled position – sitting in the heart of over 75 communication service providers globally and protecting over 1.3 billion subscribers – AdaptiveMobile has access to the mobile threat landscape that no one else can achieve. Our unique data intelligence allows us to detect and block emerging threats such as the recent iOS bug – ‘Unicode of Death’ – and damaging worm malware attacks like Selfmite.B and Koler Ransomware.

Earlier this year, we launched our SS7 Protection Product and Grey Route Controls Service – providing CSPs with state of the art protection to secure their networks and protect and grow new revenue streams. Continuing with our strong history of innovation, AdaptiveMobile is also focussed on sharing our mobile threat intelligence with adjacent markets including financial institutions and global internet brands, enabling them to reduce fraud by leveraging the exclusive characteristics of mobile identity.  

As we move into the future, the mobile threat landscape only becomes more complex. The Gartner Cool Vendor recognition validates AdaptiveMobile’s unique threat intelligence and globally-deployed network protection platform – proving the Company is poised for significant growth.

Gartner first introduced the Cool Vendors report in 2004, and more than 2,200 Cool Vendors have been profiled globally within this time. This is the first year for the Cool Vendor in Communications Service Provider, Security Report.

Disclaimer
Gartner, Inc., Cool Vendors in Communications Service Provider Security, 2015, Deborah Kish, Akshay K. Sharma, Craig Lawson, 15 April 2015. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Points for consistency, but not for originality

Is fearr cosaint cliste ná ‘spam’ bhriste (Irish: clever protection is better than broken spam)

The use of over-the-top (OTT) messaging services has grown exponentially over the past few years. New data from mobile research specialists, Juniper Research, has found that the overall messaging market will fall in value by $600 million by 2019, while mobile and online messaging traffic will reach 160 trillion per annum by 2019, up from 94.2 trillion this year. Within Ireland alone, over 43% of smartphone owners use OTT applications to connect with friends and family – including Skype, WhatsApp, Viber and Facebook Messenger. Yet while this growth is significant, with it comes an increase in reported cases of spam messages.

In January we reported on WhatsApp spam being received by Irish and UK subscribers in a wave of attacks. The type of spam in itself was not unique, but the very fact that there was WhatsApp spam demonstrated a shift in the way spammers are planning their attacks. With analysts predicting the decline in SMS revenues and a forecasted doubling of messaging traffic by 2019 (primarily in OTT messaging applications), it is evident spammers need to find new targets.

Since then, we’ve detected an increase in spam messages over the various OTT applications. Late last week we noticed an increase in spam messages again targeting users over WhatsApp; and, while this latest wave of WhatsApp spam attacks is new, the technique spammers are using is not.

As is obvious from these screenshots, the spammers are using group targeting to gain access to as many contacts as possible.

[Screenshots: WhatsApp group spam messages as received by users]

Spammers create a group, add a selection of sequential numbers to the group in an attempt to hit as many WhatsApp users as possible, and then delete the group – making contact blocking irrelevant. This is a new type of attack, though the originating numbers are from countries we’ve seen time and time again – China, India and US VoIP.
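
A defender-side check for the group pattern just described, added here as an example and not code from the original post or from WhatsApp: over a constructed group-lifecycle log it flags groups whose members form a run of consecutive phone numbers and which are deleted shortly after creation. The CSV event format, field names and thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed group-lifecycle log (not real WhatsApp data): timestamp,event,group,actor,member.
# g1 mimics the pattern above (five consecutive numbers added, deleted 12 min later); g2 is benign.
SAMPLE_LOG = """\
2015-06-10T10:00:00,created,g1,8613900000001,
2015-06-10T10:00:03,member_added,g1,8613900000001,353871000001
2015-06-10T10:00:04,member_added,g1,8613900000001,353871000002
2015-06-10T10:00:05,member_added,g1,8613900000001,353871000003
2015-06-10T10:00:06,member_added,g1,8613900000001,353871000004
2015-06-10T10:00:07,member_added,g1,8613900000001,353871000005
2015-06-10T10:12:00,deleted,g1,8613900000001,
2015-06-10T11:00:00,created,g2,353861234567,
2015-06-10T11:00:10,member_added,g2,353861234567,353869876543
2015-06-10T11:00:20,member_added,g2,353861234567,353872223344
2015-06-10T11:00:30,member_added,g2,353861234567,353851112233
"""

def parse_events(text):
    """Yield (timestamp, event, group, actor, member) tuples; member is None when absent."""
    for line in text.strip().splitlines():
        ts, ev, group, actor, member = line.split(",")
        yield datetime.fromisoformat(ts), ev, group, actor, member or None

def longest_sequential_run(numbers):
    """Length of the longest run of numerically consecutive phone numbers."""
    nums = sorted({int(n) for n in numbers})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best

def score_groups(events, min_run=5, max_lifetime=timedelta(minutes=30)):
    """Map group id -> reasons for groups that look like enumeration spam."""
    groups = {}
    for ts, ev, group, _actor, member in events:
        g = groups.setdefault(group, {"created": None, "deleted": None, "members": []})
        if ev == "created":
            g["created"] = ts
        elif ev == "member_added":
            g["members"].append(member)
        elif ev == "deleted":
            g["deleted"] = ts
    flagged = {}
    for gid, g in groups.items():
        reasons = []
        if longest_sequential_run(g["members"]) >= min_run:
            reasons.append("sequential_members")  # numbers were enumerated, not chosen
        if g["created"] and g["deleted"] and g["deleted"] - g["created"] <= max_lifetime:
            reasons.append("short_lived")  # deleted before recipients could block the sender
        if reasons:
            flagged[gid] = reasons
    return flagged
```

Running `score_groups(parse_events(SAMPLE_LOG))` flags only g1, with both reasons; a real deployment would tune `min_run` and `max_lifetime` against its own baseline of legitimate group activity.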

In addition to the recorded instances of WhatsApp spam worldwide, we’ve also detected an increase in Viber spam across Irish OTT users.

Though not a first for either WhatsApp or Viber, this spam is noteworthy in that it’s written in the Irish language.

The first recorded, wide-scale SMS spam in Irish was detected in late 2012 / early 2013 with a standard Apple spam message, but since then known cases have been very rare. Reported widely throughout Twitter and Facebook, this is an example of the Irish language spam messages Irish users have been receiving.

With known cases of this specific spam message in Asia and the US, this messaging abuse attack has navigated its way across the pond to Ireland. The spammers are moving quickly, though their method of localising the language is neither unique nor effective (we disputed the value of localising the language to such an extent in a 2013 blog post). The Irish is very basic and is a direct translation produced with Google Translate.

We’ve witnessed OTT messaging apps becoming a more and more attractive way for established messaging criminal groups to ‘cross over’. Spam attack tactics are being recycled through familiar spam groups in China, India and US VoIP. While the messaging systems are working to build security protocols against these attacks, the important thing is to be aware of them. The tactics are not unique, but they are damaging. Remember that you should not click on any unknown or unfamiliar link, and report the incidents to the respective messaging application. In many cases, reporting to the targeted brand (e.g. Ray Ban) is also effective, as they’ll work with the suppliers to eliminate these issues.

Thanks to Cathal Mc Daid, Yicheng Zhou and Barry Scallan for their contribution.
