You’re probably cautious about clicking on unknown links, whether they arrive in a message, are buried in a social media post, or pop up on a random website. Many of those links are created with URL shorteners, which compress long web addresses. While these tools are convenient for making links more manageable, they can also obscure the original website, track visitor activity, and even monetize clicks.
Unfortunately, this monetization often involves displaying intrusive ads when you click on a shortened link. Some of these ads are more than just annoying—they can be downright dangerous, using scare tactics to trick you into thinking your device is infected. This can lead to downloading shady apps, signing up for dubious services, enabling unwanted notifications, or falling for fake prize offers.
### The Threat: Android/FakeAdBlocker Malware
Our recent investigation uncovered a disturbing trend: URL shorteners are being used to distribute a piece of Android malware known as Android/FakeAdBlocker. Once downloaded, this malware can deliver additional harmful software, including banking and SMS trojans, as well as aggressive adware, directly from its Command and Control (C&C) server.
### How It Works
The content delivered by these monetized link shorteners varies depending on your device’s operating system. While some of the ads and apps may seem legitimate, the majority are not. Here’s what happens:
#### iOS Users
If you’re using an iPhone or iPad, these links might flood your device with unwanted ads or even create fake calendar events. These events often claim that your device is infected with malware, urging you to click on links that lead to more scareware.
#### Android Users
For Android users, the risk is more severe. The scam might start by prompting you to download a seemingly harmless app, only to deliver the actual content after installation. We’ve observed two common scenarios:
1. **Fake Ad-Blocking App**: When trying to download an Android app outside of Google Play, you might be prompted to enable browser notifications and download an app called “adBLOCK app.apk.” Instead of blocking ads, this app installs Android/FakeAdBlocker, which hijacks your device’s actions to deliver even more malicious software.
2. **Misleading File Download**: If you’re looking to download a file, you might encounter a webpage instructing you to download an app named “Your File Is Ready To Download.apk.” This name is meant to deceive you into thinking you’re getting the file you wanted, but it’s actually Android/FakeAdBlocker in disguise.
### The Numbers: A Growing Threat
Android/FakeAdBlocker was first detected in September 2019, and it’s been spreading rapidly ever since. Between the start of this year and July 1st, over 150,000 Android devices have downloaded this malware. Our data shows that this threat is known by various names, but it’s all part of the same malicious campaign.
### Cleaning Up the Mess
Simply uninstalling Android/FakeAdBlocker won’t erase the spam events it created in your calendar. However, you can use apps like Calendar Cleanup, available on the Google Play store, to automatically remove these events. Be sure to adjust the date and time settings to cover the period when the spam events were created.
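If you would rather review the events yourself before deleting anything, the following added example (not part of the original article, and not related to the Calendar Cleanup app) triages an exported calendar. It assumes the calendar has been exported as an iCalendar (.ics) file; the keyword list, the date window, and the sample events are constructed for illustration.

```python
import re

# Assumed scare wording; adjust to the text of the spam events you see.
SCARE = re.compile(r"infected|virus|malware", re.I)
URL = re.compile(r"https?://\S+", re.I)

# Constructed sample export, not real campaign data.
SAMPLE_ICS = """BEGIN:VCALENDAR
BEGIN:VEVENT
UID:1@example.invalid
DTSTART:20210105T090000Z
SUMMARY:Your device may be infected!
DESCRIPTION:Clean it now: https://short.example.invalid/abc
 def
END:VEVENT
BEGIN:VEVENT
UID:2@example.invalid
DTSTART:20210106T100000Z
SUMMARY:Dentist
END:VEVENT
BEGIN:VEVENT
UID:3@example.invalid
DTSTART;VALUE=DATE:20200301
SUMMARY:Virus detected, tap https://short.example.invalid/old
END:VEVENT
END:VCALENDAR
"""

def parse_events(ics_text):
    """Unfold RFC 5545 continuation lines; return one dict per VEVENT."""
    events, cur = [], None
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            cur = {}
        elif line == "END:VEVENT" and cur is not None:
            events.append(cur)
            cur = None
        elif cur is not None and ":" in line:
            name, value = line.split(":", 1)
            cur[name.split(";")[0].upper()] = value  # drop params (TZID, VALUE)
    return events

def flag_spam(ics_text, start, end):
    """UIDs of events dated within [start, end] (YYYYMMDD) with scare text and a link."""
    hits = []
    for ev in parse_events(ics_text):
        text = ev.get("SUMMARY", "") + " " + ev.get("DESCRIPTION", "")
        day = ev.get("DTSTART", "")[:8]  # YYYYMMDD strings sort chronologically
        if start <= day <= end and SCARE.search(text) and URL.search(text):
            hits.append(ev.get("UID"))
    return hits
```

Calling `flag_spam(SAMPLE_ICS, "20210101", "20210701")` returns only the first event: the dentist appointment has no scare wording or link, and the third event falls outside the chosen window.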
### Conclusion: Stay Vigilant
Our data clearly shows that many Android users are downloading apps from outside Google Play, which puts them at risk of malicious apps delivered through aggressive advertising. Android/FakeAdBlocker is a perfect example of why you should be cautious about where you download apps. This malware, hidden behind scareware ads, can lead to financial losses and further security risks. It’s crucial to stay aware and practice safe browsing habits to protect yourself from these hidden threats.