‘Four Virus!’ mobile device hijack… nice try scumbags!

I got a browser hijacker this morning on my phone. It claimed that my system is “heavily damaged by Four virus!” It pretends to be scary and dangerous, beeping my phone and pulse vibrating it continuously. It’s not really a scary virus. It is a scam message intended to scare you into clicking OK which then would allow it to install some malware.

If you get this thing on your device, don’t click OK or Repair! Don’t click anything in the message box or browser. First thing I did (after taking a few screenshots)… Close the browser (probably best to force quit it in application manager) and clear all cache on the phone. The hijack itself seemed like little more than a nuisance as long as you DON’T CLICK ON ANYTHING.

Time to power on the ol’ virtual machine to do something stupid… Click on it, LOL

Executing it, I found this annoying bugger wanting to connect to get some files… Let’s see what they are…
First it tries to open a pop-behind webpage which doesn’t display at all but loads a script in a way that tries to be sneaky and obfuscated. One line of this file that tries to load the script is:
(URL removed for safety)

<span>&lt;s</span><span>cript type="text/javascript" src="SCRIPT URL – some cloudflare.ajax.BullS**t.script.js"&gt;</span><span>&lt;</span><span>script&gt;</span>

That is a sneaky way to smuggle in a script loader. Split across span tags and written with HTML character entities (&lt; for <, &gt; for >), the tag is rendered by the browser as harmless text rather than executed, so a filter or antivirus that scans the raw HTML for a <script> tag sees nothing. For it to do anything, a loader on the page has to read the text back out of the spans, decode the entities and inject the result into the document (for instance through innerHTML or document.write); only then does the browser fetch and run the external script. Decoded, the spans translate directly to:

<script type="text/javascript" src="SCRIPT URL – some cloudflare.ajax.BullS**t.script.js"><script>

And, yes… Of course I downloaded the script and have been looking it over. A lot of it I don’t understand but it seems to be wanting to load other javascript objects. It wants your location data and info about your device (brand, model, OS version, cell carrier, etc…). It has error handling code to suppress all error and debug messages on your device so you would never know it was there.

[Image: pSafe "four viruses" full-screen ad; the picture is apparently shutterstock.com image 295331837]

At the same time it tries to open a webpage on top, "PSAFE.html", that shows a full-screen ad.

A quick image search shows that this image was taken from shutterstock.com and is called "Teenage boy hiding himself under a blanket".
If you click anywhere at all it tries to go to "http://a.googleplaysetvices.com/click/1". Notice the way services is spelled 'setvices': a lookalike domain, and obviously not the real Google Play store (which lives on play.google.com). This is where the hijack trick tries to screw you. It tries to download com.psafe.msuite from the fake Play Store. That URL resolves to:

Domain: a.googleplaysetvices.com uses three IP addresses: 23.22.158.20, 52.44.151.120, and 52.22.161.45

This instance:
IP Address: 52.44.151.120
Hostname: ec2-52-44-151-120.compute-1.amazonaws.com
Nameservers:
tani.ns.cloudflare.com >> 173.245.58.224
pete.ns.cloudflare.com >> 173.245.59.136

Country: United States
State: Virginia
City: Ashburn
Postal: 20149
ISP: Amazon Technologies
Organization: Amazon.com

[Screenshot: what shows if the hijack fails; it tried to download com.psafe.msuite from the fake Play Store.]

Amazon Web Services (amazonaws.com) is not inherently malicious. It is used behind the scenes by many websites and apps, and an EC2 hostname only tells you the server is rented from Amazon: abusers routinely spin up instances on throwaway accounts, and AWS accounts have been the target of hackers in the past, so it is also possible the account behind this one has been compromised. (The Cloudflare nameservers just mean the domain's DNS is hosted at Cloudflare; its records point straight at EC2, which is why the Amazon addresses are visible.) I plan on reporting it to the AWS abuse form. They would be very concerned about security issues.

Anyway, back to the pSafe hijack.
pSafe is a scam that installs into a computer's browser. It takes control of the browser, changing the homepage and search engine, and redirects requests so that pages come back as "page not found." It affects all the major browsers.

Fortunately, it seems to be removed by Malwarebytes or similar anti-malware software.

Once again, an alert message claiming to be alerting you of a security issue that actually turns out to be the security issue.

— CSH

Domain: us.dlsanyac.pw (the address below is one of Cloudflare's own, so this site sits behind Cloudflare's proxy and the origin server is hidden; the IP has no reverse DNS name)
IP Address: 104.27.187.232
Hostname: 104.27.187.232
Nameservers:
pat.ns.cloudflare.com >> 173.245.58.139
igor.ns.cloudflare.com >> 173.245.59.119

Country: United States
State: California
City: San Francisco
Postal: 94107
ISP: CloudFlare
Organization: CloudFlare
AS Number: AS13335 CloudFlare
