I got a browser hijacker this morning on my phone. It claimed that my system is “heavily damaged by Four virus!” It pretends to be scary and dangerous, beeping my phone and pulse vibrating it continuously. It’s not really a scary virus. It is a scam message intended to scare you into clicking OK which then would allow it to install some malware.
If you get this thing on your device, don’t click OK or Repair! Don’t click anything in the message box or browser. First thing I did (after taking a few screenshots)… close the browser (probably best to force quit it in application manager) and clear all cache on the phone. The hijack itself seemed like little more than a nuisance as long as you DON’T CLICK ON ANYTHING.
Time to power on the ol’ virtual machine to do something stupid… Click on it, LOL
Executing it, I found this annoying bugger wanting to connect to get some files… Let’s see what they are…
First it tries to open a pop-behind webpage which doesn’t display at all but loads a script in a way that tries to be sneaky and obfuscated. One line of this file that tries to load the script is:
(URL removed for safety)
This is a sneaky way to load and run a script. They are probably trying to prevent it from being filtered by the browser and antivirus by hiding the script tags inside of span tags with HTML character codes. It translates directly to:
At the same time it tries to open a webpage on top, “PSAFE.html” that shows a full screen ad.
A quick image search shows that this image was taken from shutterstock.com and is called “Teenage boy hiding himself under a blanket”.
If you click anywhere at all it tries to go to “http://a.googleplaysetvices.com/click/1”. Notice the way services is spelled ‘setvices’… obviously not the real Google Play Store. This is where the hijack trick tries to screw you. It tries to download com.psafe.msuite from the fake Play Store. That URL resolves to:
Domain: a.googleplaysetvices.com uses three IP addresses: 220.127.116.11, 18.104.22.168, and 22.214.171.124
IP Address: 126.96.36.199
tani.ns.cloudflare.com >> 188.8.131.52
pete.ns.cloudflare.com >> 184.108.40.206
Country: United States
ISP: Amazon Technologies
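Two defensive checks for the tricks described above (the script tag hidden behind HTML character codes, and the misspelled Play Store domain), as an added example that is not part of the original post. The sample page and the list of known domains are constructed here, and the script src host is a placeholder rather than the redacted URL.

```python
import html
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample: a pop-under page hiding its <script> tag inside a <span>
# as HTML numeric character references, as the post describes. The src host is
# a placeholder (.invalid TLD), not the URL the post redacted.
SAMPLE_HTML = (
    "<html><body><span>&#60;script src=&#34;http://loader.example.invalid/a.js"
    "&#34;&#62;&#60;/script&#62;</span></body></html>"
)
# Assumed list of legitimate domains whose look-alikes we want to flag.
KNOWN_DOMAINS = ["googleplayservices.com", "play.google.com"]
SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)", re.IGNORECASE)

def decode_entities(text, max_rounds=5):
    """Unescape HTML character references until stable (handles double encoding)."""
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text

def hidden_script_sources(raw_html):
    """Return script src URLs that only appear after entity decoding.
    A scanner reading the raw markup sees harmless text inside the span; the
    page that later writes the decoded text into the DOM runs it."""
    visible = set(SCRIPT_SRC.findall(raw_html))
    decoded = SCRIPT_SRC.findall(decode_entities(raw_html))
    return [u for u in decoded if u not in visible]

def registrable(hostname):
    """Crude registrable-domain approximation: keep the last two labels."""
    return ".".join(hostname.lower().split(".")[-2:])

def lookalike_of(url, known=KNOWN_DOMAINS, threshold=0.85):
    """Return the known domain a URL's host imitates ('setvices' vs 'services');
    None for an exact match or for a host that resembles none of them."""
    host = registrable(urlparse(url).hostname or "")
    for k in known:
        kr = registrable(k)
        if host == kr:
            return None
        if SequenceMatcher(None, host, kr).ratio() >= threshold:
            return k
    return None
```

The similarity threshold is a rough heuristic; tune it against your own allow-list before alerting on it.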
Amazon Web Services (amazonaws.com) is not inherently malicious. It is used behind the scenes by many websites and apps. But it has been the target of hackers in the past, so it’s possible the account has been compromised. I plan on reporting it to the AWS abuse form. They would be very concerned about security issues.
Anyway, back to the pSafe hijack.
pSafe is a scam that installs on a computer browser. It takes control of the browser, changing the browser’s homepage and search engine, and redirects DNS so that pages come back as “page not found.” It affects all the major browsers.
Fortunately, it seems to be removed by Malwarebytes or other such anti-malware software.
Once again, an alert message claiming to be alerting you of a security issue that actually turns out to be the security issue.
IP Address: 220.127.116.11
pat.ns.cloudflare.com >> 18.104.22.168
igor.ns.cloudflare.com >> 22.214.171.124
Country: United States
City: San Francisco
AS Number: AS13335 CloudFlare