Vidro: How deep and mobile is the rabbit hole?

The appearance of a new Android malware family is not that surprising at all today. Especially when we talk about SMS Trojans which are one of the most popular and oldest type of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago but weve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland.

Spreading

Trojan-SMS.AndroidOS.Vidro is spread via porn sites. The mechanism is very similar to the way the very first Android malware (Trojan-SMS.AndroidOS.FakePlayer) spread. If the user visits a porn site with a desktop browser he will see something similar to this:

But if the potential victim somehow visits the same website using an Android device, a porn web site will be optimized for the smartphone:

After clicking on the link Watch Now, the user will be redirected to the web site called Vid4Droid (vid4droid.com) which suggests to the victim that they download The new Sexvideo App:

A click on the Install button will redirect the victim to a page containing an automatic download start which contains instructions onhow-to-install-our-super-porno-app with a reminder to allow an installation of applications from unknown sources:

Vidro description

After the installation of Vidro the following icon can be found in the main menu:

If the victim launches malware the first thing hes going to see is the dialog box which invites him to agree with the terms and conditions.

But the funny fact is that theres no EULA and/or terms and conditions in the app. In other words, even if those conditions exist, theres no possibility to read them. After clicking Yes an SMS message to will be sent to a premium rate number. The premium rate number is 72908 (Polish) and the SMS text is PAY {unique sequence of ciphers and letters}. Each message cost 2 zl (0,5 Euro). We will discuss the SMS text later. Messages will be sent every 24 hours. All the data required for sending the expensive SMS is stored in the configuration file setting.json.

Vidro is also able to hide incoming SMS messages from specific numbers. Weve seen already such functionality in Trojans like Foncy and Mania.

Besides sending expensive messages Vidro is able to:

• Update the configuration file (which might contain a new premium rate number and SMS text) and update itself. For connecting to remote server the malware uses its own User-Agent string: Mozilla/5.0 (Linux; U; {app_id}; {android_version}; de-ch; Vid4Droid) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30.
• Upload information about itself and the infected device to a remote server.

Content provider and affiliate network

If you google 72908 (the premium rate number from Vidro) you can find a Polish forum which contains some complaints about this number.

Rough translation:

“How to remove ‘carmunity’ from 72908 number? Help me.”

“I want to disable.”

Lets take a deeper look at the malicious vid4droid.com domain. According to Robtex this domain is controlled by two name servers at carmunity.de; and the vid4droid.com mail server is handled at tecmedia.eu.

There is a number of hosts (like sex-goes-mobile.biz, sexgoesmobile.biz, sexgoesmobil.com and similar) which share both name servers and mail servers with this domain. And if you visit one of these hosts you will be redirected to the web site sexgoesmobile.com.

Carmunity

Carmunity is a German content and service provider company, whose portfolio offers an array of creative and technical solutions, enabling businesses to generate and apply their own portals in the mobile internet. This quote was copied from the English version of their web site (carmunity.de).

Main page of Carmunity web site

Contact information contains the physical address of this company. According to this, Carmunity is located in Bremen, Mary-Astell-Str. 2. If you google this address you can find that another German company called Displayboy has the same physical address. What do we know about this organization? Well, here are some quotes from their web site displayboy.com (no German version, only English):

“Welcome to DisplayBoy – the leading provider for adult affiliate marketing in the mobile Internet.”

“Right now, between 5%-10% adult website users are surfing sites with mobile phones. With Displayboy you can convert your existing mobile traffic in a snap. It’s easy, simple and reliable.”

Do Carmunity and Displayboy have something in common? I think, yes 🙂 At least both companies are specialized in monetization of mobile traffic.

SexGoesMobile

As was mentioned above, some host names use the vid4droid.com domain name and mail servers. And if you try to visit one of them youll be redirected to sexgoesmobile.com. Here is a part of the main page of this web site:

Yes, its an affiliate network created for monetizing mobile adult traffic. And there are some curious things inside. Lets see whats going on there.

Many mobile affiliate networks (Russian ones at least) provide full access to various so-called promotional tools to all participants. The SexGoesMobile affiliate network also offers various promotional tools. For example, you can create a mobile pay site using one of the existing templates:

Each template has its own domain name. And each affiliate who participates in SexGoesMobile has an ID. After choosing the template this affiliate is able to choose the target audience (mobile or desktop):

And finally an affiliate is able to generate a unique URL with his ID:

If the potential victim clicks on this unique link he will be redirected to the web site exgftube.mobi that contains fake video thumbnails. By clicking on one of this thumbnails the user will be redirected to the vid4droid.com web site where he will be invited to download vid4droid.apk file (Trojan-SMS.AndroidOS.Vidro). Do you remember the format of the SMS text in this malware? PAY {unique sequence of ciphers and letters}. This unique sequence of ciphers and letters will be generated on a remote malicious server based on the referrer (a unique URL with the ID of the affiliate). In other words, each affiliate has his own SMS Trojan with unique SMS text.

Conclusion

The mobile malware industry and mobile malware services continue to evolve. A couple of years ago mobile affiliate networks were mostly Russian. Now we see that these affiliate networks appearing in other countries. Unfortunately, such networks have already become pretty effective and are an easy way to spread mobile malware and earn money illegally. And the migration of affiliate networks will lead to new infections and huge money losses not only in Russia but in other countries as well.