First things first: although several people reported the download of malware in the form of an APK file, we were not able to reproduce that situation. We were, however, able to reproduce a very nifty full-page forward from the website twitpic.com to a landing page where several tactics were used to trick the user into clicking specific links and eventually acknowledging the purchase of a subscription worth €5 a week.
The story starts by visiting the website twitpic.com. Twitpic is a well-known and frequently used platform for sharing pictures on Twitter. Once a twitpic link is opened, the screen below appears after 3 seconds, making the average Android user think the application WhatsApp is interfering and that an update for the program is available.
What is actually happening?
While visiting twitpic.com the website loads a lot of ads. One of these ads is from AppNexus. This ad makes a connection (in our case) to ams1.ib.adnxs.com, which in turn loads a page from track2.buyfaq.com/300x250.html. This supposed banner contains the following HTML code:
The banner loads an iframe, which in turn is loaded from http://mt.moneyandroid.com/topic/mobi/mcenter.php?aid=98&ext=6
This specific mcenter.php?aid=98&ext=6 checks the User-Agent of the visiting client and the screen width in use. If either the User-Agent or the screen width does not match that of an Android device, it skips the JavaScript part displayed below and loads only the HTML content. In our case, where we use an Android device, it loads the HTML+JavaScript code displayed below:
The web page http://mt.moneyandroid.com/topic/mobi/download.php?i=[string] serves an HTTP/1.1 302 Moved Temporarily response containing the following value:
http://app-update.whatsapp.com.earic.com/topic/whatsapp/white.php?lp=1&aff_sub3=NL_[TmobileNetherlandsbv]_3_a90_v22_2014-06-15
In the JavaScript code several functions are initiated. A setTimeout call waits 3000 milliseconds before executing a function that fires a click event on the HTML a-element, which loads the provided href URL. In this case an HTTP/1.1 302 Moved Temporarily response was returned containing a new URL. The browser on your Android device forwards to that page, taking over the previous Twitpic page. Once forwarded, the image below appears.
As shown in the pop-up above, WhatsApp needs an update. The domain used seems to be app-update.whatsapp.com..., very trustworthy. The "OK" button can be pressed, and a countdown starts, as shown below:
If you look closely at the domain you will see that the domain used is not "app-update.whatsapp.com" but "app-update.whatsapp.com.earic.com". Earic.com is an educational website; it is not clear whether this domain is hijacked, hacked or willingly cooperating. Obviously the original domain whatsapp.com is not involved in any way; the crooks are just trying to make us think it is and thus make the page look trustworthy.
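The domain trick described above, as an added example that is not code from the original write-up: a small JavaScript classifier that separates hosts genuinely under a trusted domain from hosts that merely embed it as inner labels, run over the redirect chain quoted in this post. TRUSTED_DOMAINS, the two-label registrable-domain rule and the SAMPLE_CHAIN list are assumptions; it also flags the brand name inside a single label, which goes beyond the case on the page.

```javascript
// Added example, not code from the original write-up: classify hostnames in a
// redirect chain so that a brand domain embedded as inner labels
// ("app-update.whatsapp.com.earic.com") is flagged as a lookalike, not trusted.
// TRUSTED_DOMAINS and the two-label registrable-domain rule are simplifying
// assumptions; production code should use the Public Suffix List instead.

const TRUSTED_DOMAINS = ["whatsapp.com", "twitpic.com"];

function hostnameOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
}

// Assumption: registrable domain = last two labels (no public-suffix handling).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

function classifyUrl(url) {
  const host = hostnameOf(url);
  const labels = host.split(".");
  const base = { host, registrableDomain: registrableDomain(host), brand: null, reason: null };
  for (const trusted of TRUSTED_DOMAINS) {
    // Genuine: the host is the trusted domain itself or sits under it.
    if (host === trusted || host.endsWith("." + trusted)) {
      return { ...base, verdict: "trusted", brand: trusted, reason: "under-trusted-domain" };
    }
    const tLabels = trusted.split(".");
    // Strong lookalike signal: the trusted labels appear as a contiguous run that
    // is NOT the suffix, so the real owner is whatever domain follows them.
    for (let i = 0; i + tLabels.length < labels.length; i++) {
      if (tLabels.every((l, j) => labels[i + j] === l)) {
        return { ...base, verdict: "lookalike", brand: trusted, reason: "embedded-domain" };
      }
    }
    // Weak lookalike signal: the brand name inside any label ("whatsapp-update").
    if (labels.some((l) => l.includes(tLabels[0]))) {
      return { ...base, verdict: "lookalike", brand: trusted, reason: "brand-in-label" };
    }
  }
  return { ...base, verdict: "unknown" };
}

// Constructed redirect chain, assembled from the URLs quoted in the write-up.
const SAMPLE_CHAIN = [
  "http://track2.buyfaq.com/300x250.html",
  "http://mt.moneyandroid.com/topic/mobi/mcenter.php?aid=98&ext=6",
  "http://app-update.whatsapp.com.earic.com/topic/whatsapp/white.php?lp=1",
];

function lookalikesIn(urls) {
  return urls.map(classifyUrl).filter((r) => r.verdict === "lookalike");
}

for (const r of lookalikesIn(SAMPLE_CHAIN)) {
  console.log(`${r.host}: ${r.verdict} (${r.reason}), really owned by ${r.registrableDomain}`);
}
```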
Once you click the "Download now" button the webpage below is shown.
Here, in small letters, your subscription is described; at the top the subscription cost of 5 euro is displayed. Below it says you automatically become a member. Users who don't read carefully will just press the download button to install what they believe is the WhatsApp update.
Once you press the "Download" button, the following page is displayed:
Your mobile number is filled in automatically and you just have to press the "Continue" button. Once the "Continue" button is pressed, an SMS text message containing a verification link is sent to the mobile phone. Once that link is clicked, the subscription is acknowledged and you will be charged 5 euros per week.