First things first: although several people reported the download of malware in the form of an apk file, we were not able to reproduce that situation. We were, however, able to reproduce a very nifty full-page forward from the website twitpic.com to a landing page where several tactics were used to trick the user into clicking on specific links and eventually acknowledging the purchase of a subscription worth €5 a week.
The story starts by visiting the website twitpic.com. Twitpic is a well-known and frequently used platform to share pictures on Twitter. Once a twitpic link is opened, the screen below appears after 3 seconds, making the average Android user think the application WhatsApp is interfering and an update for the program is available.
What is actually happening?
While visiting twitpic.com, the website loads a lot of ads. One of these ads is from AppNexus. This ad makes a connection (in our case) to ams1.ib.adnxs.com, which in this case loads a page from track2.buyfaq.com/300x250.html. This supposed banner contains the following HTML code:
The banner loads an iframe. This iframe is in turn loaded from http://mt.moneyandroid.com/topic/mobi/mcenter.php?aid=98&ext=6
The webpage http://mt.moneyandroid.com/topic/mobi/download.php?i=[string] serves an HTTP/1.1 302 Moved Temporarily and contains the following value:
According to the pop-up above, WhatsApp needs an update. The domain used seems to be app-update.whatsapp.com..., which looks very trustworthy. Once the "OK" button is pressed, a countdown starts, as shown below:
Once you click the "Download now" button the webpage below is shown.
Here the subscription is described in small letters, and the subscription cost of 5 euros is displayed at the top. Below that, it says you become a member automatically. Users who don't read carefully will just press the download button to install what they believe is the WhatsApp update.
Once you press the "Download" button, the following page is displayed:
Your mobile number is filled in automatically and you just have to press the "Continue" button. Once the "Continue" button is pressed, an SMS text message containing a verification link is sent to the mobile phone. Once that link is clicked, the subscription is acknowledged and you will be charged 5 euros per week.
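The request chain described under "What is actually happening?", rebuilt from proxy-style log records, as an added example that is not code from the original post. The log format, the twitpic path, the `i` value and `landing.example` are constructed assumptions; the ad hosts and paths are the ones named above.

```python
from urllib.parse import urlsplit

REDIRECT = {301, 302, 303, 307, 308}

# Constructed proxy-log records (url, referer, status, location), not captured
# traffic. Hosts and ad paths are those named in the article; the twitpic path,
# the "i" value and landing.example are placeholders the article does not give.
MCENTER = "http://mt.moneyandroid.com/topic/mobi/mcenter.php?aid=98&ext=6"
DOWNLOAD = "http://mt.moneyandroid.com/topic/mobi/download.php?i=PLACEHOLDER"
LANDING = "http://landing.example/update"
LOG = [
    ("http://twitpic.com/photo1", None, 200, None),
    ("http://static.example.org/logo.png", "http://twitpic.com/photo1", 200, None),
    ("http://ams1.ib.adnxs.com/", "http://twitpic.com/photo1", 200, None),
    ("http://track2.buyfaq.com/300x250.html", "http://ams1.ib.adnxs.com/", 200, None),
    (MCENTER, "http://track2.buyfaq.com/300x250.html", 200, None),
    (DOWNLOAD, MCENTER, 302, LANDING),
    (LANDING, None, 200, None),
]

def build_parents(log):
    """Map each URL to the URL that caused it; a redirect beats a Referer."""
    parent = {}
    for url, referer, status, location in log:
        if referer:
            parent.setdefault(url, referer)
        if status in REDIRECT and location:  # assumes absolute Location values
            parent[location] = url
    return parent

def chain_to(url, parent):
    """Walk back from a landing URL to the page the user opened."""
    chain = [url]
    while chain[0] in parent and parent[chain[0]] not in chain:
        chain.insert(0, parent[chain[0]])
    return chain

def summarize(chain, log):
    """List the distinct hosts in order and the hops that were redirects."""
    redirected = {u for u, _, s, _ in log if s in REDIRECT}
    hosts = list(dict.fromkeys(urlsplit(u).hostname for u in chain))
    return {"hosts": hosts,
            "redirect_hops": [u for u in chain if u in redirected],
            "cross_site": hosts[0] != hosts[-1]}

if __name__ == "__main__":
    report = summarize(chain_to(LANDING, build_parents(LOG)), LOG)
    print(" -> ".join(report["hosts"]), "| redirects:", report["redirect_hops"])
```

Walking back from the landing URL rather than forward from the publisher page keeps unrelated subresources (the constructed logo request here) out of the reported chain.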