IT NEWS

Exposing the Facebook funeral livestream scam (Lock and Code S05E21)

This week on the Lock and Code podcast…

Online scammers were seen this August stooping to a new low—abusing local funerals to steal from bereaved family and friends.

Cybercrime has never been a job of morals (calling it a “job” is already lending it too much credit), but, for many years, scams wavered between the clever and the crude. Take the “Nigerian prince” email scam, which has plagued victims for close to two decades. In it, would-be victims receive a mysterious, unsolicited message from alleged royalty and are promised a handsome reward in exchange for a little help moving funds across international borders.

The scam was preposterous but effective—in fact, in 2019, CNBC reported that this very same “Nigerian prince” scam campaign resulted in $700,000 in losses for victims in the United States.

Since then, scams have evolved dramatically.

Cybercriminals today will send deceptive emails claiming to come from Netflix, Google, or Uber, tricking victims into “resetting” their passwords. Cybercriminals will leverage global crises, like the COVID-19 pandemic, and send fraudulent requests for donations to nonprofits and hospital funds. And, time and again, cybercriminals will find a way to play on our emotions, be they fear, urgency, or even affection, to lure us into unsafe places online.

This summer, Malwarebytes social media manager Zach Hinkle encountered one such scam, and it happened while attending a funeral for a friend. In a campaign that Malwarebytes Labs is calling the “Facebook funeral live stream scam,” attendees at real funerals are being tricked into potentially signing up for a “live stream” service of the funerals they just attended.

Today on the Lock and Code podcast with host David Ruiz, we speak with Hinkle and Malwarebytes security researcher Pieter Arntz about the Facebook funeral live stream scam, what potential victims have to watch out for, and how cybercriminals are targeting actual, grieving family members with such foul deceit. Hinkle also describes what he felt in the moment of trying to not only take the scam down, but to protect his friends from falling for it.

“You’re grieving… and you go through a service and you’re feeling all these emotions, and then the emotion you feel is anger because someone is trying to take advantage of friends and loved ones, of somebody who has just died. That’s so appalling”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Comcast and Truist Bank customers impacted by debt collector’s breach

A data breach at Financial Business and Consumer Solutions (FBCS), a US debt collection agency, has exposed data belonging to some Comcast Cable Communications and Truist Bank customers.

FBCS is in the business of collecting unpaid debts on behalf of its customers. The data breach occurred in February 2024 and the cybercriminals responsible for the incident gained access to:

  • Full names
  • Social Security Numbers (SSNs)
  • Date of birth
  • Account information and other provider information
  • ID card and/or driver’s license
  • Other state identification number
  • Medical claims information
  • Clinical information (including diagnosis/conditions, medications, and other treatment information), and/or health insurance information.

FBCS discovered the unauthorized access to certain systems in its network on February 26, 2024.

The latest count of impacted people, established in July, increased the number of people in the US impacted by the data breach from the original 1.9 million to 4.2 million people.

As part of the ongoing investigation, FBCS recently informed additional customers that the breach had impacted them and their clients. Among those customers are Comcast and Truist Bank.

Comcast commented that FBCS originally reassured the company that the breach involved none of Comcast’s customer data, a reassurance that was subsequently retracted. According to a notice submitted to the Maine authorities, 273,703 Comcast customers were impacted by the breach.

Apparently, due to FBCS’s worsening financial position, which could be a direct result of the breach, entities indirectly impacted by the incident will have to undertake the notification and remediation processes themselves. Comcast is offering customers impacted by the FBCS breach 12 months of free-of-charge identity theft protection services.

Unfortunately, it’s not the first or even the worst time Comcast customers have been affected by a data breach.

In January 2023, data belonging to 7,358,464 Comcast customers was leaked on a hacking forum. The data contained names, usernames and additional personal information.

And in November 2015, a cybercriminal offered to sell a list of 590,000 Comcast user accounts for $1,000 on the Dark Web. At the time Comcast insisted that there was no breach, that only 200,000 of the leaked accounts belonged to active customers, and that it was unclear whether the data came from a security breach or from years of phishing.

Truist customers have also been impacted before. In October 2023, data reported to belong to Truist Bank was stolen during a cyberincident. The stolen data included email addresses, phone numbers, birth dates, bank information, full names, company names, physical addresses, credit card information, and more. Like the Comcast data, it was publicly shared on the internet.

Scan for your exposed personal data

It’s always extra painful when a company you have done no direct business with has leaked your personal data. Sadly these days you can’t know who has your data, but you can check what personal information of yours has been exposed online with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Large scale Google Ads campaign targets utility software

After what seemed like a long hiatus, we’ve observed threat actors returning to malvertising to drop malware disguised as software downloads. The campaign we identified is high-impact, going after utility software such as Slack, Notion, Calendly, Odoo, Basecamp, and others. For this blog, we decided to focus on the Mac version of communication tool Slack.

After setting up advertiser accounts under the identities of real businesses, the threat actors launch their malicious ads, hiding their infrastructure behind several layers of fingerprinting and cloaking.

We have reported these incidents to Google and the related advertisers have been banned. However, we are still finding new malicious ads and hearing from others seeing the same, indicating that this campaign is not over yet.

Wanted: Utility software

The threat actor is abusing various platforms to host their payloads, which gives insight into the software they are choosing as lures. For Windows users, all payloads were found in various GitHub accounts, which we have already reported.


For Mac, we saw payloads served from the same domain via PHP scripts whose names carry unique identifiers. These appear to be generated per download, and perhaps time-based. Other links that include the name of the software (e.g. clockify_mac.php) work regardless.

creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php
creativekt[.]com/macdownloads/script_66ffc3cf465a45.36592714.php
creativekt[.]com/macdownloads/clockify_mac.php
creativekt[.]com/macdownloads/script_66e6ba358cd842.42527539.php
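The four download URLs above, triaged in Python as an added example (my code, not code from the original post or from Malwarebytes). The identifiers have exactly the shape of PHP's uniqid() with more_entropy enabled: 8 hex digits of Unix seconds, 5 hex digits of microseconds, then a one-digit-dot-eight-digit entropy suffix. That the actor generated the names with uniqid() is my inference from that format, not something the post states; if it holds, the embedded timestamp says when each lure link was minted.

```python
import re
from datetime import datetime, timezone

# The four Mac download URLs listed above, kept defanged as on the page.
SAMPLE_URLS = [
    "creativekt[.]com/macdownloads/script_6703ea1fc058e8.92130856.php",
    "creativekt[.]com/macdownloads/script_66ffc3cf465a45.36592714.php",
    "creativekt[.]com/macdownloads/clockify_mac.php",
    "creativekt[.]com/macdownloads/script_66e6ba358cd842.42527539.php",
]

# PHP's uniqid($prefix, true) is sprintf("%08x%05x%.8F", seconds, microseconds, lcg * 10):
# 8 hex digits of Unix time, 5 hex digits of microseconds, then "d.dddddddd".
# Assumption: the actor's script names were generated that way; the page only
# observes that they look per-download and possibly time-based.
UNIQID_RE = re.compile(r"script_([0-9a-f]{8})([0-9a-f]{5})(\d\.\d{8})\.php$")


def decode_script_name(url: str) -> dict:
    """Classify one download URL and, for uniqid-style names, decode the timestamp."""
    name = url.rsplit("/", 1)[-1]
    match = UNIQID_RE.search(name)
    if not match:
        # Static names such as clockify_mac.php carry no timing information.
        return {"url": url, "kind": "static", "name": name}
    seconds = int(match.group(1), 16)
    microseconds = int(match.group(2), 16)
    generated = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return {
        "url": url,
        "kind": "uniqid",
        "name": name,
        "timestamp": seconds,
        "microseconds": microseconds,
        "generated_utc": generated.strftime("%Y-%m-%d %H:%M:%S"),
    }


def triage(urls):
    """Decode every URL; return records ordered by generation time, static names last."""
    records = [decode_script_name(u) for u in urls]
    return sorted(records, key=lambda r: r.get("timestamp", float("inf")))


if __name__ == "__main__":
    for rec in triage(SAMPLE_URLS):
        print(rec["kind"].ljust(7), rec.get("generated_utc", "-").ljust(20), rec["name"])
```

Under that assumption the three identifiers decode to 15 September, 4 October and 7 October 2024 (UTC), weeks apart, which is consistent with links being generated on demand rather than all at once. The microsecond field is a useful sanity check: a genuine uniqid value never exceeds 0xF423F there.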

Impersonating two identities at once

When we searched for Slack from the US, the top Google result was an ad that looked completely trustworthy. It had the brand’s logo, official website and even detailed description.

If you follow this blog, you probably know there is more to it. By clicking on the three dots next to the ad, you can see more information about the advertiser, which in this case is a law firm.

Note: We understand that most users will not—for lack of time, interest or knowledge—take this step, which is why we offer solutions such as Malwarebytes Browser Guard that automatically blocks ads.


The “My Ad Center” vignette shows that the advertiser was not verified yet, but we were able to access their profile and see their collection of ads. There were four ads in total, and three of them were related to lawyer services using the name and address of a real company in the US.

The Slack ad was the odd one out but could, in theory, have been promoted by this advertiser. What we believe is the problem with Google ads is that any advertiser can still use the branding of a major company as if they were that company. From the point of view of internet users, this is extremely deceiving and provides no guardrail against abuse.


After we validated the ad ourselves and saw where it redirected to (a malicious site), we reported it to Google. Very shortly thereafter, Google took action and removed not just the ad, but the advertiser.

However, a couple of days later a new ad appeared, once again using a stolen identity, this time that of a women’s health company.


Decoy site and payload

As we have seen before, the malicious ad starts a redirection chain made of various click trackers, cloaking and a decoy site. This allows victim profiling, but more importantly it is used to avoid automated detection in order to keep the ad up and running as long as possible.


Victims eventually land on a decoy site, similar to those used for phishing credentials, except here the end goal is to trick users into downloading malware.


Windows users get their respective payload hosted on GitHub. The binaries have been inflated into large files to hinder sandbox analysis and are likely the Rhadamanthys infostealer.

For Apple users, the installers are also an infostealer, branched out of the AMOS (Atomic Stealer) family. Passwords and other secrets found on the system, in the file system, browsers, extensions and apps, are collected and uploaded as a zip archive to a remote server located in Russia:


Conclusion

When we investigate ads, we use a simple yet realistic setup that mimics what most users would have. This is a manual process that sometimes requires multiple attempts from different geographic locations and browser profiles. While this work can be tedious and time consuming, we believe it is necessary in order to identify threat actors at the source, therefore providing protection to the Malwarebytes customer base, but also to anyone else who uses the Google search engine.

Slack is not the only brand that threat actors like to impersonate. In fact, we also saw and reported malicious ads for the productivity suite Notion. We noticed that it also shared the same payload hosting infrastructure, indicating that the two campaigns were related.

If you are still clicking on ads to download software, you take a risk by allowing fraudulent advertisers to redirect you to malicious sites. Inadvertently installing malware and getting your identity stolen has never been easier.

We recommend paying special attention to sponsored results or adopting a tool such as Malwarebytes Browser Guard. For our Mac users, we detect this threat as OSX.Poseidon.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Malicious hostnames

creativekt[.]com
slack[.]designexplorerapp[.]net
odoo[.]studioplatformapp[.]net
notion[.]foreducationapp[.]com
slack[.]workmeetingsapp[.]com
clockify[.]turnrevenue[.]com
slack[.]aerodrame[.]finance

GitHub repositories

github[.]com/09shubin/asdjh23/releases/download/nhehhh34/
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/

Payloads (Windows)

9c8dadbb45f63fb07fd0a6b6c36c7aa37621bbadc1bcc41823c5aad1b0d3e93e
2b587ca6eb1af162951ade0e214b856f558cc859ae1a8674646f853661704211
e3557fb78e8fca926cdb16db081960efc78945435b2233fbd80675c21f0bc2e2
637b3ac5b315fd77b582dff2b55a65605f2782a717bed5aa6ef3c9722e926955
79017a6a96b19989bcf06d3ceaa42fd124a0a3d7c7fca64af9478e08e6c67c72
6eb1e3abf8a94951a661513bee49ffdbecfc8f7f225de83fa9417073814d4601
de7b5e6c7b3cee30b31a05cc4025d0e40a14d5927d8c6c84b6d0853aea097733
77615ea76aedf283b0e69a0d5830035330692523b505c199e0b408bcccd147b7

Payloads (Mac)

b55f2cb39914d84a4aa5de2f770f1eac3151ca19615b99bda5a4e1f8418221c2
9dc9c06c73d1a69d746662698ac8d8f4669cde4b3af73562cf145e6c23f0ebdd

Command and control servers

85.209.11[.]155
193.3.19[.]251
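The indicator list above turned into detection logic, as an added example (my code, not Malwarebytes’). It refangs the entries, sorts them into domain names, IP addresses and GitHub release-path prefixes, then runs proxy log lines against them, matching on the parsed hostname (so a listed domain also hits its subdomains, but not a lookalike buried in a path). The log lines and their layout (timestamp, client IP, method, target, status) are constructed for the example and not taken from any real capture.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the list above, still defanged.
RAW_IOCS = """
creativekt[.]com
slack[.]designexplorerapp[.]net
odoo[.]studioplatformapp[.]net
notion[.]foreducationapp[.]com
slack[.]workmeetingsapp[.]com
clockify[.]turnrevenue[.]com
slack[.]aerodrame[.]finance
github[.]com/09shubin/asdjh23/releases/download/nhehhh34/
github[.]com/fewefwfewfew/dwqfqwe/releases/download/fecfewwefewf3/
85.209.11[.]155
193.3.19[.]251
"""

# Constructed proxy log lines for the example (hypothetical format:
# timestamp, client IP, method, target, status). Not from any real capture.
SAMPLE_LOG = """\
1728310000.101 10.0.0.5 GET https://slack.com/downloads/mac 200
1728310001.220 10.0.0.5 GET https://slack.workmeetingsapp.com/download 200
1728310002.330 10.0.0.5 GET https://creativekt.com/macdownloads/script_6703ea1fc058e8.92130856.php 200
1728310003.440 10.0.0.7 GET https://www.notion.so/ 200
1728310004.550 10.0.0.7 GET https://github.com/09shubin/asdjh23/releases/download/nhehhh34/Setup.exe 200
1728310005.660 10.0.0.9 CONNECT 85.209.11.155:443 200
1728310006.770 10.0.0.9 GET https://example.com/creativekt.com.html 200
"""


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def load_iocs(text: str):
    """Split a defanged list into domain names, IP addresses and URL path prefixes."""
    hosts, ips, prefixes = set(), set(), []
    for raw in text.splitlines():
        ioc = refang(raw.strip())
        if not ioc:
            continue
        if "/" in ioc:                                # e.g. a GitHub release path
            host, _, path = ioc.partition("/")
            prefixes.append((host.lower(), "/" + path))
            continue
        try:
            ips.add(ipaddress.ip_address(ioc))
            continue
        except ValueError:
            pass
        hosts.add(ioc.lower())
    return hosts, ips, prefixes


def matching_domain(host: str, hosts):
    """Return the listed domain that equals the host or is a parent of it, else None."""
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in hosts:
            return candidate
    return None


def check_target(target: str, hosts, ips, prefixes):
    """Return the IOC a URL or host:port target matches, or None. Matching is on
    the parsed hostname, so a listed name that only appears in a path or query
    string does not count."""
    parts = urlsplit(target if "://" in target else "//" + target)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    try:
        if ipaddress.ip_address(host) in ips:
            return host
    except ValueError:
        pass
    for p_host, p_path in prefixes:
        if host == p_host and parts.path.startswith(p_path):
            return p_host + p_path
    return matching_domain(host, hosts)


def scan_log(log_text: str, iocs):
    """Run every log line against the loaded indicators and return the hits in order."""
    hosts, ips, prefixes = iocs
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, target = fields[:4]
        ioc = check_target(target, hosts, ips, prefixes)
        if ioc:
            hits.append({"time": timestamp, "client": client, "target": target, "ioc": ioc})
    return hits


IOCS = load_iocs(RAW_IOCS)

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, IOCS):
        print(f"{hit['time']} {hit['client']} -> {hit['ioc']}  ({hit['target']})")
```

The CONNECT line shows why the C2 addresses belong in the list as IPs rather than names: TLS traffic to a bare address never produces a DNS lookup to match on. The last sample line is a deliberate non-hit, a listed domain appearing only inside a path on an unrelated host.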

iPhone flaw could read your saved passwords out loud. Update now!

Apple has released iOS 18.0.1 and iPadOS 18.0.1, which include a fix for a bug that could allow a user’s saved passwords to be read aloud by the VoiceOver feature.

VoiceOver allows users to use their iPhone or iPad even if they can’t see the screen. It gives audible descriptions of what’s on your screen—for example, the battery level, who’s calling you, or what item your finger is on.

Unfortunately, that also included an audible description of a user’s saved passwords, effectively reading aloud someone’s passwords.

While the chance of abusing this vulnerability is relatively small—the device would have to be unlocked and in the attacker’s proximity to exploit it—it’s always better to install security updates as soon as possible. Once criminals know vulnerabilities exist they tend to go looking for unpatched vulnerable devices.

The patch for the flaw (listed as CVE-2024-44207) is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version of iOS and iPadOS, go to Settings > General > Software Update. You want to be on iOS 18.0.1 or iPadOS 18.0.1.

If you’re not on the latest version, you can update from this screen. It’s also worth turning on Automatic Updates if you haven’t already, which you can also do from this screen.

Preferred setting for automatic updates

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

A week in security (September 30 – October 6)

Last week on Malwarebytes Labs:

Last week on ThreatDown:

Stay safe!




Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Browser Guard now flags data breaches and better protects personal data

Two things are true of data online: It will be collected and, just as easily, it will be lost.

But a major update to Malwarebytes Browser Guard will better protect users from the opaque data collection that happens every day online, and will raise their awareness of corporate data breaches that have left their sensitive information exposed.

First, Browser Guard will now notify users when they visit a website belonging to a company that has suffered a confirmed data breach in the past 90 days. While everyday users might already know about some of the largest breaches in recent history (AT&T comes to mind), it can be nearly impossible to keep track of every single company that has lost user data.

With these new data breach notifications, Browser Guard will warn users about recent data breaches they may never have heard about, from the 2.2 million people affected by the breach of Rite Aid, to the 1.7 million people affected by the breach of Slim CD, to the 500,000 people affected by the breach of the Texas Dow Employees Credit Union.

Importantly, Browser Guard will not send repeat notifications that pester returning users. The notifications also include direct access to the Malwarebytes Digital Footprint Portal, allowing users to check in real time whether their data was included in any flagged breach.

Browser Guard update

In a second, added feature, Browser Guard is also making it easier to stay private online by automatically opting users out of data collection performed by tracking cookies that are littered across the internet, with no extra effort required on users’ behalf.

These cookies are present on nearly every website people visit today, from Google to Facebook to YouTube to Reddit. They are small identifiers that a site’s scripts store in the browser and that advertisers use to recognize the same user on other sites, long after they have left the original website.

This data, when collected in aggregate, can reveal a person’s age, gender, hometown, relationship status, political beliefs, and so much more. And it’s precisely this data that advertisers want, as it helps them micro-target their ads to, say, new dads in Overland Park, Kansas, looking for a lawnmower, or, first-time homeowners in San Francisco needing a washer and dryer that fit in a small space.

For more than a decade, this type of data collection happened invisibly, but when the European Union passed a sweeping set of data protection rights in 2016, much of that changed.

Following the passage of the law (referred to in short as GDPR), users began to see cumbersome popups everywhere across the web that asked about “cookie preferences”—preferences around how these invisible trackers would collect information both for the website itself and for the advertisers using that website to deliver ads.

With the latest Browser Guard update, cookie consent forms are now rejected automatically, which tells the site to apply its most privacy-preserving settings.

What people experience is a simpler and less aggravating internet, where they’re no longer forced to manage yet another aspect of their privacy.

Download for Free today:

For a live look at the new Browser Guard, see the video below.

Not Black Mirror: Meta’s smart glasses used to reveal someone’s identity just by looking at them

Like something out of Black Mirror, two students have demonstrated a way to use smart glasses and facial recognition technology to immediately reveal people’s names, phone numbers, and addresses.

The Harvard students have dubbed the system I-XRAY and it works like this: When you look at someone’s face through the glasses—they used Ray-Ban Meta smart glasses—a connected Artificial Intelligence (AI) platform will look up that face on the internet and pull up all the information it can find about the person.

The Ray-Ban Meta glasses can livestream video to Instagram. A program monitors that stream and uses AI to identify faces. It extracts a picture of each face, which is then run through public reverse face search engines and people-search databases. Depending on the online presence of the person, this can reveal their name, address, phone number, and even relatives.

And as if it wasn’t creepy enough already, it only takes a few seconds before that information shows up on the user’s phone.

If you’d like to see this system in action, one of the students posted a tweet on X that shows you pretty much how effective it can be.

Facial recognition is a technology that has evolved quickly. That’s not always a bad thing, but it poses a privacy issue when the person in the database never gave consent. Many people have become used to being monitored much of the time they spend outside, especially in large cities. But when facial recognition adds an extra layer of tracking, or immediate identification, it becomes worrying.

In 2021 we wrote:

“For an individual to identify another individual would require access to a large database or an enormous amount of luck.”

But, thanks to the advancement of AI, this is no longer true. Identification can be done in seconds, for almost everybody that has an online presence, and just from public databases.

In the demo, the students claim they were able to identify dozens of people without their knowledge, although in some cases the system gave the wrong name.

It’s quite obvious that in the wrong hands this could be used to defraud or track people. The students have no intention of sharing their code, but they are not the first ones to come up with the idea or even make it work.

In 2022, a company called Clearview AI was permanently banned from selling its faceprint database within the United States. The facial recognition software and surveillance company was known for scraping images of people from social networking sites, particularly Facebook, YouTube, Venmo, and other websites. Clearview’s app was able to show you additional photos of a person—after taking a snap of them—along with links to where these appeared. Now, Clearview sells its product to law enforcement, and it’s also explored a pair of smart glasses that would run its facial recognition technology.

Also in 2022, a company called PimEyes was accused of “surveillance and stalking on a scale previously unimaginable.” PimEyes is an online face search engine that searches the internet to find pictures of particular faces. The search engine uses Artificial Intelligence (AI) for facial recognition combined with reverse image search technology to find other photos of a person published online, based on a picture submitted by the user.

In 2023, the New York Times published a story about “the technology Facebook and Google didn’t dare release” about how the two companies stopped development of technology that used facial recognition to identify people.

What’s changed since then:

  • The glasses look like any other Ray-Ban, so you won’t know you are being identified
  • Facial recognition has improved further
  • AI can be used to quickly gather and analyze data.

Sadly, there’s not a huge amount you can do to stop someone looking you up in this way. However, there are ways to limit how much information is out there about you. Be careful about how much information you post about yourself online, and as much as possible make sure social media posts aren’t publicly accessible.

You can also check and remove yourself from people databases. The students suggested a few that you can opt-out of.

Remove yourself from Reverse Face Search Engines

The major, most accurate reverse face search engines, PimEyes and Facecheck.id, offer free services to remove yourself.

Remove yourself from People Search Engines

Most people don’t realize that from just a name, one can often identify the person’s home address, phone number, and relatives’ names. Here are some of the major people search engines:

Scrub your data

If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove your personal information from data broker sites.

Radiology provider exposed tens of thousands of patient files

An anonymous person has disclosed that they gained online access to a radiology provider’s platform hosting patient information, using stolen credentials.

I-MED Radiology is Australia’s leading medical imaging provider. Their clinics offer a range of imaging procedures including MRI, CT, x-ray, ultrasound, and nuclear medicine. The person said they found the credentials in a data set that came from another breach, meaning it’s highly likely that the account holder used the same credentials for more than one service.

Cybercriminals often take leaked credentials and try them out on other websites and services. This type of attack is called credential stuffing: criminals with credentials from Site A try them on sites B and C, usually in automated attacks. If the user has reused their password, the accounts on those additional sites will also be compromised.
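Detection logic for the pattern just described, as an added example that is not from the original post: one source address trying many different account names inside a short window, followed by a success, is the signature of a stuffing run that landed on a reused password. The auth events below are constructed for the example, and their layout (ISO timestamp, source IP, `login user=… result=…`) is a hypothetical one, not I-MED’s.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed auth events for the example (hypothetical format, not I-MED's logs):
# 203.0.113.10 walks through five different accounts, then logs in as a sixth;
# 198.51.100.7 is a real user who mistypes their own password once.
SAMPLE_AUTH_LOG = """\
2024-10-03T08:00:01Z 203.0.113.10 login user=alice.ng result=FAIL
2024-10-03T08:00:02Z 203.0.113.10 login user=bob.k result=FAIL
2024-10-03T08:00:03Z 198.51.100.7 login user=alice.ng result=FAIL
2024-10-03T08:00:04Z 203.0.113.10 login user=carol.w result=FAIL
2024-10-03T08:00:05Z 203.0.113.10 login user=dave.l result=FAIL
2024-10-03T08:00:06Z 203.0.113.10 login user=erin.p result=FAIL
2024-10-03T08:00:07Z 203.0.113.10 login user=frank.o result=OK
2024-10-03T08:00:09Z 198.51.100.7 login user=alice.ng result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_event(line: str):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_stuffing(log_text: str, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP once it has tried >= min_users distinct accounts inside
    `window`, and record every successful login from a flagged IP as a likely
    account takeover (a reused password the attacker already held)."""
    recent = defaultdict(deque)       # ip -> deque of (timestamp, user) inside the window
    flagged = {}                      # ip -> timestamp at which it crossed the threshold
    takeovers = []                    # (timestamp, ip, user)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        attempts = recent[ev["ip"]]
        attempts.append((ev["ts"], ev["user"]))
        while attempts and ev["ts"] - attempts[0][0] > window:
            attempts.popleft()         # drop attempts that fell out of the window
        distinct_users = {user for _, user in attempts}
        if len(distinct_users) >= min_users and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
        if ev["result"] == "OK" and ev["ip"] in flagged:
            takeovers.append((ev["ts"], ev["ip"], ev["user"]))
    return flagged, takeovers


if __name__ == "__main__":
    flagged, takeovers = detect_stuffing(SAMPLE_AUTH_LOG)
    for ip, ts in flagged.items():
        print(f"stuffing from {ip} (threshold crossed {ts.isoformat()})")
    for ts, ip, user in takeovers:
        print(f"likely takeover: {user} from {ip} at {ts.isoformat()}")
```

Two caveats a practitioner would add. Stuffing tools spread attempts across proxy pools, so a per-IP window alone misses slow runs; aggregating the same way on user agent or TLS fingerprint, and on the number of sources hitting one account, closes part of that gap. And in the I-MED case the intruder reportedly already had three working credentials, so there may have been only a handful of attempts, which is exactly why the stronger controls are on the credential side: unique passwords and a second factor, not just detection.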

The whistleblower told Crikey they found log-in details for three accounts in the data that belonged to a hospital. The credentials gave them access to I-MED’s radiology patient portal, and with that, to files showing patients’ full names, dates of birth, sex, which scans they received, and dates of the scans.

The credentials had been available online to cybercriminals for over a year. To make things worse, the accounts had passwords only three to five characters long and were not protected by two-factor authentication (2FA). It also seemed as if these accounts were shared among several people.

This level of authentication is below par by any standard, but it’s especially unacceptable when it concerns sensitive patient data.

When queried, I-Med said:

“We have… further strengthened our system surveillance and are working with cyber experts to respond.”

The news about the leak comes at a bad time for I-MED, following recent accusations that it allowed a startup to use patient data to train an Artificial Intelligence (AI) without consent.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.
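Why the FIDO2 point in the list above holds, as an added example (my code, not Malwarebytes’ and not a real WebAuthn library): the browser, not the web page, writes the page origin into the signed client data and refuses to produce an assertion when the requested rpId does not match that origin, so an assertion minted on a phishing domain cannot be replayed to the real site. The relying-party names are hypothetical, and an HMAC with a secret key stands in for the authenticator’s asymmetric signature so the block runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

# Hypothetical relying party (RP) names; nothing here is from I-MED or the page.
RP_ID = "portal.example-radiology.test"
RP_ORIGIN = "https://portal.example-radiology.test"
PHISH_ORIGIN = "https://portal.example-radiology.test.evil-login.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def origin_belongs_to(origin: str, rp_id: str) -> bool:
    """Browser-side rule: the rpId must equal, or be a parent domain of, the page origin."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Stand-in for a FIDO2 key. Simplification: HMAC-SHA256 under a secret key
    replaces the asymmetric signature a real authenticator produces."""

    def __init__(self) -> None:
        self.key = os.urandom(32)
        self.counter = 0

    def get_assertion(self, rp_id: str, challenge: str, origin: str):
        # The browser fills in origin and checks it against rpId, so a page on
        # another domain cannot obtain an assertion scoped to the real RP.
        if not origin_belongs_to(origin, rp_id):
            raise ValueError("browser refused: rpId is not valid for this origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            separators=(",", ":"),
        ).encode()
        self.counter += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x01"                                  # flags: user present
                     + self.counter.to_bytes(4, "big"))         # signature counter
        signed = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.key, signed, hashlib.sha256).digest()
        return client_data, auth_data, sig


def verify_assertion(key, rp_id, expected_origin, challenge, client_data, auth_data, sig):
    """Server-side checks, in the order a WebAuthn relying party performs them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if cd.get("challenge") != challenge:
        return False, "challenge"
    if cd.get("origin") != expected_origin:
        return False, "origin"            # assertion was minted for another site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature"
    return True, "ok"


def legitimate_login():
    auth = Authenticator()
    challenge = b64url(os.urandom(32))             # issued by the RP
    cd, ad, sig = auth.get_assertion(RP_ID, challenge, RP_ORIGIN)
    return verify_assertion(auth.key, RP_ID, RP_ORIGIN, challenge, cd, ad, sig)


def phishing_relay():
    """Adversary-in-the-middle page relays the RP's real challenge to the victim's browser."""
    auth = Authenticator()
    challenge = b64url(os.urandom(32))             # fetched from the real RP by the proxy
    try:
        cd, ad, sig = auth.get_assertion(RP_ID, challenge, PHISH_ORIGIN)
    except ValueError as err:
        return False, str(err)
    return verify_assertion(auth.key, RP_ID, RP_ORIGIN, challenge, cd, ad, sig)


def phishing_relay_lax_browser():
    """Even if the phishing page asks for an rpId it does own (a real authenticator
    would not even hold a credential for it), the origin recorded in clientDataJSON
    gives the relay away server-side."""
    auth = Authenticator()
    challenge = b64url(os.urandom(32))
    cd, ad, sig = auth.get_assertion("evil-login.test", challenge, PHISH_ORIGIN)
    return verify_assertion(auth.key, RP_ID, RP_ORIGIN, challenge, cd, ad, sig)
```

Contrast this with a one-time code from an SMS or an authenticator app: nothing in that code names the site it was typed into, so a relay proxy can forward it to the real site within its validity window. The origin check above is the property that makes the FIDO2 factor phishing-resistant, and it is only as good as the relying party actually enforcing it.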

Check your digital footprint

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

Fake Disney+ activation page redirects to pornographic scam

A common way to activate digital subscriptions such as Netflix, Prime or Disney+ on a new TV is to visit a website and enter the code seen on your screen. It’s much easier than having to authenticate using a remote and typing a username and password.

Scammers are creating fake activation pages that they get indexed in Google to lure in victims. Once someone goes to one of these pages, they are redirected to a fake Microsoft scanner that claims child pornography was found on their computer.

Getting from the family-friendly Disney activation page to a very graphic alert is sure to get many victims to panic, even if they have done absolutely nothing wrong. You can see what this scheme looks like in the animation below:


Malicious Google search results

The scammers are using Search Engine Optimization (SEO) techniques to place their fraudulent sites on Google’s search results page. Unlike what we have seen before, these are not malicious ads but rather organic search results.

One of the fake websites, disneyplusbegins[.]com, is a play on the official website, and shows up when you do a Google search for ‘disney plus begin’:


Clicking on the link will take you to the aforementioned fake site that appears to prompt users to enter their code:


When interacting with the page, victims are automatically redirected to another site hosted on Microsoft Azure. A fake Windows Defender scanner claims that “Access to this PC has been blocked for security reasons. Alureon Spyware With Child Pornography Download Detected”:


The page contains a background image with pornographic material, as if it were from sites victims may have visited:


Despite the scary warning page, this is all a scam and you do not need to call the phone number shown on screen. Scammers are waiting for people to call in so they can impersonate Microsoft, remotely log into your computer and either make you send them money or steal directly from your bank account.

Safety tips

Visiting a website to activate a new product or service is something we all do at some point. It is easier to quickly type a few keywords into Google rather than entering the full website URL.

However, Google search results can be laced with malicious ads or links to fraudulent pages. If there is a QR code to scan on your TV, you may want to use that instead (with caution) or maybe spend the extra few seconds it takes to type the full URL (making sure you don’t typo it!).

Finally, just know that these fake warning pages are just that, fake. You can simply close them down by clicking on the ‘X’ at the top right. One thing to be careful about is avoiding clicking anywhere else on the page, in particular buttons or images that may say something like “return to safety”. For more practical tips, check out this article on CNBC, in particular the “How to click without getting into online trouble” part.



Android users targeted on Facebook and porn sites, served adware

Android users, be on your guard against adware trying to infect your device.

The adware—known as MobiDash—is spreading via several channels, according to ThreatDown research.

One of the characteristics that makes MobiDash stand out is that it can be added to legitimate apps without changing how the original app functions. Say, for example, you install a calculator app: You still get the calculator, but you get adware served to you on the side.

Another devious feature is that MobiDash often waits for a few days before it becomes active, making it harder for the user to work out where the ads are coming from. The app they downloaded works, and because there’s no immediate sign of infection there is no reason to suspect that app.

The ThreatDown investigation started by researching a domain that recently popped up in a phishing campaign. We found that besides the phishing campaign, links to this domain were being spread on Facebook.

Link in Facebook post

And not just on Facebook: we found that MobiDash was also being spread on certain sites that specialize in explicit content.

link on site with explicit content

When victims click the link, it starts a chain of redirects (lookebonyhill[.]com > apkretro[.]com > 3-dl-app[.]com) that ends in the automatic download of an .apk file, although some users reportedly had to use the Download button.

Download website

Within a few days, the user will start to see ads pop up out of nowhere, until the app is uninstalled.

How to avoid/remove adware

  1. Be careful what you click on: In the Facebook example above, you can see there is an unusual-looking link. Don’t be tempted to click through to a site you don’t know.
  2. Don’t install apps from unknown sources: Use the Google Play Store as much as you can.
  3. Look out for download sites like the one in the screenshot above: The fact that the site displays no name for the .apk you just downloaded should be a red flag that it’s not the one you wanted, or that it has extra adware attached to it.
  4. Use Malwarebytes for Android. We’ll detect and remove MobiDash from your device, as well as block the start of the redirect chain.
Malwarebytes blocks lookebonyhill[.]com