'Luckyboy' Malvertising campaign hits iOS, Android, Xbox users

[JustChilliing]

Executive Summary:

1.  LuckyBoy Malvertising campaign has penetrated 10 Demand Side Platforms (DSPs) (where platform publishers sell advertising space), mostly in Europe but with confirmed cases in the US and Canada.
2. Security vendor Media Trust has said that the malware checks for the presence of blockers, testing environments (such as being loaded onto a virtual machine) and active debuggers, and will not execute if found.
3. The users behind LuckyBoy are being exceptionally careful at being caught for this type of Malvertising, indicating a well versed team in this type of campaign.

 

Quote

Should it run on a target environment, the malware executes a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.

It is not uncommon for Android applications to have bad adverts embedded in that have been applied once Google's automatic application vetting process has given the greenlight, however they have made significant progress in the last year removing applications (normally based on a paid alternative with similar functions, or simply fake apps designed to look legitmate) that break their rules.

 

Quote

“LuckyBoy is likely executing tests, probing to gauge their success before launching a broader attack. Campaign was confirmed to execute on tags wrapped with malware blocking code, bypassing these defenses as further evidence that its sophistication is impressive,” The Media Trust notes in a report shared with SecurityWeek.

It is not insignificant in the threat landscape that an attacker like this tries to hide from detection, and even more impressive that they are hiding from non-desired targets. Whether or not it is removed from a non-target system remains to be seen.

 

Closing thoughts

Notable in this case is the sophisticated use of tracking pixels¹. This could be an attempt to decide who a target of interest may be, before executing the payload - who this could apply to remains to be seen. It will be interesting to see who the targets are, and how their evasion techniques adjust to ensure low detection probabillities within systems. There is also very little users can do to combat the malvertising, as the publisher will apply the advertising to those that their data shows it is relevant to, possibly limited the targets available in some way. I expect affected devices will require patching however it should be on the penetrated DSP provider to resolve any issues.

 

Sources

https://www.securityweek.com/luckyboy-malvertising-campaign-hits-ios-android-xbox-users

 

 

1: Marketing pixels, aka tracking pixels, are essentially these tiny snippets of code that allow you to gather information about visitors on a website—how they browse, what type of ads they click on, etc. This behavior data helps you, as a marketer, send the user paid ads that are likely to be most interesting to them.

[Quackers101]

Might feel lucky, just wannacry.