It is not uncommon to see social media accounts, specifically Twitter accounts, directing users to malicious sites such as the ones hosting Android.Opfake, an issue we blogged about last year. Recently, we discovered that the accounts of innocent users were being compromised to tweet these types of malicious links to their followers.
Figure 1. Malicious tweets from compromised accounts
The series of compromised accounts appears to have started around the beginning of July and has affected users globally. A broad range of accounts have been compromised for weeks and many users have yet to notice that their accounts are sending out malicious tweets, even though hundreds of tweets may have already been sent.
Figure 2. Compromised account sending legitimate and malicious tweets
If you are worried about accidentally clicking on malicious links coming from accounts you follow, you might be safe if you do not understand Russian. This is because the tweets are in Russian and you might ignore them if you see them on a friend’s account. If you understand Russian and are following users who regularly tweet in Russian, you should be wary.
After a user clicks on the link, sites hosting malware are opened in the browser. A typical browser will render the page, which triggers an automatic download of the app.
Figure 3. Malware hosting sites opened in browsers
Even though the apps are downloaded automatically, users will need to manually install the app.
Figure 4. Automatically downloaded app
Interestingly, a free version of Asphalt 7 appears to be available from these malicious tweets. Double check that you are downloading and installing the authentic version of the app: although it appears to be free, the malicious version, unlike the official Asphalt 7 app, will send premium SMS messages in the background. The charges will be much more expensive than the cost of the real app.
Figure 5. Fake download site for Asphalt 7
There are also tweets with intriguing images to entice users to click on the link and download malware onto their device. The accounts are not always compromised and may have been prepared by the scammers. Keep an eye out for this type of scam.
Figure 6. Scam with intriguing images
Symantec is working with Twitter to help those who have been compromised. To confirm whether an account has been compromised, check if your accounts have made tweets you do not recall and check if you are following accounts you do not remember following. To prevent your accounts from being compromised, use strong passwords, watch out for phishing scams, and protect your computers and devices from being compromised by malware that steals account information by following security best practices, such as keeping the operating system and all installed software patched and using up-to-date security software. To avoid visiting malicious sites, stay away from unusual messages, even from people you know. It is always advisable to install security software such as Norton Mobile Security or Symantec Mobile Security. Symantec detects the malware discussed in this blog as Android.Opfake.