A mobile malvertising campaign recently found targeting three digital advertising platforms has been using malware that checks a phone’s battery level as part of an unusual new technique for avoiding detection.
In just the last three weeks, the operation has fraudulently generated millions of page views, as the malware redirects certain victims to an unspecified malicious website, researchers from The Media Trust have reported in a new blog post penned by Digital Security & Operations Manager Michael Bittner.
Dubbed JuiceChecker-3PC, the malware was found hidden within an otherwise legitimate ad for a large U.S. department store chain. This ad was apparently made available to ad buyers for bidding via three separately demand side platform (DSP) providers, all of whom worked with The Media Trust to shut down the malware’s sources.
The malware inside the ad uses Base64 encoding “to bypass scanning,” wrote Bittner, and then performs three checks on ad viewers in order to determine whether or not to redirect them to the malicious website.
JuiceChecker-3PC checks for three specific conditions. First, the user agent must be mobile-specific “because the sites being targeted by the malware are all optimized to be viewed primarily via mobile device and, therefore, generate more traffic,” Bittner told SC Media in an email interview.
Second, the user device’s current battery level must be between 20 and 76 percent. “The malware wants to avoid detection, in particular scanning techniques that involve the use of mobile phones. Such phones would be plugged into an electrical source and register battery levels of 100 percent,” Bittner explained.
And finally, Bittner added, the HTTP referrer must be specified because “the malware wants to avoid detection by known security vendors, which the referrer typically indicates.”
The blog post notes that while malvertising malware has previously been known to perform checks for device position, motion, screen size, and other factors, a battery check is an inventive new twist.
Checking for battery level range is unique and underscores the malware developer’s insights into how certain scanners work and how to avoid their detection,” Bittner states in the blog post. “Given this malware’s level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online.”