
Assault and battery: Malvertising campaign checks user devices’ charge as anti-detection technique

A mobile malvertising campaign recently found targeting three digital advertising platforms has been using malware that checks a phone's battery level as part of an unusual new technique for avoiding detection.

In just the last three weeks, the operation has fraudulently generated millions of page views, as the malware redirects certain victims to an unspecified malicious website, researchers from The Media Trust have reported in a new blog post penned by Digital Security & Operations Manager Michael Bittner.

Dubbed JuiceChecker-3PC, the malware was found hidden within an otherwise legitimate ad for a large U.S. department store chain. This ad was apparently made available to ad buyers for bidding via three separate demand-side platform (DSP) providers, all of which worked with The Media Trust to shut down the malware's sources.

The malware inside the ad uses Base64 encoding "to bypass scanning," wrote Bittner, and then performs three checks on ad viewers to decide whether to redirect them to the malicious website.

JuiceChecker-3PC checks for three specific conditions. First, the user agent must be mobile-specific "because the sites being targeted by the malware are all optimized to be viewed primarily via mobile device and, therefore, generate more traffic," Bittner told SC Media in an email interview.

Second, the user device's current battery level must be between 20 and 76 percent. "The malware wants to avoid detection, in particular scanning techniques that involve the use of mobile phones. Such phones would be plugged into an electrical source and register battery levels of 100 percent," Bittner explained.

And finally, Bittner added, the HTTP referrer must be specified because "the malware wants to avoid detection by known security vendors, which the referrer typically indicates."
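To make the three conditions concrete, and to show why Base64 wrapping defeats a naive string scan but not a decoder, here is an added example written for this article. It is not JuiceChecker-3PC's own code and not The Media Trust's: the gate logic is reconstructed from the three checks described above, the user-agent regex, the inclusive 20..76 percent thresholds, the sample creative and the scanner profiles are all constructed assumptions. Battery level follows the browser Battery Status API, where `navigator.getBattery()` resolves to an object whose `level` is a fraction in the range 0..1.

```javascript
// Added example, not the malware's code. Reconstructs the three viewer checks
// described in the article (mobile UA, battery 20..76 %, referrer present)
// and a scanner-side decoder for Base64-wrapped ad scripts.
// Assumptions: inclusive thresholds, the UA regex below, constructed samples.

const MOBILE_UA_RE = /Android|iPhone|iPad|iPod|Windows Phone|Mobile/i;

// The redirect gate: all three conditions must hold. batteryLevel is the
// Battery Status API fraction (0..1); null means the API was unavailable,
// which we treat as "gate stays closed" (assumption).
function gateOpens({ userAgent, batteryLevel, referrer }) {
  if (typeof batteryLevel !== "number") return false;
  const pct = Math.round(batteryLevel * 100);
  const isMobile = MOBILE_UA_RE.test(userAgent || "");
  const batteryInRange = pct >= 20 && pct <= 76;
  const hasReferrer = typeof referrer === "string" && referrer.length > 0;
  return isMobile && batteryInRange && hasReferrer;
}

// Collect the same signals from a live page (browser only). Outside a
// browser this yields an "unknown battery" snapshot, so the gate stays shut.
async function snapshotFromBrowser(nav = globalThis.navigator, doc = globalThis.document) {
  let batteryLevel = null;
  if (nav && typeof nav.getBattery === "function") {
    batteryLevel = (await nav.getBattery()).level;
  }
  return {
    userAgent: nav ? nav.userAgent : "",
    batteryLevel,
    referrer: doc ? doc.referrer : "",
  };
}

// Base64 helpers that work in browsers and in Node.
const b64encode = (s) =>
  typeof btoa === "function" ? btoa(s) : Buffer.from(s, "utf8").toString("base64");
const b64decode = (s) =>
  typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("utf8");

// Scanner side: pull long Base64 literals out of a creative, decode them and
// look for a battery probe. Encoding hides the string from a grep, not from
// a decoder, so a scanner should always inspect decoded payloads.
const B64_LITERAL_RE = /["']([A-Za-z0-9+/]{40,}={0,2})["']/g;
function findEncodedBatteryProbes(markup) {
  const hits = [];
  for (const m of markup.matchAll(B64_LITERAL_RE)) {
    let decoded;
    try { decoded = b64decode(m[1]); } catch { continue; }
    if (/getBattery|\.level\b/.test(decoded)) hits.push(decoded);
  }
  return hits;
}

// Constructed sample creative: a benign-looking banner whose script tag
// carries the battery probe as a Base64 blob (built at runtime, so the blob
// is genuine Base64 of the snippet). go() is a placeholder for the redirect.
const PROBE_SNIPPET =
  "navigator.getBattery().then(function(b){if(b.level>=0.2&&b.level<=0.76)go();})";
const SAMPLE_CREATIVE =
  '<div class="ad"><img src="promo.png"></div>' +
  '<script>eval(atob("' + b64encode(PROBE_SNIPPET) + '"))</script>';

// Constructed viewer and scanner profiles, not real captures.
const ANDROID_UA = "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Mobile Safari/537.36";
const DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0 Safari/537.36";
const PUBLISHER = "https://publisher.example/deals";
const PROFILES = [
  { name: "lab phone on charger",     userAgent: ANDROID_UA, batteryLevel: 1.0,  referrer: PUBLISHER },
  { name: "desktop crawler",          userAgent: DESKTOP_UA, batteryLevel: 0.55, referrer: PUBLISHER },
  { name: "direct-load scanner",      userAgent: ANDROID_UA, batteryLevel: 0.55, referrer: "" },
  { name: "shopper mid-charge",       userAgent: ANDROID_UA, batteryLevel: 0.55, referrer: PUBLISHER },
  { name: "scanner, battery spoofed", userAgent: ANDROID_UA, batteryLevel: 0.48, referrer: PUBLISHER },
];

// Map each profile name to whether the gate would open for it.
function evaluateProfiles(profiles = PROFILES) {
  return Object.fromEntries(profiles.map((p) => [p.name, gateOpens(p)]));
}

console.log(evaluateProfiles());
console.log(findEncodedBatteryProbes(SAMPLE_CREATIVE));
```

Running it shows the first three profiles never see the redirect: a lab phone left on its charger reports 100 percent, a desktop crawler fails the user-agent test, and a scanner that loads the creative directly has an empty referrer. Only the "shopper" profile and a scanner that spoofs a mid-range battery level and a publisher referrer reach the gate. Two caveats for anyone building that scanner: the Battery Status API is exposed by Chromium-based browsers (notably Chrome on Android) but was removed from Firefox and is not available in Safari, so a probe like this only works on part of the mobile population; and because `navigator.getBattery()` is an ordinary JavaScript call, a scanning harness can override it to return a randomised level between 20 and 76 percent rather than the real, fully charged value.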

The blog post notes that while malvertising malware has previously been known to perform checks for device position, motion, screen size, and other factors, a battery check is an inventive new twist.

"Checking for battery level range is unique and underscores the malware developer's insights into how certain scanners work and how to avoid their detection," Bittner states in the blog post. "Given this malware's level of encoding, most blockers and conventional scanning techniques continue to let the malware pass through and impact millions of site and mobile app users. Nipping the attacks in the bud is particularly important given the explosion of malicious ads in the digital ad supply chain and the millions of shoppers who use their devices to browse and make transactions online."

Bradley Barth
