Users are tricked into believing their device is infected and forced to hand over personal data
Security researchers at Malwayrebytes have discovered a malvertising campaign that uses scareware to push a ‘free’ VPN app called ‘My Mobile Secure’ to iOS users via malicious ads on popular Torrent sites.
The page plays an “ear-piercing” beeping sound and falsely warns the user that his or her device is infected with viruses with the message: “We have detected that your Mobile Safari is (45.4 percent) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites.”
Users are then encouraged to download the app in order to remove “infected applications and files”, but to do so they must hand over a plethora of personal information.
“Such alerts on mobile devices are not new and sadly common place via many ad networks these days”, writes Jérôme Segura, lead malware intelligence analyst at Malwarebytes. “Usually, aggressive affiliates remunerated per lead will use these kinds of tactics to drive traffic to game apps or even tech support scams.
“Social engineering attacks such as the one above are still active and prey on the surprise effect or culpability someone may experience after browsing sites with pirated material.”
The developer behind My Mobile Secure is a comScore, Inc. company called VoiceFive, “a leading global market research company that studies and reports on Internet trends and behavior.”
In order to activate the free VPN app, users must join the MobileXpression research community. But the fine print reveals that the company will collect a whole host of user data, including contact and demographic information, device data, web browsing activity and even the number of text messages sent.
Segura points out the contradictory nature of these activities: “MobileXpression is a market research panel designed to understand the trends and behaviours of people using the mobile Internet. This seems a bit peculiar when applied to a VPN product, whose goal is to precisely anonymise your online activity by encrypting your data from your ISP, government, bad guys, etc.
He advises users to always review the companies behind such products before signing up, so that you know exactly who you are trusting your private data to.
Think you know mobile apps? Try our quiz!