Receiving and imparting advice allows humans to benefit from the experiences of others, without ever having to suffer the consequences of making the same mistakes themselves.
While that’s a great theory and a lovely thought, it’s a poor substitute for knowing that today’s disaster is your own work and yours alone. What’s infinitely worse than that is blindly allowing strangers on the internet to make big decisions, and then having to live with the consequences of their poor advice knowing the blame lies closer to home.
Stay Safe, Trust No One
Case in point, ‘staying safe online’, which according to Google’s autocomplete is a popular question when people are preparing to download anything, from music to PC games, to general software and Android APKs.
Anyone who opted for the ‘safest site’ to ‘download free mp3’ today, but ignored copyright concerns and the first few results linking to legal services, may have landed on a site with links to a few YouTube download sites. However, the ‘recommended’ option at the top of the list is to install free software that ‘claims’ to download from Spotify instead.
The .exe triggered no warnings when scanned using Windows Defender, MalwareBytes, and BitDefender. When checked it remotely, using a handful of online security tools, a different picture emerged.
A decision was made not to install the software and that turned out to be a good thing. Most of the time, installing any type of software from unknown sites should be avoided and here, any benefit would’ve been eliminated ten times over by whatever came next.
Beware of Deception
While the Baader-Meinhof phenomenon might explain an ‘unusually’ large number of people asking for “the safest site” this week, they were definitely there; on X, Reddit and other platforms, seeking out everything from manga to mainstream movies.
As usual, responses to the impossible question varied. Typically, some site or another in vogue at the moment receives a mention; that happened on one occasion this week and the chat ended there.
On rare occasions, someone will take the time to point out that research is advised but, for many people, that sounds like a tedious way of not getting content immediately. We didn’t see any of those this week, unfortunately.
Occasionally, since it tends to get frowned upon these days, someone will post a link to a site. In one case last week, someone posted a direct link to an Android APK.
In response to that post, a seemingly unconnected user agreed that this particular app provides access to everything and helpfully provided a link to a site where all of those details were available. That included the name of the app, a nice logo, its file size (around 30mb), version number, package name, and details of OS version compatibility.
As highlighted by the poster, the page also listed all relevant file hashes and a signature, so that any prospective users could do all the relevant checks, to confirm it’s 100% safe. How many people actually check those things is unknown but, in this case, the hash linked to details of an app on VirusTotal with a clean bill of health. However, the APK delivered by the site had a completely different hash.
Pirated Content Still On Offer…Good?
Many people believe that if an app works, that’s always a good sign. The reality is that if the app doesn’t work, people will uninstall it, and that’s the last thing nefarious app distributors want.
In this case, the app did work, albeit in a secure environment. But ordinarily it would’ve been installed on someone’s Android phone, where it would’ve been very happy indeed.
As F-Secure explains: An SMS-Worm is a type of worm that distributes copies of itself to new victims – in this case, mobile phones – over the Short Messaging System (SMS) of mobile telecommunications networks. An SMS-Worm may be able to automatically send a copy of itself to every contact listed in the mobile phone’s Contacts list.
Alternatively, the SMS may contain a link to a website. On clicking the link, the user may inadvertently download the worm’s executable code onto their mobile phone, thereby infecting themselves. For this method to work, the mobile phone would need to have Internet-access capability.
Other slightly worrying behaviors included an attempt to harvest all hostnames from the local network, presumably just to check out what other services might be available. Merely out of curiosity? Probably not
At some point, the app tried to connect to an IP address and domain names which according to records are connected to Hola/Luminati. That raises the prospect of devices subsequently becoming part of a network where the user’s connection can be used by someone else.
There’s no suggestion that those services are aware of anything malicious, a quality they’re likely to share with people who install *any* Android software without knowing what it does first, even though it’s free to find out.
Androguard: Reverse engineering and pentesting for Android
ANY.RUN: Free Malware Reports and Database
APKHunt: Comprehensive static code analysis for Android
APKLab: Android Reverse-Engineering Workbench
APKLeaks: Scanning APK file for URIs, endpoints & secrets
APKtool: A tool for reverse engineering Android APK files
Hybrid-Analysis: Free Automated Malware Analysis
Frida: A world-class dynamic instrumentation toolkit
Genymobile/scrcpy: Display and control your Android device
MobSF: Security research platform for mobile applications
Oracle VM VirtualBox
Sixo Online APK Analyzer
URLscan: Website scanner for suspicious and malicious URLs
VirusTotal: Analyse suspicious files, domains, IPs and URLs to detect malware
Wireshark: The world’s most popular network protocol analyzer
From: TF, for the latest news on copyright battles, piracy and more.
