Angry Birds impersonated to distribute malware

As part of Netcraft's ongoing work in providing anti-fraud and anti-phishing services, we have recently discovered a significant number of Russian-language attacks targeting users of popular pieces of software, including well-known brands such as Angry Birds. This type of attack can be particularly successful as it exploits a user's trust in a brand. Malicious downloads for Android phones are becoming an increasingly common attack vector.

Angry Birds is a video game franchise created by Rovio Entertainment. The franchise gained popularity on Apple's iOS platform, and has since become available on all popular mobile and desktop operating systems. With over 1 billion downloads, and over 250 million active users, the franchise has become iconic in the marketplace: the original game and its variants are frequently seen in top ten app lists, so the franchise is continually attracting new users.

Angry Birds is impersonated to push malware.

Distributing malware purporting to be genuine software isn't a new tactic — Angry Birds has been a victim of this before. In this case smartphone users were hit by premium rate phone scams.

However, lately we have seen an increase in attackers taking additional measures to prevent their sites from being found and taken down by the anti-phishing community. Restricting access to a site by country is one tactic that is becoming increasingly common. This is usually achieved via IP filtering; however, Netcraft has seen attacks restricting access based on Accept-Language and User-Agent headers. One particular type of attack purported to provide a browser update, varying the brand impersonated depending on the User-Agent submitted.

Many of the attacks Netcraft has observed have been primarily composed of Russian-language content, and restricted to IP addresses located in Russian-speaking countries. On another site impersonating Angry Birds, we found that when accessed from a proxy based in Russia, malware was distributed; however, when attempting to download the content through a different proxy (located in Australia in the example below), we were redirected to Google.

IP filtering, amongst other measures taken by fraudsters, makes identifying and classifying phishing sites more difficult both for anti-phishing vendors and for hosting companies responding to abuse notifications.
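When classifying a site that behaves this way, comparing probes that differ in exactly one request attribute shows which attribute the site filters on. The following Python is an added example, not Netcraft's tooling; the probe records, field names and the `android`/`desktop` User-Agent labels are constructed for illustration.

```python
from itertools import combinations

APK = "application/vnd.android.package-archive"
GOOGLE = "https://www.google.com/"

# Constructed probe results for one URL (not real captures). Each probe sets a
# proxy country, Accept-Language and User-Agent family, then records the response.
PROBES = [
    {"country": "RU", "lang": "ru-RU", "ua": "android",
     "status": 200, "ctype": APK, "location": None},
    {"country": "AU", "lang": "ru-RU", "ua": "android",
     "status": 302, "ctype": "text/html", "location": GOOGLE},
    {"country": "RU", "lang": "en-AU", "ua": "android",
     "status": 200, "ctype": APK, "location": None},
    {"country": "RU", "lang": "ru-RU", "ua": "desktop",
     "status": 302, "ctype": "text/html", "location": GOOGLE},
]

REQUEST_KEYS = ("country", "lang", "ua")


def fingerprint(probe):
    """Reduce a response to the fields that separate the download from the decoy."""
    return (probe["status"], probe["ctype"], probe["location"])


def gating_attributes(probes):
    """Return the request attributes that, changed alone, change the response."""
    gates = set()
    for a, b in combinations(probes, 2):
        differing = [k for k in REQUEST_KEYS if a[k] != b[k]]
        # Only a single-variable comparison attributes the change unambiguously.
        if len(differing) == 1 and fingerprint(a) != fingerprint(b):
            gates.add(differing[0])
    return gates


def payload_profiles(probes, payload_ctype=APK):
    """List the request profiles that received the download rather than the redirect."""
    return [tuple(p[k] for k in REQUEST_KEYS) for p in probes
            if p["status"] == 200 and p["ctype"] == payload_ctype]


if __name__ == "__main__":
    print("response depends on:", sorted(gating_attributes(PROBES)))
    for profile in payload_profiles(PROBES):
        print("download served to:", profile)
```

Recording the profile that received the download alongside an abuse report lets a hosting company reproduce the behaviour instead of seeing only the redirect.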

You can protect yourself against phishing sites by installing Netcraft's Anti-Phishing Extension and help protect the internet community by reporting potential phishing sites to Netcraft by email to scam@netcraft.com or at http://toolbar.netcraft.com/report_url. Netcraft can also help protect both brand owners and hosting companies.