A strain of malware that spreads on the web via advertising platforms has mounted a large-scale, mass data harvesting campaign, opening up thousands of Android users to follow-on attacks. Researchers said it’s likely there’s an organized crime ring operating behind the scenes.
Named ICEPick‐3PC by the Media Trust, the malware is a sophisticated form of adware using rarely seen techniques, according to Mike Bittner, digital security and operations manager at the firm.
“Publishers and website owners are outsourcing advertising management – what goes into delivery of an ad, such as its animation, is then handled by third-party code,” Bittner told Threatpost. “During the implementation of this code by third-party agencies, malicious code is injected into the library to hijack that operation.”
“Malicious code is injected into TweenMax, one of GSAP’s most popular tools, and CreateJS, another suite of tools, while self‐service agencies implement the libraries on a website,” the Media Trust noted in a posting Wednesday about the malware.
When a user clicks on an infected ad, the malware makes an RTC peer connection between the infected device and a remote peer. It then profiles the user’s device, and sends the extracted device IP to the remote user. The malware’s name, ICEPick-3PC, is actually a nod to the ICE protocol used to establish the RTC peer connection.
The malware harvests device fingerprinting information such as user agent, device type and whether the device is an Android device. It also checks the battery level, and the device’s motion and orientation activity in order to verify that it’s actually being used by a human being. If the device checks out as an attractive target, ICEPick‐3PC extracts IP information.
“One main component of this attack that’s interesting and that speaks to its sophistication is the fact that it actually establishes a peer-to-peer connection and successfully extracts the private IP address of the Android user,” Bittner said. “That’s something we have never before seen on a massive scale. Usually you see adware performing simple redirects to pop-ups resulting in a phishing attempt.”
The malware has been seen affecting more than 100 clients of The Media Trust, including recognized publishers and major e‐commerce businesses in retail, healthcare and a variety of other industries that get tens of thousands of visitors per month.
“We don’t typically see this, the actual targeting of specific users on such a mass scale,” said Bittner. “It’s using an advertising platform as a way to reach a mass audience to infect, targeting by geography and user agent. It has a level of sophistication and specificity that we don’t typically see in adware.”
This extraction and collection of IPs on such a large scale marks a significant advancement in malware authoring, according to the Media Trust.
“Stealing IP en masse with such efficiency demands rarefied coding skills,” the researchers said in the posting. “This malware has overcome such hurdles and even breaks through VPNs in order to intercept IPs.”
Overall, the data enables bad actors to identify users’ device vulnerabilities, and leaves the devices wide open for potential future attacks. “The reason the IP is significant is that you can get user agent and device type relatively easily, but the IP can be used for future exploit targeting,” Bittner said. “There are any number of open-source tools for bad actors that can give you a profile on a particular device and determine what potential exploits they’re vulnerable to.”
The malware’s level of sophistication and advanced techniques points to a well-organized criminal operation behind it all. The attack on recognized publishers and e‐commerce businesses “might portend a larger‐scale attack, or, at the minimum, the illegal trading of user information, in the near future,” the firm said.
In order to protect sites from ICEPick-3PC, publishers and e‐commerce businesses should thoroughly vet the self‐service ad agencies they work with for security weaknesses and avoid repeat offenders. They can also detect such offenders by scanning interactive ads and site pages for unauthorized code.