New Android App Scam Involving Facebook and WhatsApp

"When you access Facebook from your Android mobile device," comments PandaLabs' technical director Luis Corrons in a new blog posted today, "you will see a ‘suggested post’ (Facebook’s subtle euphemism for an advertisement) advertising tools for WhatsApp." These adverts are targeted specifically against Spanish (or Spanish-speaking) users, and only appear if Facebook is accessed from an Android device.

One advert offers WhatsApp users the chance to spy on their contacts' conversations; and by Friday last week had already received 3,752 Facebook likes. But there are other adverts – another (Trucos WhatsApp) offers the ability to hide the user's WhatsApp status (1,997 likes). They are not, however, genuine apps, but lures to trick users into downloading malicious apps.

Any user who falls for the lure and clicks the advertisement is taken to a page that mimics a Google Play listing, complete with reassuring statistics: 4.5 stars from 35,239 users. But, points out Corrons, the graphic actually shows 3.5 stars, not 4.5. And "if you add up the number of votes that appear on the right, the total is 44,060 votes," not 35,239. It is, he points out, a fake web page designed to look like the official Google Play store.

Any user who falls for the subterfuge and downloads Trucos WhatsApp gets the standard 'continue' button on installation. What is not standard, however, is the small print and grayed-out terms and conditions that are accepted by the installation. These include being signed up to a premium SMS service costing €1.45 per minute.

This is quite simply premium rate SMS malware that goes to some effort to hide its actions once it is activated. If everything works according to plan, incoming SMS messages are aborted so the user never sees them (but is still charged for them). This does not, however, work on the latest Android OS (4.4). Plan B, says Corrons, "turns on the device’s silent mode for a couple of seconds, so the user won’t listen to the notification sound, and then it marks the message in the inbox as read."
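The two hiding techniques Corrons describes leave a footprint in an app's manifest before any code is examined: sending premium messages needs SEND_SMS, swallowing the carrier's replies needs a receiver for the SMS_RECEIVED broadcast registered at a high priority (on Android before 4.4 such a receiver can abort the broadcast before the stock inbox sees it; 4.4 made that broadcast non-abortable for anything but the default SMS app, which is why the silent-mode fallback exists), and toggling silent mode needs MODIFY_AUDIO_SETTINGS. The following triage script is an added example written for this article, not code from Infosecurity Magazine or PandaLabs; the scoring thresholds and the two sample manifests are constructed assumptions, while the permission and action names are the real Android identifiers.

```python
"""Static triage of an AndroidManifest.xml for premium-SMS malware indicators.

Added example, not code from the article or from PandaLabs. The heuristics
are assumptions modelled on the behaviour the article describes: an app that
can send SMS, registers a high-priority receiver for incoming SMS so it can
swallow the carrier's billing replies before the inbox shows them, and holds
the audio permission needed for the silent-mode fallback.
"""
import xml.etree.ElementTree as ET

# Real Android identifiers used by the heuristics.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SEND_SMS = "android.permission.SEND_SMS"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
MODIFY_AUDIO = "android.permission.MODIFY_AUDIO_SETTINGS"


def parse_manifest(xml_text):
    """Return (permissions, sms_receivers); sms_receivers is a list of
    (receiver class name, intent-filter priority) for SMS_RECEIVED listeners."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                priority = int(flt.get(ANDROID_NS + "priority", "0"))
                sms_receivers.append((receiver.get(ANDROID_NS + "name"), priority))
    return perms, sms_receivers


def triage(xml_text):
    """Score a manifest. 'high' needs both the sending side (SEND_SMS) and the
    hiding side (a high-priority SMS_RECEIVED receiver). Thresholds are assumed."""
    perms, sms_receivers = parse_manifest(xml_text)
    findings = []
    can_send = SEND_SMS in perms
    if can_send:
        findings.append("SEND_SMS: app can send premium-rate messages")
    high_prio = [(n, p) for n, p in sms_receivers if p >= 1000]
    if RECEIVE_SMS in perms:
        for name, prio in sms_receivers:
            note = ("can abort the broadcast before the stock inbox on pre-4.4 Android"
                    if prio >= 1000 else "ordinary priority")
            findings.append(f"SMS_RECEIVED receiver {name} at priority {prio}: {note}")
    if MODIFY_AUDIO in perms and sms_receivers:
        findings.append("MODIFY_AUDIO_SETTINGS with an SMS receiver: matches the "
                        "silent-mode fallback used when the broadcast cannot be aborted")
    if can_send and high_prio:
        verdict = "high"
    elif can_send or sms_receivers:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "findings": findings}


# Constructed sample manifests (not taken from any real app).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.trucos">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
    <application android:label="Trucos">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>"""


if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(text)
        print(label, "->", result["verdict"])
        for f in result["findings"]:
            print("   ", f)
```

The manifest only shows capability, not intent: a legitimate SMS client legitimately carries the same permissions and receiver, so a "high" verdict is a prompt to look at the receiver's code for abortBroadcast() and ringer-mode changes, not a conviction on its own.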

Cybercriminals have been taking advantage of high-publicity events – such as the Facebook WhatsApp acquisition – since the dawn of the internet. Since the topic is already in the news, users' guards are lowered. The addition here of a false but official-looking Play store web page containing reassuring statistics, reached via a genuine advertisement on Facebook, further compounds the illusion. It demonstrates the continuous awareness that users must bring to their use of the internet if they wish to stay safe.