AdSecure’s latest platform feature scans for Google compliance

AdSecure, the ad verification tool used by ad networks, ad operations teams and publishers, today announced that it has updated its scanning technology to recognise and flag advertisements that are not compliant with Google’s Abusive Experience Report. AdSecure’s latest platform feature uses state-of-the-art image recognition technology, machine learning and AI to recognise all ad formats and creatives that Google considers to be abusive and therefore non-compliant.  

According to Google’s Abusive Experience Report the following ads are specifically designed to mislead users and are therefore non-compliant:

  • Auto-redirect the page without action from the user.
  • Take the user to an ad landing page or other content when they click anywhere outside of the user-visible border of the element.
  • Resemble system or site warnings or error messages.
  • Simulate messages, dialog boxes or request notifications.
  • Depict features which do not work.
  • Display a “close” button that does anything other than closing the element when clicked.
  • Imitate Antivirus Alerts



Google states that from 15th February, publishers that feature any of the aforementioned abusive ad experiences will receive a violation notification. The publisher will have 30 days to stop displaying the non compliant ads and will have to submit their site for review via WebTools for approval from Google. For each listed experience, Google will provide a brief definition, the URL of the incriminated page, screenshots and a short video that shows the misleading element(s).

Once the publisher has fixed all the issues from the report, he will have to submit his website for review. Even though Google has not publicly shared an exact time frame on how long the review process would take, some sources seem to indicate that the review could take around two weeks. If the publisher fails to comply, external links ( tabs) will be blocked on the entire site which lead to a loss of ad revenue, including from Google Adwords.

Mathieu Derval, Product Manager at AdSecure commented, “We are excited to be adding new violations that Google considers as abusive to our detection arsenal. This new platform feature is a ‘must have’ for ad network platforms, publishers and ad operations teams. Not only does it ensure that publisher revenues are not compromised by penalisation from Google, but publishers continue to preserve trust and security within the online advertising ecosystem.”

Derval continued, “AdSecure clients have the capacity to run comprehensive scans to inspect their ad tags and will receive real-time notification alerts through AI assisted analysis, each alert features a comprehensive report listing the non-compliant elements, allowing clients to take immediate action and reduce the risk of their own publisher clients getting flagged by Google.”

If you would like to find out more about incorporating AdSecure into your business, please visit for more information.

3 reasons to use AdSecure’s new Residential IP scanning technology

The AdSecure engineering team has been very busy over the last few weeks, and we are very excited to announce a major product enhancement that will further improve the overall detection of malicious ads. The new feature offers clients the possibility of scanning tags and landing pages from Residential IPs.

Residential proxies are IP addresses from a standard Internet Service Provider (ISP), often DSL or cable, that are wired directly into a user’s home, unlike Datacenter proxies, which are IP addresses that come from a secondary corporation and work by hiding the users’ IP addresses from the internet.

AdSecure’s Residential IP features allows you to:

1-  Beat cloaking practices

Cloaking is a common technique used by bad actors to display different ads or landing pages to users than the ones that are approved by ad platforms. Because ad platforms usually use Datacenter and not rotating IPs, it is easy for a criminal to know which IP address the compliance team is using during the review process, so the bad actor fools them by serving a compliant ad, while serving a malicious version to the rest of visitors.

2- See what real users see

Now you can scan ads and landing pages that are the ones being seen by ‘real’ users so you can verify the integrity of each offer.

3- Safeguard Your Audience.

Protect your users and your reputation by stopping non-compliant ads and landing pages.

As of today AdSecure gives you access to Residential IP scanning for over 70 GEOs including: US, Canada, Germany, France, Mexico, Italy, Thailand, Brazil and many more. In the near future AdSecure be adding more Residential IPs.

Contact us now if you are interested in testing this feature for free.

AdSecure launches ad scanning for premium 3G mobile carrier IPs

Barcelona, 13 November 2017.  AdSecure, the ad verification tool used by ad networks, ad operations teams and publishers, today announced that it has significantly improved its mobile ad scanning technology by implementing 3G proxies across a range of countries and mobile carriers.  

This new platform feature allows clients to scan live campaigns that are targeting specific mobile users.  This is a highly powerful feature as advertisers tend to show different type of offers for 3G and Wifi users, and this can be challenging to monitor.  

The feature works by allowing clients to scan by country, 3G carrier network and iOS or Android.  Once a fraudulent, malicious, non-compliant campaign or landing page is detected the client is immediately emailed a comprehensive analysis of each anomaly detected, which leads to a better understanding of the ad’s redirection chain  so that they can take action.  AdSecure has deployed this feature in 16 countries, supporting over 50  mobile carriers. And planning to release new mobile carriers in the near future, to offer the widest range of 3G proxies in the market. Current locations include :

  • Austria: A1 / T-Mobile / Three
  • Belgium: Base / Orange / Proximus
  • Brazil : Claro /OI / TIM / Vivo
  • Canada: Bell / Rogers / Telus
  • France: Bouygues Telecom / Free / Orange / SFR
  • Germany: e-plus / O2 / T-mobile / Vodafone
  • India: Airtel / Vodafone / Idea / Aircel
  • Italy: Three / Tim / Vodafone / Wind
  • Mexico: AT&T / Movistar / Telcel
  • Netherlands: KPN / T-Mobile / Vodafone
  • Poland: Plus / T-Mobile
  • Portugal: Meo / Nos / Vodafone
  • Spain: Movistar / Orange / Vodafone / Yoigo
  • Switzerland: Orange / Sunrise / Swisscom
  • UK: EE / O2 / Three / Vodafone
  • USA: AT&T / Sprint / T-Mobile / Verizon

A full list can be viewed here.

Mat Derval, Product Manager at AdSecure commented, “AdSecure’s core mission is to protect the internet browsing experience and the addition of our new 3G feature allows clients to scan ad campaigns aimed at desktop and/or mobile 3G connections.  Now publishers and ad networks have the the tools to immediately identify fraudulent campaigns and ensure that their ad space inventory is filled with compliant, malware free ads to protect their users.  Additionally ad networks working with affiliates can now scan affiliate mobile offers and mobile carriers can scan ads that are using their 3G network.”

AdSecure will add more countries and mobile carriers very shortly.  For further information visit

Meet with AdSecure at Madrid Mobile Summit

The Madrid Mobile Summit is the ultimate event for everyone in the apps/games/adtech ecosystem – whether you’re an app marketer, publisher, developer, startup or VC – you’ll find sessions on how to grow long lasting and profitable apps, how to monetize apps using advertising and in-app purchases and how to get more users, keep them and analyze your data.

AdSecure is attending the Madrid Mobile Summit on the 14th of November 2017. To book a meeting with Mat, contact us

Nearly 1.5 million phishing sites are created each month

One area of cyber crime that that has picked up dramatically over the last 12 months is phishing.  If you are not familiar with what phishing is, it is the art of tricking people in to handing over their credentials or access to protected systems. Phishing campaigns tend to be huge email blasts that contain either links or attachments. You click a link that takes you to a website that looks like your bank’s, and enter your credentials without thinking. Or in the case of a more sophisticated attack, you click a link or attachment which installs a piece of malware which compromises a system or network.

Verizon’s 2016 Data Breach Investigations Report carried out a study of 150,000 phishing emails and alarmingly, 30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link.

It seems that cyber criminals are on a major phishing expedition, with the latest figures from The Webroot Quarterly Threat Trends Report stating that 1.385 million new phishing sites are created each month.  May 2017 set a new monthly record with 2.3 million sites created.

The report also states that phishing sites are getting much harder to detect as they are becoming much more sophisticated.  They also found that these sites tend to stay up for a very short period of time: between four and eight hours. This enables the sites to avoid getting tracked or blacklisted. Even if the blacklists are updated hourly, they are generally 3–5 days out of date by the time they’re made available, by which time the sites in question may have already victimized users and disappeared.  The report also found that criminals are using company impersonations as one of their main techniques, posing as emails from Google, Chase, Dropbox, PayPal and Facebook being the biggest targets.

Malvertising campaign exploits users’ browsers to Mine Cryptocurrencies

The popularity of mining cryptocurrency within the browser is on the rise. In the last few weeks we came across many cases of this new trend, which consists in using a piece of javascript code to mine different cryptocurrencies directly through the visitor’s browser. Despite the perfomance drop of using this javascript mining approach you can bet that the attackers are able to generate substantial profits.

The JavaScript code is a modified version of MineCrunch, a notorious script which can be used to mine cryptocurrencies through the browser. MineCrunch was released back in 2014 and seems to be making a comeback. The crooks were mainly interested in Monero, Feathercoin and Litecoin, which can be mined with a standard CPU with little difference in overall results compared to running more advanced hardware.

Rather than tricking users into downloading cryptocurrency mining malware, cybercriminals are buying traffic from ad networks and distributing malicious JavaScript instead of a traditional advertisement. This approach has a clear advantage as it is easier to reach a significant number of machines by “infecting” websites than it is by infecting user machines. Streaming and gaming websites have apparently been preferentially targeted, since end-users tend to spend more time on these sites and may be less likely to notice the increased activity on their computer resources, or will assume it’s caused by the game or video itself as opposed to cryptocurrency mining activity.

This new kind of malvertising attack points out once again the need for ad platforms and publishers to use ad verification tool to protect their network, reputation and visitors safety. AdSecure now offers the detection of crypto-mining activity. Contact us to see how we can help safeguard your network or sites against malvertising.

Don’t let your users be held to ransom by ransomware.

ansomware targets businesses, government institutions, public services such as hospitals, council offices and of course people at home. Home computers are perhaps the easiest way for cyber-criminals to carry out attacks as your average Joe doesn’t have a cyber-security department protecting him like businesses and organisations do. Many individuals at home think that an anti virus programme will protect them. This is simply not the case. As we have mentioned in previous blog posts, cyber-criminals sometimes distribute malware via online ads and landing pages, so if you are an ad network or a publisher, we recommend that you protect your users with a product such as AdSecure. Not only will you be helping to keep ransomware at bay, you will also be protecting users from being exposed to ransomware and keep that valuable trust from clients and website visitors because they will be protected from attack.

So let’s have a closer look at the history of ransomware, why ransomware creators and distributors find home users easy targets and what happens when a user is infected.

Ransomware history

The very first ransomware emerged way back in 1989. Named the AIDS Trojan, it spread via floppy disks and each victim was asked to send $189 ransom to a post office box in Panama. Of course nowadays ransomware is much more sophisticated and the growth of crypto-currencies has ensured ransomware is a much more attractive proposition to cyber criminals.

Types of ransomware

There are two types of ransomware: Locker ransomware, this locks the victim out of the operating system, which makes it impossible for them to access their desktop, apps and files. In this case the files are not encrypted, but the attackers ask for a ransom to unlock the infected computer. The second is Encrypting ransomware, which uses advanced encryption algorithms. It blocks system files and then demands payment in exchange for a key that can decrypt the blocked content.

Home users are easy targets and here’s why…

  • They rarely create, or don’t do data backups.
  • They don’t always keep their software up to date.
  • They think that it can’t happen to them.
  • They have little or no cyber security awareness/education, meaning that they can easily be persuaded to click on almost anything.
  • They are much less likely to purchase cyber security solutions with most home users still relying on antivirus software, but this can be ineffective because ransomware uses evasion techniques so it is undetected by traditional antivirus software.
  • And of course the sheer volume of home internet users can allow cyber-criminals to build up huge scale in order to exploit potential victims

The infection – stage 1

What generally happens when a user unknowingly infects his computer from a malicious website or link that he clicks on? The infection delivers a security exploit to create a backdoor on the victim’s computer using vulnerable software on their system. Once the victim has unwittingly clicked on a link or downloads and opens the attachment, a downloader (payload) will be placed on the affected PC. The downloader uses a list of domains or C&C servers controlled by cyber criminals to place the ransomware program on the system. The contacted C&C server responds by sending back the requested data. The infected PC can be turned into a botnet, so that the cyber criminals can grow their infrastructure and carry out future attacks, and it can spread to other PCs connected to a local network, which causes further damage.

The infection – stage 2

It then uses unbreakable encryption, which means a victim cannot decrypt the files using the various decryption tools available from cyber security researchers. It has the ability to encrypt many different kinds of files on a victim’s PC including photos, videos, documents, audio files, etc. It encrypts data stored in cloud accounts such as Google Drive and Dropbox that are synced on the PC. It can also encrypt data on other computers connected to a local network. It scrambles file names, so the victim has no idea which data is affected. This is done in order to confuse and coerce victims into paying the ransom. It can also extract data from the infected PC such as usernames, passwords, email addresses, etc. which it then sends to the server controlled by the cyber criminals.

The infection – stage 3

It then displays an image/message that tells the victim that their data has been encrypted and that they have to pay to get their data back. It can also include geographical targeting, so that the ransom note is translated into the victim’s language, increasing the chances for the ransom to be paid. Payment is usually requested in Bitcoins, because crypto-currency cannot be tracked by cyber security researchers or law enforcement agencies. Generally there is a set time period to pay and missing the deadline means the ransom will increase, but it can also mean that the data will be destroyed and lost forever.

As you can see this can be a shocking experience for your average Joe at home and with 638 million ransomware attacks in 2016, it is inevitable that the number of ransomware attacks will only increase.

AdSecure launches in Beta to beat malvertising

Barcelona 4 September 2017 – AdSecure, is a brand new ad verification tool aimed at Ad Networks, Ad Operations Teams and Publishers to ensure a continuous compliant and malware-free ad delivery and sustain a secure and safe user experience for website visitors.

AdSecure’s technology is built around a custom-made crawler using behavioural targeting techniques and is able to run checks from multiple browsers, devices and over 70 GEOs. The technology allows clients to automatically scan ad tags and landing pages for non-compliance and malware in real-time, 247.

As soon as AdSecure’s system detects a threat, it generates real-time notification alerts through intelligent threat analysis. The alerts are immediately sent to the client via email or through an API giving them access to comprehensive reports listing all malicious links, which then allows the client to take the appropriate actions.

AdSecure is quick to set up and it saves clients valuable time and resources by cleaning out malware and non-compliant advertising and therefore protecting their online reputation.

Mathieu Derval, Product Manager at AdSecure comments,

“Malvertising poses a very serious threat for the online community and for the entire online advertising ecosystem. Malware distributed through the digital advertising supply chain degrades overall trust in this ecosystem. Cybercriminals are taking advantage of the open system which relies on multiple parties including advertisers, ad networks, ad exchanges and site publishers. The boom in programmatic advertising offers attackers advanced targeting options making their malicious campaigns extremely effective and difficult to detect. This is why we created the AdSecure platform to give the industry the most effective, accurate and reliable ad verification tool.”

Mathieu Derval is attending the leading digital economy show Dmexco in Cologne 13-14 September, to book a meeting with Mathieu please contact us.

AdSecure is currently in Beta testing, if you would like to find out more about incorporating AdSecure into your business please contact us, for more information or visit

ENDS For further press information please email

Ransomware news: Android app that allows hackers to create ransomware without any code

The days of needing the coding skills of an accomplished hacker to build malware are over, at least if news from Symantec is true. The antivirus and cybersecurity company recently reported the existence of a Trojan Development Kit (TDK) that allows anyone to create Android ransomware—no coding skills required.

This latest TDK, can be found on hacking forums and even in social media advertisements in China. All the cyber criminal has to do is download the APK and install it and they’re ready to build ransomware. The process itself is simple: Just specify a ransom message, an unlock key, the ransomware’s app icon, mathematical operations to randomize the code and an animation to be shown on the infected Android device.

Meet with AdSecure at Dmexco 2017

Dmexco is the global business and innovation platform of the digital economy. It enables visitors to experience disruptive trends and defines the business potential of tomorrow. This is the meeting place for makers and shakers, visionaries, marketing and media professionals, techies, and creative thinkers. dmexco combines the leading trade fair for digital marketing with an extraordinary conference — and it’s the sector’s top event of the year.

Malvertising explained

Malvertising explained

Malvertising, or malicious advertising, is the practice of using web advertisements to spread malware with little to no user interaction required. Cybercriminals use the same advertising strategies as legitimate ad companies, except that malvertisements will either try to download malware directly to visitors devices upon viewing, or send visitors to websites that distribute viruses, ransomware or other unwanted and malicious programs.

How malvertising works?

Rather than attempting to trick users into visiting a malicious website, attackers use the granular profiling functionality provided by ad networks to spread financial malware, data-stealing malware, ransomware and other cyber threats, or if applicable, ads that will trigger an automatic redirection to landing pages hosting exploit kits.

The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious related products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed there. A script obfuscated in an infected ad will run in the background and look for vulnerabilities on the user’s computer so it can quietly download and execute a malicious application such as ransomware.

One of the most frustrating aspects is to figure out how easy it is for attackers to bypass ad platforms’ safeguards either because of insufficient checks or more seriously because they can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play: by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behavior is detected an email notification is immediately sent to the ad platform/publisher giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.

Who has this affected so far?

Unfortunately no publisher can be considered absolutely safe, you have probably heard of many cases recently, but here are a few examples of some of the most trusted websites online that have been affected: Forbes, MSN, Yahoo, The New York Times, BBC, Spotify… and the list continues to grow.

How do you protect yourself against malvertising?

Besides not clicking on questionable ads, here are some recommendations to help ensure you remain safe from threats distributed by malvertisements:

  • Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browsers.
  • Keep your plugins updated and disable or uninstall the ones you don’t frequently use, including java.
  • Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.
  • Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.
  • When using your mobile, only installs apps from original app stores and try to run background checks before installing any suspicious apps.

Further reading:

For an indepth explanation of Malvertising and the tricks that Cybercriminals visit our blog post What is Malvertising and how to stop it.

Reversing a Crypt0l0cker dropper

Ransomware – public enemy number one in today’s digital landscape. Malicious software designed to block access to a computer system until a sum of money is paid has become the most common form of cybercrime.

This week a client of ours was attacked by Crypt0l0cker, a known ransomware strain, which is making a comeback in European countries [1]. Luckily we were able to quickly localize all affected users and prevent the malice from spreading. Of course, after the fact I was curious to find out how the attack was carried out.

It all started with your typical email sent out to the financial department claiming to be a pending bill. The email contained a link to download a ZIP archive, which contained a JavaScript file. Once extracted and opened it would download and execute the malware.

As in any self-respecting cybercrime situation, the JavaScript file was obfuscated, preventing anybody from directly understanding what it was doing by just looking at the code. So the journey began by downloading the ZIP, extracting it and checking the code. The complete source code is available here and is over 500 lines long.

At first glance, it looks complex and cumbersome. But in reality, after tracing it with a debugger, it becomes rather simple and straight forward. The only relevant parts that need to be reversed are the following:

At this point it is already evident that this JavaScript code is designed for a Microsoft environment, as nobody else implements ActiveXObject. Additionally, we can already see that the run method will be called on this object. All that is left to do is to decode the actual command that will be executed.

By checking the values returned by each of the functions we get the following output:

The ActiveXObject created earlier appears to execute a powershell command, and to understand it we need to take this reversing exercise one stop further. The easiest way, again, is to pop a powershell CLI and check the resulting value inside the Invoke-Expression call, which leads us to the answer:

To conclude, the 500+ lines of obfuscated code amount to these 4 simple expressions that download the cryptolocker [2] from a hacked Vietnamese gift shop [3], and execute it, unleashing the encryption beast on the unsuspecting hard drive. As far as today goes, there are no known decryptors for this locker. The ransom is $500, which goes up to $1000 if it’s not payed by the first deadline. This means complete data loss and a system reinstall from scratch. Having a backup with all your important data is definitely the easiest, cheapest and most secure thing you can do to remediate the damage suffered from a Crypt0l0cker infection.


An overview of modern exploit kits

nformation security technology is an endless loop of change and evolution in both offensive and defensive ways. Blackhats create demand for new offensive technologies; whitehats respond with new defensive barriers. An exploit kit (EK) is a software kit designed to run on web servers, with the purpose of identifying software vulnerabilities in client machines communicating with it. Exploit kits discover and exploit vulnerabilities to upload and execute malicious code in the client browser. In today’s blog post we are going to briefly review currently used EKs, along with their delivery techniques, exploits and malicious payloads.

Reportedly, the infamous players Angler and Neutrino have now stepped down, and are no longer seen in the wild [1], all the while Rig is running strong since 2014. According to research by Talos Intelligence [2], Sundown has also become an important player since 2016.


Even though there have been reports of exploit kits pushing cleartext code [3] to their victims, most modern exploit kits use advanced techniques for hiding their code. Among one of the more notable and interesting techniques recently seen is steganography [4], which is the practice of concealing messages or information within other nonsecret text or data. By embedding malicious code within images it becomes impossible to detect by an untrained eye, and difficult to reverse, especially if the injected bytes are further obfuscated.

Second commonly used technique to pressure the victim into installing malicious software is social engineering [5], which is the practice of psychological manipulation of people into performing actions or divulging confidential information. Victims are served malicious content that is designed to toy with their emotions, such as fear, happiness, the will to help others, etc. to make the victim visit a malicious page.

Last but not least, there are browser lockers. Browser lockers normally rely on JavaScript to render a user’s browser unusable by continuously showing alert messages, pop-ups, or going in fullscreen mode. This loop continues until the user performs a specific action, which is usually installing software or calling a fake tech support number.


Exploits commonly used by EKs are targeted against all the common suspects: Microsoft IE/Edge, Adobe Flash, Java, and Silverlight. Some EKs also have Mozilla Firefox, Google Chrome and Opera exploits. To give you an idea, there is an outdated list of Common Vulnerability Enumerations (CVEs) [6] previously seen in various packs. Some of those CVEs are still used in modern packs, since a vast majority of users do not apply security updates regularly, or even worse – use End of Life (EOL) systems, such as Windows XP.

After leaks from the Hacking Team and the like, a wave of Flash exploits dominated the market. At one point Flash CVEs were literally submitted by the dozens on a daily basis. So many were submitted in a short period of time that now all major web browser vendors block outdated Flash plugins, with plans to completely phase out Flash in favour of HTML5 [7].

The “winner” of course remains Internet Explorer. This browser has seen so many reliably-exploitable vulnerabilities that now no self-respecting user will even touch it with a stick. IE’s younger brother, Microsoft Edge, seems to be following in the same steps, potentially becoming the next big thing on the EK market.

Several exploits currently implemented in Sundown and Rig EKs [8] have been released to the public domain. By analyzing these, you may get a better understanding of the state of affairs.


There are various common malicious programs circulating in the wild and pushed to exploited clients. Consistent with the global trend [9], all EKs are mostly infecting users with ransomware[10]. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid. This is achieved by encrypting the entire hard drive of the infected computer, rendering all information inaccessible. The victim is then asked to pay a ransom for the decryption key to be able to recover his or her files. If the ransom is not payed on time, the price is usually increased, and if the payment deadline is missed again, the decryption key is deleted. Albeit having payed the ransom, there is no guarantee that the victim will receive the decryption key, nor that the ransomware will be deleted. It is common practice to continuously infect the same clients that keep paying the ransom.

All modern EKs are seen to distribute Cerber [11], CryptoMix [12], Chip [13], and Locky [14], all of which are ransomware programs.

Apart from ransomware, an occasional banker trojan has also been observed in the wild. A banker trojan is a malicious program used to obtain confidential information about customers and clients using online banking and payment systems. A Zeus-based Terdot loader was identified as one of the malware samples distributed by Sundown [15].


Every few years some exploit kits step down and other emerge, but the certainty remains – there will always be a market for exploits. Whether a cybercrime ring or a government agency, everybody has their interest in obtaining unauthorized access to remote systems. With steganography now becoming standard, there will certainly be more interesting and innovating techniques to bypass sandboxes and security solutions alike.


Breaking open the Android Switcher

In late December 2016, the Android Switcher trojan was making the news. A trojan is “a type of malware that is often disguised as legitimate software. Trojans can be employed by cyber-thieves and hackers trying to gain access to users’ systems. Users are typically tricked by some form of social engineering into loading and executing Trojans on their systems. Once activated, Trojans can enable cyber-criminals to spy on you, steal your sensitive data, and gain backdoor access to your system” (source).

We decided to investigate this trojan for a short writeup of its functionalities and capabilities, so I downloaded a sample from Virustotal and cracked it open in the lab.

The first notable observation is that there is a lot of code written in Chinese (figure 1). Additionally, there are a lot of com classes, which makes it look as if it were a merged version of many different applications. This could simply be a way of adding extra trash-code to obfuscate the real functionality.

There are several hardcoded URLs for data exfiltration (figures 2 and 3), which receive internal network and device information.

Checking WHOIS records shows that the domain name is registered in Beijing (figure 4), and at the moment of writing this blog post is no longer accessible.

The trojan attacks a victim’s router by trying a series of predefined username:password combinations. These combinations are hardcoded inside one of the Java classes, and do not include very extensive tests.

According to previous research by Kaspersky Lab, the attacks are exclusively destined for TP-Link routers. This is determined based on the hardcoded JavaScript scripts that are used to navigate through the router admin panel (figure 5).

The malware also includes some interesting functionalities worth noting, such as: * Target Chinese users * Check if the device is rooted * DNS hijacking * User input emulation * Screen capturing


Android Switcher relies on a very limited set of default/weak credentials to gain access to the router and change its DNS settings. Nevertheless, according to Kaspersky’s research, this trojan was able to gain access to nearly 1,300 networks. If the next version contains a more extended set of username:password pairs and implements the capability of accessing other router models, this trojan will be able to pull in thousands of hijacked devices.

It is recommended to check that your router is configured to use a known public DNS entity, such as Google ( Additionally, it is highly recommended to change your default router password.

Deobfuscating a JavaScript exploit

Recently, one of our partners sent us an interesting piece of obfuscated JavaScript code that was used to run ads on their network. As it turned out, the code was malicious in nature, and in the present article I would like to analyze it and show how obfuscated JavaScript code can reverse engineered.

The following screenshot shows the code that we received:

In the above screenshot, there are two URLs that are readily identifiable (masked for this public release to preserve confidentiality of the affected party). The one used in the land variable is a tracker used to monitors a brand’s performance. The other one is embedded in the final part of code. This final part gave an impression to be garbage, for the exception of some artifacts (like the URL and JavaScript code).

As can be observed, the encoded text on line 58 is stored as a string and is passed as a parameter to what appears to be the decoding function defined on line 3. The decoded output is executed with the eval() call on line 2.

The eval() call will evaluate whatever is returned by the function that is defined inside the call. The function returns the decoded string on line 57. This is where we can intercept the execution flow and have a look at what is to be evaluated after the decoding function. We simply replace the return call with console.log(), save and run the script. Now we will see the decoded code printed out to console. Checking the console, I got the following output:

More obfuscated code! Analyzing we can see that _$_f4ea is an array of string values that appear to be JavaScript. The rest of the code selectively picks values from _$_f4ea and merges them into a coherent set of instructions. This time it’s not possible to get the decoded code by simply running the decoder function and printing out the result. Reversing this part will require manual substitution of values from the array. By using a JavaScript interpreter, it’s possible to semi-automate the process to get values from the _$_f4ea array, and then merge them together manually.

The final result looks, like this:

Now we can see a clear picture of what is really going on. Lets quickly review it line by line.

The first two lines define the iframe variable and the inCode that will later be injected into the URL that was previously identified. Lines 4-10 set iframe parameters and append it to the HTML document. Here we can see that inCode is injected into the css parameter in the URL passed to f.src. Upon further investigation it became evident that this website is suffering from an HTML injection vulnerability that allows malicious actors to inject arbitrary code, and more importantly have HTTP requests appear as if coming from the website itself. This is the core of the exploit. The vulnerable website is hosted in Spain. The attackers were routing all their ad traffic though this vulnerable website, thereby converting all their traffic to Spanish traffic, and finally sending it to the ad tracker that we previously identified.

It appears that the purpose of this exploit was to illegitimately augment Spanish traffic volume and get higher payouts by country. This of course led to the campaign being banned on our partner’s network.