Fake Viber Spam Changes Routines Based on Platform

Earlier this week, we noticed a spike in the volume of spammed messages that pretend to come from the messaging service Viber. This app, which also has a desktop version, lets users make free calls and send free messages. The email informs the recipient that they have one voice message for their account.

Figure 1. Sample spammed message

Different Routines for PC and Mobile

The infection routine is pretty straightforward for computers: clicking the embedded link leads to the download of backdoor malware, detected as BKDR_KULUOZ.VLU, in the system.

However, recipients who open the email on their mobile devices experience a different routine altogether. Rather than drop any malware, the user is redirected to different websites, such as a random URL, a search engine site, or even official app stores.

Mobile users were sometimes redirected to a streaming site. Investigations revealed that this site has been linked to suspicious activities. For example, the site covertly charges the credit card number users must give during registration. Some users were redirected to the site by clicking a “Flash Player” update advertisement.

Figure 2. Users are sometimes redirected to a streaming site

Redirections Based on Mobile OS

What’s more notable is that redirection can also vary depending on the OS of the device. Android users were directed to the “Go Launcher” app on the Google Play Store. Apple users were directed to a Chinese gaming app on the iTunes site. It should be noted that neither of these apps is malicious.

Figures 3 and 4. Users are sometimes redirected to Google Play and iTunes

Redirections based on platform are not limited to official app stores. Android users who click the link were sometimes redirected to what appears to be a blank page. After checking the source code of the page, we found that it contains links that lead to a URL with an .APK file, detected as ANDROIDOS_PAWEN.HBT.

This app contains links to various adult sites. It also monitors the user’s incoming and outgoing calls, taking note of any numbers and sending them to a URL hardcoded in the app. The purpose of these URLs is patently clear from their file names:

  • http://{malicious domain}/scripts/app_tracking_manager.php
  • http://{malicious domain}/scripts/app_call_tracking_manager.php

However, it should be noted that users are not led to the link that contains the malicious .APK file. Meanwhile, iPhone users were sometimes redirected to an adult site.
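An added example, not part of the original post or any Trend Micro tooling: because the domain behind the two tracking URLs is redacted above, one way to hunt for this traffic in web proxy logs is to match on the URL path alone. The tab-separated log format, the sample lines, and the function name are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# URL paths reported in the post; the host is redacted there, so match on path only.
TRACKING_PATHS = {
    "/scripts/app_tracking_manager.php",
    "/scripts/app_call_tracking_manager.php",
}

# Constructed sample lines in an assumed format:
# timestamp<TAB>client_ip<TAB>method<TAB>url<TAB>user_agent
SAMPLE_LOG = """\
2020-01-01T10:00:01Z\t10.0.0.21\tPOST\thttp://tracker.example/scripts/app_call_tracking_manager.php?n=1\tDalvik/1.6.0 (Linux; U; Android 4.1.2)
2020-01-01T10:00:05Z\t10.0.0.21\tGET\thttp://tracker.example/scripts/app_tracking_manager.php\tDalvik/1.6.0 (Linux; U; Android 4.1.2)
2020-01-01T10:01:00Z\t10.0.0.34\tGET\thttp://news.example/scripts/app.php\tMozilla/5.0 (Windows NT 6.1)
2020-01-01T10:02:00Z\t10.0.0.40\tGET\thttp://shop.example/?next=/scripts/app_tracking_manager.php\tMozilla/5.0 (iPhone)
malformed line without tabs
2020-01-01T10:03:00Z\t10.0.0.55\tPOST\thttp://other.example/Scripts/App_Call_Tracking_Manager.php\tDalvik/1.6.0 (Linux; U; Android 4.0.4)
"""


def find_tracking_hits(log_text):
    """Return {client_ip: [(timestamp, host, path), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:
            continue  # skip malformed records instead of failing the whole scan
        timestamp, client, _method, url, _agent = fields
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # unparseable URL
        # Compare only the path component, so a query string that merely
        # mentions the path (fourth sample line) does not match. Matching is
        # case-insensitive on purpose, to tolerate servers that ignore case.
        path = parts.path.lower()
        if path in TRACKING_PATHS:
            hits[client].append((timestamp, parts.hostname, path))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_tracking_hits(SAMPLE_LOG).items():
        print(client, len(events), sorted({host for _, host, _ in events}))
```

Clients that appear in the result are candidates for a closer look at installed apps; the match says nothing about which app generated the request.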


While we have seen several threats that work on different platforms, the number of possible outcomes for this one spam attack is highly notable. It’s also interesting that the spammers behind this attack took great pains to redirect mobile users to different sites based on the platform of their devices.

Messaging services are a common social engineering lure for attacks such as this one. Perhaps what makes this one more plausible than others is that Viber does have a desktop client. It wouldn’t be a far stretch for a recipient of the email to assume that the voice mail exists.

We advise users to be cautious when opening emails. Emails can be easily spoofed by spammers and other cybercrooks. Clicking links in emails should be avoided as much as possible. It’s far better for users to directly type the URL of the site on the address bar than rely on the embedded link.

Trend Micro uses its Smart Protection Network to protect users from this threat by detecting the spam samples, malicious URLs, and all the malware related to this attack. Mobile users are also protected by the Smart Protection Network via its mobile products.

We have reported this to Google.

Hashes for the related detections are as follows:

  • 03f078d14c6714631f2f6acc78d0f5f23e80da70
  • de0563e92daea91d028d5b26a2e2c01477af1ac8

With additional insight from Chloe Ordonia, Sylvia Lascano, Francis Atanzo, and Gideon Hernandez.
