Threat Analysis of Fake Virus Alerts Using WebView Monitor

“…On mobile devices, attacks redirect the users to unwanted websites by unwanted page transition. Figure 1, adapted from [12], shows the flow diagram of an attack that redirects a user to unwanted websites. The steps of the attack are described as follows:…”

“…According to this flow diagram, an attack that redirects a user to an unwanted website uses multiple malicious websites such as the landing site, intermediate site, and unwanted website. In addition, the URL of intermediate site 2 is generated by executing the JavaScript code of intermediate site 1 by either of the following two operations [12].…”

“…In some cases, redirection to unwanted websites does not occur. On the landing site, attackers set one of the following three conditions to make the redirection occur when the user taps anywhere on the landing site [12].…”

“…From the communication data, the FQDN is extracted as a keyword from the URLs of the intermediate site and the unwanted website because the landing site may redirect the user to the intermediate site and the unwanted website. The URL of the intermediate site is sometimes created from the specified URL and a randomly created character string [12]. Furthermore, the URL of the unwanted website sometimes includes the user's device information [12].…”

“…-The URL of an unknown malicious website posted by an attacker can be discovered in a timely fashion by collecting the URLs from Twitter's Streaming API. Most Flow of an attack that redirects a user to unwanted websites [12] malicious websites discovered by the proposed method were not detected by Google Safe Browsing. -The proposed method analyzes the collected malicious websites using an Android device and generates a blacklist for mobile devices.…”

Method of Generating a Blacklist for Mobile Devices by Searching Malicious Websites

“…On mobile devices, attacks redirect the users to unwanted websites by unwanted page transition. Figure 1, adapted from [12], shows the flow diagram of an attack that redirects a user to unwanted websites. The steps of the attack are described as follows:…”

“…According to this flow diagram, an attack that redirects a user to an unwanted website uses multiple malicious websites such as the landing site, intermediate site, and unwanted website. In addition, the URL of intermediate site 2 is generated by executing the JavaScript code of intermediate site 1 by either of the following two operations [12].…”

“…In some cases, redirection to unwanted websites does not occur. On the landing site, attackers set one of the following three conditions to make the redirection occur when the user taps anywhere on the landing site [12].…”

“…From the communication data, the FQDN is extracted as a keyword from the URLs of the intermediate site and the unwanted website because the landing site may redirect the user to the intermediate site and the unwanted website. The URL of the intermediate site is sometimes created from the specified URL and a randomly created character string [12]. Furthermore, the URL of the unwanted website sometimes includes the user's device information [12].…”

“…-The URL of an unknown malicious website posted by an attacker can be discovered in a timely fashion by collecting the URLs from Twitter's Streaming API. Most Flow of an attack that redirects a user to unwanted websites [12] malicious websites discovered by the proposed method were not detected by Google Safe Browsing. -The proposed method analyzes the collected malicious websites using an Android device and generates a blacklist for mobile devices.…”

Method of Generating a Blacklist for Mobile Devices by Searching Malicious Websites