Beware: URL Shorteners Concealing Android Malware, Including Banking and SMS Trojans

  • Home
  • Beware: URL Shorteners Concealing Android Malware, Including Banking and SMS Trojans

Beware: URL Shorteners Concealing Android Malware, Including Banking and SMS Trojans

By now, you’re likely aware of the risks associated with clicking on unfamiliar URLs. Whether received in a message, hidden under a social media post, or encountered on a website, users often resort to URL shortener services to compact lengthy links. These services serve various purposes, from shortening URLs to concealing original domain names and tracking visitor analytics to monetizing clicks.

Monetization involves displaying ads upon clicking a shortened link, generating revenue for the link creator. However, the downside is that some of these services employ aggressive advertising, including scareware tactics. These tactics involve presenting false claims of device infections, leading users to download dubious apps or participate in questionable surveys, offering adult content, initiating premium SMS service subscriptions, enabling browser notifications, and making deceptive prize offers.

In our recent analysis, we discovered a piece of Android malware, named Android/FakeAdBlocker, distributed through link shorteners. This malware downloads and executes additional payloads, such as banking trojans, SMS trojans, and aggressive adware, from its Command and Control (C&C) server.

Distribution Tactics

The content displayed to victims by monetized link shorteners varies based on the operating system. Advertisements and applications served by these links may lead to legitimate or unwanted behavior. Unfortunately, our observations indicate that the majority lead to the latter.

iOS Targets

For iOS users, these websites flood victims with unwanted ads and create events in their calendars by automatically downloading an ICS file. These calendar events falsely claim the devices are infected with malware, aiming to trick victims into clicking embedded links that lead to more scareware advertisements.

Android Targets

Android users face more severe risks. Scam websites might initially provide victims with a malicious app to download, later proceeding to visit or download the expected content. Our observations reveal two scenarios for Android users:

  1. Victims attempting to download an Android application outside Google Play are prompted to enable browser notifications and download an app named adBLOCK app.apk, disguising itself as an ad-blocking application. However, it downloads Android/FakeAdBlocker, hijacking the victim’s tap or click to deliver a malicious application.
  2. Victims seeking to download a file are shown a webpage with steps to download an application named Your File Is Ready To Download.apk. This misleading name attempts to make users think they are downloading the desired app or file, when, in fact, it’s Android/FakeAdBlocker.

Telemetry Insights

Android/FakeAdBlocker was initially detected in September 2019, and we’ve observed over 150,000 instances of this threat being downloaded to Android devices from the beginning of this year until July 1st. Our telemetry data reflects various threat names associated with this malware.

Automatic Removal of Spam Events

Uninstalling Android/FakeAdBlocker won’t remove the spam events it created. However, users can use apps like Calendar Cleanup, available on the Google Play store, to automatically remove these events. Care should be taken to adjust the date and time settings to cover the targeted range of days for removal.


Our telemetry indicates that many users download Android apps from sources outside Google Play, exposing themselves to malicious apps delivered through aggressive advertising. Android/FakeAdBlocker serves as a prime example, emphasizing the importance of cautious behavior and secure app downloads. This malware, disguised within scareware ads, can lead victims to unintended financial costs or additional security threats, highlighting the need for heightened user awareness.