Advertisement network installing Android FakeAV (Mobile Defender)

One month ago I was trying to find a streaming site to watch a Spanish soccer match and I found It was a redirection to the famous site Tarjeta Roja, but the interesting thing was that when I browsed the site with my mobile phone I saw the typical Antivirus scanner saying that my device was infected. Also, an app called “androidav_free.APK” (24f0a666a714e26c6c07ab407e37b112) was trying to be downloaded to my device.

The source of this fake page was one of the advertisement networks of the site, Mobicow. After some redirections and some tracking URLs this network was returning the following URL to the user's browser:


This page was loading Javascript code from here:


The code was obfuscated and this was the second stage of Javascript code:
Taking a look at the script content we can see that it contains all the functions necessary to show the  fake infection page to the user. Also, we can see that the following URL was used to download the app:



Syndicate content