One month ago I was trying to find a streaming site to watch a Spanish soccer match and I found futbolenvivoaldia.com. It was a redirection to the famous site Tarjeta Roja, but the interesting thing was that when I browsed the site with my mobile phone I saw the typical Antivirus scanner saying that my device was infected. Also, an app called “androidav_free.APK” (24f0a666a714e26c6c07ab407e37b112) was trying to be downloaded to my device.
The source of this fake page was one of the advertisement networks of the site tarjetaroja.eu, Mobicow. After some redirections and some tracking URLs this network was returning the following URL to the user's browser:
hxxp://cleanupnowonline10.biz/?u=Y0vbAf0fW9lIhVAxPi2nZQo
This page was loading Javascript code from here:
hxxp://cleanupnowonline10.biz/js/wapc.js
The code was obfuscated and this was the second stage of Javascript code:
Taking a look at the script content we can see that it contains all the functions necessary to show the fake infection page to the user. Also, we can see that the following URL was used to download the app:
hxxp://cleanupnowonline10.biz/apk.php
