ICEPick-3PC malware compromises third-party tools to steal Android IPs

SC Magazine
Original Source
SC Magazine

This article originally appeared in SC Magazine on January 9, 2019.

ICEPick-3PC malware compromises third-party tools to steal Android IPs

A new malware dubbed ICEPick-3PC is stealing device IP addresses en masse since at least spring 2018.

A new malware dubbed ICEPick-3PC is stealing device IP addresses en masse since at least spring 2018.

The malware executes after its authors hijack a website’s third‐party tools which are often pre-loaded onto client platforms by self-service agencies and are designed to incorporate interactive web content, such as animation via HTML5, The Media Trust said in a Jan. 9 blog post. 

As a result of the malware’s infection techniques, researchers recommend advertising agencies and marketers reconsider moving from managed services to self-service platforms. 

If a user visits a website with a compromised third-party library the malware runs a series of checks on a user’s device before running.

Once accessed, the malware conducts checks on the user agent, device type, mobile operating system, battery level, device motion and orientation, and a check on the referrer to avoid known malware scanners.  

After the checks are completed the malware makes an RTC peer connection between the infected device and a remote peer before sending the extracted device’s IP to the attacker. 

So far, ICEPick-3PC has affected several recognized publishers and e-commerce businesses in retail, healthcare, and a variety of other industries.

Researchers speculated the malware target Android devices because they are open source and because their vulnerabilities are known. 

“The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organized cybercrime rings,” researchers said in the blog. “If this is the case, the attack on recognized publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future.”

The malware was first spotted when it was used to spam users with phishing redirects designed to mimic Walmart or Amazon cards prompting users to shave sensitive information to claim their prizes. 

Over time the malware adopted new stealth and persistence capabilities that allow attackers to target users for political and financial gain. 

To prevent attacks and protect sites from infections, researchers recommend publishers and e-commerce businesses thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders and scan interactive ads and site pages for unauthorized code.