This article originally appeared in KoDDoS on January 10, 2019.

According to a report published yesterday by The Media Trust, last year’s malware, known as ICEPick-3PM, is currently stealing the IP addresses of unprotected devices, focusing most of its attacks on the Android operating system. The malware was first noticed in early 2018, and since then it has managed to impact a wide range of businesses.

Researchers claim that the malware targets anyone and anything, including e-commerce, publishers, healthcare, retail, and more. After the initial detection, the malware spammed the owners of infected devices with phishing scams, mostly offering gift cards from retail giants such as Walmart and Amazon, but asking the device users to hand over their personal data in return.

Now, according to researchers, the malware executes as soon as its creators gain access to the third-party tools used by various sites. These tools are usually pre-loaded onto the platform by self-service agencies and, by design, incorporate interactive web content such as HTML5-based animation.

This is where ICEPick-3PM tends to attack, and in a recent move, it affected over 100 clients after hackers successfully hijacked third-party tools that the websites were using. Because of this, researchers recommend that marketers and advertising agencies rethink their priorities before moving away from managed services.

How does the malware affect websites’ users?

When it comes to regular website users and visitors, the malware (already running on the compromised site) starts performing a series of checks on the user’s own device. Because Android systems contain a number of well-known vulnerabilities, the malware attempts to exploit them in order to find its way onto the device. It then scans the device for information such as the device type, the exact operating system, device orientation, motion, and anything else it can find.

After completing these checks, it establishes a WebRTC peer connection between the device and a remote peer, which allows the attackers to extract the infected device’s IP address. Researchers have described the malware as very sophisticated, with advanced techniques and capabilities that include persistence, stealth, and the like. It appears that the malware gained these new abilities gradually over the course of the previous year, and since then it has mostly used them to conduct attacks with political and/or financial motives.

Thanks to these capabilities, the malware is believed to be able to bypass additional layers of protection such as VPNs. This exposes users who wrongly believe they are protected while their device is actually wide open to exploitation and potential future attacks.
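As an added illustration (not code from the article or from The Media Trust), the following Node.js snippet parses the ICE candidate strings that a browser hands to page script while such a peer connection is being set up and classifies which of them would reveal a non-private address to the remote peer, which is exactly what a leak audit behind a VPN looks for; the sample candidates are constructed and use RFC documentation addresses.

```javascript
// Added example: parse ICE candidates (the strings RTCPeerConnection hands to
// page script) and classify which ones expose a real network address.
const PRIVATE_V4 = [/^10\./, /^127\./, /^169\.254\./, /^192\.168\./,
                    /^172\.(1[6-9]|2\d|3[01])\./];

// RFC 8839 candidate syntax: candidate:<foundation> <component> <transport>
//   <priority> <address> <port> typ <type> [raddr <a> rport <p>] [extensions]
function parseIceCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/
    .exec(line.trim());
  if (!m) return null;
  const cand = { foundation: m[1], component: Number(m[2]),
    transport: m[3].toLowerCase(), priority: Number(m[4]), address: m[5],
    port: Number(m[6]), type: m[7], raddr: null, rport: null };
  const rel = /raddr (\S+) rport (\d+)/.exec(m[8]);
  if (rel) { cand.raddr = rel[1]; cand.rport = Number(rel[2]); }
  return cand;
}

function isPrivateAddress(addr) {
  const a = addr.toLowerCase();
  if (a.endsWith('.local')) return true;                // mDNS-obfuscated host
  if (a.startsWith('fe80:') || /^f[cd]/.test(a)) return true; // v6 link-local / ULA
  return PRIVATE_V4.some((re) => re.test(a));
}

// What a remote peer (or the page's own script) learns from one candidate.
function classifyExposure(line) {
  const c = parseIceCandidate(line);
  if (!c) return 'unparseable';
  if (c.type === 'relay') return 'relay';              // only the TURN server
  if (c.type === 'srflx') return 'public-reflexive';   // public IP seen by STUN
  return isPrivateAddress(c.address) ? 'local-private' : 'public-host';
}

// Collect every non-private address that would be handed to the remote peer.
function auditCandidates(lines) {
  return lines
    .filter((l) => ['public-reflexive', 'public-host'].includes(classifyExposure(l)))
    .map((l) => parseIceCandidate(l).address);
}

// Constructed sample (RFC documentation addresses), not captured traffic.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host generation 0',
  'candidate:2 1 udp 2122260223 3f8a1b2c-aaaa-bbbb-cccc-123456789abc.local 54322 typ host',
  'candidate:3 1 udp 1677729535 203.0.113.45 54321 typ srflx raddr 192.168.1.20 rport 54321',
  'candidate:4 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321',
];
console.log(auditCandidates(SAMPLE_CANDIDATES)); // [ '203.0.113.45' ]
```

In a real audit the candidate strings come from the `icecandidate` events of a test RTCPeerConnection; a private-only or mDNS-only result means the browser is not handing out a routable address.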

Finally, researchers recommend that businesses carefully review the self-service agencies they work with. Any security weakness can mean that their website ends up loading infected tools, which in turn continue to affect countless other users. Researchers also named some of the tools used to attack unsuspecting website visitors: one of them is TweenMax, one of GSAP’s most popular tools, and the second one they have warned about is CreateJS, so businesses are advised to steer clear of these two in particular.