Some applications go too far in their attempts to get installed on users' systems. Many of these fall into the potentially unwanted program (PUP) category. One of these is MegaRapido, which primarily targets Brazilians. A recent sample we tested tries to connect to protectmedia.net, which is already marked as suspicious by McAfee SiteAdvisor. Instead of referencing the URL directly, this PUP uses the goo.gl redirection service to obscure its destination.
Lately we have observed many other examples of suspicious software using goo.gl redirects to hide their tracks. By routing through goo.gl, PUPs and other malware try to evade static, string-based URL checks by security vendors. On execution, a window appears asking the user to install DealPly add-ons.
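To show why a string match on the URL embedded in the binary misses this trick, here is an added example (not code from the McAfee post or from the PUP) that compares a static hostname check with one that unwinds the redirect chain first. The redirect map, the short-link path and the reputation list are constructed for the demo; the only real names are goo.gl and protectmedia.net from the text above.

```python
"""Static URL check vs. redirect-aware check for shortener-obscured destinations."""
from typing import Callable, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for a URL-reputation feed (e.g. SiteAdvisor verdicts).
SUSPICIOUS_HOSTS = {"protectmedia.net"}

# Constructed redirect table: what each short link 302s to.  In a live checker
# this would be gathered by issuing requests with redirects disabled
# (e.g. requests.head(url, allow_redirects=False)) and reading each Location
# header.  The loop entries model a pathological chain a checker must survive.
REDIRECTS = {
    "https://goo.gl/abc123": "http://protectmedia.net/landing",  # path is made up
    "https://goo.gl/loop1": "https://goo.gl/loop2",
    "https://goo.gl/loop2": "https://goo.gl/loop1",
}

Lookup = Callable[[str], Optional[str]]


def static_check(url: str) -> bool:
    """The evaded check: only the hostname literally present in the string is tested."""
    return urlparse(url).hostname in SUSPICIOUS_HOSTS


def resolve_chain(url: str, lookup: Lookup = REDIRECTS.get, max_hops: int = 10) -> List[str]:
    """Follow redirects and return every hop, starting with the original URL.

    Stops when a hop has no further redirect, when a loop is detected (the
    repeated URL is kept as the final entry), or when max_hops is exceeded.
    """
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = lookup(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:  # redirect loop: record it once and stop following
            break
        seen.add(nxt)
    return chain


def redirect_aware_check(url: str, lookup: Lookup = REDIRECTS.get) -> bool:
    """Flag the URL if any hop in its redirect chain lands on a suspicious host."""
    return any(urlparse(hop).hostname in SUSPICIOUS_HOSTS for hop in resolve_chain(url, lookup))
```

The same idea applies to any shortener or open redirector: reputation checks belong on the resolved destination, not on the string the sample happens to carry.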
The only button provided is “Avançar” (Yes/I agree). Users have no option to decline this offer, abort the installation, or even minimize this window unless they click “Avançar.” This “forceful acceptance grant” is borderline ransomware behavior, which places this software in the PUP category. After accepting the terms, users are asked to give contact details; only numbers from Brazil are deemed valid. However, even after providing a valid Brazilian number, an error message says that sending an SMS to that number has failed.
Not stopping there, the latest variants also embed hardcoded routines that attempt to uninstall certain security products to evade detection.
We found other redirect strings hidden in the binary; one logged us directly into their web-tracking account.
The following stats are taken from the Extreme web-tracking account of the PUP author.
From that account a lot of intelligence can be inferred. For example, we see the number of hits for this URL, more than 700,000 per month.
Next we see the top three culprits that lead users to the adware page. All of these are marked as suspicious by McAfee SiteAdvisor.
We can see that this particular adware concentrates on Brazil, with more than 12 million hits.
And that 99.9% of the users who landed on this adware page were using Internet Explorer.
McAfee detects these variants as MegaRapido and Midia. Based on hit count, these applications are very prevalent in the wild, and although not technically “malware” they can still annoy users. Keep your antimalware solution and website reputation add-on up to date to avoid being trapped by these PUPs.