In a previous post, "Fake apps: Behind the effective social strategy of fraudulent paid-archives," we exposed the social engineering technique behind Win32/Pameseg - our detection for a family of "paid-archives."

We described the use of "low-ball" techniques and explained how users are led to believe they are making an informed choice. However, the choice ultimately leads to the user being deceived into doing what the attacker wants - downloading and executing an installer.

The scheme begins with a request for a fee - a cost that was not previously made clear to the user. This hidden cost is revealed by a second request, for example by asking the user to send a premium SMS message to get an activation code to continue to complete the installation.

This monetization model of paid-archives certainly appears to be deceptive - it targets users in order to secure a financial gain, and it is this classic deception that warrants its detection as a trojan.

With this finding, we have reassessed more than a hundred signatures related to the Pameseg family name and reclassified them from program to trojan. And, because paid archive applications contain traces of builders, partners and SMS payment networks, we have extracted this information and used a link-analysis method to find the underlying connections for proper grouping and identification. This resulted in identifying 13 new families of paid-archive (the list is also included the in Win32/Pameseg encyclopedia description - Additional information section).

Connection map showing installers are part of a widespread platform-independent campaign

It's important to note that these fake installers, specifically those using paid-archives monetization, are part of a widespread platform-independent campaign. They also target Mac OS X users (Trojan:MacOS_X/Pameseg.A) and mobile devices running the Android operating system (Trojan:AndroidOS/SMSFakeSky.A).

This signature alignment effort allows us to more accurately classify these paid-archives as malicious - following in the footsteps of similar past realignments of other misleading malware that rely on social engineering for success, such as Rogue security software and Ransomware.

Stay safe and stay informed.

Methusela Cebrian Ferrer
MMPC Melbourne