A strain of malware that spreads on the web via advertising platforms has mounted a large-scale, mass data harvesting campaign, opening up thousands of Android users to follow-on attacks. Researchers said it’s likely there’s an organized crime ring operating behind the scenes.

Named ICEPick-3PC by the Media Trust, the malware is a sophisticated form of adware using rarely seen techniques, according to Mike Bittner, digital security and operations manager at the firm.

“Publishers and website owners are outsourcing advertising management – what goes into delivery of an ad, such as its animation, is then handled by third-party code,” Bittner told Threatpost. “During the implementation of this code by third-party agencies, malicious code is injected into the library to hijack that operation.”

Specifically, the bad code has been seen being injected into the GreenSock Animation Platform (GSAP), which is a library of JavaScript tools for HTML5 animation.

“Malicious code is injected into TweenMax, one of GSAP’s most popular tools, and CreateJS, another suite of tools, while self-service agencies implement the libraries on a website,” the Media Trust noted in a posting Wednesday about the malware.

When a user clicks on an infected ad, the malware makes an RTC peer connection between the infected device and a remote peer. It then profiles the user’s device, and sends the extracted device IP to the remote user. The malware’s name, ICEPick-3PC, is actually a nod to the ICE protocol used to establish the RTC peer connection.

The malware harvests device fingerprinting information such as user agent, device type and whether the device is an Android device. It also checks the battery level, and the device’s motion and orientation activity in order to verify that it’s actually being used by a human being. If the device checks out as an attractive target, ICEPick-3PC extracts IP information.

“One main component of this attack that’s interesting and that speaks to its sophistication is the fact that it actually establishes a peer-to-peer connection and successfully extracts the private IP address of the Android user,” Bittner said. “That’s something we have never before seen on a massive scale. Usually you see adware performing simple redirects to pop-ups resulting in a phishing attempt.”
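
The behaviours described above (a WebRTC peer connection, battery and motion checks, an Android user-agent test) are all out of place in an animation library, which gives a publisher something to scan for. The following is an added example, not code from the article or from the Media Trust; the rule names, verdict labels and both sample strings are constructed for illustration.

```javascript
// Added example: flag browser APIs that an animation library has no reason
// to use. Indicators follow the behaviours the article describes; the rule
// names, verdicts and sample strings are constructed for illustration.
const INDICATORS = [
  { name: "webrtc-peer-connection", re: /\b(?:webkit|moz)?RTCPeerConnection\b/ },
  { name: "ice-candidate-handler", re: /\bonicecandidate\b|["']icecandidate["']/ },
  { name: "battery-status", re: /\bgetBattery\b/ },
  { name: "motion-orientation",
    re: /["']device(?:motion|orientation)["']|\bondevice(?:motion|orientation)\b/ },
  { name: "android-ua-check",
    re: /userAgent[^;]{0,80}Android|Android[^;]{0,80}userAgent/i },
];
const NETWORK = new Set(["webrtc-peer-connection", "ice-candidate-handler"]);

// Comments in the source are scanned too, so the check errs toward review.
function scanScript(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source)).map((i) => i.name);
  const network = hits.some((h) => NETWORK.has(h));
  const profiling = hits.some((h) => !NETWORK.has(h));
  let verdict = "pass";
  if (hits.length > 0) verdict = "review";      // any hit is unexpected here
  if (network && profiling) verdict = "block";  // profiling plus a peer channel
  return { hits, verdict };
}

// Constructed samples: inert fragments, not taken from the real campaign.
const CLEAN_SAMPLE =
  "function fade(el, t) { el.style.opacity = String(t); }";
const TAMPERED_SAMPLE = CLEAN_SAMPLE +
  " if (/Android/.test(navigator.userAgent)) { navigator.getBattery();" +
  ' window.addEventListener("devicemotion", onMove);' +
  " var pc = new RTCPeerConnection(cfg); pc.onicecandidate = report; }";

for (const [label, src] of [["clean", CLEAN_SAMPLE], ["tampered", TAMPERED_SAMPLE]]) {
  const r = scanScript(src);
  console.log(label, r.verdict, r.hits.join(","));
}
```

Name matching will miss minified or obfuscated payloads, so pair a check like this with pinning the library to the vendor's published hash, for example via Subresource Integrity.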