'LuckyBoy' Malvertising Campaign Hits iOS, Android, XBox Users


Level 85
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
A recently identified malvertising campaign targeting mobile and other connected devices users makes heavy use of obfuscation and cloaking to avoid detection.
Dubbed LuckyBoy, the multi-stage, tag-based campaign is focused on iOS, Android, and Xbox users. Since December 2020, it penetrated over 10 Demand Side Platforms (DSP), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada.
According to security vendor Media Trust, the malware checks for a global variable ‘luckyboy’ that allows it to detect whether blockers, testing environments, and active debuggers are present on the device. If any is detected, the malware won’t execute.
Should it run on a target environment, the malware executes a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates. [...]
“LuckyBoy is likely executing tests, probing to gauge their success before launching a broader attack. Campaign was confirmed to execute on tags wrapped with malware blocking code, bypassing these defenses as further evidence that its sophistication is impressive,” The Media Trust notes in a report shared with SecurityWeek.
The security firm says it is currently working with Google and TAG Threat Exchange to isolate the buyer and block them from launching these campaigns.