Full Disclosure: Although I work at McAfee Labs as an Anti-Malware Researcher, the views expressed here are entirely my own. No company resources or intellectual property were used to research or write this blog post.

TL;DR: Please don’t sue me.

A few days ago, I clicked on a link shared by a friend of mine on Facebook that was hosted on storypick[dot]com. I was using my Android phone and let Chrome open the page for me. Before I could read the contents of the page, I got a pop-up that looked like this:

This was the first time I had seen an intrusive ad on Android. (It was also the first time I had used Chrome on Android; I usually use Opera with a desktop user agent by default, so I may have been living under a rock all this time.)

I decided to click OK to see what I got.

7 serious viruses? Oh no, I must do something about it at once. *clicks OK*

Advice taken. The last thing I need is complete failure. *clicks OK*

To my surprise, I was redirected to Clean Master by KS Mobile, a very popular app with more than 100 million users. I’ve been using it on all my older Android devices for as long as I can remember.

WTF? Why was I redirected to this app through such a shady ad? Did I unknowingly install malware on my older devices? Was I misleading my friends by recommending malware all this time? Were 100 million people duped into thinking that they have a clean app installed?

What’s even worse is that the app’s description has the cheek to claim that TrustGo (developers of a mobile security product) screwed up by flagging them for “potentially pushing unwanted ads”, and that they were certain it was a false positive.

I’m sorry KS Mobile, but I’m with TrustGo on this one if they encountered a similar ad to what I was shown.

I decided to dig a little deeper by reverse engineering the Clean Master APK. Fortunately (or unfortunately, depending on how you look at it), I only found the usual code artifacts found in ad-supported apps (such as sending a little information about the device and how the app was used to KS Mobile’s servers and/or their ad partners). Nothing major. In fact, the code for their main application was well written, and it was clear that the developers of Clean Master put a lot of thought and effort into their product. But why would they resort to using a FakeAV-themed advertisement to get people to install their app?

A day later, the Clean Master page removed the false positive message, so I decided to visit that page again on my phone, but this time I was armed with a packet sniffer to see what was really going on. It turned out that I got a similar ad without the FakeAV elements.

Although it now looks like Google’s DoubleClick ad network served the ad, it was a redirect by the original AdNexus network, as we can see from the network logs.

The response content contained packed JavaScript which unpacks to the following (along with other JS+HTML code needed to display the ad):

I wish I had a packet capture log of the original ad so I could compare what had really changed, but as I didn’t, I was satisfied at this point and closed my investigation.
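To recover readable code from a captured ad response like the one above, here is an added example (mine, not the post’s, and not the ad’s real code) of a Python unpacker for the common eval(function(p,a,c,k,e,d){...}) JavaScript packer, which I assume is the format the post calls “packed JavaScript”; the packed sample input is constructed, and extract_urls then pulls out the redirect target an analyst would want to log.

```python
import re

# Argument list of the common "eval(function(p,a,c,k,e,d){...}('payload',radix,count,'words'.split('|'),0,{}))" packer.
# Assumption: the ad's "packed JavaScript" used this format; the post does not name the packer.
_ARGS = re.compile(
    r"}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\s*\.split\('\|'\)",
    re.S,
)

def decode_token(token, radix):
    """Reverse the packer's encoding (digits 0-9, then a-z, then A-Z) into a dictionary index."""
    value = 0
    for ch in token:
        if ch.isdigit():
            digit = ord(ch) - ord("0")
        elif "a" <= ch <= "z":
            digit = ord(ch) - ord("a") + 10
        elif "A" <= ch <= "Z":
            digit = ord(ch) - ord("A") + 36
        else:
            return None  # underscores never come from the packer; leave the token alone
        if digit >= radix:
            return None
        value = value * radix + digit
    return value

def unpack(packed):
    """Return the unpacked source, or None if the text is not in the packer's format."""
    m = _ARGS.search(packed)
    if not m:
        return None
    unescape = lambda s: re.sub(r"\\(['\\])", r"\1", s)  # undo the JS string-literal escaping
    payload, radix, count = unescape(m.group(1)), int(m.group(2)), int(m.group(3))
    words = unescape(m.group(4)).split("|")

    def replace(match):  # each \w+ token is a base-radix index into the word list
        idx = decode_token(match.group(0), radix)
        if idx is not None and idx < min(count, len(words)) and words[idx]:
            return words[idx]
        return match.group(0)

    return re.sub(r"\b\w+\b", replace, payload)

def extract_urls(js):
    """Pull absolute URLs out of unpacked ad code, e.g. the redirect target it sends the browser to."""
    return re.findall(r"https?://[^\s'\"<>)]+", js)

# Constructed sample in the packer's output shape (not the ad's real code); unpacks to an alert and a redirect.
SAMPLE_PACKED = r"""eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0("1 2");3.4=\'5://6.7/\'',36,8,'alert|hello|world|window|location|http|example|test'.split('|'),0,{}))"""
```

Calling unpack(SAMPLE_PACKED) returns the alert plus a window.location redirect to the placeholder host, and extract_urls on that result lists just that URL.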

I can only speculate as I did not contact TrustGo or KS Mobile, but it looks like they were asked by TrustGo to replace the FakeAV themed ad with something else.

Whatever the case, I think this strategy is really dangerous. I can only wonder if there were regular users who got the same ad as I did, installed Clean Master and were happy with the app. The next time they receive a similar FakeAV-themed ad on their phone or computer, I wouldn’t blame them if they clicked on it and installed whatever they were asked to install, as they got tremendous value out of an ad the last time they clicked on one. The next time, however, they could have their devices infected and wouldn’t even know it.

I wish I knew who served the original ad and who’s to blame, but I don’t have enough evidence to support such conclusions. What is clear, though, is that contrary to KS Mobile’s claim, the “potentially unwanted ads” were not false positives at all.

Even though there is a very realistic chance that a third-party attacker set up the ad so that future malicious ads could get higher click rates, I’ve decided to never use KS Mobile’s apps and to stop recommending them to others until they publish more details as to what really happened. I am not satisfied with their “it’s a false positive” response.

Are you?