ICEPick-3PM malware compromises third-party tools to steal Android IPs

News by Robert Abel

A new malware dubbed ICEPick-3PM has been stealing device IP addresses en masse since at least spring 2018.


The malware executes after its authors hijack a website’s third-party tools, which self-service agencies often pre-load onto client platforms and which are designed to incorporate interactive web content such as HTML5 animation, The Media Trust said in a 9 January blog post.

As a result of the malware’s infection techniques, researchers recommend advertising agencies and marketers reconsider moving from managed services to self-service platforms. 

If a user visits a website with a compromised third-party library, the malware runs a series of checks on the user’s device before executing.

Once accessed, the malware conducts checks on the user agent, device type, mobile operating system, battery level, device motion and orientation, and a check on the referrer to avoid known malware scanners.  

After the checks are completed, the malware makes an RTC peer connection between the infected device and a remote peer before sending the device’s extracted IP to the attacker.

So far, ICEPick-3PM has affected several recognised publishers and e-commerce businesses in retail, healthcare, and a variety of other industries.

Researchers speculated the malware targets Android devices because they are open source and because their vulnerabilities are known.

"The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organised cyber-crime rings," researchers said in the blog. "If this is the case, the attack on recognised publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future."

The malware was first spotted when it was used to spam users with phishing redirects designed to mimic Walmart or Amazon cards, prompting users to share sensitive information to claim their prizes.

Over time the malware adopted new stealth and persistence capabilities that allow attackers to target users for political and financial gain. 

To prevent attacks and protect sites from infections, researchers recommend that publishers and e-commerce businesses thoroughly vet the self-service agencies they work with for security weaknesses, avoid repeat offenders, and scan interactive ads and site pages for unauthorised code.
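
One way to approach the scanning step is a static triage of third-party script text for the combination of device checks and RTC use described above. This is an added example, not The Media Trust's tooling; the signal patterns, thresholds and sample snippets are assumptions constructed for illustration.

```javascript
// Added example: static triage of third-party script text. Not The Media Trust's tooling.
// The patterns, thresholds and sample snippets are assumptions constructed for illustration.
const SIGNALS = {
  userAgent: /navigator\s*\.\s*userAgent/,
  battery: /getBattery\s*\(/,
  motion: /devicemotion|DeviceMotionEvent/,
  orientation: /deviceorientation|DeviceOrientationEvent/,
  referrer: /document\s*\.\s*referrer/,
  rtc: /\b(?:webkit|moz)?RTCPeerConnection\b/,
};

// Returns which signals appear and a verdict:
//   flag   - WebRTC plus two or more environment checks (the combination in the article)
//   review - WebRTC alone, or three or more environment checks without WebRTC
//   pass   - anything else
// Plain pattern matching: string-built or encoded API names are missed, and
// matches inside comments count, so a "pass" is not proof that a script is clean.
function scanScript(source) {
  const hits = Object.keys(SIGNALS).filter((name) => SIGNALS[name].test(source));
  const usesRtc = hits.includes("rtc");
  const envChecks = hits.filter((name) => name !== "rtc").length;
  let verdict = "pass";
  if (usesRtc && envChecks >= 2) verdict = "flag";
  else if (usesRtc || envChecks >= 3) verdict = "review";
  return { hits, envChecks, usesRtc, verdict };
}

// Constructed samples (inert; they only name the APIs being looked for).
const SAMPLES = {
  "banner-animation.js": `
    var el = document.getElementById("banner");
    el.animate([{ opacity: 0 }, { opacity: 1 }], 400);
    if (navigator.userAgent.indexOf("Mobile") > -1) el.className = "small";`,
  "video-widget.js": `var pc = new webkitRTCPeerConnection(cfg);`,
  "tampered-library.js": `
    if (/Android/.test(navigator.userAgent) && document.referrer) {
      navigator.getBattery().then(function (b) {});
      window.addEventListener("devicemotion", function () {});
      var pc = new RTCPeerConnection();
    }`,
};

for (const [name, source] of Object.entries(SAMPLES)) {
  const r = scanScript(source);
  console.log(`${name}: ${r.verdict} (${r.hits.join(", ") || "no signals"})`);
}
```

A "flag" or "review" result is a prompt to compare the script against the vendor's known-good copy, not a verdict on its own.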

This article was originally published on SC Media US.
