Help Malware distributing website detects operating system?

[JSS1900]

Hello,

I am currently receiving SMS messages trying to distribute the Android based FLU BOT malware.

The script that the websites run can detect the legitimacy of the operating system. If you try to access the website hosting the malware on anything other than an Android device, it re-directs you to a legitimate website.

Thus, I have tried user agent switchers and Android emulators, however, it can still detect that i am not using the actual operating system.

I have made sure the screen resolution is that of a mobile device. The IP range of the desktop is a non-mobile ISP, however I don't think that would be the issue as surely victims would access the malware website on their private WiFi connection? Browser leakage websites also cannot detect the OS on the desktop when using an emulator.

Is anyone aware of how they are detecting the operating system (fingerprinting)?

 

[puppykickr]

What browser are you using?
Are cookies and or javascript enabled?

Browsers give off information about themselves and the device they are being used on.

Have you tried using a VPN?

As for the texts, why not just block them?

Here are some apps for you to try.

https://f-droid.org/en/packages/acr.browser.lightning/

https://f-droid.org/en/packages/ch.protonvpn.android/

https://f-droid.org/en/packages/com.kaliturin.blacklist/

 

[JSS1900]

I am using an Android emulator, which means I am using the Android default browser. VPN shouldn't matter for the reason I said previously.

 

[svim]

What operating system is the host running? If the Android install you're running is through emulation any online access is still going to have to travel through the host operating system's network stack.

 

[JSS1900]

Yes, but if a victim were to access the malware website on a WiFi connection on their phone, why would it show any different to accessing the website through an emulator on a Windows 10 computer.

 

[svim]

An Android emulator is just software running inside of a host operating system, in your example Win10. It's that Win10 PC that's connected to a local network, that is itself then connected to router-modem, that's connected to the Internet. It's that base operating system that's connected either by wire (Ethernet) or wrielessly (WiFi) to the router, and any online traffic to and from your virtual Android set up still has go through that Win10 PC connection. If you need to cut back on that chain of translated IP addresses, don't use an emulator. Just start using an actual Android device. Or start being more vigilant and responsible about your web browser habits, and switch to more privacy-focused web browsers like Firefox Focus or Brave.

 

[JSS1900]

No that doesn't indicate how the web-server could be detecting I am not using a genuine Android device.

 

[mikedt]

What emulators have you tried exactly?

I sometimes use Bluestacks running on a MacBook, and any websites I've tried have always determined that as Android, and not MacOS.

 

[svim]

No that doesn't indicate how the web-server could be detecting I am not using a genuine Android device.

Well yes it does. It's still your Win10 PC that's the actual network connection. Any emulator is still just 'virtual'.