Android virus “whatsappupgradeservice.com”

Posted on by

Something really weird is going with my Android phone: from time to time it opens me browser with this link. By domain whatsappupgradeservice.com I immediately realised that it’s fake.

whatsappupgrade android virus

I checked the logic: after you click the button “Ok” it redirects you to page with even more interesting domain name – update-1.com. (full link) And I see this:

virus android site

The page says that I should upgrade Whatapp application as soon as possible. And when you click green button it forward you to mobl-apps.com, where you see:

android virus browser page

So as we see the final goal of these bastards is to subscribe you to a paid service (12 euro per week).

whois for this domain name of course does not provide any information:

Domain Name: MOBL-APPS.COM
Registrar: GODADDY.COM, LLC
Sponsoring Registrar IANA ID: 146
Whois Server: whois.godaddy.com
Referral URL: http://registrar.godaddy.com
Name Server: NS55.DOMAINCONTROL.COM
Name Server: NS56.DOMAINCONTROL.COM
Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Updated Date: 06-nov-2014
Creation Date: 06-nov-2014
Expiration Date: 06-nov-2015

Only when it was registered and where.

By IP – 31.3.102.91 – we could also get a hosting:

inetnum:        31.3.102.0 - 31.3.102.255
netname:        XLIS-VPS35
descr:          XL Internet Services Amsterdam Network
country:        NL
admin-c:        XLIS-RIPE
tech-c:         XLIS-RIPE
status:         ASSIGNED PA
mnt-by:         XLIS-NL-MNT
mnt-domains:    XLIS-NL-MNT
created:        2011-05-25T19:27:38Z
last-modified:  2011-05-25T19:27:38Z
source:         RIPE  Filtered

role:           XL Internet Services Hostmaster
address:        XL Internet Services BV
address:        Delftsestraat 5b
address:        3013AB Rotterdam
address:        The Netherlands
phone:          +31 10 270 94 70
fax-no:         +31 10 433 44 60
abuse-mailbox:  abuse@xl-is.net
nic-hdl:        XLIS-RIPE
admin-c:        XLIS-RIPE
tech-c:         XLIS-RIPE
remarks:        ------------------------------------------------
remarks:        E-mail is the preferred contact method!
remarks:        ------------------------------------------------
remarks:        Please use one of the following addresses:
remarks:        abuse@xl-is.net   - for abuse notification
remarks:        support@xl-is.net - for technical questions
remarks:        info@xl-is.net    - for anything else
remarks:        ------------------------------------------------
mnt-by:         XLIS-NL-MNT
created:        2007-01-11T12:57:00Z
last-modified:  2011-01-03T17:26:11Z
source:         RIPE  Filtered

% Information related to '31.3.96.0/21AS35470'

route:          31.3.96.0/21
descr:          XL Network
origin:         AS35470
mnt-by:         XLIS-NL-MNT
created:        2011-04-08T15:36:05Z
last-modified:  2011-04-08T15:36:05Z
source:         RIPE  Filtered

so it’s Rotterdam. Probably it’s good to call the hosting provider and ask WTF?!

The most weird thing that I did not install any new applications, moreover I removed almost all that I had and installed 3 different anti-virus applications and made scan – without any result.

Also I went to app manager “run” tab: no strange apps were there.

If you know the solution – please share, because I’m going to reinstall the whole operation system :(