
New malware strain IcePick-3PC steals device IP addresses

  • IcePick-3PC malware has affected several publishers and e-commerce businesses including industries such as retail and healthcare.
  • The malware targets Android devices because the platform is open source and its vulnerabilities are widely known.

Researchers have detected a new malware strain, dubbed ‘IcePick-3PC’, that steals device IP addresses by compromising a website’s third-party tools. The malware has affected several publishers and e-commerce businesses across industries such as retail and healthcare.

Researchers from The Media Trust spotted the malware when it was used to spam device owners through a phishing campaign. The scam offered gift cards from Amazon and Walmart and urged users to share their personal information to claim their prizes.

More details on the malware

Michael Bittner, Digital Security & Operations Manager at The Media Trust, explained in a blog post that IcePick-3PC steals device IP addresses by compromising a website’s third-party tools, which are often pre-loaded onto client platforms by self-service agencies. These tools are designed to add animated content via HTML5.

When a user visits a website that loads a compromised third-party library, the malware runs a series of checks on the user’s device before executing its payload.

“The malware conducts the usual checks on user agent, device type, whether the device is an Android device, battery level, device motion and orientation, and referrer,” the blog post read.

Once the checks pass, the malware establishes an RTC peer connection (WebRTC) between the infected device and a remote peer, then sends the device’s extracted IP address to the attacker.

“The DSO suspects, given the malware’s level of sophistication and advanced techniques, that it is likely the product of dark code from organized cybercrime rings. If this is the case, the attack on recognized publishers and e-commerce businesses might portend a larger-scale attack, or, at the minimum, the illegal trading of user information in the near future,” the blog post added.

Researchers noted that the JavaScript tooling supplied by the self-service agencies, the GreenSock Animation Platform used for HTML5 animations, was the usual carrier of the malicious code injections, which were found in TweenMax and CreateJS.

Researchers' recommendations

  • Researchers recommend that advertising agencies, retail companies, and marketers switch from managed service providers to self-service platforms.
  • They recommend that publishers and e-commerce businesses, including retail companies, scan interactive ads and site pages for unauthorized code.
  • They further ask them to thoroughly examine the self-service agencies they work with for security weaknesses or vulnerabilities.

“To prevent attacks and protect sites from infections, researchers recommend publishers and e-commerce businesses thoroughly vet the self-service agencies they work with for security weaknesses and avoid repeat offenders and scan interactive ads and site pages for unauthorized code,” researchers wrote in the blog.
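One way to act on the scanning recommendation, and on the behaviour described earlier (device checks followed by an RTC peer connection), is a heuristic scan of the third-party scripts a page loads. The Node.js snippet below is an added example, not The Media Trust’s tooling; the indicator list, weights, and the two script samples are constructed for illustration, and an animation library such as TweenMax or CreateJS has no legitimate reason to open a peer connection.

```javascript
// Heuristic scanner for third-party JavaScript bundles (hypothetical example).
// Flags scripts that combine the device checks named in the article with
// WebRTC peer-connection use, a combination an animation library never needs.
const INDICATORS = [
  { id: 'webrtc',     re: /\b(?:webkit|moz)?RTCPeerConnection\b/, weight: 3 },
  { id: 'ice',        re: /\bonicecandidate\b|\baddEventListener\(\s*['"]icecandidate['"]/, weight: 2 },
  { id: 'ua-android', re: /Android[\s\S]{0,80}navigator\.userAgent|navigator\.userAgent[\s\S]{0,80}Android/, weight: 1 },
  { id: 'battery',    re: /navigator\.getBattery\b/, weight: 1 },
  { id: 'motion',     re: /['"](?:devicemotion|deviceorientation)['"]/, weight: 1 },
  { id: 'referrer',   re: /document\.referrer\b/, weight: 1 },
];

// Scan one script body; returns the matched indicator ids, a score and a verdict.
function scanScript(name, source) {
  const hits = INDICATORS.filter(ind => ind.re.test(source)).map(ind => ind.id);
  const score = hits.reduce((s, id) => s + INDICATORS.find(i => i.id === id).weight, 0);
  // WebRTC alone in an animation bundle deserves review; WebRTC plus
  // fingerprinting checks is the pattern the article describes.
  const verdict = hits.includes('webrtc') && score >= 5 ? 'suspicious'
                : hits.includes('webrtc')               ? 'review'
                : 'clean';
  return { name, hits, score, verdict };
}

// Constructed samples standing in for a clean bundle and an injected one
// (not real library code, not a working exfiltration routine).
const SAMPLES = {
  'tweenmax.js': 'var TweenMax=function(t,e,n){this.duration=e;this.target=t;};',
  'createjs-injected.js':
    'var Stage=function(c){this.canvas=c;};' +
    'if(/Android/.test(navigator.userAgent)){' +
    'navigator.getBattery().then(function(b){' +
    'window.addEventListener("deviceorientation",function(){});' +
    'var r=document.referrer;' +
    'var p=new RTCPeerConnection(cfg);p.onicecandidate=handle;});}',
};

// Scan every sample and return the findings in insertion order.
function scanAll(samples = SAMPLES) {
  return Object.entries(samples).map(([n, s]) => scanScript(n, s));
}

for (const r of scanAll()) {
  console.log(r.verdict.padEnd(10), r.name, r.hits.join(','));
}
```

In practice the script bodies would come from the page’s actual third-party includes (fetched at review time or captured from a proxy), and a `suspicious` verdict should trigger a manual diff of the bundle against the vendor’s published release.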

Cyware Publisher
