‘LuckyBoy’ Malvertising Campaign Targeting Mobile and Other Connected Devices Users


A newly discovered malvertising campaign targeting smartphone and other connected-device users makes extensive use of obfuscation and cloaking to avoid detection.

Dubbed LuckyBoy, the tag-based, multi-stage campaign targets iOS, Mac, and Xbox users. Since December 2020 it has infiltrated over 10 demand-side platforms (DSPs), mostly Europe-based, with observed ads affecting consumers in the U.S. and Canada.

According to security vendor The Media Trust, the malware checks for a global ‘luckyboy’ variable, which helps it determine whether ad blockers, testing environments, or active debuggers are present on the system. If any is found, the malware does not run.

If it finds itself in a targeted environment, the malware fires a tracking pixel that redirects the user to harmful content, including phishing sites and bogus app updates.

LuckyBoy operates in bursts: limited campaigns with just a few compromised tags are launched on Thursday evenings and run through the weekend.

As the campaign proceeds through its stages, it runs several checks, applies heavy code obfuscation and domain exclusion, and collects device-specific information.

The data collected from the device includes country code, window size, graphics details, number of CPU cores, battery level, current domain, plugins, webdriver presence, and whether touch is enabled, likely in preparation for further attacks.

The malware repeatedly checks that the global variable still holds the value ‘luckyboy’. If it does not, the script shows the user clean content and exits.
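As an added illustration of the detection side (example code, not from the article or from The Media Trust), the following is a static heuristic scanner an ad-quality team could run over creative JavaScript to flag the combination of device probes and sentinel-variable check described above. The indicator list, weights, threshold and sample tags are constructed assumptions.

```javascript
// Heuristic scanner for ad-tag JavaScript (constructed example, not Media
// Trust's tooling). It flags creatives that combine the sentinel-variable
// check and device probes described for LuckyBoy. Indicator names, regexes
// and weights are assumptions chosen for illustration.
const INDICATORS = [
  { name: 'sentinel-global', re: /\bluckyboy\b/i, weight: 5 },
  { name: 'webdriver-check', re: /navigator\.webdriver/, weight: 3 },
  { name: 'cpu-cores', re: /navigator\.hardwareConcurrency/, weight: 2 },
  { name: 'battery-level', re: /navigator\.getBattery\s*\(/, weight: 2 },
  { name: 'gpu-detail', re: /WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL/, weight: 2 },
  { name: 'string-obfuscation', re: /String\.fromCharCode|atob\s*\(|\\x[0-9a-f]{2}/i, weight: 2 },
  { name: 'plugins', re: /navigator\.plugins/, weight: 1 },
  { name: 'touch-support', re: /['"]ontouchstart['"]\s+in\s+window|navigator\.maxTouchPoints/, weight: 1 },
  { name: 'window-size', re: /\b(inner|outer)(Width|Height)\b/, weight: 1 },
  { name: 'current-domain', re: /\b(location|document)\.(hostname|domain|host)\b/, weight: 1 },
  { name: 'tracking-pixel', re: /new\s+Image\s*\(\s*\)|\.gif\?/, weight: 1 },
];

// A legitimate creative touches one or two of these; several probes plus the
// sentinel check is the combination worth escalating. Threshold is assumed.
const THRESHOLD = 8;

// Returns the matched indicator names, a weighted score and a verdict.
function scanAdTag(source) {
  const matched = INDICATORS.filter((ind) => ind.re.test(source));
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0);
  return { score, hits: matched.map((ind) => ind.name), suspicious: score >= THRESHOLD };
}

// Constructed sample tags: an ordinary impression pixel, and one that mirrors
// the probes the article lists (sentinel global, CPU cores, battery, webdriver,
// plugins, touch, current domain, window size).
const BENIGN_TAG = `
  var img = new Image();
  img.src = 'https://ads.example.invalid/imp.gif?w=' + window.innerWidth;
`;
const SUSPICIOUS_TAG = `
  if (window.luckyboy !== 'luckyboy') { return; }
  var fp = { cores: navigator.hardwareConcurrency, wd: navigator.webdriver,
             touch: 'ontouchstart' in window, plugins: navigator.plugins.length,
             host: location.hostname, w: window.innerWidth };
  navigator.getBattery().then(function (b) { fp.bat = b.level; });
`;

for (const [label, tag] of [['benign', BENIGN_TAG], ['suspicious', SUSPICIOUS_TAG]]) {
  console.log(label, scanAdTag(tag));
}
```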

LuckyBoy is likely running trial campaigns to gauge their success before launching a larger offensive. The Media Trust reports that the campaign has been seen running on tags wrapped in malware-blocking code and bypassing those protections, further evidence of its sophistication.

The security company says it is actively collaborating with Google and TAG Vulnerability Exchange to isolate the malicious ads and discourage customers from running them.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.