
CyberWire Daily The scareware rabbit hole. [Research Saturday]
Mar 7, 2026
Marcelle Lee, cybersecurity consultant and threat intelligence researcher, walks through uncovering a mobile scareware campaign after a single click. She traces domains with Censys and VirusTotal, decodes device fingerprinting in URLs, and pivots to apps in the Play Store. She maps behaviors to MITRE ATT&CK and shows how free tools and AI speed up practical investigations.
AI Snips
Scareware Uses Encoded URL Device Fingerprints
- Device fingerprinting was embedded in long encoded URIs to tailor content by OS, country, and campaign ID.
- The encoded strings let operators serve curated scareware or ad content based on detected device attributes.
Check Developer Info Before Installing Apps
- When scareware directs you to apps, inspect developer contact info and other apps before installing anything.
- Marcelle flagged generic Gmail contacts and suspiciously high download counts as red flags for Antivirus Protector and Antivirus Cybergate.
Downloads And Ratings Can Be Fabricated
- App ratings and download counts can be manipulated via bot farms or paid services, so they aren't reliable trust indicators.
- Marcelle noted that one app showed a million downloads, a figure that could have been inflated by fake traffic.
