Meta Quest users targeted in Windows app scam — here's what you need to know

 A white padlock on a dark digital background.

If you’re looking for the Meta Quest app for Windows - be careful, as experts have found a malicious spoof version infecting endpoints with adware and infostealing malware.

Rsearchers from eSentire revealed they recently observed a fake Meta Quest website, at oculus-app[.]com - a site, seemingly identical to the authentic version, which allows visitors to download the app, but bundled with malware.

The site has solid standings on search engines, thanks to different SEO poisoning techniques, the researchers said. As a result, there is a high chance users searching for Meta Quest will end up on the malicious site, instead - as once they download the app and run the installer, they will also get a Windows batch script which fetches a second batch script form the command-and-control (C2) server which ultimately retrieves a final batch file.

Viewing ads

The malware will first check to see if Microsoft’s Edge browser is running, and checks when was the last time a user interacted with the browser. When the endpoint is idle for nine minutes, the script will open new tabs, navigate to certain URLs, scroll up and down the page randomly, and inject clicks. All of this results in ad revenue for the malware’s operators.

Furthermore, the adware, called AdsExhaust, can grab screenshots and simulate keystrokes, it was said.

"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," eSentire said. "These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators."

AdsExhaust is also relatively good at hiding, the researchers concluded. If it spots mouse movements (which means a user is at the computer), it will close the opened browser, and create an overlay to hide its actions.

"AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue," the researchers concluded. "It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities."

Via TheHackerNews

More from TechRadar Pro