Was bicycling home the other day, when I noticed I had received a text message.
The message says "we tried to deliver a package, but you weren't at home so it was returned to sender, please check this link for details". The message itself struck me as odd, because I get packages delivered all the time and none of the companies send messages like this. Looking at the link itself made me 80% sure it was fake, as which company would use a dynamic DNS provider in their links instead of just linking to their company website?
Being curious I still wanted to see what the link was trying to do, so later on I used this tool to retrieve the link without revealing my IP address or executing it. The HTML source looked like this — obviously trying to do something shady.
After unescaping the characters in the string I could see that it was simply XORring a bunch of values, then building a string by calling fromCharCode on each and combining them into code which it then evals. I did the same steps so I could see what the code does without executing it.
Below is the thus deobfuscated code.
Now I could finally see what it was trying to do. It turned out to be very simple: first it figures out which OS you are running. If you are on Android, then it shows an alert claiming that your Chrome is out of date and seems to try to get you to install some "update" which in reality would be the malware payload. I didn't examine further there.
If you are on iOS like I am, then it does nothing at all, although in the past it seems they were trying to then gather your bank details, although for some reason that is now commented out.