Security experts from GFI.com warn about the malicious Tweets that include spammed URLs with the .tk extension. After being clicked, these URLs lead to Russian web page pretending to be an official Anti-Virus page notifying its victims about malware detected on their machines. However, this virus has been found to distribute rogue anti-virus programs similar to the ones that are released by FakeVimes or Winwebsec. It is especially dangerous for Android users but it has also been found to be targeting PC users as well.
According to GFI, random Twitter users have been tweeted with the URLs with .tk extension. After being clicked, these links redirect victim to googleapi17.ru/l(dot)php?l=os&r=5519&a=29# which presents itself as Anti-virus Scanner (typically to scammers, grammar mistakes are included) ? page and reports something like that:
Anit-Virus ScannerCheck your phone for viruses!Maybe Your phone is infected , and someone has access to your personal information, such as photos, messages, call history, contacts, history of sites visited, passwords to websites and more. Immediately start scanning for viruses!
Depending on which machine, PC or smartphone, victim is on, he is additionally offered to download a file. Computer users are offered to install VirusScanner.jar while smartphone users – VirusScanner.apk. Luckily, .jar file seems to be not working because of some error. However, .apk file can easily be ? installed on the smartphone and additionally give rogue anti-virus for the victim, reported as Trojan.Android.Generic.a.
It should be expected that scammers will change the destination of the malicious URL in the future, so you should avoid on clicking all suspiciously-looking tweets. In order to ? prevent such attacks in the future, you should definitely start using mobile anti-virus software.