HomeWinBuzzer NewsMicrosoft Warns of Skype In-App Ads That Expose Users to Malware

Microsoft Warns of Skype In-App Ads That Expose Users to Malware

A Reddit user has complained that a malicious ad appeared on Skype’s home screen, pretending to be a Flash update for his browser. The Redditor has since deconstructed the code, while several other users have reported similar issues.


The Internet is a place where you can find pretty much anything. Along with the good content, however, comes a huge variety of things designed to exploit security vulnerabilities and the goodwill of several users.

A Reddit user has now revealed in a thread that a malicious ad appeared while he was on 's home screen. The ad pretended to be a Flash update for the computer's browser and would prompt the user to download an HTML application named “FlashPlayer.hta.”

It appears that once opened, that HTML app would download a malicious payload, which could potentially harm a computer in the long run. The Redditor didn't run the application, instead, he has already deconstructed the code and has posted it publicly on Reddit.

Other users have complained about malicious ads inside Skype, with the “fake Flash update” as a common denominator.


How the malicious code works

In response to the Reddit thread, ZDNet has contacted several experts to deconstruct the code and explain how it works. According to malware experts, the malicious ads have the following characteristics:

  • They target Windows machines by pushing a file download
  • When users open the file, they trigger obfuscated JavaScript
  • The code starts a new command line, then deletes the app the user just opened
  • It then runs a PowerShell command, which downloads JavaScript Encoded Script (JSE) from a domain that no longer exists

In addition, ZDNet has contacted Ali-Reza Anghaie, co-founder of firm Phobos Group, to comment on the matter. Anghaie has said that “This is what's generally called a ‘two stage dropper'. It's effectively the utility component of the malware that then decides what else to do based on the command and control it connects to.”

Microsoft: Customers should be cautious

Responding to the issue, a spokesperson has said that the Redmond giant should not be held responsible.

The company's spokesperson has explained that “[Microsoft is] aware of a social engineering technique that could be used to direct some customers to a malicious website. [Microsoft continues] to encourage customers to exercise caution when opening unsolicited attachments and links from both known and unknown sources and install and regularly update .

A spin-off of Locky ransomware?

According to the Reddit thread and to the several experts that ZDNet has contacted, this “fake Flash update” could be a spin-off of a recent Locky campaign. The Locky ransomware malware uses a JavaScript file in order to download ransomware to computers.

In November 2016, Microsoft warned against a Black Friday malware. Using the large volume of Black Friday purchases, the Locky ransomware malware could successfully spoof emails.

The Locky ransomware also hit Facebook and other social media, in November 2016. The security firm called Check Point uncovered this new method of distributing malware code through image files.

Kostas Papanikolaou
Kostas Papanikolaou
Kostas is a former sports journalist and an amateur gamer. Combining his love for technology with his writing experience, he enjoys covering news about Microsoft. Being an artistic “soul”, he is also writing poems and short stories.

Recent News

Table of Contents: