The attacks starts with spoofed emails made to look like a wedding invitation or a "failed delivery" USPS notification.
If the user checks out the email via a PC and follows any of the offered links, he is served with a malicious zip file called Wedding_Invitation_Chicago.zip. Once run, it installs a variant of the Kuluoz downloader Trojan.
If, on the other hand, an Android user clicks on the link, he will be served the LabelReader.apk file, which contains the Mobile Defender android scareware - tested and described earlier this year by Sophos' Paul Ducklin.
The fake AV solution tries to make the victim believe that his phone is infected with a host of malware, and offers to clean it up if the user is willing to pay for a full version.
"In addition to displaying fake messages of infection, the APK also has the functionality to intercept incoming and outgoing phone calls as well as messages," says FireEye's Vinay Pidathala, and adds that it can also end incoming calls.
Users who have not enabled the “Allow installation of apps from Unknown Sources” setting on their Android devices (it comes disabled by default) are safe from these types of attacks and need to worry only about malicious apps offered on Google Play.
Those who have enabled it might want to consider using a legitimate Android AV solution, because attacks like this are bound to continue for some time. Or, they could always revert the setting to the safer mode.