
Android pop-up/hijacker


14 replies to this topic

#1 morganae

morganae

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portland, OR
  • Local time:01:05 AM

Posted 14 May 2015 - 09:29 AM

I'm good with Windows, pretty darned good some would say, but I am a total newbie when it comes to Android so I am reaching out to those of you who have far more experience than I.

 

I am running Jellybean (device doesn't support newer) on a Motorola Xoom tablet.  Recently I have been getting a popup that says "The page at whitcombteam.com says" and then it's pure gibberish, as if it's looking for a language module that I don't have.

 

All there is is an OK button, if I tap anywhere it goes to the next screen which is a clear phishing attempt and another popup that says:

 

"The page at www.gauwzaken.com says:

 

WARNING!

Your Phone has (13) Virus!

The Virus may comput you data.

Please follow the instructions to remove the Virus"

 

It's clearly a crappy attack, the English is all screwed up and I'd never trust a popup anyhow.

 

The odd part is that it happens in Firefox and Chrome.  Supposedly you can long press a notification and learn what app is sending it, that is not working.  Long pressing does nothing.

 

I can hit the back button and go back to my page, but not until it also opens the play store and tries to get me to download "Lazy Swipe".

 

Anyone know how to remove a hijacker from Android?  I've used Malwarebytes and the AVG antivirus (yeah, it's not that great but I can't afford a real one) with no luck.


Edited by computerxpds, 14 May 2015 - 09:43 AM.
Moved from DOS/PDA forum to Android OS forum



#2 morganae

morganae
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Portland, OR
  • Local time:01:05 AM

Posted 14 May 2015 - 11:01 AM

I ran a factory reset on the tablet, all that did was change the advertisement and pop-up text.

 

Now it says:

 

"The page at play.google.com.app.stores.appflz.com says

 

Your Android is outdated!

Your Device may be slow and limited if you do not update your system.

Click OK and follow the instructions to continue using your device."

 

It then sends me to: play.google.com.app.stores.appflz.com/Smartyads/US/DU/alert_keyboard_grn.php?installer=Flash_player_11_for_other_browsers&browser_type=KHTML&dialoffer=false

 

It's an app for something called Android Booster.

 

Clearly not something I want, but I am surprised to see this return after a full factory reset.

 

Using Chrome this time.


Edited by morganae, 14 May 2015 - 11:04 AM.
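
Added example (not part of any post in this thread): the pop-up host above begins with `play.google.com` but is actually a subdomain of `appflz.com`. The sketch below shows how a proxy or DNS filter could flag hostnames that embed a trusted domain's labels without belonging to it; the `TRUSTED` list and all function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: brand hosts to protect; extend for your environment.
TRUSTED = ("play.google.com", "google.com")

def hostname_of(url):
    """Lowercase hostname; accepts scheme-less URLs as pasted in the thread."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def embedded_brand(host):
    """Return the trusted domain whose labels a foreign hostname embeds, else None."""
    if any(belongs_to(host, brand) for brand in TRUSTED):
        return None  # genuinely under a trusted domain
    labels = host.split(".")
    for brand in TRUSTED:  # most specific brand is listed first
        want = brand.split(".")
        for i in range(len(labels) - len(want) + 1):
            if labels[i:i + len(want)] == want:
                return brand
    return None

def flag_lookalikes(urls):
    """Return (hostname, imitated brand) for each URL whose host embeds a brand."""
    hits = []
    for url in urls:
        host = hostname_of(url)
        brand = embedded_brand(host)
        if brand:
            hits.append((host, brand))
    return hits

# URLs quoted in the thread, plus one genuine Play Store URL constructed for contrast.
SAMPLE = [
    "play.google.com.app.stores.appflz.com/smartyads/US/360/lp.html",
    "www.gauwzaken.com",
    "https://play.google.com/store/apps",  # constructed
]

if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE):
        print(f"{host}: embeds {brand} but is not under it")
```

The check compares whole DNS labels, so it catches this embedding trick only; misspelled or unrelated scam domains such as the others quoted in the thread need a blocklist or reputation feed.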


#3 chalie

chalie

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 16 May 2015 - 03:36 AM

I'm having this same exact problem. I can't figure it out. It happens in Chrome and Internet on galaxy note 4...would like to get rid of this asap

#4 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,714 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:01:05 AM

Posted 16 May 2015 - 02:24 PM

See if this helps either one of you: http://androidforums.com/threads/android-chrome-redirection-virus-malware-adware.878655/


MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#5 shimself

shimself

  • Members
  • 18 posts
  • OFFLINE
  •  
  • Local time:10:05 AM

Posted 20 May 2015 - 08:54 AM

I'm seeing this but under WINDOWS!  I think it's the independent.co.uk website.  It then offers to install a supposed java update


Edited by shimself, 20 May 2015 - 08:54 AM.


#6 TB5

TB5

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 24 May 2015 - 06:44 AM

I too have this problem. However, I'm only noticing it when I use LastPass web browser to open XDA. It would seem that the browser is Chrome based, because while looking for a solution, I've come across several threads like the one Jacee posted. To make matters worse, the solution that they're talking about involves deleting the chrome folder, which LastPass doesn't have.

I've tried using SD Maid to search for any instances of "g.doubleclick" in file names. Found four, and deleted them. I checked (and changed) my DNS. I've wiped and reinstalled LastPass multiple times, in multiple ways. All to no avail.

Since I very rarely use the lastpass browser, I'm about ready to throw in the towel on this one, but for obvious reasons, I would greatly prefer to have a clean device. Does anyone have any further insight on how to get rid of this?

Should also mention that I use a rooted 2013 Nexus 7 with CM 12.

Edited by TB5, 24 May 2015 - 06:49 AM.


#7 GalaxyS5-411

GalaxyS5-411

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 29 July 2015 - 10:40 PM

I sent my Galaxy S5 to SAMSUNG for a repair. I got it back today, put SIM card in (no SD Card, so it is a factory clean install right, literally from the factory).

I boot it up, and don't yet add my google account info, or anything that is unique to my cloud accounts. I don't install any apps or modify the system.

I run through the startup configuration, and select all options to make phone most unlikely to "talk" to 3rd party or google or SAMSUNG.

I then open CHROME BROWSER and type: www.drudgereport.com - within a few seconds I get a popup with this: afhvnd.png

I killed Chrome the first time, then it happened again.

So I did factory reset, thinking - this was weird.

Then I read on Forum that it might be router DNS.

I am at a hotel, so I changed wifi - 

Same issue.

So then I disable wifi - do factory reset.

Same thing.

So then I do a factory reset - and allow the S5 to do a full OS Update.

Stay on the 4G network with T-Mobile, and ignore the wifi, same thing.

I set max security in the browser, block popups and disable Java.

I also tried the default OS Browser that comes with the phone.

Same thing.

It finally stopped for a few hours, but then came back - this time when I clicked on a link to an ap.com news story -

Same popup, same result when you click OK.

Takes you to this URL:

play.google.com.app.stores.appflz.com/smartyads/US/360/lp.html

And the following Screen Shot:

 

ndmlqb.png

I called SAMSUNG, they told me to send them back the phone.

I am hoping to find a solution, on here, but I have ruled out the DNS router issues that some people have talked about.

This malware was on the phone when it came back from SAMSUNG warranty repair - 

It had the malware before it ever touched a wifi (since un-boxing from warranty repair).

Any ideas?

 

Text in malware / Virus pop-up:

 
The page at
play.google.com.app.stores.ap...
WARNING!
Your Phone has (13) Virus!
The Virus may comput you data.
Please follow the instructions to remove Virus
 
OK

Edited by GalaxyS5-411, 30 July 2015 - 05:41 PM.


#8 GalaxyS5-411

GalaxyS5-411

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 30 July 2015 - 04:12 PM

Going to try to load old firmware w/ Odin, we will see. Still having same issue on 4G and WiFi

*UPDATE (see below) still in same position.

Reported to: eNom & Host Exploit


Edited by GalaxyS5-411, 30 July 2015 - 05:47 PM.


#9 GalaxyS5-411

GalaxyS5-411

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 30 July 2015 - 05:33 PM

So, re-imaged the OS today. I am wondering if it is drudgereport.com that is jacked up - not my phone? I can't get the pop-up on any other sites... and I have tried it on wifi and 4g w/ Airplane mode on. Anyone else having this issue w. this website? I did Odin and blew everything away and re-imaged. No bueno.

I left SIM card out, re-imaged, and tried w/ WiFi in Chrome - same pop-up.

It happens in Chrome and in the built in internet browser on the Galaxy S5. Malware popup re-directs to app store to download 360 virus scanning android software.



#10 gearinreview

gearinreview

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:04:05 AM

Posted 02 August 2015 - 05:01 PM

 


 

I am having the exact same problems on a Galaxy Note4 using Google Chrome. When redirected to that site, which either uses the address in your post or this one (http://www.paulgrenwood.com/361/US/smt.php?v=133&key=65_49604&subid=726809&img=1), it instantly downloads an apk, "deskgenie_289.001.007.apk". I have tried every suggestion on this site, from resetting my damned router (regardless of how stupid I knew that solution to be) to factory wiping and resetting my phone. No avail. I can get the problem to stop by going to Settings > Site settings > Javascript then choosing blocked; however, if I add a site to it, say "www.facebook.com" or any site (I tried it with "www.cnn.com" too), the problem comes on even stronger. I have no idea what to do. I'm at a loss.



#11 ScrewTheseAds

ScrewTheseAds

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:05 PM

Posted 04 August 2015 - 03:14 AM

Hey everyone, 
I'm suffering from the same problem here. I think I've found a solution online. Don't yet know if it works but here's what it is: http://malwaretips.com/blogs/remove-android-virus/

Basically, just go on Google Play Store and type Adware, find any Adware Blocker that you think is good, or just use the one that is mentioned in the link. It will scan your phone for any app that is promoting ads and lets you decide whether you want to delete it or not.

Hopefully this works. You won't need to do a factory reset or any other thing. :D  
 



#12 tjpsnj

tjpsnj

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 04 October 2015 - 12:38 PM

Most of the replies advise to download something like antivirus or adware.

Neither of those will work because Android OS is locked.  Unlike Linux, MAC or Windows the vendor, Google in this case, does not allow kernel access to the Operating System.

Due to that the app, the browser in this case, is hijacked or redirected before the adware can do anything about it.  Thus you are redirected to an app page asking if you want to go to that site or not. 

I am looking for a way to block these hijacks in a way that eliminates me from being interrupted and advised they attempted.

This is the question at the top of the thread.  I would buy a proxy if I could afford an enterprise solution like that and apply it to my network. 

How long until google protects chrome or bleeping computer stops selling av that doesn't really help because they are locked out by the OS in the first place? 



#13 Yumiax

Yumiax

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:05 AM

Posted 23 June 2016 - 07:12 AM

Hi, I was able to rid myself of the adware by clearing my browser data and all of my cache. After that I was able to access my browser again. Hope this may help anyone else. Antivirus apps simply were not helpful with this issue for me.

#14 PeterLapedona

PeterLapedona

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:05 AM

Posted 06 February 2017 - 07:46 AM

Same experience as Yumiax. In my case, the "Internet" app provided with the Samsung S4 was blocked by similar ad trap. Going into Applications, then Applications Manager, then the Internet app, clicking on "Clear Data" solved the problem. Just to make sure, I did the same with Google Chrome, via menu, settings, and Privacy, deleting all cookies etc. Perhaps the blocking malware was not as sophisticated in my case, but it looked just like the ones described here and absolutely did not allow to move past it.



#15 Nzyme

Nzyme

  • Members
  • 45 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:11:35 PM

Posted 11 July 2017 - 09:58 AM

Install Adguard period





