TooCreative | 5 years ago

Strange article

    I unlocked my phone and two
    accidental clicks led me to
    agree to a dialog that my brain
    immediately registered as suspicious

What type of dialog can pop up on your Android screen after unlocking and install "malware"? What is "malware" here? It looks like they mean an app from the play store?

    The next day, I picked up my phone and
    when I launched Chrome, I immediately
    noticed it was displaying a spammy URL.

How can one app alter the behavior of another?

sloshnmosh|5 years ago

What I believe the author is saying is that he received a push notification to Chrome from the malicious app.

Coincidentally, I just spent my Saturday evening poring over malicious JavaScript hosted on CloudFront that does extensive browser fingerprinting, and if a match is made to an Android device, a fake Captcha pops up in Chrome which actually enables push notifications, and from there a full-screen pop-up appears that vibrates the device and claims the phone is infected with (N) viruses, and the “repair now” button pulls up the Play Store app to install DFNDR antivirus/cleaner.

If you look at the reviews of that app you’ll see all the angry reviews of users having their browsers hijacked.

The app itself is just an advertising server wrapped around Avast’s detection engine and is funded by the Chinese Qihoo.

It harvests users’ social media data and charges the users almost $10 a month after a 3-day trial period.

Novice users are unable to delete the app if “advanced protection” is enabled because it becomes a device administrator and uses deceptive language to confuse the user trying to remove the app.

If the app gets installed it will not let you clear the storage of the app from within settings even if you had never opened the app and before you agree to any terms and conditions.

The fake virus warnings that lead to DFNDR have been going on every single day since 2013.

I’m putting together a webpage that will include the JavaScript and other details as we speak.

The Google Play Store is a dumpster fire full of scam apps and scummy developers.

varenc|5 years ago

> fake Captcha pops up in Chrome which actually enables push notifications

Wow, this sounds like a classic clickjacking vulnerability. That’s still possible on modern[ish] Android? Definitely interested in your write up.

TooCreative|5 years ago

    he received a push notification
    to chrome from the malicious app

What does that mean? How does an app send a "push notification" to Chrome?

ytch|5 years ago

> How can one app alter the behavior of another?

In Defcon 2, the author finds a log with an intent:

{act=android.intent.action.VIEW

Android will handle the URI with the default app. The malware sends an HTTP URL, so it will be opened by the default browser.

tjpnz|5 years ago

Something similar happened to me a few years back after I accidentally tapped an ad in Chrome (an ad delivered by Google, no less). While I didn't get infected, the site did start displaying system-like prompts (my phone was also vibrating at this point and playing the same sound I get when there's a natural disaster) saying my device was infected and that I should tap OK to download an apk.

I did several things after this:

- Reported the ad to Google (no follow-up from their side - naturally).

- Removed Chrome.

- Installed Firefox and uBlock Origin.

aembleton|5 years ago

How did you remove Chrome?

Schlaefer|5 years ago

> What type of dialog can pop up on your Android screen after unlocking and install "malware"? What is "malware" here? It looks like they mean an app from the play store?

That would be the case if you enable sideloading, but that isn't mentioned in the article. Is it possible to install an app via popup without going through the store? This needs some clarification.

jm_l|5 years ago

They mention at the bottom of the article that they did enable side loading, that's how the app was installed.

llarsson|5 years ago

Can't an app ask for a website to be opened, and then that would cause the standard browser to display said website and URL?

It does not sound to me like the Chrome app was infected, just told to open a page.

UncleMeat|5 years ago

Yes, this is basic (and incredibly common) behavior. The alternative is often much worse (an embedded WebView in each app to do things like open TOS pages).
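
The behaviour ytch and llarsson describe above (an app firing an `android.intent.action.VIEW` intent with an HTTP URL, which the default browser then opens) leaves a log entry that names the caller. An added example, not from the article or any commenter: it scans logcat text for such launches and counts them per calling UID. The log line layout, UIDs, hosts and activity names are constructed assumptions.

```python
import re
from collections import Counter

# Assumed layout, modelled on ActivityManager "START" lines in logcat. The
# thread quotes only the opening "{act=android.intent.action.VIEW" of one.
START_RE = re.compile(r"START u\d+ \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines (hosts, UIDs and activity names are made up).
SAMPLE_LOG = [
    "01-10 09:14:02.120  1234  1301 I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.chrome/com.example.constructed.Main} from uid 10021",
    "01-10 09:14:07.532  1234  2210 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/... flg=0x10000000 cmp=com.android.chrome/com.example.constructed.Dispatcher} from uid 10153",
    "01-10 09:20:41.007  1234  2210 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/... flg=0x10000000 cmp=com.android.chrome/com.example.constructed.Dispatcher} from uid 10153",
    "01-10 09:31:15.400  1234  1980 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=content://media/... typ=image/jpeg cmp=com.example.gallery/.Viewer} from uid 10077",
]

def parse_start(line):
    """Return the intent fields of a START line, or None for any other line."""
    m = START_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("intent")))
    return {"uid": int(m.group("uid")), "act": fields.get("act"),
            "dat": fields.get("dat"), "cmp": fields.get("cmp")}

def browser_launches(lines, browser_pkg="com.android.chrome"):
    """VIEW intents carrying a web URL that were delivered to the browser."""
    hits = []
    for line in lines:
        ev = parse_start(line)
        if not ev or ev["act"] != "android.intent.action.VIEW":
            continue  # launcher starts and non-START lines are not of interest
        if not (ev["dat"] or "").lower().startswith(("http://", "https://")):
            continue  # content://, file:// and similar are not web pages
        if (ev["cmp"] or "").split("/")[0] == browser_pkg:
            hits.append(ev)
    return hits

def callers_by_uid(hits):
    """Count browser launches per calling UID; a repeat caller stands out."""
    return Counter(ev["uid"] for ev in hits)

if __name__ == "__main__":
    for uid, n in callers_by_uid(browser_launches(SAMPLE_LOG)).items():
        print(f"uid {uid} opened a URL in the browser {n} time(s)")
```

The UID that keeps appearing is the one to map back to an installed package on the device; Chrome itself is only the recipient of the intent.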