
m.novelcamp.net pop ups



Hi @Mahadev,

You are the only one with that launcher, and I can't find a version of it anywhere to analyze. It's worth a try though.

@aniytik 

1 hour ago, aniytik said:

And just a suggestion - may this issue be connected not with the installed, but recently uninstalled (during 2-3 months) apps? Can it be a kind of harmful leftover after their uninstallation?
After the factory reset I installed the same set of apps that I used to have all the time and during my struggle with those pop-ups. And now everything is fine. The problem has gone. No more pop-ups.

It certainly could be. In that case, the infected app would need to be installed again, and then have data/cache cleared before uninstalling again. Most likely many already uninstalled many apps trying to figure things out before it was submitted to me. If that's really the case, this one is going to be like a needle in a haystack to solve... which it already feels like to me.

Nathan

Link to post

Hi @Brianwc, @Grimlich, @bud11, @imma, @77Vero, @Mahadev, & Everyone else following this thread!

This is the most beautiful thing I've seen as a threat researcher! I was able to reproduce the issue!


Just as many of you experienced, it happened while using Google PLAY!  We have all three of these installed on my test device:

devian.tubemate.v3      TubeMate 
com.snaptube.premium      Snaptube 
com.rahul.videoderbeta      Videoder Video Downloader 

 

I was correct in the assumption I previously stated:

On 2/22/2019 at 11:42 AM, mbam_mtbr said:

It appears there is a correlation with the third party APK site en.uptodown.com. Furthermore, m.novelcamp.net and other sites seen are all related to the site BatMobi. There is actually a direct reference to BatMobi in the app package name: com.rahul.videoderbeta, app name: Videoder Video Downloader (@Brianwc). I was able to create a detection for this — Android/Adware.BatMobi.NC.

However, others don't have this app, and I have yet to find detections — don't worry, I'm working hard to find something.  In the meantime, if you have any of these apps, I suggest uninstalling to see if it fixes the issue:

com.snaptube.premium      Snaptube @imma
devian.tubemate.v3      TubeMate @Mahadev
Anything else downloaded/installed from en.uptodown.com — especially under category Video and Audio Downloaders

If you are hesitant to uninstall, it also may be worth trying to clear the cache on these apps as they all have built-in browsers. This could explain why clearing the cache on Google Chrome doesn't work, because the stored info causing the pop ups may be within these browsers instead. Worth a try!

I'll keep working away at this issue.

Please let me know if any of this works,

Nathan

On 2/22/2019 at 1:07 PM, mbam_mtbr said:

Update.  I created detection Android/Adware.BatMobi.SnapMango for the following:

com.snaptube.premium      Snaptube  

It will be detected in future database versions.

Nathan

Therefore, we have a 100% positive source of infection!

So now, we need to figure out why simply uninstalling does not fix the issue. What is being left over (as @aniytik pointed out) that is causing this? I would suggest reinstalling (I know, crazy), clearing both the data & cache, and uninstalling again. However, I'm going to look deeper into this to find a more concrete solution.

Progress people, progress!!!

Nathan

Link to post

Now that we have pinpointed the infection, let's see if we can remove it properly.  These are the steps I'm going to try myself to remove the infection:

Removing infected app

  1. Go to Settings > Apps 
  2. In the listed Apps, find infected app and click it
    1. Remember this is anything from the source en.uptodown.com — devian.tubemate.v3 (TubeMate), com.snaptube.premium (Snaptube), com.rahul.videoderbeta (Videoder Video Downloader), etc
  3. In App info, click Force Stop
  4. Click Storage
    1. Press Clear Data (this clears the cache as well)
  5. Click Back button to return to App info
  6. Click Uninstall

Clearing Chrome cache

  1. Go to Settings > Apps > Chrome
  2. In the App info, go to Storage
    1. Press Clear Cache
      1. Press Manage Space
        1. Press Manage under All site storage, including cookies and other locally stored data
          1. Two options here:
            1. Press Clear Site Storage... to clear all site data
            2. Find the offending site(s) (m.novelcamp.net) and click on it in list
              1. Press Clear & Reset

The infection uses what is called Chrome Custom Tabs, which uses Chrome. Thus, clearing Chrome's cache after uninstalling the infection should remove it.

Extra cleanup and if you already removed infection

If you already removed the infection, you can use a file manager like ASTRO to remove old folder/files.  You would remove from the internal shared storage this directory Android/data/<infection package name>.  Some apps will also leave folders at the root of the internal shared storage as well — even after uninstalling.

Not done yet

Hopefully this does the trick, but considering we have users that are still getting popups after a factory reset, there is still research to do. This is at least a good start.

Nathan

Link to post
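The removal order from the post above (force stop, clear data, uninstall, then check for the leftover Android/data folder), as an added example that is not part of the original post or Malwarebytes' own tooling: a dry-run script that reads `pm list packages` output and prints the matching adb commands without running them. The sample package list is constructed, and `/sdcard` as the path to internal shared storage is an assumption.

```bash
#!/usr/bin/env bash
# Dry-run planner: prints adb commands, never runs them.

# Package names flagged in this thread.
FLAGGED="devian.tubemate.v3 com.snaptube.premium com.rahul.videoderbeta"

# Constructed sample of `adb shell pm list packages` output (not from a real device).
SAMPLE_PM_LIST='package:com.android.chrome
package:com.rahul.videoderbeta
package:com.example.notes
package:devian.tubemate.v3.extra
package:com.snaptube.premium'

# Reads `pm list packages` output on stdin and prints the flagged packages
# that are installed. Matching is exact, so devian.tubemate.v3.extra is not
# mistaken for devian.tubemate.v3. Carriage returns from adb are stripped.
installed_flagged() {
  tr -d '\r' | while IFS= read -r line || [ -n "$line" ]; do
    pkg=${line#package:}
    for f in $FLAGGED; do
      if [ "$pkg" = "$f" ]; then printf '%s\n' "$pkg"; fi
    done
  done
}

# Leftover folder from the post: Android/data/<package> on internal shared
# storage. /sdcard as the path to that storage is an assumption.
leftover_check() {
  printf 'adb shell ls -d /sdcard/Android/data/%s\n' "$1"
}

# Steps in the order the post gives them: force stop, clear data (which also
# clears the cache), uninstall, then look for the leftover folder.
removal_plan() {
  printf 'adb shell am force-stop %s\n' "$1"
  printf 'adb shell pm clear %s\n' "$1"
  printf 'adb uninstall %s\n' "$1"
  leftover_check "$1"
}

# Full plan for a device: removal steps for flagged packages still installed,
# and only the leftover check for flagged packages already uninstalled.
plan_from_pm_list() {
  present=$(printf '%s\n' "$1" | installed_flagged)
  for f in $FLAGGED; do
    if printf '%s\n' "$present" | grep -qxF "$f"; then
      removal_plan "$f"
    else
      leftover_check "$f"
    fi
  done
}

plan_from_pm_list "$SAMPLE_PM_LIST"
```

On a real device, pass the output of `adb shell pm list packages` instead of the sample and review the printed commands before running any of them.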

5 hours ago, mbam_mtbr said:

Hi @Brianwc, @Grimlich, @bud11, @imma, @77Vero, @Mahadev, & Everyone else following this thread!

This is the most beautiful thing I've seen as a threat researcher! I was able to reproduce the issue!

Nathan

:)

Your research will greatly help the users of the apps mentioned above, who will soon no longer have these pop-ups (we hope so, fingers crossed).

Sorry, I'm French, and my English is very ... average, so I hope Google Translate will help you understand my message.

As for me, at some point I must have downloaded Youzik MP3 directly from their site (it no longer seems to be available for download).

I uninstalled it (cleared cache -> force stopped -> uninstalled) + storage, cached data, cleared cached data, and I have another app, Mp3 Download (https://play.google.com/store/apps/details?id=music.downloader.mp3.powermusic ).

To be honest, I no longer remember when the pop-ups appeared. Is it because of Youzik? Because of this other app, which comes from Google Play?

Of course, I have read a lot on this subject since this pop-up appeared.

As for me, for a while I disabled Chrome, which comes natively installed on my smartphone (cleared cache -> force stopped -> disabled) + cleared cached data. Since Chrome is preinstalled, I could not do anything else.

No browser left, and the pop-up reappears, launching Chrome even though it is disabled. That's rather strange, isn't it?

I disabled Android System Web Viewer, which lets apps display web content. I told myself that maybe this app is the reason the pop-up keeps coming back, even though there is no longer a "working" browser, Chrome being disabled.

So I installed Opera, which (in theory) blocks pop-ups, and I haven't had any for 1 day (a record!) ...

However, I don't know whether my phone is at risk with the web viewer disabled...

 

Link to post

54 minutes ago, Sarah9333 said:

Not to be a pain in the ass or anything but this same pop-up mess has been happening to me first in Samsung internet and now in chrome when I changed my default settings. And I don't have any of those apps that you listed as a problem.

Yep. Me too.

I don't and never installed any of those apps. But the pop up is still happening every time I use Play Store to update some apps.

How to detect the SDK if we don't really know which app is infected?

Link to post

Mine is random. I've never noticed it happening after updating, but then again I do have a couple of apps that update automatically. It happens about once a day, that I've noticed, for the past 4-6 weeks. First in Samsung internet, now in chrome. The only difference is when it opened in the Samsung internet it was the novel camp link. And now when it opens in chrome it opens as app square.

Link to post

So glad I finally found some good research and info about this matter. My Note 8 is now bombarded with novelCRAP & appSH*T! Wish I never gave up root now. 😢

While rooted I never had this issue. Only a couple of weeks after removing root did this start my Chrome browser woes. Yes, I have Videoder AND their Play Store app Premium Adfree (mentioned above by Brianwc).

Like I said, it took about 2 weeks before the pop-ups started to happen after removing root and factory resetting my Note 8. The pop-ups would happen after every other Play Store app update that I did. Now, they happen at random with increasing frequency. So much so that I installed the Play Store app Block Site to help combat this.

I've come up with another site that I haven't seen mentioned in my redirects (see attached pic).

I'll do the removal procedures listed above by mbam_mtbr.

Once again, I'm thankful to see the best anti-malware company diligently working so hard to save us from the BS. I only hope Samsung isn't embedding this nonsense into their software too.

Thank Malwarebytes!

20190226_083849.jpg

Link to post

Hello @77Vero,

Thanks for the information! It seems that music.downloader.mp3.powermusic is no longer available. I'll see if I can find it, and Youzik MP3.

I have thought about the correlation between WebView and this problem myself. However, I think that if you want to disable anything, it would be better to disable JavaScript in Chrome. Disabling WebView is not dangerous, but you will lose functionality.

I hope Google Translate will also work for translating English to French.

Thanks for the help!

Nathan

Link to post

Hi @Sarah9333 & @Lines,

If you'd like to send me an Apps Report, I can see if I can find anything that may be causing the issue.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included. Send the Apps Report to create a ticket.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

Link to post

Hi @OnMy2ndGP,

Thanks for the newest website to block. I guarantee there will be more. These types of ad websites come and go frequently. They know that their websites will be blocked, so they come up with new ones until it is blocked as well. That's why it's so tough to keep up with blocking them all. There is constantly a new stream of ad websites popping up.

This issue isn't dependent on Samsung.  We have people with LG's, Xiaomi's, etc.  I think we are seeing a lot of Samsung's because a lot of people have Samsung's :) 

Feel free to send an Apps Report as well if you like.

Nathan

Link to post

I also noticed that this issue started happening with me when I installed this app

https://play.google.com/store/apps/details?id=com.app.downloadmanager&hl=en

I quickly uninstalled it as it was not needed but then the issue started. I now tried all your steps clearing cache of chrome and system browser and clearing data and cache of google play and google app, will inform if the issue happens tomorrow or again.

Link to post

I've had the novelcamp/appsquare/dailyluck etc pop-ups opening on my browser for at least 6 weeks now. The last day or so they've now started opening immediately after I've updated any apps on Google Play. I have none of the apps installed that have been flagged as a possible issue 🤷‍♀️ Really starting to 🤬 me off now! 

Michelle. 

 

Link to post

Hi @MichelleZW,

You're not alone in that feeling :) Send me an Apps Report, and I'll take a look.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included. Send the Apps Report to create a ticket.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

Link to post

I do not have any of the apps mentioned but I might have a little more info to help add to your investigation. I was on my phone when it happened this time and it was right after one of my apps updated that I doubt anyone else has. It is the my Ozarks app which is a local electric company. However anytime the pop-up has occurred there are 2 strange files in my download folder that were created around the time of the pop up (see screenshot). I do not have any com.google files in there though.

 

 

Screenshot_20190226-212836__01.jpg

Link to post

14 hours ago, OnMy2ndGP said:

So glad I finally found some good research and info about this matter. My Note 8 is now bombarded with novelCRAP & appSH*T! Wish I never gave up root now. 😢

While rooted I never had this issue. Only a couple of weeks after removing root did this start my Chrome browser woes. Yes, I have Videoder AND their Play Store app Premium Adfree (mentioned above by Brianwc).

Like I said, it took about 2 weeks before the pop-ups started to happen after removing root and factory resetting my Note 8. The pop-ups would happen after every other Play Store app update that I did. Now, they happen at random with increasing frequency. So much so that I installed the Play Store app Block Site to help combat this.

I've come up with another site that I haven't seen mentioned in my redirects (see attached pic).

I'll do the removal procedures listed above by mbam_mtbr.

Once again, I'm thankful to see the best anti-malware company diligently working so hard to save us from the BS. I only hope Samsung isn't embedding this nonsense into their software too.

Thank Malwarebytes!

20190226_083849.jpg

I did downgrade to Videoder 14, then I created a fake file and put it in my mnt/sdcard/android/data. Look for rahul.videoder beta files > plugins folder > temp_new; you will see Videoder trying to download and install 14.2, but the file is called 135_complete_videoder.apk. I made a simple text file with the same name so it could not download the real APK loaded with malware. So what I need to do is re-engineer 14.2 with no malware; need a good Android code guy :)

Link to post

I've been facing the issue for a week now. Have and use the latest premium version of Videoder on 3 devices of mine, but the adware appeared on only one of them. Not uninstalling the app out of curiosity and since I really like it.

Today, after the appsquare site opened yet again, found a 200kb .com file in my Download folder. Attaching it here for you to investigate.

Warning for the rest: the file attached is most probably a virus, don't download it unless you know what you're doing!

.com.google.Chrome.zip

Link to post

Hey Everyone,

Just so we are all up to date,  I did more research into .com.google.Chrome.xxx, and it appears those are typically just incomplete download files.  Thus, they are not a concern. An incomplete APK can't install.

Also, I believe that this infection is also associated with Android/Adware.InMobi. We are seeing variants that are not only on various third party app stores, but also on Google PLAY. Both Android/Adware.BatMobi and Android/Adware.InMobi used to be low level. There are variants of InMobi that aren't even considered Adware, and thus are not detected by anti malware scanners. It almost seems like something happened on these Ad SDKs' server side that now all of a sudden they decided to start showing ads in Google PLAY. So an app that used to not give you any problems now is hosting pop ups. I'm once again trying to reproduce this on a test device to confirm my findings.

I think it's also important to state that the websites the pop ups are redirecting to look to be harmless — although annoying. Thus, if you have an app that is causing the pop ups you REALLY want to keep, you are probably in the clear if you are not too annoyed by the pop ups.

Nathan

Link to post

@mbam_mtbr
I want to make it clear for myself and talk it through in a schematic way. For example, during one year I had my classic (let's call it like that) set of apps. Everything was fine, no pop-ups.
Later I wanted to add some more apps, got classic+some sh*t set of apps. I didn't like and uninstalled some sh*t apps. Later I started to face pop-ups (WHY? Was it connected with simple uninstalling without preventive clearing all their data-cache-memory etc?), having my classic set of apps that during a year didn't cause any problem. I got angry, did a factory reset, installed my classic set of apps again - and everything is fine again, no pop-ups.
So what was the trigger? What in my situation played a part called "all of sudden decided to start showing ads"? Installing some apps from Google Play with the servers of these apps going mad and starting to show ads? Google Play partial madness? Or what?

Link to post

10 hours ago, Brianwc said:

I did downgrade to Videoder 14, then I created a fake file and put it in my mnt/sdcard/android/data. Look for rahul.videoder beta files > plugins folder > temp_new; you will see Videoder trying to download and install 14.2, but the file is called 135_complete_videoder.apk. I made a simple text file with the same name so it could not download the real APK loaded with malware. So what I need to do is re-engineer 14.2 with no malware; need a good Android code guy :)

Good catch. I'm big on Android but far from doing any sort of coding. I see this happen far too often with apps. I still use Cheetah Mobile QuickPic but it's a resigned version 4.5.2.2...the last version before they went crazy with user data and ads. It didn't even show up as an update in the Play Store either.

Back on topic, it's ironic that just like on my PC, it's usually Malwarebytes that is first to resolve a malware issue. 😍

Link to post

On 2/26/2019 at 8:47 PM, mbam_mtbr said:

Hi @Sarah9333 & @Lines,

If you'd like to send me an Apps Report, I can see if I can find anything that may be causing the issue.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included. Send the Apps Report to create a ticket.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

I've sent the report and just messaged you the ticket number. Thank you!

Link to post