Brianwc

m.novelcamp.net pop ups


Hello

We each have a different phone model, we all have different browsers, some phones are rooted, others are not. Some chose to buy the apps so as not to be bothered by advertising, others did not ...

So we all have different profiles and different hardware, and yet we are all victims of these pop-ups.

First common point: I noticed that, for everyone, the pop-ups launch more or less at every installation or update of an application.

Second common point: these installations or updates are carried out from the Google Play Store ...

Strange, isn't it?

A problem with Google Mobile Ads?


In Chrome go to chrome://serviceworker-internals and unregister dangerous service workers


With Blokada I have been able to verify that, with Videoder, after updating apps in the Play Store it blocks novelcamp, appsquare, na.hasmobi.net and others. If I clear the Play Store cache, force close Videoder and clear its cache, then when I update apps it does not redirect to those webpages.


It's been 72 hours and I haven't got the popup again, thank God finally.

What I did:-

Wiped the cache partition from recovery mode, changed the default browser to Opera, wiped cache and data of Google Play and the Google app.


I think we should get in touch with the developers of Videoder and require them to update the app without adware


I have huge doubts the app has anything to do with it. I have the latest version of the app installed and used on 3 devices of mine. Only 1 of 3 got infected, and even that one doesn't seem to show ads anymore. A colleague of mine whose phone has also been showing ads for a few days now has never had any video downloading apps installed.

4 minutes ago, Lovehepburn said:

I have huge doubts the app has anything to do with it. I have the latest version of the app installed and used on 3 devices of mine. Only 1 of 3 got infected, and even that one doesn't seem to show ads anymore. A colleague of mine whose phone has also been showing ads for a few days now has never had any video downloading apps installed.

In my case I have verified that the cause is Videoder. Version 14 does not have that problem


It's not the app itself, it's the BatMobi Ad SDK within the app. BatMobi has always been pretty low level, and as far as adware goes, not the most aggressive. Heck, some versions aren't even aggressive enough to detect. Then all of a sudden, you all started getting ads within Google PLAY. Perhaps they got A LOT of pushback from developers and backed off. Also, there are quite a few apps in Google PLAY with hidden BatMobi, evidenced by this issue not being restricted to just third-party app stores. Maybe, just maybe this all fixed itself 🤞

Nathan 

6 minutes ago, mbam_mtbr said:

It's not the app itself, it's the BatMobi Ad SDK within the app. BatMobi has always been pretty low level, and as far as adware goes, not the most aggressive. Heck, some versions aren't even aggressive enough to detect. Then all of a sudden, you all started getting ads within Google PLAY. Perhaps they got A LOT of pushback from developers and backed off. Also, there are quite a few apps in Google PLAY with hidden BatMobi, evidenced by this issue not being restricted to just third-party app stores. Maybe, just maybe this all fixed itself 🤞

Nathan 

In my case it's Videoder, an app outside the Play Store. With Blokada active I have verified, after updating the apps through the Play Store, that it blocks novelcamp, etc ... and when I force close Videoder and delete the app cache, those pages do not appear in the blocking notification. Maybe the developers of Videoder should modify something.

Just now, jansen said:

In my case it's Videoder, an app outside the Play Store. With Blokada active I have verified, after updating the apps through the Play Store, that it blocks novelcamp, etc ... and when I force close Videoder and delete the app cache, those pages do not appear in the blocking notification. Maybe the developers of Videoder should modify something.

That doesn't happen in version 14

3 minutes ago, jansen said:

Isn't in Play Store. It's out. Here https://www.videoder.com/

It's strange: an app that isn't in the Play Store, but when you update other apps that are in the Play Store it opens Chrome with advertising.


@jansen,

It's really not too hard to code.  You just add a function in the code to do something (in this case, open ad using Chrome Custom Tabs) whenever Google PLAY opens/updates/installs/etc.  

Thanks @imma!  Well, that confirms it — definitely BatMobi!  That means there are hidden versions of BatMobi sitting somewhere in apps from users that have only installed from Google PLAY.  I've been looking for it all along, but going to have to dig deeper.

Nathan
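
The mechanism described in the post above, seen from the detection side (an added example, not part of the original thread or of any tool mentioned in it): a scan of a decoded AndroidManifest.xml for broadcast receivers that are woken when packages are installed or updated. It assumes the manifest has already been decoded to text XML and that the trigger is declared in the manifest, which the thread does not confirm; the package and class names in the sample are made up.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Broadcasts the system sends when any package is installed, updated or removed.
PACKAGE_EVENTS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.intent.action.PACKAGE_REPLACED",
    "android.intent.action.PACKAGE_REMOVED",
}

# Constructed sample: a decoded AndroidManifest.xml with made-up names.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videotool">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.adsdk.InstallWatcher">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_REPLACED"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def package_event_receivers(manifest_xml):
    """List receivers that are woken by package install/update broadcasts."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package", "")
    findings = []
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID + "name", "")
        if name.startswith("."):  # relative class name, resolve against the app package
            name = app_pkg + name
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        watched = sorted(actions & PACKAGE_EVENTS)
        if watched:
            # A class outside the app's own package usually belongs to a bundled SDK.
            bundled = not name.startswith(app_pkg + ".")
            findings.append({"receiver": name, "actions": watched, "bundled_sdk": bundled})
    return findings

if __name__ == "__main__":
    for finding in package_event_receivers(SAMPLE_MANIFEST):
        print(finding)
```

A receiver registered at runtime does not appear in the manifest, so an empty result does not clear an app.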


Hi @77Vero,

We will look into it ASAP!

Also, you can use this method to uninstall for current user (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app.

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.gangyun.beautysnap

Nathan

 

Edited by mbam_mtbr


Hello Nathan

The link:

https://www.virustotal.com/fr/file/eaea2688fbd380ca972997999e54c2980f159e54ba44e956b7d1091709ae3ffb/analysis/

I will try to motivate myself and follow the installation procedure.

Thanks


Hi! Wanted to ask if you can also study the app "ai.type" - as I have collected information regarding it on my device.

It is popping up in a browser window sent through Linux browser (AKA the Android System Webview) during/after Google Play apps update; however, ai.type does not appear to be using Batmobi - even though they are sending analytics and ad association data 40-60 times/minute. They do use Adjust.io ad kit, however, and decided to communicate data with the server just before launching popup on test device.

They used spoofed app ID "com.apalon.myclockfree" with referrer from Mobobeat.biz, and utilized domain for callback URL, ".stats-location.com".

Would you check this app, ai.type, to reproduce, and see if it has integration with Batmobi? The registration in the XML data sent has 302 codes, which signals redirects similar to those already mentioned.

This is the same redirection scheme being used in "click302.h5mone.com" - therefore, I wanted to provide data I had gathered as well. Please get back to me soon.

3 hours ago, DragonMaster Jay said:

Hi! Wanted to ask if you can also study the app "ai.type" - as I have collected information regarding it on my device.

It is popping up in a browser window sent through Linux browser (AKA the Android System Webview) during/after Google Play apps update; however, ai.type does not appear to be using Batmobi - even though they are sending analytics and ad association data 40-60 times/minute. They do use Adjust.io ad kit, however, and decided to communicate data with the server just before launching popup on test device.

They used spoofed app ID "com.apalon.myclockfree" with referrer from Mobobeat.biz, and utilized domain for callback URL, ".stats-location.com".

Would you check this app, ai.type, to reproduce, and see if it has integration with Batmobi? The registration in the XML data sent has 302 codes, which signals redirects similar to those already mentioned.

This is the same redirection scheme being used in "click302.h5mone.com" - therefore, I wanted to provide data I had gathered as well. Please get back to me soon.

I'm extremely interested that you've got your suspicions on this one, as I've had the ai.type keyboard and ai.type emoji plugin installed for a long time, but have had my suspicions about it throughout this whole saga. I did read a news article about it being a risk months ago, but dismissed it, as I'm nowhere near as "techy" as a lot of you.

Michelle.

On 2/23/2019 at 10:12 PM, Brianwc said:

Check this out, even Malwarebytes is mentioned here about trying to solve it. Oh, and factory reset does not work: https://piunikaweb.com/2019/02/23/our-analysis-on-annoying-chrome-ad-popups-on-samsung-phones/

Author here.

Thanks @mbam_mtbr for encouraging me to post here. Although I'm not a victim, I got involved in the situation by helping a friend.

The Batmobi SDK is definitely playing a prime role here. I did give a shoutout to Videoder via Twitter, but they did not respond. I'm now planning to drop a mail to the dev & PR person.

As I said in the article, I'm trying to dump the firmware of my friend's phone and do some reversing to investigate possible presence of Batmobi SDK inside Samsung stock apps. I'll post my findings here.


I'm going to use version 14 till someone repacks 14.2 without adware. Version 14 will create a folder on sdcard/Android/data called com.rahul.videoderbeta; inside that are two folders, cache and files. Inside files it creates a folder called plugins, with another folder called temp new. What I did to prevent it from downloading 14.2: I created a junk file called 135_complete_videoder.apk. This prevented the app from downloading 14.2, since the filenames are the same.

1 hour ago, Brianwc said:

I'm going to use version 14 till someone repacks 14.2 without adware. Version 14 will create a folder on sdcard/Android/data called com.rahul.videoderbeta; inside that are two folders, cache and files. Inside files it creates a folder called plugins, with another folder called temp new. What I did to prevent it from downloading 14.2: I created a junk file called 135_complete_videoder.apk. This prevented the app from downloading 14.2, since the filenames are the same.

I have contacted the developers of Videoder by email, without an answer. So I think they know it, and their intentions seem dark to me.
