fuerchter Posted August 27, 2019 ID:1331443

Hey there,

on my Android phone, I've been having weird redirects to unsafe-looking ("Congratulations!") sites in its browser recently (since at the very least August 2nd). They seem to happen very infrequently, which caused me to be kind of lazy in trying to fix it. I usually browsed what I'm assuming are safe websites (can provide examples of them and the unsafe sites, not sure if I can just post those links) as the redirects occur.

I tried running some antivirus scanners (including Malwarebytes, see "Screenshot_20190827-155852-edited.png" e.g.). Only Trend Micro's "Mobile Security & Antivirus" actually found something, a .crdownload file, which I removed from the phone, but am keeping on my main PC. A VirusTotal scan of that file. Since removing it though, the redirects still happened. I cleared my Chrome's history and cache a few minutes ago, and can report back if that changed anything (as I said, the redirects are rather infrequent).

Aside from this, I have also had strange calendar entries in my Google account, similar to this. Examples of what this looks like on my end are in the attachments. The Google support post recommends setting "Automatically add invitations" to No. Doing this stops them from showing up, however I have been unable to find any emails in my inboxes that could have caused them. I searched my mails by those event titles, email address "gserviceaccount" and "(filename:ics OR filename:vcs)" for example.

I'm unsure whether these two issues are related or not.

Some version numbers on my phone, in case they're helpful:
Android: 7.0 (I have a Huawei Honor 6X, so afaik this is the most recent Android version for it)
EMUI: 5.0.3
Chrome: 76.0.3809.111
Calendar: 6.0.44-261313226-release

If I could get any help with this, I'd appreciate it.
deep_logic Posted August 27, 2019 ID:1331520

I have something very similar. I'm at my wits' end on this. I downloaded an app off of Google Play store about 3 weeks ago, "6 PACK ABS IN 30 DAYS" or something. Google sent me a notice that this had malware and to uninstall. I did uninstall. But the Chrome browser malware keeps coming up and sending me to "crpto-news.space". I've uninstalled other apps that I suspected my kids downloaded, but it still keeps popping up. I have cleared the cache as well, but it's totally random.

I have Malwarebytes AND AVG antivirus AND the ADD ONS detector on Google Play store, but still no go.

I will download the Trend Micro mobile antivirus. I hope that will do it. Thanks for the info.
Staff a_Mbam Posted August 27, 2019 ID:1331526

Hello,

These calendar events are created from Gmail spam, therefore Malwarebytes for Android cannot detect these as they come in. MBAM for Android is an app and file scanner and does not scan incoming Gmail. This must be a growing issue as Android Authority just published an article on how to remove these nasty events.

https://www.androidauthority.com/google-calendar-spam-1022909/

Unfortunately, Google doesn't seem to be taking action on this behavior at this time, so our only recourse is to manually remove these and DO NOT click on the embedded links.

Regards,
-Armando
deep_logic Posted August 27, 2019 ID:1331533

Thx for the tip MBAM. I just realized my calendar was populated with this malware!

FYI, the Trend Micro app HAS NOT found any issues. So, I have Malwarebytes, AVG, Trend Micro and the ADDONS detector, but nothing has been found. Any ideas?
Staff a_Mbam Posted August 27, 2019 ID:1331546

Deep_logic,

Unfortunately not, unless you can find a very good spam filter for Gmail service. This isn't an app or file issue; these events are created from spam emails similar to the Nigerian Prince or Hot Singles type of messages Gmail is flooded with. Google or any other email service that has this issue must fix it.

-Armando
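An added example, not part of the original thread and not Malwarebytes or Google code: a triage script for a calendar exported as .ics text that lists events whose organizer contains "gserviceaccount" (the address fragment searched for in the first post) or that carry an embedded link. The sample calendar, the function names and the choice of marker are assumptions made for illustration.

```python
import re

# Constructed sample export, not from the thread; the second SUMMARY is folded.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "BEGIN:VEVENT", "SUMMARY:Dentist",
    "ORGANIZER;CN=Me:mailto:me@example.com", "END:VEVENT",
    "BEGIN:VEVENT", "SUMMARY:Congratulations! Claim your", "  prize",
    "ORGANIZER:mailto:promo@proj.iam.gserviceaccount.example",
    "DESCRIPTION:Tap here http://prize.example/win\\nEnds today",
    "END:VEVENT", "END:VCALENDAR", ""])
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def unescape(value):
    # Undo TEXT escaping: backslash-n is a newline, backslash-X is X.
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def parse_events(text):
    # One dict per VEVENT; a ':' inside a quoted parameter value is not handled.
    text = re.sub(r"\r?\n[ \t]", "", text)   # unfold continuation lines (RFC 5545)
    events, current, nested = [], None, 0
    for line in text.splitlines():
        upper = line.upper()
        if current is None:
            if upper == "BEGIN:VEVENT":
                current = {}
        elif upper.startswith("BEGIN:"):
            nested += 1                      # sub-component such as VALARM
        elif upper.startswith("END:") and nested:
            nested -= 1
        elif upper == "END:VEVENT":
            events.append(current)
            current = None
        elif not nested and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";", 1)[0].upper()] = unescape(value)
    return events

def triage(text, organizer_markers=("gserviceaccount",)):
    # Assumption: the marker is the address fragment searched for in the thread.
    findings = []
    for ev in parse_events(text):
        body = " ".join(ev.get(k, "") for k in ("SUMMARY", "DESCRIPTION", "LOCATION"))
        organizer = ev.get("ORGANIZER", "").lower()
        reasons = [f"organizer contains {m}" for m in organizer_markers if m in organizer]
        urls = URL_RE.findall(body)
        if urls:
            reasons.append("embedded link")
        if reasons:
            findings.append({"summary": ev.get("SUMMARY"), "urls": urls, "reasons": reasons})
    return findings
```

Events flagged only for an embedded link still need a human look, since legitimate invitations carry links too.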
deep_logic Posted August 28, 2019 ID:1331644

Ok, now I'm really at the end of my rope. I have now installed:

1. Malwarebytes
2. AVG
3. Trend Micro
4. AddONS detector
5. VirusTotal

One other thing I did was to lock down my permissions (however I'm not confident I got everything). I'm still getting these popups.

What's strange is that the pop-ups aren't using the full screen, but only the top portion, and it always says "PROMOTION". This is why I think this was malware off of the Google Play app. I may have to reset, but damn, I'd like to know what this is.

thanks
Staff mbam_mtbr Posted August 29, 2019 ID:1331885

Hi @deep_logic,

Besides the Google Calendar issues you are having, you may also be experiencing browser-related ads.

This is caused by the way most browsers handle redirections executed by JavaScript code. Most browsers don't do a great job of preventing these redirects, which also cause ad pop-ups. Advertising affiliates are aware of this, and exploit this weakness. Even if an advertising affiliate is shut down for using this exploit, they just come back with a different affiliate id and are right back at it.

The best way to block these pop-ups is to try a different browser, disable JavaScript, install a browser with ad blocking (like Opera), and/or install Adblock Plus. If you encounter these pop-ups again, back out of them using Android's back key. Also, clearing your history and cache will help stop the ads from reoccurring.

If this doesn't solve the issue, feel free to send us an Apps Report and we can double check there is no Adware installed. To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.
2. Tap the Menu icon.
3. Tap Your apps.
4. Tap the three lines icon in the upper right corner.
5. Tap Send to support.

Choose an email app to send the Apps Report. Your email app will open with the Apps Report included. Send the Apps Report to create a ticket. Private Message (PM) me the email used and/or the ticket number assigned.

Nathan