Jump to content

Techofires (IdeaPlus) browser hijacker

Jonny6980
 Share

Recommended Posts

Jonny6980

Jonny6980

Posted
Posted

Recently, some random websites have been popping up on my phone (Samsung Galaxy A7 2018), with loads of different names such as Techofires, Sigonews, itfaclty, Ideapuls and now gohi. I have never signed up to any of these sites, and have done a little google search on them which picked up that it was a browser hijacker that can be very malicious, and can reinstall itself on my phone if it is removed (which malwarebytes and other antiviruses do not pick up/recognize) and would like to see if anyone else is having this problem. I saw another post on this forum and apparently it has something to do with browsers being unable to block them.

I'm really worried about this, as I have no idea whether it is actually on my phone and has some sort of keylogger, or is able to hide itself in apps. One website declared that it is able to get on your device through bad updates, and a myriad of other ways. I am worried that it has got hold of my banking details, as I have all my banking things set up on this phone. Since the websites started popping up, I have started getting texts from my bank saying that random amounts of money were unable to be transferred (though it is saying this for my old card which is no longer valid)

What I want to try to get rid of it:

 - Factory reset my phone, and get rid of everything (I have already backed everything up on onedrive and google)

What I have tried to get rid of it:
 - Downloaded multiple trusted antiviruses to see if I can purge it (Unsuccessful)

 - Cleared everything (History, cookies, caches) on duckduckgo (which is my default browser) (Unsuccessful)

I just want to see if there is any way to get rid of it, or if anyone knows more about it and what it can do.

Sincerely, Jon.

Link to post
Share on other sites
David H. Lipman

David H. Lipman

Posted
Posted

Malware is the overarching concept of malicious software.  Like there is a taxonomy in the animal and plant kingdoms, there is a taxonomy to malware.

The basic sub-types of malware are;  viruses, trojans and exploit code.

Calling a piece of malware an "adware virus" is akin to calling a Ford F150 and "Ford Dodge".  Both are sub-types of automobiles but are different manufacturers.  Adware and viruses are different sub-types of malware.

Adware is a sub-type of trojans just like a F150 truck is manufactured by Ford.

 

Link to post
Share on other sites
Jonny6980

Jonny6980

Posted
  • Author
Posted
1 minute ago, David H. Lipman said:

Malware is the overarching concept of malicious software.  Like there is a taxonomy in the animal and plant kingdoms, there is a taxonomy to malware.

The basic sub-types of malware are;  viruses, trojans and exploit code.

Calling a piece of malware an "adware virus" is akin to calling a Ford F150 and "Ford Dodge".  Both are sub-types of automobiles but are different manufacturers.  Adware and viruses are different sub-types of malware.

Adware is a sub-type of trojans just like a F150 truck is manufactured by Ford.

 

what does that mean

Link to post
Share on other sites
  • 3 weeks later...
mbam_mtbr

mbam_mtbr

Posted
Posted

Hi @Ronan1,

We are pretty sure it's browser related. This is caused by the way most browsers handle redirections executed by javascript code.  Most browsers don't do a great job of preventing these redirects, which also cause ad pop-ups.  Advertising affiliates are aware of this, and exploit this weakness.  Even if an advertising affiliate is shut down for using this exploit, they just come back with a different affiliate id and are right back at it.

The best way to block these pop-ups are to try a different browsers, disable javascript, install a browser with ad blocking (like Opera), and/or install Ad-block Plus.

If you encounter these pop-ups again, back out of them using Android's back key. Also, clearing your history and cache will help stop the ads from reoccurring.

However, if you like me to check for Adware on your mobile device regardless, I certainly can do that.  You would need to send an Apps Report.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1.Open the Malwarebytes for Android app.

2.Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwareybtes forum.  This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

Nathan

Link to post
Share on other sites
ntula

ntula

Posted
Posted

I had the same problem and tried everything. it got so bad with attacks happening every few minutes and interfering with the phone use, which is illegal, not just annoying. antivirus and malware apps found nothing. then I started just deleting apps.. and even that did not work. until I tried the appwatch app and then by an error it showed me the culprit. it is Peel remote, the IR remote control app that comes from Samsung that you cannot delete without rooting, you can only disable. what happened was that appwatch showed me that the browser chrome was the culprit, but when I clicked on the info in the activity log output, it took me to the peel remote app settings. when I tried that again, it took me to chrome, so it is trying to hide it's activity. what I had to do was boot into safe mode, force quit, delete data and then disable the app. the reason no virus or malware apps can find it is that it is a legitimate app that was programmed with a back door to this. the irony is that this started to occur right when Samsung announced the new phones and it is a Samsung app and I had done an app update.

in the process of searching for the culprit, I even was able to find the exact name of the persons, and their physical addresses, of the persons who wrote the web pages, which contain quite of bit of "push" and data collecting code in a java script. in addition to this, the annoying pages were on topics that I had searched for, so it is clearly invading your privacy. some of the links on the pages go back to a product search on amazon for the search topics, for example I had searched for a car part and then a car info ad site appeared with a single link in the main body that took me to a  general car part search on amazon. in addition to this, facebook, which I rarely use was being logged into. now peel remote was removed from the play store but Samsung still is updating it. I strongly suggest you contact the FCC and file a complaint against the "domains by proxy", owned by go daddy, that profits from these fly by night domains, peel, Samsung, amazon, and the web page authors.

 

things to do, delete facebook spyware app, prevent apps from other sources, do not use apps that contain ads that are not verified and if you can, just buy them.

Link to post
Share on other sites
Ronan1

Ronan1

Posted
Posted
19 minutes ago, ntula said:

I had the same problem and tried everything. it got so bad with attacks happening every few minutes and interfering with the phone use, which is illegal, not just annoying. antivirus and malware apps found nothing. then I started just deleting apps.. and even that did not work. until I tried the appwatch app and then by an error it showed me the culprit. it is Peel remote, the IR remote control app that comes from Samsung that you cannot delete without rooting, you can only disable. what happened was that appwatch showed me that the browser chrome was the culprit, but when I clicked on the info in the activity log output, it took me to the peel remote app settings. when I tried that again, it took me to chrome, so it is trying to hide it's activity. what I had to do was boot into safe mode, force quit, delete data and then disable the app. the reason no virus or malware apps can find it is that it is a legitimate app that was programmed with a back door to this. the irony is that this started to occur right when Samsung announced the new phones and it is a Samsung app and I had done an app update.

in the process of searching for the culprit, I even was able to find the exact name of the persons, and their physical addresses, of the persons who wrote the web pages, which contain quite of bit of "push" and data collecting code in a java script. in addition to this, the annoying pages were on topics that I had searched for, so it is clearly invading your privacy. some of the links on the pages go back to a product search on amazon for the search topics, for example I had searched for a car part and then a car info ad site appeared with a single link in the main body that took me to a  general car part search on amazon. in addition to this, facebook, which I rarely use was being logged into. now peel remote was removed from the play store but Samsung still is updating it. I strongly suggest you contact the FCC and file a complaint against the "domains by proxy", owned by go daddy, that profits from these fly by night domains, peel, Samsung, amazon, and the web page authors.

 

things to do, delete facebook spyware app, prevent apps from other sources, do not use apps that contain ads that are not verified and if you can, just buy them.

I have a mi 9. I was able to delete peel app. What I should do now? 

 

Early today I deleted chrome data and installed a Ad block. Then I few hours later it opened a menu to choose wich app I wanted to open some link. In this situation how can I confirm the software is trying to open the link? 

Link to post
Share on other sites
ntula

ntula

Posted
Posted

not sure exactly, I got rid of it for now, but it may come back, peel may not be the only one. ES file manager, pulled from the play store, was doing similar stuff with click fraud ware. 

 

the other thing I found is that the malware relies on a default browser to be set, background data, and wifi when data is restricted. also, chrome cannot be deleted and in fact, when you delete the data, it keeps relaunching from a forced quit state.

 

I plan on just buying a new phone and suing go daddy  for the expense of that and lost time. go daddy is hosting these sites while hiding the domain owners and is not taking them down per complaints. is is illegal to intentionally interfere with the use of a phone or other electronic device. slam dunk case.

Link to post
Share on other sites
ntula

ntula

Posted
Posted

also, the peel I disabled was the one that came as pre-instlaled bloatware on the phone, it cannot be deleted and may be being exploited by another party.

 

things to look for are running services, background data use... etc... also, check the activity log, if a virus or malware executes an external activity, like a push or system level even, it will show up unless the virus is set to delete the logs.

Link to post
Share on other sites
ntula

ntula

Posted
Posted
On 11/15/2019 at 11:26 AM, mbam_mtbr said:

Hi @ntula,

You may be onto something.  Although it isn't getting any hits by any anti-malware vendors as being adware, it's no longer available on Google PLAY.  I'll look into tv.peel.app more and see what I can find.

Nathan

I think that peel has an open port for persons to exploit and infect devices and in this case may be using it or the update was either altered by someone or it was intentional. whether it is by peel is unknown, but when peel was originally bundled with Samsung products for their ir capacity, it was ad free, then it got worse with every update. this problem came to me after I updated everything via the play store. peel was on my phone from Samsung but is appears that it could either update via Samsung or the play store. things I did notice was that if I put my phone in airport mode, it would still try to open the browser page with an error, meaning that it was coming from a source besides the browser since I had the browser quit and background data restricted. since peel cannot be deleted on my Samsung phones and is in a sense protected and listed as a legit OEM app, it can get passed scans and is a optimum tool for someone to exploit for adware. it already has the permissions set to do the damage.

Link to post
Share on other sites
mbam_mtbr

mbam_mtbr

Posted
Posted

Hi @ntula,

Maybe try the below, and see if it stops the ads.

You can use this method to uninstall for current user (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app.

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 tv.peel.app

I'm not seeing anything that indicates it's straight Adware, but it could just be that I don't have the right version to research.  If you like, you could send me an Apps Report and I can gather the exact hash of the one you think is causing ads.  You'll need to do this before the uninstall steps noted above.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1.Open the Malwarebytes for Android app.

2.Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwareybtes forum.  This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

Link to post
Share on other sites
mbam_mtbr

mbam_mtbr

Posted
Posted

Hey Everyone,

I just created a detection for a very small sample set of Peel Remote that is displaying aggressive ads.  The detection is Android/Adware.Peel.  However, if it is preinstalled on your mobile device, you'll still need to use the process mentioned in my last post to uninstall for current user.

Nathan

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.