4 hours ago, zealstarwind said:

I recently updated from the previously mentioned UMX phone to an updated U693CL and I am getting a pop-up in Chrome; it always opens a new tab for g21news.com after a set random time. Malwarebytes doesn't detect anything and I suspect it's changed or the app is hidden behind admin commands. Also there is a modified home screen that will not allow me to remove the Google search bar on the home screen. If Assurance Wireless was looking into it they ain't doing crap about it as they probably know and are getting paid by the manufacturer.

There have been a variety of issues like this for our UMX phones the past couple of years.  Assurance is well aware and they do nothing.  Usually the problem persists for a while and then UMX fixes it with an update so the phone will be fine for months, but then another one pops up.  There is nothing you can do about it unless you use ADB to disable the system app that the virus is factory installed in.  For example I disabled Wireless Update a couple of years ago and then my phone and nothing on it ever updated until I knew the virus had been fixed by UMX and reset my phone.

The virus you have didn't seem as bad.  I can't remember which system app it is in.  But I don't have the G21 news virus anymore because I think a later update had fixed it.  Go through the update routine again to see that you have the latest update installed.  With the last update that I have I don't see any virus activity.


  • Staff
13 hours ago, zealstarwind said:

I recently updated from the previously mentioned UMX phone to an updated U693CL and I am getting a pop-up in Chrome; it always opens a new tab for g21news.com after a set random time. Malwarebytes doesn't detect anything and I suspect it's changed or the app is hidden behind admin commands. Also there is a modified home screen that will not allow me to remove the Google search bar on the home screen. If Assurance Wireless was looking into it they ain't doing crap about it as they probably know and are getting paid by the manufacturer.

Hi @zealstarwind,

See this post to resolve g21news.com homepage: 

Nathan


I do not have any apps on my phone that didn't come preloaded besides me installing Discord. It is probably baked in and I have disabled all extraneous apps I could. This is just a thing with Assurance Wireless and UMX where every phone comes prebaked with malware to pop up ads.


On 4/6/2021 at 11:23 AM, zealstarwind said:

I do not have any apps on my phone that didn't come preloaded besides me installing Discord. It is probably baked in and I have disabled all extraneous apps I could. This is just a thing with Assurance Wireless and UMX where every phone comes prebaked with malware to pop up ads.

I think it's in the settings app.  I had the G21news virus last year, but later updates got rid of it.  When you get a new phone it may be several updates behind so you have to go through the update process several times until it says that you have the most up to date.


Hey guys,

I wanted to give my two cents on this issue since it has also been bothering me. I appreciate all the replies and have tried every single solution possible, but I still couldn't get rid of the damn tarot card site or G21 news. It was driving me insane. And I recently fell victim to a serious breach in my personal privacy that I might have to seek legal counsel for. I couldn't think of anything that would be the cause, other than my phone.

I called my service provider and simply requested a new phone that WASN'T of the UMX brand. They sent me a Wiko, and after a brief search, I found next to no malware complaints for this brand akin to the UMX phones.

I've only been using it for today so far and I haven't found any issues, but if I do I'll give an update just to be informative. I don't know if requesting a new phone is an option for everyone here but if it is and you can't do anything about the malware on your current phone, maybe consider it. And make sure it's not another UMX. If I find out my previous phone had anything to do with my security compromise, I am seriously considering suing someone.


  • Staff
14 hours ago, Darien said:

Hey guys,

I wanted to give my two cents on this issue since it has also been bothering me. I appreciate all the replies and have tried every single solution possible, but I still couldn't get rid of the damn tarot card site or G21 news. It was driving me insane. And I recently fell victim to a serious breach in my personal privacy that I might have to seek legal counsel for. I couldn't think of anything that would be the cause, other than my phone.

I called my service provider and simply requested a new phone that WASN'T of the UMX brand. They sent me a Wiko, and after a brief search, I found next to no malware complaints for this brand akin to the UMX phones.

I've only been using it for today so far and I haven't found any issues, but if I do I'll give an update just to be informative. I don't know if requesting a new phone is an option for everyone here but if it is and you can't do anything about the malware on your current phone, maybe consider it. And make sure it's not another UMX. If I find out my previous phone had anything to do with my security compromise, I am seriously considering suing someone.

Hi @Darien,

Good to hear you convinced Assurance Wireless to send a non-UMX phone.  Also avoid ANS.  If available, I would try to stick to phone manufacturers that are more well known.  Unfortunately, you can no longer see the phone options on Assurance Wireless' website or I'd give recommendations.

Nathan


  • 1 month later...

A repost from me, from another thread:

I work in the technical field of smartphones, including Android, so I have more than sufficient technical knowledge.  I have been helping a family friend, a senior, with solving this exact issue on the U693CL.  I am dumbfounded why Assurance and UMX allow this to continue to happen.  I implemented some tools from the previous rounds to shut down and clean off these malware pushes.  After 3 UMX security updates, and based on behaviors I saw and tracked, I am certain the Android security updates pushed out by UMX have weaknesses/vulnerabilities.  It may seem like it cleaned off some malware but in reality, it activates another one but in a dormant state.  It acts as a backdoor to execute code that would otherwise be subject to some Android OS level restrictions and it invokes APIs only true developers would know.

The g21news hijack was triggered by the "TopicNews" app.  Before the recent security update, that apk was called the "Topic" app; I had it disabled and uninstalled via ADB shell commands.  Back at that time, the hijacked sites and pop-ups were various game sites.  The phone system snapshot I took shows the update somehow changed the apk name and re-installed and re-enabled it.

In addition, there have been frequent Google Play Protect notifications indicating it found an app or blocked an app from being installed that was deemed malicious.  This happens when the phone is not touched or used, so some code is executing all this malicious behavior.

I logged the IP traffic and EVERY, I mean EVERY hijacked browser redirect or pop-up ad that masks the screen is hosted by IP addresses in China.  Domain names are all registered with China-based domain registrars.  Servers seem to be hosted on systems with IP addresses serviced or registered through Alibaba, Tencent, or one of the other Chinese internet powerhouses.

I have done multiple soft/hard factory restores, and after the phone downloads the latest security updates, it would be back to the same situation with this malware, hijack and ad redirect.

From this info, I am inclined to believe Assurance is not the main culprit but it's extremely careless or has no expert in-house to monitor or address these problems.  The key issue is with UMX.  I agree with the author of various posts from Malwarebytes, there appears to be a break or vulnerability in UMX's software development custody to allow this to happen repeatedly, and to both U683CL and now U693CL.

Last note, while these phones use low-end chipsets from Qualcomm, like the 210/215 used in the U693CL, they are actually very capable chipsets and can be a very suitable and functional modern entry-level phone for the low-income lifeline users and their day to day needs.  This malware is so active, evasive and heavy, it renders the phone completely useless, which is just super sad, especially during COVID when people really need their phone and internet.


By the way, if Assurance tells you the issue will go away once merged/transitioned to the T-Mobile network, then they are grossly misinforming customers.  I've checked with industry contacts; Assurance put out bids for phones knowing the Sprint network will be decommissioned.  For a couple of years now, all the new phone designs are required to support all of T-Mobile's LTE bands, including the latest bands, 12, 41, 66 and 71.  These phones will not need to be replaced and they simply have to send you a new T-Mobile based SIM card.  This means whatever backdoor and weakness will still be in the phone.

It seems like UMX is doing this on purpose, to generate ad money.  If they want to fix this, it should be doable when that offending apk is in the factory image.  There is no technical limit why this could not be done quickly and efficiently as a permanent fix.


1 hour ago, _W_ said:

In addition, there have been frequent Google Play Protect notifications indicating it found an app or blocked an app from being installed that was deemed malicious.  This happens when the phone is not touched or used, so some code is executing all this malicious behavior.

I logged the IP traffic and EVERY, I mean EVERY hijacked browser redirect or pop-up ad that masks the screen is hosted by IP addresses in China.  Domain names are all registered with China-based domain registrars.  Servers seem to be hosted on systems with IP addresses serviced or registered through Alibaba, Tencent, or one of the other Chinese internet powerhouses.

I installed noroot firewall as recommended, and have pretty much blocked everything except a few trusted apps (blocked ALL wireless updates, google services, android services etc).  Bothersome, but at least now I can use my phone.  They are unable to install junk, but I don't know if this is actually protecting my data or not.


20 hours ago, iBeleave said:

I installed noroot firewall as recommended, and have pretty much blocked everything except a few trusted apps (blocked ALL wireless updates, google services, android services etc).  Bothersome, but at least now I can use my phone.  They are unable to install junk, but I don't know if this is actually protecting my data or not.

I thought about that but the phone is being used by a non-tech senior, so it's another layer of permission that may cause more problems.  I do believe there is value in Android security update pushed by UMX sans the malware/adware in the payload.  The issue is still that they have a software development process custody issue, or maybe they are doing this on purpose.

Do you do block-all and then grant permission based on access attempt, or have you developed a block list (from the malware's triggered activities)?  If so, can you share block list?


13 minutes ago, _W_ said:

I thought about that but the phone is being used by a non-tech senior, so it's another layer of permission that may cause more problems.  I do believe there is value in Android security update pushed by UMX sans the malware/adware in the payload.  The issue is still that they have a software development process custody issue, or maybe they are doing this on purpose.

Do you do block-all and then grant permission based on access attempt, or have you developed a block list (from the malware's triggered activities)?  If so, can you share block list?

One wireless update got rid of the malware briefly, and another put it back, even when I had supposedly turned off updates, so I just stopped them all.

Yes, it would be very bothersome for most people, I think, and especially a senior.  However, once it is set up it's not bad.


NoRoot allows me to get notified of each access attempt, and choose to accept/deny based on wifi and/or data access.  I denied everything that came up, except my own apps (K9 email, podbean, duckduckgo on specific use).  A bunch of things are lumped together, not sure why, such as Android System which includes Android System, Wireless Update, Settings - I know that some of these were allowing malware in, so that whole group is denied.  Also Google play services group, and Google Play Store - which prevents installation of new stuff from them, which was also happening (a bit obnoxious if I actually want to install something myself).  Also something called Mobile Installer which was involved in the malware.

 


I poked around the phone some more.  Whoever designed the UMX software or did the Android integration are extremely lazy and just very careless engineers, if I am being nice.  I found traces of settings and conduits related to Chinese cellphone carriers that should never be in a phone destined for the US, taking up storage.  There are several setting themes and overlays for CMCC (China Mobile) and CT (China Telecom) that are left in the phone software.  On phones destined for China, those settings allow some carrier-based information exchange, like getting plan information, data/min used/left, and hosting any popups the carrier wanted to show, but why in US phones?  There are usually build flags for each carrier's version of the phone software, so carrier-specific stuff is not supposed to get pulled in.

I spotted several pieces of software Sprint outsourced to InnoPath, which generally come on all Sprint phones, like Mobile Installer.  They are backend tools for Sprint to push updates and manage devices.  I would suggest not disabling them if they show as from InnoPath.  Assurance/Sprint is transitioning customers to the T-Mobile network and may need to push changes to the phone settings.  In theory, they can do everything through Android APIs but they may automate those steps with their own tools like the ones from InnoPath.

Anyways, I am really stunned by the things I am seeing here.  I think the users should consider filing formal complaints with the FCC to hold Assurance responsible for better oversight of their vendors.  With this malware/adware, the phone can't even make or receive calls, with the ads blocking critical screen display information.  How can people count on this phone during an emergency?  I'd imagine most of Assurance's customers won't have the resources or tools to constantly try to clean up this malware/adware every couple of months.


  • 2 weeks later...

I am glad people are bringing these issues with Assurance Wireless and the UMX brand to light. While I am admittedly a novice at the inner workings of mobile operating systems, I know enough to understand that what UMX is doing isn't right and completely intentional. I was able to use the information from everyone here to stop the g21news redirects, but now I am facing a new line of issues, primarily redirecting me to a "gaming" site, 592onegame, which appears to be American in origin (at least according to their IP), and running through a Cloudflare server . As if this wasn't bad enough, I have recently been getting redirected to a site claiming to be Google and trying to get me to take a survey for a "prize" in the form of a gift card or Cash app deposit. Now they are going beyond ad revenue to blatant phishing attempts. Malwarebytes says there are no issues detected, so I am left to assume this is further interference from UMX. If I didn't need this phone so badly and could afford the change, there is no way I would continue using it. For those here who are better versed in mobile security, please continue doing what you can to help those who, like me, are being victimized by these companies. My thanks to you.


I spent some time over the last several weeks tracking down the browser redirect on launch.  The people who wrote that malicious code are savvy.  I used an array of tools to monitor the Android OS but it seems the code can detect the tools are running, so it won't pop/re-direct.  The moment I disable the tools, it starts to pop again. The level of maliciousness is sickening.  I am working on some methods to monitor the OS more transparently.  The malware code is very deeply embedded in the OS.

I think the best recourse is for users to file an FCC complaint and force Assurance to take responsibility and drop these phone vendors.  With T-Mobile/Sprint buying power, it's shocking that they don't take more aggressive action on these phone vendors.


2 hours ago, _W_ said:

I think the best recourse is for users to file an FCC complaint and force Assurance to take responsibility and drop these phone vendors.  With T-Mobile/Sprint buying power, it's shocking that they don't take more aggressive action on these phone vendors.

I agree!  Assurance said I needed a new phone for the T-Mobile change, so I talked to them for a long time to convince them to NOT send me another UMX phone (currently have U683CL).  Finally one customer service rep agreed to send me a Wiko, but when it arrived, it was actually U693CL - they say that is all they have now.  I filed a complaint with the FCC last week, so Assurance called me, but insist nothing they can do.  They say all their devices are "approved" by the government!  I am going to look at a different phone company that will let me choose my own phone.


3 minutes ago, iBeleave said:

Assurance said I needed a new phone for the T-Mobile change...

The agents in the Philippines are clueless.  The T-Mobile/Sprint merger was known in the industry for some time and many Assurance phones, even old ones, can support the T-Mobile LTE network fully.  It was a requirement to the Chinese phone makers.  It's just a matter of sending a T-Mobile based SIM and these phones can work on the T-Mobile network without the need for a new phone.  The other problem is Wiko may have licensed their name to ANS, so the ANS phone is now under the Wiko brand.  This mess is not going away.

I can't imagine, with these phones causing so many problems and Assurance having to send replacements or warranty them, that it's cheap for Assurance to do this, instead of just letting consumers have the option to use other unlocked phones.


  • 1 month later...

I don’t know if I will have gotten rid of the problem through this method but for some reason the news 21 website had data that was stored in the site settings.

 Chrome >Settings >site settings>data stored

As if there was some login information that someone signed up for, no one did that, but I deleted it and we will see.

I just wanted to put this here since i was looking for a solution to this and I happened upon this forum and since there was no solution found, i thought that i might add what I’m trying, cuz this is the second phone from them, different brand, that’s having these pop up issues and i’m starting to wonder if it’s unsolvable, but i won’t be back lol

i also installed 3 antivirus/antimalware programs, (found something bad, but didn’t solve the problem). i would also just recommend just not keeping personal stuff on the phone, a child uses the phone we have, so it’ll never have banking and stuff on it, i don’t too much trust these phones internally.

 plus, this seems like a chrome issue, i’m gonna try a different browser, firefox, the ducked-one, maybe they like attacking chrome?

 here’s bonus info, cuz outer protection is hard to find, might as well protect the POS if you need it.

Oujietong Case for Unimax UMX... https://www.amazon.com/dp/B08J7ZGV5R?ref=ppx_pop_mob_ap_share

[3 Pack] shields for Unimax UMX https://www.amazon.com/dp/B08XLPPQZR?ref=ppx_pop_mob_ap_share

 

GL all!


1 hour ago, Yie said:

I don’t know if I will have gotten rid of the problem through this method but for some reason the news 21 website had data that was stored in the site settings.

 Chrome >Settings >site settings>data stored

As if there was some login information that someone signed up for, no one did that, but I deleted it and we will see.

I just wanted to put this here since i was looking for a solution to this and I happened upon this forum and since there was no solution found, i thought that i might add what I’m trying, cuz this is the second phone from them, different brand, that’s having these pop up issues and i’m starting to wonder if it’s unsolvable, but i won’t be back lol

i also installed 3 antivirus/antimalware programs, (found something bad, but didn’t solve the problem). i would also just recommend just not keeping personal stuff on the phone, a child uses the phone we have, so it’ll never have banking and stuff on it, i don’t too much trust these phones internally.

 plus, this seems like a chrome issue, i’m gonna try a different browser, firefox, the ducked-one, maybe they like attacking chrome?

 here’s bonus info, cuz outer protection is hard to find, might as well protect the POS if you need it.

Oujietong Case for Unimax UMX... https://www.amazon.com/dp/B08J7ZGV5R?ref=ppx_pop_mob_ap_share

[3 Pack] shields for Unimax UMX https://www.amazon.com/dp/B08XLPPQZR?ref=ppx_pop_mob_ap_share

 

GL all!

I also just noticed some app that might have something to do with it, comments say it’s spyware, but we did NOT install, it’s not even on the home screen, you must go to

Google Play >{your-picture}> manage apps& devices

the app was called INSTANT NEWS, seems many many people are having this issue, just read the comments in the google play store, {see pic}, the app’s full name is INSTANT NEWS-THE DAILY MAGAZINE by HUUB, blue icon with a folded blue/white newspaper on it. 


i think i found the root of the issue and this is perhaps what that log in information was for (that i mentioned in my initial post)

it sets itself to auto update in your system but doesn’t keep itself on your homescreen, i definitely think something sneaky is going on despite what the respondent on the app’s comments say.

although the pop-ups have not shown up since i deleted that log in info earlier, i was trying to find the source, and i think this app may be it!


my last update, so i just realized that you cannot uninstall this app, i suggest clear the cache, force quit, disable, AND clear the cache again lol 

hopefully the bugger doesn’t come back!

it’s a different icon in the phone than the app store, be wary and beware, smh, the bloatware on these phones are out-of-control!!!! i disable all the ones i don’t need, like amazon (please don’t shop on these phones)


so far though, since my very first post, the website has NOT shown up, or popped up, {and i have tried to make it re-pop-up again, nothings but crickets} since then, i have just been trying to tie up any loose ends that this issue might re-stem from. 


14 minutes ago, Yie said:

my last update, so i just realized that you cannot uninstall this app, i suggest clear the cache, force quit, disable, AND clear the cache again lol 

hopefully the bugger doesn’t come back!

it’s a different icon in the phone than the app store, be wary and beware, smh, the bloatware on these phones are out-of-control!!!! i disable all the ones i don’t need, like amazon (please don’t shop on these phones)


so far though, since my very first post, the website has NOT shown up, or popped up, {and i have tried to make it re-pop-up again, nothings but crickets} since then, i have just been trying to tie up any loose ends that this issue might re-stem from. 

OMG they made me a liar, but i just want to help in anyway that i can, in the words of cartoon Jackie Chan’s uncle, one more thing … change the chrome homepage, the annoyance-ware also made itself the default page for chrome, smh absolutely ridiculous. it looks like i had stopped the pop ups but then when i opened a new tab it popped up, it made me pop up the #^¢%ing site myself *facepalm*


i hope this helps me, and anyone else, but we got what we paid for. 


3 minutes ago, Yie said:

OMG they made me a liar, but i just want to help in anyway that i can, in the words of cartoon Jackie Chan’s uncle, one more thing … change the chrome homepage, the annoyance-ware also made itself the default page for chrome, smh absolutely ridiculous. it looks like i had stopped the pop ups but then when i opened a new tab it popped up, it made me pop up the #^¢%ing site myself *facepalm*


i hope this helps me, and anyone else, but we got what we paid for. 

There are multiple sources of virus on the UMX.  Eventually an update will take them all away and the phone will be virus free for a while until after another update something like g21news appears.

I hadn't had g21news since last year, but I've seen other people on here reporting it.  Make sure your phone is updated to the latest, you have to manually check for updates, it doesn't just go to the latest.

"News" is a virus that has always been on the phone.  The other viruses appear in vital system apps which can make ADB uninstalling something you may not want to do.

My phone seems virus free at the moment as it started acting up again over a month ago with another Chrome hijacker and Topic so I ADB uninstalled the following:

news: com.huub.instantnews

topicnews: com.android.part.iinews

hidden menu: com.teleepoch.hiddenmenu

Does anyone know what hidden menu is? I uninstalled it because Malwarebytes recommended I uninstall it in the past.


EXAMPLE:  adb shell pm uninstall -k --user 0 com.teleepoch.hiddenmenu
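
The snapshot comparison _W_ describes and the package check stvvv lists can be scripted; the following is an added example, not code from any poster in this thread. It works on saved output of `adb shell pm list packages --user 0`; the function names, the sample snapshots and `com.example.oldapp` are constructed for illustration, and `cmd package install-existing` is included as the way to undo a per-user uninstall.

```shell
#!/bin/sh
# Added example (not from the thread). Compares two saved outputs of
#   adb shell pm list packages --user 0
# and checks them against the package names stvvv lists above.
LC_ALL=C; export LC_ALL

WATCHLIST="com.huub.instantnews
com.android.part.iinews
com.teleepoch.hiddenmenu"

# Reduce a saved listing to sorted, unique package names.
# Strips the CRs adb can emit and the "package:" prefix (assumes no -f flag).
pkg_names() {
    tr -d '\r' < "$1" | sed -n 's/^package://p' | sort -u
}

# Report packages that appeared or disappeared between two snapshots,
# e.g. one taken before and one taken after a vendor update.
snapshot_diff() {
    sd_b=$(mktemp); sd_a=$(mktemp)
    pkg_names "$1" > "$sd_b"; pkg_names "$2" > "$sd_a"
    comm -13 "$sd_b" "$sd_a" | sed 's/^/ADDED /'
    comm -23 "$sd_b" "$sd_a" | sed 's/^/REMOVED /'
    rm -f "$sd_b" "$sd_a"
}

# Print watch-list packages present in a snapshot (exact name match only).
watch_hits() {
    wh_w=$(mktemp); wh_s=$(mktemp)
    printf '%s\n' "$WATCHLIST" | sort -u > "$wh_w"
    pkg_names "$1" > "$wh_s"
    comm -12 "$wh_w" "$wh_s"
    rm -f "$wh_w" "$wh_s"
}

# Dry run: print the per-user uninstall command for each hit, plus the
# command that restores the package for user 0. Nothing is executed.
removal_plan() {
    watch_hits "$1" | while IFS= read -r p; do
        printf 'adb shell pm uninstall -k --user 0 %s\n' "$p"
        printf '# undo: adb shell cmd package install-existing %s\n' "$p"
    done
}

# Constructed sample snapshots (CRLF line endings, as adb may produce).
write_sample_snapshots() {
    printf 'package:%s\r\n' com.android.chrome com.android.settings \
        com.android.vending com.example.oldapp > "$1/before.txt"
    printf 'package:%s\r\n' com.android.chrome com.android.settings \
        com.android.vending com.android.part.iinews \
        com.huub.instantnews > "$1/after.txt"
}

# Run with the argument "demo" to see the output on the constructed data.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_snapshots "$d"
    snapshot_diff "$d/before.txt" "$d/after.txt"
    removal_plan "$d/after.txt"
    rm -rf "$d"
fi
```

Taking a snapshot before and after each Wireless Update run shows whether a package that was removed for user 0 has been reinstalled or has come back under a new name.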


1 hour ago, Yie said:

OMG they made me a liar, but i just want to help in anyway that i can, in the words of cartoon Jackie Chan’s uncle, one more thing … change the chrome homepage, the annoyance-ware also made itself the default page for chrome, smh absolutely ridiculous. it looks like i had stopped the pop ups but then when i opened a new tab it popped up, it made me pop up the #^¢%ing site myself *facepalm*

All these things you are discovering and trying were known and tried for many months now.  The pop-up on Chrome will come back.  It's very deeply embedded.  I put the device in debug mode and ran a bunch of tools and the thing can detect that and would never pop up.  The moment I remove the tools, it pops up - it's just a matter of time.


1 hour ago, stvvv said:

Does anyone know what hidden menu is? I uninstalled it because Malwarebytes recommended I uninstall it in the past.


EXAMPLE:  adb shell pm uninstall -k --user 0 com.teleepoch.hiddenmenu

Generally, they are some sort of debug function embedded by the device manufacturer.  TeleEpoch is the ODM for this phone.  UMX is just a retail brand name.  I removed it in my case but it doesn't seem to have any effect on suppressing the Chrome popups.


34 minutes ago, _W_ said:

Generally, they are some sort of debug function embedded by the device manufacturer.  TeleEpoch is the ODM for this phone.  UMX is just a retail brand name.  I removed it in my case but it doesn't seem to have any effect on suppressing the Chrome popups.

what about not using chrome altogether? from everything i keep reading all i see is that it seems to be a chrome issue, what about firefox, or other browsers?
