
Android: chrome redirect (not same as others posted on here)



I flagged this to the app's creator, and he refuses to believe that it's happening. He says that it's a clone of his app or something.

Either he's BSing, or he honestly doesn't know that someone has done something to his app. Either way, hopefully he will fix it. Only solution is uninstall for now.


I'm new to forums really so bear with me. I don't see the actual steps Anon00 posted that solved it. I checked my Google activity and I see apps (formatted like app.google.function.com or com.google.helpr, etc) but I don't see anything I can do to clear/remove them. I did delete Barcode scanner and I am waiting to see if that vbg.dorputolano.com thing returns but if there is a fix by Anon00 I don't see what it is.


@mbam_mtbr
The dev is saying that he hasn't updated it since 2019, and that something else must be exploiting something in his code to push this. The result is currently the same, but this is just a heads up in case he fixes the issue then this would be mislabeled as adware in your system.

Bug report discussing this issue: https://github.com/zxing/zxing/issues/1345


1 hour ago, Grifta said:

@mbam_mtbr
The dev is saying that he hasn't updated it since 2019, and that something else must be exploiting something in his code to push this. The result is currently the same, but this is just a heads up in case he fixes the issue then this would be mislabeled as adware in your system.

Bug report discussing this issue: https://github.com/zxing/zxing/issues/1345

Thanks for letting me know.  I'm confident that if he fixes the issues, our detection will not detect a cleaned up version.

Nathan


On 1/12/2021 at 9:29 PM, Grifta said:

I flagged this to the app's creator, and he refuses to believe that it's happening. He says that it's a clone of his app or something.

Either he's BSing, or he honestly doesn't know that someone has done something to his app. Either way, hopefully he will fix it. Only solution is uninstall for now.

Some of the adverts go to reputable companies (Virgin Media in this case, for me) - I wonder how these companies benefit from these nefarious practices w/o any consequences? Bit like ads on torrent sites I guess, probably go through an agency/3rd party and absolve of all responsibility.

And a Q for the mods @mbam_mtbr - how can this person's app get infected en route to being downloaded? Would that not mean a bigger vulnerability in the pipeline/infra possibly impacting every app (with similar code weaknesses) which is downloaded? Or is the guy talking BS?


Btw, when googling this issue a while back, it seems there are similar malware on other barcode scanner apps going back a few years - perhaps it's to do with how these bar code apps are designed? And they are then infected en route to being downloaded - however this occurs, not sure.


I got several emails directing me to specific posts but those don't say anything about what I can do. Am I missing something? Deleted barcode scanner and went to site settings and removed all the sites listed that were suspicious, which was all but google.com and youtube.com. I'll monitor Chrome for the problem but hopefully it won't happen again.


11 hours ago, jarapper said:

I'm new to forums really so bear with me. I don't see the actual steps Anon00 posted that solved it. I checked my Google activity and I see apps (formatted like app.google.function.com or com.google.helpr, etc) but I don't see anything I can do to clear/remove them. I did delete Barcode scanner and I am waiting to see if that vbg.dorputolano.com thing returns but if there is a fix by Anon00 I don't see what it is.

"So I guess my solution is for you all to check your myactivity.google.com and look for when these sites popped up and what happened before or after them and then delete that app or whatever it is".

Which bit don't you get?


3 hours ago, rosho01 said:

And a Q for the mods @mbam_mtbr - how can this person's app get infected en route to being downloaded? Would that not mean a bigger vulnerability in the pipeline/infra possibly impacting every app (with similar code weaknesses) which is downloaded? Or is the guy talking BS?

It's not really getting infected en route. What happens a lot of the time is a legitimate app developer puts a free app on Google PLAY, and uses what is called an Ad SDK to gain revenue through ads. The Ad SDK is simply a piece of code that is added into their app. There are many good, reputable Ad SDKs that display ads within the app when it is opened. However, sometimes these Ad SDKs get a bit aggressive, and suddenly we have to flag it as Adware. In this case, the Ad SDK must be removed with the code to not get flagged.

Another method is a legitimate app is introduced to Google PLAY, and downloaded by users.  But then at some point code is added by the app developer that displays aggressive ads.  When the app is updated, the once legitimate app now is Adware.

Hope that all makes sense,

Nathan


The entries in myactivity showed a lot of suspicious activity which I cleared and reset. The thing is that what apps happened right before the trigger of the popups and ads was something I didn't understand. A few were Updater! but my list wasn't as clearly revealing as I believe yours is. So I was confused.

But I had checked my activity but I didn't scroll down enough to see site settings and so I very much appreciate your redirecting me there. There is a site settings option in security/clear browsing history and that's where I kept going which of course didn't do anything.


11 minutes ago, jarapper said:

The entries in myactivity showed a lot of suspicious activity which I cleared and reset. The thing is that what apps happened right before the trigger of the popups and ads was something I didn't understand. A few were Updater! but my list wasn't as clearly revealing as I believe yours is. So I was confused.

But I had checked my activity but I didn't scroll down enough to see site settings and so I very much appreciate your redirecting me there. There is a site settings option in security/clear browsing history and that's where I kept going which of course didn't do anything.

Do you still have a problem after uninstalling the barcode app?


9 hours ago, jarapper said:

I haven't seen it - Yeah. So my hat off to Anon00.

Is there a safe way to test my phone to see if their ad processes/apps are still embedded on my phone?

As a side note, I'm getting a bit more of an understanding how a forum works!

Well then it looks like the issue is resolved, which is good.

Run Malwarebytes and/or AV scans to check for other issues.

There's plenty of info on how to do this on here. Any other issues, search these forums.


On 1/14/2021 at 10:45 PM, mbam_mtbr said:

It's not really getting infected en route. What happens a lot of the time is a legitimate app developer puts a free app on Google PLAY, and uses what is called an Ad SDK to gain revenue through ads. The Ad SDK is simply a piece of code that is added into their app. There are many good, reputable Ad SDKs that display ads within the app when it is opened. However, sometimes these Ad SDKs get a bit aggressive, and suddenly we have to flag it as Adware. In this case, the Ad SDK must be removed with the code to not get flagged......

Thanks for the explanation Nathan, makes perfect sense.


  • 2 weeks later...

Hey Everyone,

We updated our detection to pick up more samples of Android/Adware.AdQR.FBG.  This will be effective in future database versions.  If it still isn't being detected, please send me an Apps Report BEFORE deleting so we can add/update detections.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap the three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Thanks for the support everyone!

Nathan


This started happening to my Samsung S8, I think after I used the QR code reader to bring up a restaurant menu website.

I started keeping track of the websites that were opening, and then the times.  It wasn't long before a search brought me here.

  1. ultimate-cleaner.com
  2. mobiland.online
  3. taicheetee.com (this one came up A LOT)
  4. rouonixon.com
  5. 2021-02-01    10:34:00 AM    delightcmain.xyz
  6. 2021-02-01    11:04:00 AM    vbg.dorputolano.com --> 25twentyday.com
  7. 2021-02-01    11:34:00 AM    vbg.dorputolano.com --> 25twentyday.com
  8. 2021-02-01    Uninstalled "BARCODE READER" (I think I might have installed this when I first got the phone, not realizing that the S8 came stock with a "built-in" code reader?)
  9. 2021-02-01    12:04:00 PM    No webpage spawns.
  10. 2021-02-01    12:05:00 PM    Clicked QR Scanner from the Samsung 8 Menu Bar. The camera opens and appears to read codes as expected.
  11. 2021-02-01    12:49:00 PM    No webpage spawns up to this point.

Thanks for the help everyone.

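The approach quoted earlier in the thread (find what ran just before each unexpected page) and the 30-minute spacing in the timeline above can both be checked mechanically. This is an added example, not part of any post in this thread: it assumes activity rows transcribed by hand into (time, kind, name) tuples, the package names are hypothetical, and the sample data is constructed around the times and domains reported above.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: rows transcribed by hand as (time, kind, name).
# Package names are hypothetical; the page-open times and domains are the
# ones reported in the timeline above.
EVENTS = [
    ("2021-02-01 10:20", "app", "com.example.mail"),
    ("2021-02-01 10:21", "url", "google.com"),
    ("2021-02-01 10:33", "app", "com.example.barcodereader"),
    ("2021-02-01 10:34", "url", "delightcmain.xyz"),
    ("2021-02-01 11:03", "app", "com.example.barcodereader"),
    ("2021-02-01 11:04", "url", "vbg.dorputolano.com"),
    ("2021-02-01 11:20", "app", "com.example.maps"),
    ("2021-02-01 11:33", "app", "com.example.barcodereader"),
    ("2021-02-01 11:34", "url", "vbg.dorputolano.com"),
]
KNOWN_GOOD = {"google.com", "youtube.com"}  # sites the user opened on purpose


def parse(events):
    """Turn the string timestamps into datetimes and sort chronologically."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), k, n) for t, k, n in events)


def suspect_apps(events, known_good, window=timedelta(minutes=2)):
    """Rank apps by how many unexpected page opens they were active just before."""
    rows, hits = parse(events), Counter()
    for when, kind, name in rows:
        if kind == "url" and name not in known_good:
            hits.update({n for t, k, n in rows
                         if k == "app" and timedelta(0) <= when - t <= window})
    return hits.most_common()


def fixed_interval(events, known_good, tolerance=timedelta(minutes=1)):
    """Return the gap if unexpected opens recur on a timer, else None."""
    times = [t for t, k, n in parse(events) if k == "url" and n not in known_good]
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
        return gaps[0]
    return None


if __name__ == "__main__":
    print(suspect_apps(EVENTS, KNOWN_GOOD))
    print(fixed_interval(EVENTS, KNOWN_GOOD))
```

An app that tops the ranking and a fixed gap between opens together point at a scheduled job inside one app rather than at the browser; uninstalling that app and confirming the next expected slot stays empty, as the timeline does at 12:04, is the confirmation step.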

I never had this app: "Barcode Scanner" on my LG G5; however I get the same problem with "doportunalo". I followed your suggestions and looked in Chrome history, but didn't find anything matching with any app... except Google Play Store. In desperation, I've turned off "Google Play Store" & "Google Chrome", and now I have no more ads!

Thank you guys for your help...

