
Android: chrome redirect (not same as others posted on here)



  • Staff

Hey @rosho01, @shellsort, @LopjoMeboy, @One1two, @Anon00, @TRSands, @dolceping21, @Zzudwa, @brandin09, @Doobs, @Syed01, @ferdo, @markratx, @Grifta, @jarapper, @mohan37, @SamsungUser476895673, @CloverBoy74, @rameneater, @Joeyjojo, @Hamal, and @TBone,

I just wanted to update everyone that I finally found time to do deeper analysis on this Barcode Scanner, and found it is WAY more nefarious than I originally thought.  I am in the process of writing a blog about this app and how it lay dormant (sleeping) before turning malicious.  My question to all of you is how long did you have this app installed?  Months? Years?

It appears on the update on December 4th, code was added to the app that caused the issue.  Before that time, it was a clean/innocent scanner app.  The added code used obfuscation tactics similar to a lot of malware.  Thus, this is why our first detection needed to be updated to catch more variants.  I'm keeping a close eye on this one to make sure other variants that we don't catch pop up.  Let me know if you come across a variant we don't detect.  However, I'm pretty confident the detection I have in place catches them all.  We also escalated the detection to Android/Trojan.HiddenAds.AdQR because of its blatant malicious intent.  This will be described further in the blog.  Hoping to have it published early next week.

Thanks to everyone that posted up, and especially @Anon00 who tracked it down right away.

Nathan


1 hour ago, mbam_mtbr said:

Hey @rosho01, @shellsort, @LopjoMeboy, @One1two, @Anon00, @TRSands, @dolceping21, @Zzudwa, @brandin09, @Doobs, @Syed01, @ferdo, @markratx, @Grifta, @jarapper, @mohan37, @SamsungUser476895673, @CloverBoy74, @rameneater, @Joeyjojo, @Hamal, and @TBone,

I am in the process of writing a blog about this app and how it lay dormant (sleeping) before turning malicious.  My question to all of you is how long did you have this app installed?  Months? Years?

......This will be described further in the blog.  Hoping to have it published early next week.

Thanks to everyone that posted up, and especially @Anon00 who tracked it down right away.

Nathan

Hi @mbam_mtbr

thks for the update.

looking fwd to the blog 🍿🍿.

mine was installed prob 18mths+ ago (android, play store). i couldn't find how you can find out when i installed the app on the phone, as it's uninstalled (googled it also). 

pls can you let us know when the blog is published by bumping this thread? 

good work, everyone. 

thks.

rosho. 

 

  • Staff
47 minutes ago, rosho01 said:

Hi @mbam_mtbr

thks for the update.

looking fwd to the blog 🍿🍿.

mine was installed prob 18mths+ ago (android, play store). i couldn't find how you can find out when i installed the app on the phone, as it's uninstalled (googled it also). 

pls can you let us know when the blog is published by bumping this thread? 

good work, everyone. 

thks.

rosho. 

 

Yes, I will definitely post up the link when it's live.

Unfortunately, there really isn't a great way to see when an app was installed.  You can get a rough estimate if you go to the app in App Info and look under the data usage, but that would only apply if you still have it installed.  I think it's safe to say that most users have had this app installed for quite a long time before it went malicious.

Nathan

11 hours ago, mbam_mtbr said:

Hey @rosho01, @shellsort, @LopjoMeboy, @One1two, @Anon00, @TRSands, @dolceping21, @Zzudwa, @brandin09, @Doobs, @Syed01, @ferdo, @markratx, @Grifta, @jarapper, @mohan37, @SamsungUser476895673, @CloverBoy74, @rameneater, @Joeyjojo, @Hamal, and @TBone,

I just wanted to update everyone that I finally found time to do deeper analysis on this Barcode Scanner, and found it is WAY more nefarious than I originally thought.  I am in the process of writing a blog about this app and how it lay dormant (sleeping) before turning malicious.  My question to all of you is how long did you have this app installed?  Months? Years?

It appears on the update on December 4th, code was added to the app that caused the issue.  Before that time, it was a clean/innocent scanner app.  The added code used obfuscation tactics similar to a lot of malware.  Thus, this is why our first detection needed to be updated to catch more variants.  I'm keeping a close eye on this one to make sure other variants that we don't catch pop up.  Let me know if you come across a variant we don't detect.  However, I'm pretty confident the detection I have in place catches them all.  We also escalated the detection to Android/Trojan.HiddenAds.AdQR because of its blatant malicious intent.  This will be described further in the blog.  Hoping to have it published early next week.

Thanks to everyone that posted up, and especially @Anon00 who tracked it down right away.

Nathan

I've had mine for a few years. I was pulling my hair out when I finally had the insight to go to the forums. As soon as I read @Anon00's post, I thought hang on, barcode scanner was on the recent apps. I double checked, yep, uninstalled straight away, rebooted and problem solved. I too wasn't worried when I 1st saw it on the recent apps 'cause I was looking for an app I hadn't downloaded. I'm so grateful to @Anon00 


Nathan, Barcode Scanner is not a unique app name on the Google Play Store.  There are multiple apps with the same or very similar names by other developers that are currently taking the heat for the app by LAVABIRD LTD that has been removed.  I suggest you edit your blog entry to clearly identify the developer in question so that innocent developers do not continue to be unfairly tarred by the same brush.

 

 

13 minutes ago, NonSuch said:

Nathan, Barcode Scanner is not a unique app name on the Google Play Store.  There are multiple apps with the same or very similar names by other developers that are currently taking the heat for the app by LAVABIRD LTD that has been removed.  I suggest you edit your blog entry to clearly identify the developer in question so that innocent developers do not continue to be unfairly tarred by the same brush.

 

 

is the massive screen print on the blog with all those details you mention not enough?

fair enough.....it doesn't come up in the google search, but it's user error if they don't click on the article and read it. 

  • Staff
16 hours ago, NonSuch said:

Nathan, Barcode Scanner is not a unique app name on the Google Play Store.  There are multiple apps with the same or very similar names by other developers that are currently taking the heat for the app by LAVABIRD LTD that has been removed.  I suggest you edit your blog entry to clearly identify the developer in question so that innocent developers do not continue to be unfairly tarred by the same brush.

 

 

Hi @NonSuch,

Agreed.  We will have an update by end of day.

Nathan

 

45 minutes ago, Patxi_mb said:

It's not so easy. I don't have this app but I have the problem.  Another app must have the problem too.
VirusTotal cannot find it.

hi

the solution provided by anon00 should highlight what app is causing the issue.

pls id it, and post what app it is. 

thks.


Hey guys, my wife's phone had this barcode app and was getting these popups. I hate to say that after removing the app 2 days ago, we are still getting the popups on her phone. She didn't have google activity turned on, so I've just enabled it and am waiting for the next instance. But either other apps are using this same code, or it is somehow persistent. Malwarebytes isn't finding anything. I'll update again once I can gather more info the next time it happens.

  • Staff
20 minutes ago, kidder014 said:

Hey guys, my wife's phone had this barcode app and was getting these popups. I hate to say that after removing the app 2 days ago, we are still getting the popups on her phone. She didn't have google activity turned on, so I've just enabled it and am waiting for the next instance. But either other apps are using this same code, or it is somehow persistent. Malwarebytes isn't finding anything. I'll update again once I can gather more info the next time it happens.

Hi @kidder014,

There could be some leftover browser related ads going on here.  I would try clearing your history and cache of the web browser.

Nathan
