Android: Unknown Chrome hijacker



I'm having this problem as well. I have an Assurance Wireless UMX, model U693CL. G21 news is constantly popping up as my homepage. I change it constantly; it always goes right back. I've also noticed that I'm getting new pages in new tabs that are ads for games. How do I stop this? I'm OK when it comes to phones but need someone to help walk me through it.


28 minutes ago, TookieLaRue said:

I'm having this problem as well. I have an Assurance Wireless UMX, model U693CL. G21 news is constantly popping up as my homepage. I change it constantly; it always goes right back. I've also noticed that I'm getting new pages in new tabs that are ads for games. How do I stop this? I'm OK when it comes to phones but need someone to help walk me through it.

The UMX phones from Assurance (mine too) have had viruses on and off for the past couple of years that are usually factory installed in system apps that can be disabled but not removed. If you disable one, you will lose the functionality of that part of the system, which may or may not be an issue.

Several times UMX cleared the viruses off the phones with an update, but after a few months a new virus appeared. I had the g21news.com virus in Dec/Jan, but then an update took it away, so it seems that my phone has been virus free for the past few months. If you get a new phone or do a factory reset, the phone will update, but it may be several updates behind, so you may have to go through the update process to manually check for updates and let them install two or three times until it says that you have the most current version. I think you may need to get to the most current update, and then your phone will be virus free, at least for now.

We've been working on the UMX U693CL viruses in this thread: 

 


  • 4 weeks later...

The very same problem has been manifesting itself all over my UMX U693CL Assurance Wireless issued phone as well. Many thanks to all involved with this comment thread and the process of eliminating this preprogrammed malware. I will attempt the factory reset action A.S.A.P., then come back and post my findings and its effectiveness.


I work in the technical field of smartphones, including Android, so I have more than sufficient technical knowledge. I have been helping a family friend, a senior, with solving these exact issues on the U693CL. I am dumbfounded why Assurance and UMX allow this to continue to happen. I implemented some tools from the previous rounds to shut down and clean off these malware pushes. After 3 UMX security updates, and based on behaviors I saw and tracked, I am certain the Android security updates pushed out by UMX have weaknesses/vulnerabilities. It may seem like it cleaned off some malware, but in reality it activates another one in a dormant state. It acts as a backdoor to execute code that would otherwise be subject to some Android OS level restrictions, and it invokes APIs only true developers would know.

The g21news hijack was triggered by the "TopicNews" app. Before the recent security update, that apk was called the "Topic" app; I had it disabled and uninstalled via ADB shell commands. Back at that time, the hijacked sites and pop-ups were various game sites. The phone system snapshot I took shows the update somehow changed the apk name and re-installed and re-enabled it.

In addition, there have been frequent Google Play Protect notifications indicating it found an app, or blocked an app from being installed, that was deemed malicious. This happens when the phone is not touched or used, so some code is executing all this malicious behavior.

I logged the IP traffic and EVERY, I mean EVERY, hijacked browser redirect or pop-up ad that masks the screen is hosted by IP addresses in China. Domain names are all registered with China-based domain registrars. Servers seem to be hosted on systems with IP addresses serviced or registered through Alibaba, Tencent, or one of the other Chinese internet powerhouses.

I have done multiple soft/hard factory restores, and after the phone downloads the latest security updates, it is back to the same situation with this malware, hijacking and ad redirects.

From this info, I am inclined to believe Assurance is not the main culprit, but it's extremely careless or has no expert in-house to monitor or address these problems. The key issue is with UMX. I agree with the author of various posts from Malwarebytes: there appears to be a break or vulnerability in UMX's software development custody that allows this to happen repeatedly, and to both the U683CL and now the U693CL.

Last note: while these phones use a low-end chipset from Qualcomm, like the 210/215 used in the U693CL, they are actually very capable chipsets and can make a very suitable and functional modern entry-level phone for low-income Lifeline users and their day-to-day needs. This malware is so active, evasive and heavy that it renders the phone completely useless, which is just super sad, especially during COVID when people really need their phone and internet.


Yeah, doing a factory reset and running the updates was a very temporary fix, if you can call it that at all. It only meant more work for me in placing my phone into the very same undesired and unwanted state... back to square one, and it changed nothing in the device at all; it seemed to make it even more present in any browser window that I set up and activated and applied to my phone. A never-ending circle of nonsense and all that time wasted towards essentially going nowhere fast. Arrgh.


  • 4 weeks later...

Same issue as well. I have an Assurance Wireless U693CL that I got in July 2020. It worked fine for about 6 months, then all of a sudden these pop-up ads started appearing for g21news stories, tarot card readings, just a bunch of B.S. crap. This happens constantly when I try to browse, as I open apps, whatever; up pop the ads, totally interrupting my use of the device. After installing Malwarebytes and scanning the phone, it alerted to an adware issue in the Android "Phone" application system area.

Android/PUP.Riskware.HiddenAds.YTHX.

Installed application: (Android icon) Phone.

Kinda need this app to make and receive calls? So the phone's battery now has issues and won't last through the night. So I called Assurance and told them about my problems. The agent, to her credit, tried to help me out with the pop-up adware issue. Tried a few things; seemed to improve. Of course, no pop-ups while talking to her. A few minutes after our conversation, pop-up ads started again, yikes... Sending a "new" phone (Wiko Lite 2) out soon (because of the battery issue). Hopefully it will not have the pre-installed adware pop-up code embedded inside.


Yeah, man, that is totally what happens on my phone too. My ever messed-up phone from Assurance Wireless is also a U693CL model. It has more problems than all the phones that I have ever owned combined, and this same crap is always manifesting itself whenever I use that possessed device.


I hate to break it to you guys, but the Wiko brand seems to have licensed their name to ANS in the US. Their parent company Tinno has had an interesting past, but I think it is a bit better than TeleEpoch, which made the UMX phone.

Assurance tries at all costs not to ship out Wiko phones, insisting on UMX phones. If you manage to get a Wiko phone, then you'd have to move to the T-Mobile network, as they are shipped with a T-Mobile network SIM now.


  • Staff

Hi @smitherean,

Could you send me an Apps Report? I'd like to check on exactly what is triggering Android/PUP.Riskware.HiddenAds.YTHX.

To send an Apps Report with Malwarebytes for Android, use the following instructions.

  1. Open the Malwarebytes for Android app.
  2. Tap the Menu icon.
  3. Tap Your apps.
  4. Tap the three-lines icon in the upper right corner.
  5. Tap Send to support.

Choose an email app to send the Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum.  This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

As far as g21news pop-ups, there is a way to stop those. Follow the guidance below.

 

Making UMX experience more tolerable

UMX devices come with a couple of common annoyances.  Here is how to make your UMX experience more tolerable.

The first common annoyance on UMX phones is the default browser's (Chrome) default homepage. The default homepage is usually g22news.com, g21news.com, or another annoying URL. The culprit causing this to be set as the default homepage is Customizations. Customizations is also responsible for occasionally putting ads in notifications. You can disable Customizations in App info. Make sure to have Show system selected in App info (tap the three dots in the upper right to find it).


If for some reason you choose not to disable Customizations but don't want g21news.com to be the default homepage, here's how to change the homepage in Chrome:

  • Settings > Homepage
  • Change Open this page to Chrome's homepage, or change the g21news.com link to whatever URL you like

 


Next up is Online Plus. It is responsible for the news pop-up on the lock screen. Once again, you can just disable it in App info.


Nathan

 


@mbam_mtbr I think Customizations and such are old, last-gen inserts. They are evolving as quickly as you can find them. Things like Online Plus, News and a few other apps are always push-installed by Assurance on activation, much like what Sprint does on their own branded phones. These are installed on all Assurance phones in an attempt to unify their appearance, i.e., color, wallpaper, app layout, and so on, but UMX pushes something way beyond other brands. The standard Assurance installs can be disabled and they generally stay disabled, but UMX's specific malware is very invasive. UMX is currently on the U693CL model, which is like 3rd or 4th gen. g21 or g22 news are not being set as the home page, at least not in the traditional sense. They are opening multiple Chrome tabs in a timed fashion. The longer you wait between uses, the more tabs it seems to open or set as an opening URL.


  • 3 weeks later...

Honestly I just don't know. Do you have any legitimate apps to look into apps' certificates and activities? At this point with my phone (no offense, I'm joking) I'm paranoid you may be the culprit in my mobile... If you don't have an app to investigate, think about the one I mentioned. I'm waiting on a new phone from Assurance because they sent a defective replacement for the one that crashed...

 


Thanks, it's a little way over my head, but I can get some of what you are saying. Suggestions for the Assurance phone I'm waiting for now? I use it for playing a game and connecting with family and friends; no social pages, no banking, just my personal info, no SS#. I have some things I need transferred to the new phone, a game app and a couple of others, and I'm concerned.


Been having this same problem with a U693CL... has anything been figured out? I've updated to the limit, and it's bad enough that it's installing random apps again almost as soon as I delete them, and even re-enabling apps I've previously disabled, or just completely ignoring that they're disabled, and so changing things, sending notifications and stuff.

Is there anything I can do? 

 

 

 


2 hours ago, Wugs said:

Been having this same problem with a U693CL... has anything been figured out? I've updated to the limit, and it's bad enough that it's installing random apps again almost as soon as I delete them, and even re-enabling apps I've previously disabled, or just completely ignoring that they're disabled, and so changing things, sending notifications and stuff.

Is there anything I can do?

Not yet. I loaded various tools to monitor the phone's system, logs and kernel, but the darn thing won't pop. As soon as I remove the tools, it pops. The people who developed this are fairly skilled. I just moved the elderly family member to a different phone, so I will try to dig deeper without worrying about losing their data. Unfortunately, the Wiko phones seem to have a nearly identical set of preloads, and actually even more. I checked with some industry contacts and I am certain Assurance has a big part in this. They are getting money from Facebook and Amazon for each install, so they aggressively push those companies' apps onto the phone. I can certainly see Assurance is getting ad/click revenue from the other companies, so they seem to have a vested interest in keeping this app/"malware" on the phone. What struck me as odd and alarming is that even when the line is transitioned to the T-Mobile network, they would not allow you to take the SIM out and put it into an unlocked or T-Mo native phone. Assurance seems to insist on keeping people on these specific Assurance-branded phones that come preloaded with this questionable software.


Oh yes, it even blocks me from using certain charge cords, and no matter what things I do, it's like they all come undone... With how so many have the issues, and desk pros to literal experts can't figure out a solid working solution, along with how Assurance and other companies reply and make statements about them, I 100% believe they are in on it and profiting from the invasion of our privacy and data... but since admitting that would ruin them, they won't... I wish there was a good it laying way to stop it. At the moment I'm so glad I looked stuff up first. Losing all my personal info and data, or worse, just to be able to have a phone when it's needed is a horrible trade-off to me for a service advertised as a lifeline... Could end up a life destroyer for some, even...

The companies behind the release and all of the phones/software really need to step up or just be banned... Why couldn't the guys behind Linux have made the OS/system app code...


  • 2 weeks later...

I have this same phone; it's worse than the last model, because at least I could bloody enable developer mode, unlock the bootloader, etc.

This latest model prevents you from unlocking the bootloader and stops you from going into bootloader mode.

The U693CL is completely controlled by the manufacturer, and I haven't seen any custom firmware for this model yet.

Here is the old phone that I had that did the same things:

Also have a look at this published article about UMX and Assurance Wireless and the issues that the FCC overlooked:
https://securityboulevard.com/2020/01/fcc-subsidized-sprint-phones-have-malware-preinstalled/

Please check out this other thread that I am participating in:

 


HAHAHAHA, WELL, after some work I have been doing, I have been using an app to inspect APPS, including system apps behind the user interface, to pull all the APKs that come pre-installed on UMX phones given out by Assurancewireless. I have actually been using ADB to remove all the bad APKs from the user profile. I don't think this will permanently remove the pre-installed malware entirely; I do know that certain pre-installed apps run a payload to download its functionary package groups to infect the phone after a factory reset, but the apps still need internet to run their payload. I am going to uninstall all related apps that I have access to, including the system build, so the payload can't be executed all the time, IF I can manage to figure out exactly which apps do this, which I have a pretty good idea of, considering all the Sprint indicators and other apps that I know of already.

 

Well I just pulled Carrier Device Manager, which is com.sprint.ms.cdm-1.7.6-1706.apk, into the download directory and MALWAREBYTES DETECTED IT AS RANSOMWARE LMAO!!:
I'm going to keep pulling packages and extract them to unpack them all and screw around with them in Android Studio so I can try and learn something from them in detail.

SPRINT... ASSURANCE, UMX.. I swear they can't fool me anymore, we already have a De-bloated Custom ROM Floating around now to stop this BS permanently, NO MORE Adware/Malware, no more China BS, no more data being stolen and accounts being hacked into.

Right now I am testing these removals to see how they work, if I reboot it may come back (we'll see).

Trying this on the original ROM firmware from UMX/Assurancewireless. I figured to screw around with this phone anyhow; not like I have anything important on it, nor do I really use it other than for internet... That is it.

 

I don't even use text or phone calls or drop in accounts with passwords anymore since the phone is entirely compromised in all aspects of security.. 

 

Check out some of the dangerous permissions this pre-installed app has (shame on you, UMX/Assurancewireless):

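
The package snapshot comparison _W_ describes earlier in the thread (an APK renamed and re-enabled by an update) and the ADB inventory in the post above can be automated; the script below is an added example, not code from the thread or from Malwarebytes, and assumes you saved `adb shell pm list packages -f -u` and `pm list packages -d` output before and after an update. Its sample snapshots are constructed, and every com.example.* package name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): diff two saved snapshots of
# "adb shell pm list packages -f -u" to spot packages that an update added,
# removed, or re-installed under a different APK path (the "Topic" ->
# "TopicNews" rename described in the thread), and compare two
# "pm list packages -d" snapshots for packages that were disabled and no
# longer are. Each "-f" line has the form
#   package:/path/to/Name.apk=com.package.name
# and is split on the LAST '=', because APK directories under /data/app end
# in "==" (see the com.sprint.ms.cdm-...== path quoted in this thread).
# All com.example.* package names below are CONSTRUCTED placeholders.

# Turn one snapshot into sorted "name<TAB>apk-path" lines.
normalize() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in package:*=*) ;; *) continue ;; esac
        name=${line##*=}          # text after the last '='
        path=${line%=*}           # everything before the last '='
        path=${path#package:}
        printf '%s\t%s\n' "$name" "$path"
    done | sort
}

# Print ADDED / REMOVED / MOVED lines for packages that differ between snapshots.
snapshot_diff() {
    base=$(normalize "$1")
    cur=$(normalize "$2")
    printf '%s\n%s\n' "$base" "$cur" | cut -f1 | sort -u | while IFS= read -r name; do
        [ -n "$name" ] || continue
        bpath=$(printf '%s\n' "$base" | awk -F '\t' -v n="$name" '$1 == n { print $2 }')
        cpath=$(printf '%s\n' "$cur" | awk -F '\t' -v n="$name" '$1 == n { print $2 }')
        if [ -z "$bpath" ]; then
            printf 'ADDED %s %s\n' "$name" "$cpath"
        elif [ -z "$cpath" ]; then
            printf 'REMOVED %s %s\n' "$name" "$bpath"
        elif [ "$bpath" != "$cpath" ]; then
            printf 'MOVED %s %s -> %s\n' "$name" "$bpath" "$cpath"
        fi
    done
}

# Packages listed by "pm list packages -d" before an update but not after it:
# something re-enabled them without the user doing so.
reenabled() {
    now=$(printf '%s\n' "$2" | sed -n 's/^package://p')
    printf '%s\n' "$1" | sed -n 's/^package://p' | while IFS= read -r name; do
        printf '%s\n' "$now" | grep -qxF -- "$name" || printf 'RE-ENABLED %s\n' "$name"
    done
}

# CONSTRUCTED sample snapshots standing in for real device output.
BASELINE='package:/system/app/Topic/Topic.apk=com.example.topic
package:/system/priv-app/Customizations/Customizations.apk=com.example.customizations
package:/data/app/com.sprint.ms.cdm-YPG3gKdf27RL-PVwqFUvcQ==/base.apk=com.sprint.ms.cdm
package:/system/app/OldAd/OldAd.apk=com.example.oldad
package:/system/app/Chrome/Chrome.apk=com.android.chrome'
CURRENT='package:/system/app/TopicNews/TopicNews.apk=com.example.topic
package:/system/priv-app/Customizations/Customizations.apk=com.example.customizations
package:/data/app/com.sprint.ms.cdm-YPG3gKdf27RL-PVwqFUvcQ==/base.apk=com.sprint.ms.cdm
package:/system/app/OnlinePlus/OnlinePlus.apk=com.example.onlineplus
package:/system/app/Chrome/Chrome.apk=com.android.chrome'
DISABLED_BEFORE='package:com.example.topic
package:com.example.customizations'
DISABLED_NOW='package:com.example.customizations'

snapshot_diff "$BASELINE" "$CURRENT"
reenabled "$DISABLED_BEFORE" "$DISABLED_NOW"
```

Packages that only changed path are the ones worth re-checking with App info after an update, since a renamed APK is exactly how the re-enabled "TopicNews" app showed up.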

Well, I for one really appreciate all the time and work in this tedious process of seeking out the perpetrators of all this unmitigated use in the foreground and background of these models of phones. The rudimentary misuse of customer information in an unprofessional manner that infringes on any customer with their personal and private information, just by utilizing one of their phones.

 

 

 

 

 

 


I think it is a virus. Scan your cell phone in the mobile version of Malwarebytes, and if something is suspicious in Chrome / Cell, follow these steps:
1. Scan your phone, and if you have a virus, see these steps.
2. Go to Chrome and check for unwanted downloads, history activity not done by you, and if your Chrome does not send it to Google and sends it to a suspicious "browser" or web site, follow step 3.
3. Go to chrome://settings and select the option to delete data, but first do step 4.
4. Scan your cell phone again with Malwarebytes; if you do not detect any threat, do this:
Go to Settings > Applications > Chrome > Data > Clear cache and data.
5. If step 4 doesn't work, follow this step: go to chrome://settings and go to the option to delete data, delete the cache and data, and put your browser in default options and select your search engine.
6. If the ransomware is an application, follow these steps: Settings > Applications > Carrier Device Manager > Delete data and cache.
7. If it doesn't work, go to your file browser and put the address /data/ and go to /app/com.sprint.ms.cdm-YPG3gKdf27RL-PVwqFUvcQ==/base.apk and delete the folder and its elements. (Just the /com.sprint.ms.cdm-YPG3gKdf27RL-PVwqFUvcQ==/base.apk folder) and that would be it. If you continue to have problems, contact me at mrsalvayt@gmail.com


32 minutes ago, ManuAFR said:

I think it is a virus. Scan your cell phone in the mobile version of Malwarebytes, and if something is suspicious in Chrome / Cell, follow these steps:
1. Scan your phone, and if you have a virus, see these steps.
2. Go to Chrome and check for unwanted downloads, history activity not done by you, and if your Chrome does not send it to Google and sends it to a suspicious "browser" or web site, follow step 3.
3. Go to chrome://settings and select the option to delete data, but first do step 4.
4. Scan your cell phone again with Malwarebytes; if you do not detect any threat, do this:
Go to Settings > Applications > Chrome > Data > Clear cache and data.
5. If step 4 doesn't work, follow this step: go to chrome://settings and go to the option to delete data, delete the cache and data, and put your browser in default options and select your search engine.
6. If the ransomware is an application, follow these steps: Settings > Applications > Carrier Device Manager > Delete data and cache.
7. If it doesn't work, go to your file browser and put the address /data/ and go to /app/com.sprint.ms.cdm-YPG3gKdf27RL-PVwqFUvcQ==/base.apk and delete the folder and its elements. (Just the /com.sprint.ms.cdm-YPG3gKdf27RL-PVwqFUvcQ==/base.apk folder) and that would be it. If you continue to have problems, contact me at mrsalvayt@gmail.com

 

It's not related to this app. It looks like they are using a Chrome/Android Partner API to push the URL. Also, I would not recommend removing com.sprint.* apps. Those apps are supposed to be signed and should come from Sprint. Sprint may use the app to reconfigure your phone and so on, which is vital right now. Sprint is shutting/converting sites everywhere onto the T-Mo side, and you may lose access to the network if your phone doesn't get config or provision updates.


1 minute ago, _W_ said:

It's not related to this app. It looks like they are using a Chrome/Android Partner API to push the URL. Also, I would not recommend removing com.sprint.* apps. Those apps are supposed to be signed and should come from Sprint. Sprint may use the app to reconfigure your phone and so on, which is vital right now. Sprint is shutting/converting sites everywhere onto the T-Mo side, and you may lose access to the network if your phone doesn't get config or provision updates.

Oh, so I only recommend formatting the phone.

 


34 minutes ago, ManuAFR said:

Oh, so I only recommend formatting the phone.

 

Formatting, or a factory hard or soft reset, wouldn't do it. The code is dormant in the original factory image. The Chrome pop-up will show up eventually; just give it a few days. It's definitely host driven, as it seems to be given different URLs to redirect to. This seems like malware to generate fraudulent clicks or visitor impressions to those sites.


Wish there was an easy fix. It's like having a phone that you're scared to use at all, even in an emergency... Stuff is just hiding, waiting for its chance... I've done a ton to try and stop the random app downloads and stuff... the best I managed was getting it to stop as long as I don't restart, but the other stuff I lack the ability and knowledge to even try to stop.


6 hours ago, Wugs said:

Wish there was an easy fix. It's like having a phone that you're scared to use at all, even in an emergency... Stuff is just hiding, waiting for its chance... I've done a ton to try and stop the random app downloads and stuff... the best I managed was getting it to stop as long as I don't restart, but the other stuff I lack the ability and knowledge to even try to stop.

I think it's best to port the number out to a different lifeline carrier that takes any unlocked phone.  I agree that this is a huge headache to deal with.
