Friday, June 19, 2015

How to remove adware (browser hijack or pop-up malware) from Android

Browser-hijack style malware is getting pretty widespread on Android devices, especially the cheap ones bought directly from overseas that ship with pre-installed malware. Let's see how to find the adware app that is causing the issue.

The symptom is usually the same: when the web browser is opened it is redirected to an unknown webpage advertising something totally useless. In some cases a malware-infected APK (Android package) gets downloaded in the hope that the user will install it.

The app causing this runs in the background and waits for the browser process (Chrome or the stock Android Browser) to start. As soon as it does, the app sends the browser an intent asking it to display a webpage.

The intent

Android natively supports communication between apps through intents, which in itself is very useful: for instance, a webpage can be opened from the email client.
The code is pretty straightforward too:

import android.content.Intent;
import android.net.Uri;
// Inside an Activity: ask whatever app handles web URLs to show this one.
Uri webpage = Uri.parse(url);
Intent intent = new Intent(Intent.ACTION_VIEW, webpage);
// startActivity() throws if no app can handle the intent, so check first.
if (intent.resolveActivity(getPackageManager()) != null) {
    startActivity(intent);
}

The default browser catches this intent and opens the webpage. Because intents are a common source of problems (misconfigured intents, for instance), the system logs every activity start through ActivityManager: what the intent was, which component it resolved to, and which UID (on some Android versions, which PID) sent it.

Each installed app gets its own UID, unique to that particular phone (the same app can have a different UID on another device), and the mapping from UID to package name is kept in

/data/system/packages.xml

Logcat

The first job is to reproduce the browser hijacking consistently. Usually force-stopping the browser (Settings > Apps > Force stop), waiting a minute or so and restarting it will trigger the malware to hijack it again.

The second step is to install the Android platform tools (adb) on your computer, enable USB debugging on the phone (Settings > Developer options), plug it into the computer and run the following command:

./adb logcat > log.txt

This dumps thousands of system log messages into the text file (clearing the log buffer first with the -c option keeps it shorter). Now reproduce the browser hijacking and stop the logging with Ctrl-C.
In log.txt the interesting lines look like this:

...
V/ActivityManager(  729): notify app switch for new activity com.chrome.beta Where 0

I/ActivityManager(  729): START u0 {act=android.intent.action.VIEW dat=http://global.ymtracking.com/trace?offer_id=100678&aff_id=27742 flg=0x10000000 cmp=com.chrome.beta/com.google.android.apps.chrome.Main} from uid 10035 on display 0


D/ActivityManager(  729): notifyAppSwitch resumed: true; pkg:com.chrome.beta

...

The middle line shows that the app running under user ID 10035 asked the system to open a specific URL in Chrome, a well-known ad-tracking / malware site. Note that on some Android versions and ROMs this line ends with "from pid N" instead of "from uid N". A PID only identifies a running process, so in that case look the number up with adb shell ps while the adware process is still alive: the USER column gives the app's UID in the form u0_aNN (UID 10000+NN) and the NAME column its process name, which is normally the package name. Then continue with the UID as below.

If the phone is rooted, run adb again in shell mode, become root and have a look at the package registry (vi is missing on some ROMs; cat or grep on the same file works just as well):

./adb shell
su
vi /data/system/packages.xml

And find the line that looks like this:

<package name="... ...version="4003006" sharedUserId="10035">

The attribute to look for is userId="10035" for a normal app and sharedUserId="10035" for an app that declares a shared user ID, so search for both. If the phone is not rooted, there are apps in the Play Store that map a UID to an app name; on newer Android versions adb shell dumpsys package also lists every package with its userId and needs no root.

In my case it was a modified, malware-infected YouTube app, but it can be anything. If it is not a system app, simply uninstalling it from Settings > Apps is enough. If it is a system app and cannot be uninstalled, it is easy to disable the package so the system cannot run it any more. Open the shell again and disable the package:

pm disable com.package.name.that.is.infected

pm disable needs root; on Android 5 and newer, pm disable-user --user 0 <package> (or pm uninstall -k --user 0 <package>) usually works from an unrooted adb shell too. Reboot the phone and the pop-ups should be gone. If they are not, another app may be displaying ads as well, so repeat the process above and remove that one too.
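As an added example (not code from the original post), here is a small Python script that automates the log-reading and UID-lookup steps above: it pulls every android.intent.action.VIEW start out of a saved logcat (both the brief format shown above and the newer threadtime format, and both "from uid" and "from pid" endings), maps each sending UID to its package name by parsing a copy of /data/system/packages.xml (reading userId as well as sharedUserId), and, for the PID-only case, spells the UID the way adb shell ps prints it. The log and packages.xml excerpts embedded in the script are constructed samples and the package name com.example.trojaned.youtube is hypothetical; on a real phone, feed it your own log.txt and a pulled packages.xml.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Matches the ActivityManager activity-start line in both logcat formats:
#   brief:      I/ActivityManager(  729): START u0 {...} from uid 10035 on display 0
#   threadtime: 03-08 23:30:20.001   657   700 I ActivityManager: START u0 {...} from pid 943
# Newer Android prints the sender's UID, older builds only its PID.
START_RE = re.compile(
    r"ActivityManager(?:\(\s*\d+\))?:\s+START u\d+ \{(?P<body>[^}]*)\} "
    r"from (?P<kind>uid|pid) (?P<id>\d+)"
)
# key=value pairs inside the braces (act=, dat=, flg=, cmp=, ...). Values contain no
# spaces, so the greedy \S+ keeps a URL that itself contains '=' in one piece.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_view_intents(log_text):
    """Return every VIEW intent the ActivityManager logged: sender, URL and target component."""
    hits = []
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("body")))
        if fields.get("act") != "android.intent.action.VIEW":
            continue  # launcher taps, share sheets etc. are not what we are after
        hits.append({
            "sender_kind": m.group("kind"),      # "uid" or "pid"
            "sender_id": int(m.group("id")),
            "url": fields.get("dat", ""),
            "target": fields.get("cmp", ""),
        })
    return hits


def uid_to_packages(packages_xml_text):
    """Map each app UID in packages.xml to the package name(s) that own it.
    A normal app carries userId="N"; an app declaring android:sharedUserId carries
    sharedUserId="N" instead, and several packages may then share one UID."""
    by_uid = defaultdict(list)
    for pkg in ET.fromstring(packages_xml_text).iter("package"):
        uid = pkg.get("userId") or pkg.get("sharedUserId")
        if uid is not None:
            by_uid[int(uid)].append(pkg.get("name"))
    return dict(by_uid)


def app_uid_to_ps_user(uid):
    """Spell an app UID the way `adb shell ps` shows it in the USER column (10035 -> u0_a35).
    Android encodes UID = user * 100000 + app_id, and app IDs start at 10000; when the
    log only gives a PID, find that PID in `ps` and read this column."""
    user, app_id = divmod(uid, 100000)
    return f"u{user}_a{app_id - 10000}"


def attribute_hijacks(log_text, packages_xml_text):
    """Join the two sources: for each VIEW intent, name the package(s) that sent it."""
    by_uid = uid_to_packages(packages_xml_text)
    report = []
    for hit in parse_view_intents(log_text):
        if hit["sender_kind"] == "uid":
            sender = by_uid.get(hit["sender_id"]) or [f"uid {hit['sender_id']} not in packages.xml"]
        else:  # only a PID: it can be resolved on the device only while the process is alive
            sender = [f"pid {hit['sender_id']} (resolve with `adb shell ps` while it runs)"]
        report.append({"url": hit["url"], "target": hit["target"], "sender": sender})
    return report


# Constructed sample input (not a real capture): the page's own ymtracking line, a benign
# link opened from a mail client, a launcher tap, and an older-format "from pid" line.
SAMPLE_LOG = """\
V/ActivityManager(  729): notify app switch for new activity com.chrome.beta Where 0
I/ActivityManager(  729): START u0 {act=android.intent.action.VIEW dat=http://global.ymtracking.com/trace?offer_id=100678&aff_id=27742 flg=0x10000000 cmp=com.chrome.beta/com.google.android.apps.chrome.Main} from uid 10035 on display 0
D/ActivityManager(  729): notifyAppSwitch resumed: true; pkg:com.chrome.beta
I/ActivityManager(  729): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.chrome.beta/com.google.android.apps.chrome.Main} from uid 10008 on display 0
I/ActivityManager(  729): START u0 {act=android.intent.action.VIEW dat=https://example.org/newsletter flg=0x10000000 cmp=com.chrome.beta/com.google.android.apps.chrome.Main} from uid 10012 on display 0
03-08 23:30:20.001   657   700 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://www.apxadtracking.net/iclk/redirect.php flg=0x10000000 cmp=com.android.browser/.BrowserActivity} from pid 943
"""

# Constructed packages.xml excerpt; the package names are hypothetical.
SAMPLE_PACKAGES_XML = """\
<packages>
  <shared-user name="android.uid.system" userId="1000" />
  <package name="com.android.email" codePath="/system/app/Email" userId="10012" />
  <package name="com.android.launcher3" codePath="/system/priv-app/Launcher3" userId="10008" />
  <package name="com.example.trojaned.youtube" codePath="/system/app/YouTube" sharedUserId="10035" />
</packages>
"""

if __name__ == "__main__":
    for entry in attribute_hijacks(SAMPLE_LOG, SAMPLE_PACKAGES_XML):
        print(f"{', '.join(entry['sender'])}  ->  {entry['target']}  {entry['url']}")
```

To use it on your own capture, replace the two sample strings with the contents of log.txt and the pulled packages.xml. Any sender that is neither the app you tapped a link in nor a browser is a suspect, and a sender that re-appears every time the browser is restarted is almost certainly the adware.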

Why not just use a virus scanner?

While virus scanners are good at finding Android apps that contain known viruses, malware that hijacks the browser and displays pop-up ads is not necessarily known as a virus. It may have been custom made for that phone model and installed by the wholesaler to earn some extra revenue. Either way, run a virus scanner just to be sure. I've found that Nod32 and AVG work well, but only install them from the Play Store! If they came pre-installed, they cannot be trusted.

Any comments? Please let me know.

18 comments:

  1. Thanks man! It worked for me on a Chinese ROM.
    The infected app was YouTube for me too.

  2. Thanks a lot. YouTube infected for me too.

  3. YouTube for me also, on a stock Xiaomi Mi Pad 2. Now trying to install a stock YouTube app.

  4. Hi,
    I'm totally clueless when it comes to programming and such. All I know is that my tablet keeps opening up a website telling me that I'm the daily winner. I've installed the Android SDK Manager but now I have no idea how or where to "execute the following command: ./adb logcat > log.txt"...?
    Could you do a second version of this blog entry "for dummies"...? :-)

  5. Thank you for this article. I'm also fairly clueless & don't have a rooted phone, but I appreciate the info.

  6. I've been trying to follow your guide for a while, but with no success.
    I have a Galaxy S4 running CyanogenMod 13.
    Girlfriend has the same issue on a new Nexus 6P.
    Only apps we have are from the play store.
    I tried using notepad++ to search for strings like
    "act=android.intent.action.VIEW "
    But found nothing.
    I searched for the URL that is getting loaded by the browser, which does appear...
    "03-08 23:30:23.648 7391 7391 I chromium: [INFO:CONSOLE(18)] "Uncaught TypeError: fn is not a function", source: http://facebook.com-fb.info/fb4_2.html (18)"
    but looking a few hundred lines above or below this entry has not revealed any clues.

    If you have any ideas or suggestions please let me know!

    Thanks for your post, this is the first time I've used ADB, and it's not as scary as I thought it would be.

  7. Thanks for your post bro!! It was very useful for me!!

  8. Thanks for your post bro!! It was very useful for me!!

  9. Thanks a lot! Very useful article. I flashed my Chinese Umi Emax with another ROM from Umi (ColorOS). After two days I detected a trojan but the ads kept coming. My YouTube system app was causing all the trouble as described above. Finally solved by this article.

  10. Hi, very useful to me too. I found PID 1053, and it was launcher3; I had to clear its data and cache to get back to normal, then rebooted Android.
    This is the text inside the adb log.txt:
    " I/ActivityManager( 738): START u0 {act=android.intent.action.VIEW dat=http://www.i-connecting.net/?channel=11111 flg=0x10000000 cmp=com.android.browser/.BrowserActivity} from pid 1053"

    and all browsers were using the new home page with the link of the malware site "http://www.i-connecting.net/?channel=11111"

    Beware of porn pics and site searches in Google from Android; it can get this malware into launcher3 (it is Google's launcher, do not remove it). Try to delete the data and cache, then reboot.

    Replies
    1. I hope this can help who have the same problems.

    2. To find the program name for the corresponding PID number, use OS Monitor; get it from Google Play.

    3. From Settings > Apps > All > "launcher3" > clear data, clear cache;
      try also to "force stop" launcher3, then launch it again. Notice that the desktop link icons (on the first page/layer) will be deleted, but it is needed, I think...

    4. I downloaded the adb tools from here:
      http://forum.xda-developers.com/showthread.php?t=2588979

    5. adb tools for Windows (Win 7 x64 Ultimate):
      ./adb shell ---> I used "adb shell"
      su
      vi /data/system/packages.xml ---> vi was not found! And I didn't know how to install it and put it there.

    6. My launcher3 is also infected. But I don't know how to reboot, nor do I understand all the code above; how do I learn all this?

  11. This comment has been removed by the author.

  12. Great information. I've been trying for two days now to remove this annoying redirection thing; I tried six antivirus and antimalware programs with no luck. Now with this information I'm on the right path, BUT I got as far as finding the redirection in the log file:

    I/ActivityManager( 657): START u0 {act=android.intent.action.VIEW dat=http://www.apxadtracking.net/iclk/redirect.php?apxcode=621762&id=eTJQeUeuKzjMIWuXeWb5KW4nmzjMIWuXKW25mb-0N-0N flg=0x10000000 cmp=com.android.browser/.BrowserActivity} from pid 943

    D/ActivityManager( 657): ACT-moveHomeTask toFront : false homeInFront = false

    D/ActivityManager( 657): launchFlags = 10000000, launchMode = 2, realActivity = ComponentInfo{com.android.browser/com.android.browser.BrowserActivity}, task.realActivity = ComponentInfo{com.android.browser/com.android.browser.BrowserActivity}

    that "PID 943" IS THE THING!!, but I can't find what app it is. I already tried some task manager that says "process id=blabla" but the thing wasn't in the list.
    by the way, I tried disabling youtube just in case, but it won't let me, an error message "youtube was disabled" keeps popping up and I close it but it pops up again, it makes the tablet almost unusable, it was tricky to get to enable youtube again to make the error message go away.
    I'm going insane, I get the redirection thing both on the built in browser and on chrome. I already delted cache, historial, everything, I disabled javascript, I deleted all data from the aplications, I removed chrome and installed it again, everything.
    it's frustrating because with the information avaiable here I'm close, I got to the "here's the hijacking!!" part in the log!!!, but I can't get the app id to delete it!!.
