How to remove adware (browser hijack or pop-up malware) from Android

Browser-hijacking malware is getting pretty widespread on Android devices, especially the cheaper ones bought directly from overseas that come with pre-installed malware. Let’s see how to find the adware app that is causing the issue.

The symptom is usually the same: when the web browser is opened it is redirected to an unknown webpage advertising something totally useless. In some cases a virus-infected APK (Android package) is downloaded in the hope that the user will install it.

The app causing this issue waits in the background for the browser process (either Chrome or the Android Browser) to start. As soon as it does, it asks the browser to display a webpage.

The intent

Android natively supports communication between apps, which in itself is very useful: for instance, a webpage can be opened from the email client.
The code is pretty straightforward too:

// Build a VIEW intent for the URL; whichever app claims the intent will open it
Uri webpage = Uri.parse(url);
Intent intent = new Intent(Intent.ACTION_VIEW, webpage);
// Only start it if some installed activity can actually handle the intent
if (intent.resolveActivity(getPackageManager()) != null) {
    startActivity(intent);
}

The default browser will catch this intent and act on it by opening the webpage. As intents can be a good source of problems (for instance, misconfigured intents), the system generally logs them: what the intent was, and which UID sent it.

The UID is unique on the specific phone for each installed app, and they are listed in

/data/system/packages.xml

Logcat

The first job is to try to consistently reproduce the browser hijacking. Usually force-killing the browser, waiting a minute or so and restarting it will trigger the malware to try to hijack it again.

The second step is to install the ADB tool on your computer, enable USB debugging on the phone, plug it into the computer and execute the following command:

./adb logcat > log.txt

This will dump thousands of system log messages to this text file. Now reproduce the browser hijacking and stop the logging.
In the log.txt file the interesting lines look like this:

...
V/ActivityManager(  729): notify app switch for new activity com.chrome.beta Where 0
I/ActivityManager(  729): START u0 {act=android.intent.action.VIEW dat=http://global.ymtracking.com/trace?offer_id=100678&aff_id=27742 flg=0x10000000 cmp=com.chrome.beta/com.google.android.apps.chrome.Main} from uid 10035 on display 0
D/ActivityManager(  729): notifyAppSwitch resumed: true; pkg:com.chrome.beta
...

The middle line shows that the app running under user ID 10035 asked the system to open a specific URL, a well-known malware site.

If the phone is rooted, run adb again in shell mode to have a look at the package database:

./adb shell
su
vi /data/system/packages.xml

and find the line that looks like this:

<package name="... ...version="4003006" sharedUserId="10035">

(The attribute is userId for an app that has its own UID and sharedUserId for apps that share one, so search for the number rather than the attribute name. If the phone is not rooted, there are apps in the Play Store that can map a UID to an app name.)

In my case it was a modified and virus-infected YouTube app, but it can be anything. If it’s not a system app, simply uninstalling it from the Apps settings is enough. If it is a system app and cannot be removed, it’s easy to disable the package so the system cannot execute it any more. Execute the shell again (as root) and disable the package:

pm disable com.package.name.that.is.infected

Reboot the phone and the pop-ups should be gone. If they aren’t, maybe there is another app displaying ads, so repeat the process above and uninstall the other app too.
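As an added example (not code from the original post), the following Python script automates the two lookups described above: it scans a saved logcat dump for ACTION_VIEW intents sent to a browser and extracts the sender's UID (or PID when that is all the log recorded), then maps a UID to package names by parsing a copy of packages.xml, accepting either the userId or the sharedUserId attribute. The log lines, XML fragment, package names and URLs in it are constructed samples shaped like the ones in this post, not data from a real device.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample logcat output, shaped like the lines shown in the post.
# Hosts, ids and package names are placeholders, not real indicators.
SAMPLE_LOGCAT = """\
V/ActivityManager(  729): notify app switch for new activity com.chrome.beta Where 0
I/ActivityManager(  729): START u0 {act=android.intent.action.VIEW dat=http://tracker.example/trace?offer_id=1 flg=0x10000000 cmp=com.chrome.beta/com.google.android.apps.chrome.Main} from uid 10035 on display 0
D/ActivityManager(  729): notifyAppSwitch resumed: true; pkg:com.chrome.beta
I/ActivityManager(  729): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.settings/.Settings} from uid 10012 on display 0
I/ActivityManager(  738): START u0 {act=android.intent.action.VIEW dat=http://homepage.example/?channel=1 flg=0x10000000 cmp=com.android.browser/.BrowserActivity} from pid 1053
"""

# Constructed fragment of /data/system/packages.xml. A real file carries many
# more attributes; only name, userId and sharedUserId matter for this lookup.
SAMPLE_PACKAGES_XML = """\
<packages>
  <package name="com.android.settings" codePath="/system/priv-app/Settings" sharedUserId="1000"/>
  <package name="com.example.modified.youtube" codePath="/system/app/YouTube" version="4003006" userId="10035"/>
  <package name="com.chrome.beta" codePath="/data/app/com.chrome.beta-1" userId="10041"/>
</packages>
"""

# ActivityManager logs "START u<user> {intent fields} from uid N" (or "from pid N")
START_RE = re.compile(
    r"START u\d+ \{(?P<body>[^}]*)\} from (?P<kind>uid|pid) (?P<id>\d+)"
)

# Browser package prefixes worth flagging; extend for the browser on your device
BROWSERS = ("com.chrome.beta", "com.android.chrome", "com.android.browser")


def find_view_intents(logcat_text):
    """Return (url, target component, 'uid'|'pid', number) for every
    ACTION_VIEW intent in the log that was sent to a browser package."""
    hits = []
    for line in logcat_text.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        # Intent fields are space-separated key=value pairs; split on the first '='
        # only, because the dat= URL itself contains '=' characters
        fields = dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)
        if fields.get("act") != "android.intent.action.VIEW":
            continue
        component = fields.get("cmp", "")
        if not component.startswith(BROWSERS):
            continue
        hits.append((fields.get("dat", ""), component, m.group("kind"), int(m.group("id"))))
    return hits


def uid_to_packages(packages_xml_text, uid):
    """Map a UID to the package names that run under it. An app with its own
    UID carries userId=; apps sharing a UID carry sharedUserId= instead."""
    root = ET.fromstring(packages_xml_text)
    names = []
    for pkg in root.iter("package"):
        owner = pkg.get("userId") or pkg.get("sharedUserId")
        if owner == str(uid):
            names.append(pkg.get("name"))
    return names


def triage(logcat_text, packages_xml_text):
    """Combine both steps: every browser-targeted VIEW intent, with the sender's
    package names whenever the log recorded a UID. Entries logged with a PID
    get an empty package list, since PIDs are not stored in packages.xml."""
    report = []
    for url, component, kind, number in find_view_intents(logcat_text):
        packages = uid_to_packages(packages_xml_text, number) if kind == "uid" else []
        report.append({"url": url, "browser": component, kind: number, "packages": packages})
    return report


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGCAT, SAMPLE_PACKAGES_XML):
        print(entry)
```

To use it on a real device, pass the contents of the log.txt dump and of packages.xml (pulling the latter needs root) to triage(). Intents logged as "from pid N" rather than "from uid N" have to be resolved against a live process listing (adb shell ps) while the malware is still running, because a PID changes on every restart and is not recorded in packages.xml.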

Why not just use a virus scanner?

While virus scanners are good at finding Android apps that contain known viruses, a piece of malware that hijacks the browser and displays pop-up ads is not necessarily known as a virus. Maybe it was custom-made for that phone and the wholesaler installed it to earn some extra revenue. Either way, run a virus scanner just to be sure. I’ve found that Nod32 and AVG work well, but only install them from the store! If they come pre-installed, they cannot be trusted.

Any comments? Please let me know.

Comments

  1. Thanks man! It worked for me on a Chinese ROM.
    The infected app was YouTube for me too.

  2. Thanks a lot. YouTube infected for me too.

  3. YouTube for me also, on a stock Xiaomi Mi Pad 2. Now trying to install a stock YouTube app.
  4. Hi,
    I'm totally clueless when it comes to programming and such. All I know is that my tablet keeps opening up a website telling me that I'm the daily winner. I've installed the Android SDK Manager but now I have no idea how or where to "execute the following command: ./adb logcat > log.txt"...?
    Could you do a second version of this blog entry "for dummies"...? :-)
  5. I've been trying to follow your guide for a while, but with no success.
    I have a Galaxy S4 running CyanogenMod 13.
    Girlfriend has the same issue on a new Nexus 6P.
    The only apps we have are from the Play Store.
    I tried using Notepad++ to search for strings like
    "act=android.intent.action.VIEW "
    but found nothing.
    I searched for the URL that is getting loaded by the browser, which does appear...
    "03-08 23:30:23.648 7391 7391 I chromium: [INFO:CONSOLE(18)] "Uncaught TypeError: fn is not a function", source: http://facebook.com-fb.info/fb4_2.html (18)"
    but looking a few hundred lines above or below this entry has not revealed any clues.

    If you have any ideas or suggestions please let me know!

    Thanks for your post, this is the first time I've used ADB, and it's not as scary as I thought it would be.

  6. Thanks for your post bro!! It was very useful for me!!
  7. Thanks a lot! Very useful article. I flashed my Chinese Umi Emax with another ROM from Umi (ColorOS). After two days I detected a trojan but the ads kept coming. My YouTube system app was causing all the trouble as described above. Finally solved by this article.
  8. Hi, very useful to me too. I found a PID 1053, and it was launcher3; I had to clear its data and cache to get back to normal, then rebooted Android.
    This is the text inside the adb log.txt:
    " I/ActivityManager( 738): START u0 {act=android.intent.action.VIEW dat=http://www.i-connecting.net/?channel=11111 flg=0x10000000 cmp=com.android.browser/.BrowserActivity} from pid 1053"

    and all browsers were using the new home page with the link of the malware site "http://www.i-connecting.net/?channel=11111".

    Beware of porn pics and site searches in Google from Android; it can get this malware into launcher3 (it is Google's launcher, do not remove it). Try to delete the data and cache, then reboot.

    Replies
    1. I hope this can help those who have the same problems.

    2. To find the program name corresponding to a PID number, use OS Monitor; get it from Google Play.

    3. From Settings > Apps > All > "launcher3" > clear data, clear cache;
      try also to "force stop" launcher3, then launch it again. Notice that the desktop link icons (on the first page/layer) will be deleted, but it is needed, I think...

    4. I downloaded the adb tools from here:
      http://forum.xda-developers.com/showthread.php?t=2588979

    5. adb tools for Windows... Win 7 x64 Ult.
      ./adb shell ---> I used "adb shell"
      su
      vi /data/system/packages.xml ---> vi was not found! And I didn't know how to install it and put it there...

    6. My launcher3 is also infected. But I don't know how to reboot, nor do I understand all the codes above; how can I learn all this?
  9. I found a way by going to the browser app from Settings > Apps > Browser > Force stop > Clear cache > Clear data and closing the browser; then reboot.
    This worked for me.

    Replies
    1. Hi guys, just an update. Force stop did not solve the problem. Solved by a YouTube video: install Sophos antivirus and Root App Delete. Root your tablet, scan and mark malicious apps. Remove them with Root App Delete using the pro option. Done.