[Q] official.androidsecuritybox.ru What is this? - General Questions and Answers

I received an email from a family member, but it was obviously a spam/malware email not sent by them. I know not to blindly open them and click on any links, but I do research on such emails to see if I can find out where they came from and what kind of threat they really are. It only contained a simple line of text with a link, as seen below in the first screenshot. If you expand the link it points to the second screenshot, which redirects to gxfox(dot)com, which is flagged as a bad site by WOT, but VirusTotal, Lookout and other anti-virus scans say it's a safe site.
I tried searching for more info, but nothing really came up. I did see a preview of the site as a spam site for some raspberry ketone thing on a security preview site I use, so I decided to try to open it on my phone, thinking what could really happen on an Android? I used my Nexus One running CM7.2 with both security exploits patched, and also Lookout with the premium package enabled. When I clicked on the link the browser opened and tried to redirect to gxfox(dot)com, but instead the page just tried to load "official.androidsecuritybox.ru/securitypatch", and I only had a blank white page that never did load anything. The page never finished loading either, as it was stuck on this address. I mean, you know when a page finishes loading, as you can click refresh, or when it's loading you can click stop. Well, I tried clicking stop, but nothing happened, so I had to just end the browser via the task manager.
Long story short, I can't find any info on "official.androidsecuritybox.ru/". I did get results for some similar things that had "data" instead of "box" at the end, but no real info on whether this is a security feature of the Android system/browser or from some other app/setting.
Does anyone know of this?

Never heard of it, but it probably isn't a good idea to go on the site if you think the email was sent because of a malicious program. I've done a Google search and can't find anything either. Do a virus scan on your Android (AVG can do this, not sure about Lookout) and see if the site has installed anything dodgy onto your Nexus One.
Orange

OrangeFlash81 said:
Never heard of it, but it probably isn't a good idea to go on the site if you think the email was sent because of a malicious program. I've done a Google search and can't find anything either. Do a virus scan on your Android (AVG can do this, not sure about Lookout) and see if the site has installed anything dodgy onto your Nexus One.
Orange
Nothing was installed. I did multiple scans with AV, and searched with file explorers to see if any folders had been changed. Nothing happened. I took it a step further and tried to open the address in a regular browser on a PC that is safeguarded, and it wouldn't open there either. I used Chrome, and all that returned was the white blank page saying the address couldn't be reached. I'm really thinking it's Android Security doing its job by blocking what would have been a phishing/malware site, and then Chrome just didn't know what to do with the address because it's really not a website. I'm just one of those people who don't like to rest without knowing exactly what something is. :fingers-crossed:

Related

[Q] Possible malware aMusic201011_3.apk

I just upgraded to Titanium Backup Pro and after exiting the program my Browser pops up with this page advertising HotMusic for the Android with a sexy female photo. I exit the browser, and immediately my phone starts downloading the above app. I then get the message that the HotMusic application was stopped from loading as it wasn't from the Android Market. I checked ASTRO File Manager and under downloads I find aMusic201011_3.apk sitting there (with the female thumbnail photo), so I delete it and run a Lookout malware scan. I've searched online as well as on the boards and don't find any mention of this application or the site. My questions are: is this malware, and has anyone else had this problem? Also, if I update to a different ROM, will I still have the protection against some unwanted software being able to sideload onto my phone?
Thanks
tahoeflyer said:
I just upgraded to Titanium Backup Pro and after exiting the program my Browser pops up with this page advertising HotMusic for the Android with a sexy female photo. I exit the browser, and immediately my phone starts downloading the above app. I then get the message that the HotMusic application was stopped from loading as it wasn't from the Android Market. I checked ASTRO File Manager and under downloads I find aMusic201011_3.apk sitting there (with the female thumbnail photo), so I delete it and run a Lookout malware scan. I've searched online as well as on the boards and don't find any mention of this application or the site. My questions are: is this malware, and has anyone else had this problem? Also, if I update to a different ROM, will I still have the protection against some unwanted software being able to sideload onto my phone?
Thanks
I don't have Titanium Pro, but are there ads in it? Possible you clicked one?
In my experience with computers (i.e., people using IE calling me to fix their malware), these sorts of things often intentionally don't manifest themselves until a bit after the initial infestation. My guess is that it's so it's harder to determine where they came from.
What other programs have you installed recently? Honestly, I still am not that quick to believe that there is malware going on, rather some accidental click or selection, but...
I'm surprised as well, but have come across hijacked respectable websites in the past, so I feel anything is possible. I did not have the browser open when the event took place, nor was it running in the background. I find it hard to believe that the developers of the Titanium package intentionally placed this package on it.
Is this possibly a new malware package or vulnerability exploit of the Android system (or am I just the lucky one)?
Do you still have the "aMusic201011_3.apk" which was downloaded? Might make it easier to figure out.
khaytsus said:
I don't have Titanium Pro, but are there ads in it? Possible you clicked one?
In my experience with computers (i.e., people using IE calling me to fix their malware), these sorts of things often intentionally don't manifest themselves until a bit after the initial infestation. My guess is that it's so it's harder to determine where they came from.
What other programs have you installed recently? Honestly, I still am not that quick to believe that there is malware going on, rather some accidental click or selection, but...
Joel doesn't include ads in his app. It's all ad-free and purely run off donations, which I'm sure he receives a lot of.
But I agree with you that OP probably mis-tapped something and that's what caused all this.
Thanks, maybe it was a faulty thumb
Thank you for your responses. It's possible that my thumb hit an ad, it happened very quickly after paying for the pro/premium version. My first inclination was to stop the browser, and then delete the program, so unfortunately I did not keep a copy.
There have not been any further problems with the phone, so consider this post finished. Thanks

Some kind of chrome malware -how to remove?

Hey there,
my office computer got infected with some sort of adware evil thing.
Once or twice a day, when browsing to a website (no matter which), I get an iFrame with an overlay saying "sponsored by [url I'm browsing to]" and then it redirects me to some kind of full-page ad for some sort of naughty online gaming (I forgot the name, but next time it happens I'll update here).
Anyway, this is the iframe HTML:
HTML:
<div class="asgds_content">
  <div class="asgds_header">
    <button class="asgds_close">x</button>
    <h4 class="asgds_title">Sponsored by google.com </h4>
  </div>
  <div class="asgds_body">
    <iframe src="https://extsgo.com/view/teasers?id=191753" style="height: 873px; width: 100%;"></iframe>
  </div>
  <div class="asgds_footer">
    <button class="asgds_close_text">Close</button>
  </div>
</div>
Searching Google for extsgo.com/view/teasers gives me nothing...
Using Chrome 53.0.2785.143 m on Windows 8.1.
Who can help me with removing this stupid thing?
Thanks a lot.
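The injected block above has a recognisable shape: an overlay whose heading claims to be "Sponsored by" the site being visited, wrapping an iframe that points at a host the site owner never embedded. As an added example, not code from this thread or from any of the extensions discussed in it, here is a Node script that scans a saved copy of a page's HTML for exactly that shape. The sample page, the page origin `https://example.com/` and the allow-list of frame hosts are all constructed for the demonstration.

```javascript
// Added example (not from the thread): scan page HTML for third-party iframes
// and "Sponsored by ..." overlays, the shape of the injected block in the post.
// Assumptions: the page source is available as a string (saved from the browser
// or captured by a proxy) and the allow-list is maintained by the site owner.
// Plain string scanning, so it runs under Node without a DOM.

// Constructed sample page: one legitimate embed plus the injected block.
const SAMPLE_HTML = `
<html><body>
<div id="content"><p>Article text</p>
<iframe src="https://www.youtube.com/embed/abc123"></iframe></div>
<div class="asgds_content"><div class="asgds_header"><button class="asgds_close">x</button>
<h4 class="asgds_title">Sponsored by google.com </h4></div><div class="asgds_body">
<iframe src="https://extsgo.com/view/teasers?id=191753" style="height: 873px; width: 100%;"></iframe>
</div><div class="asgds_footer"><button class="asgds_close_text">Close</button></div></div>
</body></html>`;

const PAGE_ORIGIN = "https://example.com/";                // constructed
const ALLOWED_FRAME_HOSTS = new Set(["www.youtube.com"]);  // constructed allow-list

// Return the src attribute of every <iframe> tag in the document, in order.
function extractIframeSources(html) {
  const tagRe = /<iframe\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  const sources = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attr = srcRe.exec(tag[1]);
    if (attr) sources.push(attr[1] || attr[2] || attr[3]);
  }
  return sources;
}

// Resolve a src against the page origin and return its hostname, or null for
// values that are not http(s) URLs (javascript:, about:blank, unparsable text).
function frameHost(src, pageOrigin) {
  try {
    const u = new URL(src, pageOrigin);
    return u.protocol === "http:" || u.protocol === "https:" ? u.hostname : null;
  } catch (e) {
    return null;
  }
}

// Frames whose host is neither the page itself nor on the allow-list.
function findUnexpectedFrames(html, pageOrigin, allowedHosts) {
  const own = new URL(pageOrigin).hostname;
  return extractIframeSources(html)
    .map((src) => ({ src, host: frameHost(src, pageOrigin) }))
    .filter((f) => f.host !== null && f.host !== own && !allowedHosts.has(f.host));
}

// Headings of the form "Sponsored by <name>". The overlay claims the visited
// site as its sponsor, which is a tell in itself. Returns the claimed names.
function findSponsoredClaims(html) {
  const re = /<h[1-6][^>]*>\s*Sponsored by\s+([^<]*?)\s*<\/h[1-6]>/gi;
  const claims = [];
  let m;
  while ((m = re.exec(html)) !== null) claims.push(m[1]);
  return claims;
}

// Combine both signals into a report a site owner can act on.
function auditPage(html, pageOrigin, allowedHosts) {
  return {
    unexpectedFrames: findUnexpectedFrames(html, pageOrigin, allowedHosts),
    sponsoredClaims: findSponsoredClaims(html),
  };
}

console.log(JSON.stringify(auditPage(SAMPLE_HTML, PAGE_ORIGIN, ALLOWED_FRAME_HOSTS), null, 2));
```

A useful way to use this is to run it on two captures of the same page, one fetched with a clean client (curl or a fresh profile) and one saved from the affected browser. If only the browser copy contains the unexpected frame, the page was modified client-side, which points at an extension rather than at the site or its ad network, and matches what the later replies in this thread found.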
Full Screen Flash might be the culprit?
I've had the same problem. I noticed when I uninstalled Full Screen Flash that it redirected me to extsgo.com as well... given some of the reviews intermittently complaining of advertising redirects, I think it's a distinctly possible culprit. Do you have that extension installed?
For what it's worth, this happened on both my home and work machines and Chrome is the only thing really shared between them. Home has MalwareBytes and McAfee, work has Trend Micro. No malware hits on either end, so I'm quite certain that some Chrome extension or another is responsible.
I had Full Screen Flash; I shut it off and it solved the problem.
Well,
it must be something else, since I never heard about this Chrome extension...
Would appreciate more ideas about this issue.
Thanks
Hey,
I think I got the name of this adware, it's called adnow. Any reliable removal tool / guide?
Thanks
Me too
I have managed to end up with this thing too. I've seen it injected into both a site I'm hosting locally and sites across the web (both in Chrome; not seeing it injected when I'm in Firefox). I did not notice it until recently, as I typically use EFF's Privacy Badger, which blocks the actual injection script from loading. I've seen it block requests to extsgo.com and st.adxxx.com, neither of which is related to the local build of the project I'm working on where I see it injected.
It's definitely something (presumably an extension) that is getting synced via Chrome sync as I've noticed it in a Windows 10 installation on one machine and within a Linux VM inside a Windows 7 host OS on a different machine. All software fully up to date.
I see nothing I'm not expecting in terms of extensions and I do not have the "Full screen Flash" extension. Windows Defender has not found anything on the Win 10 install, nor on the Windows 7 one.
Is it perhaps another extension that got hijacked? I know sometimes developers sell extensions and malware makers acquire them for the instantly-installed userbase. Everything in the Chrome Web Store is supposedly scanned, of course, so who knows.
Anyone have any other ideas?
Thanks!
~tw
---------- Post added at 02:13 PM ---------- Previous post was at 01:19 PM ----------
Insert jQuery (not including link; you'll know if you have it) appears to have been the culprit extension. The behaviour I was seeing is consistent with this description: gist.github.com/jimbo1qaz/bc73a2491f0c39b7f206359f089dd79c, complete with the redirection to a shady fake magazine URL. When I uninstalled Insert jQuery, the issues went away. So this is consistent with a rash of extensions getting updated with updates that include new malware. I originally intended to install that extension... several years ago. I've been using it occasionally ever since.
(My) case closed.
This just happened to me as well. Exactly once on my work computer, then once on my home computer a few hours later, different sites. Both chrome, but different accounts and mostly different extensions. I'll compare extension lists and post the common ones when I get back to my work computer tomorrow. But I don't have either of the mentioned extensions installed.
This thread was the only google result for the url.
Edit: googling the id of the modal div, "asgds_modal", leads to a reddit thread with a few people complaining. They pointed out two new extensions, "http headers" and "w3schools hider". I'm guessing my culprit is the http headers one, as it is on both my computers.
I figured it out.
Live HTTP Headers extension is the culprit. A couple of days ago I checked that it was giving a 404 error for the JS script it was requesting from an AWS server. I thought someone would buy it. And the same thing happened, I guess. The Chrome Web Store page is not working for that extension, most probably because it is removed. But you people should uninstall that from your Chrome browsers.
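The common thread in this discussion is an installed extension that, after a change of owner or an update, started pulling a script from a remote server and injecting content into every page. As an added example, not the thread's code nor any extension vendor's, here is a Node script that audits an unpacked extension's manifest.json for the capabilities such an update needs: broad host access, page-rewriting permissions, content scripts that match every URL, and (for manifest v2) a content security policy that whitelists a remote script host. The two sample manifests, the remote host `cdn.example.invalid` and the list of permissions treated as sensitive are my own constructions, not a Chrome policy.

```javascript
// Added example (not from the thread or any extension vendor): audit an
// unpacked Chrome extension's manifest.json for the capabilities a hijacked
// extension needs to inject content into every page. Assumptions: the manifest
// is read from a directory the caller supplies; the thresholds are my own
// heuristics, not a Chrome policy.

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_PERMISSIONS = new Set([
  "webRequest", "webRequestBlocking", "declarativeNetRequest", "scripting",
  "tabs", "cookies", "history", "nativeMessaging", "debugger",
]);

// Return a list of human-readable findings for one parsed manifest object.
function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];

  // MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
  const hostPerms = (manifest.host_permissions || []).concat(
    perms.filter((p) => p === "<all_urls>" || p.includes("://"))
  );
  const broad = hostPerms.filter((h) => BROAD_HOST_PATTERNS.has(h));
  if (broad.length) findings.push(`broad host access: ${broad.join(", ")}`);

  const sensitive = perms.filter((p) => SENSITIVE_PERMISSIONS.has(p));
  if (sensitive.length) findings.push(`sensitive API permissions: ${sensitive.join(", ")}`);

  // A content script matching every page can rewrite the DOM of every site visited.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some((m) => BROAD_HOST_PATTERNS.has(m))) {
      findings.push(`content script runs on all pages: ${(cs.js || []).join(", ")}`);
    }
  }

  // MV2 let the extension CSP whitelist remote script hosts, which is how an
  // extension can fetch its real payload from a server after it is installed.
  const csp = typeof manifest.content_security_policy === "string"
    ? manifest.content_security_policy : "";
  const scriptSrc = csp.split(";").find((d) => d.trim().startsWith("script-src")) || "";
  const remote = scriptSrc.match(/https?:\/\/[^\s']+/g) || [];
  if (remote.length) findings.push(`CSP allows remote script sources: ${remote.join(", ")}`);

  return findings;
}

// Read and audit a manifest.json from disk (path is whatever the caller passes).
function auditManifestFile(manifestPath) {
  const fs = require("fs");
  return auditManifest(JSON.parse(fs.readFileSync(manifestPath, "utf8")));
}

// Constructed sample: the shape of an MV2 "header viewer" extension that has
// everything it needs to inject overlays and load code from a remote host.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Constructed header viewer (sample, not a real extension)",
  version: "1.0",
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"], run_at: "document_end" }],
  content_security_policy: "script-src 'self' https://cdn.example.invalid; object-src 'self'",
};

// Constructed benign sample: a popup-only extension with no page access.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Constructed popup tool (sample)",
  version: "1.0",
  permissions: ["storage"],
  action: { default_popup: "popup.html" },
};

console.log(auditManifest(SAMPLE_MANIFEST));  // four findings for the sample
console.log(auditManifest(BENIGN_MANIFEST));  // none for the popup-only one
```

To run it against what is actually installed, point `auditManifestFile` at each `manifest.json` under the profile's `Extensions` directory (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\`). An extension with findings is not necessarily malicious, since a header-inspection tool legitimately needs `webRequest` and broad host access, but those are exactly the extensions whose ownership and update history deserve a second look, and the ones to remove first when a page-injection problem appears on every machine sharing the same Chrome sync profile.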
ant96 said:
Live HTTP Headers extension is the culprit. A couple of days ago I checked that it was giving a 404 error for the JS script it was requesting from an AWS server. I thought someone would buy it. And the same thing happened, I guess. The Chrome Web Store page is not working for that extension, most probably because it is removed. But you people should uninstall that from your Chrome browsers.
Thank you man, you're my hero.
Hi guys!
I really need your help here, please.
I seem to have encountered a similar problem as you, but I don't have the HTTP header extension you all talked about.
It happens to me only on Chrome, on different sites; I get these "sponsored by adnow" ads,
and I'm not sure what to do. It's in the exact same place where Outbrain or Taboola show their ads, and it covers it.
I think, but am not sure, that the div id is sc_tblock_319318, and from what I understand it blocks the original ad (by Outbrain in this case) and then recreates a new one.
Is there anyone here who could help me, please? Really, I tried almost everything...
Sorry if my English is not perfect,
and thanks in advance!

Four Virus on Xperia Oreo 8.0.0

I am unable to remove an annoying pop-up coming from any web browser I tried to install and use on my new Xperia Premium XZ, including Chrome and Firefox. It looks like my phone gets DNS hijacked and randomly, a few times a day, it pops up this message - see attached screenshots.
I tried to Google a solution; none I found worked, including clearing data and cache of these apps and completely reinstalling them.
I tried premium Adware Malwarebytes and it does not detect anything wrong with the phone.
I also activated the premium version of AVG, but a full scan has not discovered any issues.
At this point I have run out of options.
I can't believe there is no clear explanation anywhere about this so-called Four Virus, nor any reference to it with respect to Oreo 8.0.0.
Am I the only Oreo user who has this issue?
Resetting my phone to factory defaults is the last thing I would want to do, but I could. Just trying to see other options before executing such a drastic solution.
Any ideas are very appreciated.
Hi there
You caught a simple flu, but you probably need Safe Mode to remove it. Follow the instructions here => https://forums.androidcentral.com/a...30081-guide-malware-adware-popup-removal.html
Good luck, and keep us posted,
Van
This is a well-known problem, widely described on the Net. There's nothing wrong with your phone. There's no malware on the phone itself, which is why the anti-malware tools do not find anything.
What you see is the result of a server-side problem. Either the web page you were trying to visit got hijacked, or an ad provider that displays ads on that page got hijacked, or some DNS entry got hijacked. They used some kind of server-side exploit to redirect your browser to the above fake page. It is ordinary scareware, trying to scare you into purchasing a piece of software you don't really need (and it is useless crap anyway). If you were visiting a legitimate web site at the time this popup appeared, the site owners are most likely already aware of the problem. They will fix it shortly and the problem will go away.
For now, just to make sure nothing is cached on your phone after they fix the issue, a good idea might be to find your browser app in the app list and ask Android to clear app data.

Sorry if this is the wrong place to post

I think I have a ton of viruses on my phone. Does anyone know what this means and how I can remove it? Malwarebytes app scan results say 0 of 1 threat removed.
I was browsing using Opera and came across this pop-up
and got scared, so I did a scan and saw this.
I can't find any way to remove these threats.
I've used 10 different antivirus apps and they all say my phone is clean. The phone is super fast and feels great, so I'm not sure why it's all infected like Malwarebytes says.
Anyone?
If you want help, it's helpful to use an informative subject line so people can see what your post is about and decide if they want to click on it.
The safe way is to factory reset your phone.
Just return the phone. You know you want to.
haircut123 said:
I think I have a ton of viruses on my phone. Does anyone know what this means and how I can remove it? Malwarebytes app scan results say 0 of 1 threat removed.
I was browsing using Opera and came across this pop-up
and got scared, so I did a scan and saw this.
I can't find any way to remove these threats.
I've used 10 different antivirus apps and they all say my phone is clean. The phone is super fast and feels great, so I'm not sure why it's all infected like Malwarebytes says.
I think these are some kind of ads; I always get ads like "5 viruses detected". Also check if you have installed any APK that doesn't show an icon in the app manager, and uninstall that.
Looks like the website is compromised not your phone.

Question I possibly have a virus. Need some feedback

I've got an A32 5G that functionally performs OK. It's had some slow-loading pages recently and some YouTube videos buffering, which I attributed to the recent system updates as well as the move to 5G in my area. I still think these are the likely sources of my lower performance, but... I went to grc.com and ran their Shields Up test the other day, probing all common ports. My results came back that I have port 179 open about 95% of the time (meaning I've run the test quite a few times since then; only a few of those times it showed stealth). Approx. 10% of the time I ran the test, it showed port 1, and ports 1 & 2, closed but not stealthed. The other test results showed them to be stealthed.
Prior to now, and when having my friends run the tests on their phones, my former and everyone else's current results were 100% stealthed.
My questions:
1. Can a few of you with the same phone as me run the same tests and see what your results are? (It's at grc.com, then Shields Up, then Shields Up, then Proceed, then All Service Ports.)
2. Short of resetting the phone, how do I find out the source or cause of this port being open? (I've done a lot so far, none of which has helped, so I won't bore anyone just yet.)
3. Is there a better section to post this in?
See if you can ID the app using it with a firewall.
If running on Pie or below, Karma Firewall will detect apps accessing the internet.
If you can't ID and eliminate it, factory reset.
You are what you install and download; exercise caution.
This is what I get when I run that check:
The only apps on my phone are Firefox & Brave browsers, CX File Explorer, File Viewer, NewPipe, SMS Backup & Restore, and a few games from Yiotro.
Never been on Facebook, nor any other social media.
blackhawk said:
See if you can ID the app using it with a firewall.
If running on Pie or below, Karma Firewall will detect apps accessing the internet.
If you can't ID and eliminate it, factory reset.
You are what you install and download; exercise caution.
This is what I get when I run that check:
The test I was referring to was this one.
And I'm on Android 12. Is the firewall approach null with that?
mr_horsepower said:
The test I was referring to was this one.
And I'm on Android 12. Is the firewall approach null with that?
Lol, I scanned that exe with Virustotal and while most might trust it... I don't!
Android 12 will gut firewall apps not designed to run on it. Even 10 does this.
A big reason I still run on Pie; functionality for trusted apps.
Nuke it if there's any doubt. Change your Google account password, and check if it's been breached.
Likely something you installed...
blackhawk said:
Lol, I scanned that exe with Virustotal and while most might trust it... I don't!
Android 12 will gut firewall apps not designed to run on it. Even 10 does this.
A big reason I still run on Pie; functionality for trusted apps.
Nuke it if there's any doubt. Change your Google account password, and check if it's been breached.
Likely something you installed...
How do you keep your system from updating?
Mine is set to only do it over Wi-Fi, and I never use Wi-Fi (literally never), and eventually it gives in, I guess, and downloads it over my data connection. I've got auto updates on the Play Store turned off and I've never had anything update without my choosing to, again, through just the Play Store.
I'm fairly certain that Steve Gibson, the guy that runs the Security Now site and podcast, is a 100% safe environment.
*I also realize my recommendations on what's safe and what's not mean nothing, especially given the thread I just started, lol.
mr_horsepower said:
How do you keep your system from updating?
Mine is set to only do it over Wi-Fi, and I never use Wi-Fi (literally never), and eventually it gives in, I guess, and downloads it over my data connection. I've got auto updates on the Play Store turned off and I've never had anything update without my choosing to, again, through just the Play Store.
I'm fairly certain that Steve Gibson, the guy that runs the Security Now site and podcast, is a 100% safe environment.
*I also realize my recommendations on what's safe and what's not mean nothing, especially given the thread I just started, lol.
I use a package disabler to block OTA updates.
A nasty little app...
I think his site's probably ok, but caution is best when in doubt. My current load is over 2 yo and runs very well.
I've just spent the past 5 hours doing a full restore on my phone. I just ran the scan again and I got the same effing results. Will someone please, for the love of all that is good in this world, pretty friggin' please, run that scan and see if they get the same port open? Please.
You don't even have to do the whole scan, which takes all of 30 seconds. Just type 179 in the box and hit enter. It will open to another page and you hit the 'probe this port' button. It's Steve Gibson's website. It's safe. He's one of the grandfathers of internet security.
Lol, doesn't sound that safe judging by your results. You should have loaded just that app and scanned. May be a false result.
No known rootkit can survive a factory reset on Android 9 and up. So either it's a normal result, glitch or you reloaded the malware... probably one of the games.
Install Karma Firewall (it may not install on 12), one by one block 3rd party apps and so on, then scan until you find it.
Or factory reset again and run the scan... first.
blackhawk said:
Lol, doesn't sound that safe judging by your results. You should have loaded just that app and scanned. May be a false result.
No known rootkit can survive a factory reset on Android 9 and up. So either it's a normal result, glitch or you reloaded the malware... probably one of the games.
Install Karma Firewall (it may not install on 12), one by one block 3rd party apps and so on, then scan until you find it.
Or factory reset again and run the scan... first.
I didn't reload the games (they're zero-permission games from an awesome source though). I did a reinstall of DDG browser, File Viewer, SMS Backup & Restore, and Textra. I went through all my permissions and deleted all the b.s. bloatware, fired up the browser and went and ran the test. Same results. I've run the test a bunch over the years; the first time with that result ever was a few days ago.
I'm going to order a new phone tomorrow. If I'm lucky, it'll be in in time for me to blow this thing up on the 4th.
*I also ran the test at a few other port scanners prior to the reset. One of 3 didn't show the port open; the others did. I haven't rechecked it at those places after the fact.
*It doesn't sound like you're familiar with Steve Gibson or his work. It'd be worth poking around his website a little, also listening to or reading transcripts of the weekly podcast he's done for years. That website is as pure as the driven snow.
blackhawk said:
Lol, doesn't sound that safe judging by your results. You should have loaded just that app and scanned. May be a false result.
No known rootkit can survive a factory reset on Android 9 and up. So either it's a normal result, glitch or you reloaded the malware... probably one of the games.
Install Karma Firewall (it may not install on 12), one by one block 3rd party apps and so on, then scan until you find it.
Or factory reset again and run the scan... first.
And to clarify, it's not an app. You go there with your browser and click on a button. It's just a web page, it's just a button. You don't even need JavaScript to be on at his website.
*And while I appreciate your offering up that .apk, I'm not in the habit of sideloading apps from a barely known source. That's a small example of what makes this problem I'm having so perplexing.
mr_horsepower said:
And to clarify, it's not an app. You go there with your browser and click on a button. It's just a web page, it's just a button. You don't even need JavaScript to be on at his website.
*And while I appreciate your offering up that .apk, I'm not in the habit of sideloading apps from a barely known source. That's a small example of what makes this problem I'm having so perplexing.
Won't run in my browser. Tried disabling a few things that might have blocked it, no go.
My current setup hasn't had any malware issues, has been fast and stable for over 2 years so I'm not playing with it further than this for no good reason.
I don't have in-depth knowledge of these protocols. Been a long while since I set up a router. Meh, although I'm curious about this... but it's your rabbit hole to chase down. It's a pretty deep hole.
Karma Firewall has been updated.
NetGuard is fully functional on 12, root not needed. I haven't played with this yet.
Install a firewall and see if you can spot it...
If you went there and proceeded like this, with or without JavaScript on (my default everywhere is that it's off unless I decide to give sites that liberty), I can't see how in the world it's not running. I appreciate your time regardless.
A link would be nice...
Here's what I got on my N10+/Pie:
blackhawk said:
A link would be nice...
Here's what I got on my N10+/Pie:
That's the unplug and pray test. I can't provide a link to anything (try anything you would be able to create a link from at a typical site and you'll see it doesn't work there) but the main page, because of the way his site is set up. Here's hopefully a better picture of what you are pressing, and what to choose instead.
*Check your link, which doesn't go where you think it does, and he explains why not.
