by TooCreative 1985 days ago
Strange article

    I unlocked my phone and two
    accidental clicks led me to
    agree to a dialog that my brain
    immediately registered as suspicious
What type of dialog can pop up on your Android screen after unlocking and installing "malware"? What is "malware" here? It looks like they mean an app from the Play Store?

    The next day, I picked up my phone and
    when I launched Chrome, I immediately
    noticed it was displaying a spammy URL.
How can one app alter the behavior of another?

What I believe the author is saying is that he received a push notification to Chrome from the malicious app.

Coincidentally, I just spent my Saturday evening poring over malicious JavaScript hosted on CloudFront that does extensive browser fingerprinting, and if a match is made to an Android device a fake Captcha pops up in Chrome which actually enables push notifications; from there a full-screen pop-up appears that vibrates the device and claims the phone is infected with (N) viruses, and the “repair now” button pulls up the Play Store app to install DFNDR antivirus/cleaner.

If you look at the reviews of that app you’ll see all the angry reviews of users having their browsers hijacked.

The app itself is just an advertising server wrapped around Avast’s detection engine and is funded by the Chinese Qihoo.

It harvests users' social media data and charges the users almost $10 a month after a 3 day trial period.

Novice users are unable to delete the app if “advanced protection” is enabled because it becomes a device administrator and uses deceptive language to confuse the user trying to remove the app.

If the app gets installed it will not let you clear the storage of the app from within settings even if you had never opened the app and before you agree to any terms and conditions.

The fake virus warnings that lead to DFNDR have been going on every single day since 2013.

I’m putting together a webpage that will include the JavaScript and other details as we speak.

The Google Play Store is a dumpster fire full of scam apps and scummy developers.

> fake Captcha pops up in Chrome which actually enables push notifications

Wow, this sounds like a classic clickjacking vulnerability. That’s still possible on modern[ish] Android? Definitely interested in your write-up.

No, it is not.

    he received a push notification
    to chrome from the malicious app
What does that mean? How does an app send a "push notification" to Chrome?
Not GP, but my interpretation: app sent a general push notification which, when tapped, opened a malicious URL in Chrome as the next step of this "funnel".
> How can one app alter the behavior of another?

In Defcon 2, author finds a log with intent:

{act=android.intent.action.VIEW

Android will handle the URI with the default app. The malware sends an HTTP URL, so it will be opened by the default browser.
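As an added example (not code from the thread or from any app or project it mentions), here is a small Python parser that picks `act=android.intent.action.VIEW` starts with an http(s) `dat=` URI out of ActivityManager logcat lines and attributes them to the calling uid, which is how one would spot an app repeatedly pushing URLs into the browser. The logcat lines are constructed for the example; they mirror the shape of real `START u0 {...} from uid N` entries.

```python
import re
from collections import Counter

# Constructed sample logcat lines (not from the page); they mirror the shape of
# ActivityManager "START" entries, including the quoted act=android.intent.action.VIEW.
SAMPLE_LOGCAT = """\
I ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.settings/.Settings} from uid 10041
I ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://spammy.example/landing flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10137
I ActivityManager: START u0 {act=android.intent.action.VIEW dat=https://example.org/terms cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10052
"""

START_RE = re.compile(r"START u\d+ \{(?P<body>[^}]*)\} from uid (?P<uid>\d+)")


def parse_start_lines(logcat):
    """Yield one dict per activity-start line: the intent's key=value fields plus the calling uid."""
    for line in logcat.splitlines():
        m = START_RE.search(line)
        if not m:
            continue
        fields = {"uid": m.group("uid")}
        for token in m.group("body").split():
            key, sep, value = token.partition("=")
            if sep:  # skip stray tokens without an '='
                fields[key] = value
        yield fields


def browser_view_intents(logcat):
    """Return VIEW intents carrying an http(s) URI: the mechanism by which an
    app gets the default browser to open a URL it chose."""
    hits = []
    for intent in parse_start_lines(logcat):
        if intent.get("act") != "android.intent.action.VIEW":
            continue
        if intent.get("dat", "").startswith(("http://", "https://")):
            hits.append(intent)
    return hits


def view_intents_by_uid(logcat):
    """Count web VIEW intents per calling uid, so an app that keeps pushing
    URLs into the browser stands out against an occasional TOS-page open."""
    return dict(Counter(i["uid"] for i in browser_view_intents(logcat)))


if __name__ == "__main__":
    for intent in browser_view_intents(SAMPLE_LOGCAT):
        print(f'uid {intent["uid"]} opened {intent["dat"]} via {intent.get("cmp", "?")}')
    print(view_intents_by_uid(SAMPLE_LOGCAT))
```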

Something similar happened to me a few years back after I accidentally tapped an ad in Chrome (an ad delivered by Google, no less). While I didn't get infected, the site did start displaying system-like prompts (my phone was also vibrating at this point and playing the same sound I get when there's a natural disaster) saying my device was infected and that I should tap OK to download an APK.

I did several things after this:

- Reported the ad to Google (no followup from their side - naturally).

- Removed Chrome.

- Installed Firefox and uBlock Origin.

How did you remove Chrome?
You can disable system apps so they don't show up even without root. If you have root you can also uninstall them. Just open a terminal, `su`, and use `pm uninstall` to uninstall for your user or all users (you can reinstall the same way if you end up needing it later). No reason to use the provided Chrome when you can just use Bromite, though.
> What type of dialog can pop up on your Android screen after unlocking and install "malware"? What is "malware" here? It looks like they mean an app from the play store?

That would be the case if you enable sideloading, but that isn't mentioned in the article. Is it possible to install an app via popup without going through the store? This needs some clarification.

They mention at the bottom of the article that they did enable side loading, that's how the app was installed.
If that were the case, what is the point of the article? Of course Google Play Protect shouldn't interfere with a side-loaded app. One major reason for side-loading (after giving explicit consent and ignoring all the warnings associated) is to allow applications Google wouldn't approve.
Google Play Protect also warned on unknown sideloaded apps (and requested an upload for a scan) when I tried it ~half a year ago. Documentation[0] implies this is still the case.

> It checks your device for potentially harmful apps from other sources. These harmful apps are sometimes called malware.

> If you choose to install apps from unknown sources outside of the Google Play Store, turning on the “Improve harmful app detection” setting will allow Google Play Protect to send unknown apps to Google to protect you from harmful apps.

[0] https://support.google.com/googleplay/answer/2812853?hl=en

Can't an app ask for a website to be opened, and then that would cause the standard browser to display said website and URL?

It does not sound to me like the Chrome app was infected, just told to open a page.

Yes, this is basic (and incredibly common) behavior. The alternative is often much worse (an embedded WebView in each app to do things like open TOS pages).