by sloshnmosh 1985 days ago
What I believe the author is saying is that he received a push notification to chrome from the malicious app.

Coincidentally, I just spent my Saturday evening poring over malicious JavaScript hosted on Cloudfront that does extensive browser fingerprinting and if a match is made to an Android device a fake Captcha pops up in Chrome which actually enables push notifications and from there a full screen pop-up appears that vibrates the devices and claims the phone is infected with (N) viruses and the “repair now” button pulls up the Play Store app to install DFNDR antivirus/cleaner.

If you look at the reviews of that app you’ll see all the angry reviews of users having their browsers hijacked.

The app itself is just an advertising server wrapped around Avast’s detection engine and is funded by the Chinese Qihoo.

It harvests users’ social media data and charges the users almost $10 a month after a 3-day trial period.

Novice users are unable to delete the app if “advanced protection” is enabled because it becomes a device administrator and uses deceptive language to confuse the user trying to remove the app.

If the app gets installed it will not let you clear the storage of the app from within settings even if you had never opened the app and before you agree to any terms and conditions.

The fake virus warnings that lead to DFNDR have been going on every single day since 2013.

I’m putting together a webpage that will include the JavaScript and other details as we speak.

The Google Play Store is a dumpster fire full of scam apps and scummy developers.

2 comments

> fake Captcha pops up in Chrome which actually enables push notifications

Wow, this sounds like a classic clickjacking vulnerability. That’s still possible on modern[ish] Android? Definitely interested in your write-up.

No, it is not.

> he received a push notification to chrome from the malicious app

What does that mean? How does an app send a "push notification" to Chrome?

Not GP, but my interpretation: app sent a general push notification which, when tapped, opened a malicious URL in Chrome as the next step of this "funnel".