
I'm battling adware on multiple Android devices which none of the malware removal tools I tried (Kaspersky, Avast, and Norton IIRC) can find.

Behaviour

While the phone is locked, new Chrome tabs (not the default browser, Chrome specifically) are launched periodically, pointing at (don't visit!) http://vpg.dorputolano.com. This redirects you to various ugly ad sites for gambling, betting, new phones, and what have you. It doesn't act while the phone is unlocked.

Importantly, this behaviour has jumped devices: I first had the issue on my OnePlus 3. I was changing phones anyway at the time and I thought with a fresh install on my new phone I'd be golden. I used the OnePlus transfer app to transfer my stuff to my new OnePlus Nord, which in hindsight might not have been the best of ideas. Now after ~3 weeks of using the new phone, it started again. No apps have been installed in this period, so it seems to have a dormant period before it starts acting up.

What I have tried

  • Most obviously, switch to a brand new phone
  • Finding rogue processes via adb shell and ps -A
  • Trying to change /etc/hosts to at least not visit the bad site, but this needs root access
  • Neither of my devices was/is rooted

Device info

  • OnePlus Nord, Model AC2003
  • Oxygen OS 10.5.10.AC01BA
  • Carrier Wingo (read: Swisscom), not known for malicious behaviour
  • (The old phone was a OnePlus 3, up to date with the last update they shipped)

I'm hoping for

  • Identification of the malicious app and how to remove it
  • Further tips on pinning it down myself, maybe more adb tricks?
  • If all else fails, workarounds to mitigate the behaviour
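
As an added example (not part of the question or the answer above), here is one more adb trick for pinning down which app opens those Chrome tabs. A process list from `ps -A` rarely helps, because the app only needs to fire a short-lived VIEW intent; what the system does log is the intent start together with the uid it came from, and `pm list packages -U` maps that uid back to a package. The script below works on constructed sample data so it runs offline; the log line format (Android 10's `ActivityTaskManager: START u0 {...} from uid N`) and the `package:<name> uid:<N>` output format are assumptions, and `com.example.suspectscanner` / `com.example.helper` are hypothetical package names, not the app identified in the answer.

```shell
#!/bin/sh
# Added example, not from the original post. Finds the uid that launched a
# Chrome VIEW intent for a suspicious domain and maps it to package names.
#
# On a real device the two inputs would be captured with:
#   adb logcat -d -s ActivityTaskManager ActivityManager > activity.log
#   adb shell pm list packages -U > packages.txt
# and the culprit removed without root (for the current user) with:
#   adb shell pm uninstall --user 0 <package>

# Constructed logcat excerpt (format assumed from Android 10; older builds
# log the same "START u0 {...} from uid N" line under the ActivityManager tag).
LOGCAT='09-01 23:14:05.123  1234  5678 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.android.settings/.Settings} from uid 10045
09-01 23:14:09.441  1234  5678 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=http://vpg.dorputolano.com/ flg=0x10000000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10234
09-01 23:14:10.002  1234  5678 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://example.com/ cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10117'

# Constructed `pm list packages -U` output. Two hypothetical packages share
# uid 10234 to show the sharedUserId case: a uid is not always one app.
PACKAGES='package:com.android.chrome uid:10117
package:com.android.settings uid:10045
package:com.example.suspectscanner uid:10234
package:com.example.helper uid:10234'

# uids_for_domain DOMAIN: print every uid that started an activity whose
# intent data points at DOMAIN (http or https), one per line, deduplicated.
uids_for_domain() {
  printf '%s\n' "$LOGCAT" \
    | grep 'START u0' \
    | grep "dat=http[s]*://$1" \
    | sed -n 's/.* from uid \([0-9][0-9]*\).*/\1/p' \
    | sort -u
}

# package_for_uid UID: print all package names installed under UID.
package_for_uid() {
  printf '%s\n' "$PACKAGES" \
    | awk -v uid="$1" '$2 == ("uid:" uid) { sub(/^package:/, "", $1); print $1 }'
}

# culprits_for_domain DOMAIN: end-to-end, uid(s) for the domain -> package(s).
# Prints nothing if no logged intent targets DOMAIN.
culprits_for_domain() {
  for uid in $(uids_for_domain "$1"); do
    package_for_uid "$uid"
  done
}

culprits_for_domain vpg.dorputolano.com
```

Run `adb logcat -d` right after the phone has been locked for a while, when the tabs have just appeared; the log buffer is small and the START line is gone once it rolls over. If several packages come back for one uid, uninstall them one at a time and watch whether the tabs stop.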

1 Answer


Using my Google Activity History, I spotted a few activity entries of my Barcode Scanner app which didn't belong there, as I didn't use the app at the time.

Uninstalling the app resolved the problem. In my case, com.qrcodescanner.barcodescanner was the culprit. Edit: The app has since been pulled from the store. The most recent 1-star reviews confirm that the app is adware since the last update.

For completeness' sake, this might not be the dev's fault, since the app Andrew pointed out (com.google.zxing.client.android (Play store)) seems to suffer from the very same condition; the reviews now all say it delivers ads. Edit: Apparently this is a false positive, as it unfortunately had an identical app name and got hit with negative reviews for no reason.

Edit: Maybe some barcode library further upstream got compromised?

In any case, caution on using either of the apps is advised.

Use zxing's Barcode Scanner for a better alternative

Credit to @AndrewT. for pointing me to the solution.

Update, 08. Feb 2021: There is now a writeup of the story at Malwarebytes Blog
