Sunday, September 23, 2018

malware - How to find out which app is trying to open spam websites?


I've recently bought a new Android smartphone. After setting it up and loading my contacts onto it I thought that would be it.


Now after some days, every time I unlock the phone it takes a few seconds before it opens the default browser and opens some spam website. I tried to see what was causing it. I removed any apps I didn't know I could trust, but the problem persisted. After trying to solve it for some time I gave up and reset the phone to factory default. Now after having it reset to the default it ran without issues for roughly a week before the problem reappeared.


I tried to uninstall some apps in order to see if they were the cause of it, but nothing changed after doing so. However I did notice that if I turn off the wifi it won't even try to open the browser (I haven't tried mobile data since I don't have a bundle). This makes me feel like it might be related to something on the network but that wouldn't explain why only that phone would have the issue when there are at least 6 android phones on that very same network.


I hope that there is someone who can help me find the cause of this issue and help me solve it.


TL;DR When unlocking my phone, it opens the browser and tries to open a spam website. But only does so while connected to the wifi.


Things I've tried so far:




  • Factory reset (only helped for a limited time)

  • Clearing the browser cache and all related data

  • Removing any app I don't know to be reliable

  • Attempting to find what triggers it (seems like some type of internet connection is required??)


The device is the Doogee Shoot 1. As for the browser, the default is set to be the Android browser, but if I change the default it would use Chrome just as well. It seems to really just use the browser that is set to default.



Answer



Based on the troubleshooting OP did following my advice, the culprit appeared to be a system app, malware named System Locker with package name com.tihomobi.lockframe.syslocker. The issue appears to be a result of a system update, per some users of the device.


As usual with a system app, if you get to use the Disable option under Settings → Apps → System apps/All apps → the culprit, then by all means, do disable that app, force-stop it or reboot the Android. The issue should stand resolved until you factory reset the device.






Here's how I found out the culprit. The in-built Android tool dumpsys inter alia shows which app was called by which other app. The caller is referred to as Calling Package.


Provided that you have adb set up and working between the PC and the Android device, do the following:



  1. keep the device connected to PC

  2. reboot the device or force-stop that default browser app

  3. let the malware do its job, that is, have the browser be launched automatically


  4. as soon as the browser is launched, do nothing with the device physically, but run the following adb command on PC:


    adb shell dumpsys activity activities



Here's the output from OP's device:



ACTIVITY MANAGER ACTIVITIES (dumpsys activity activities)
Display #0 (activities from top to bottom):
Stack #1:
Task id #2
* TaskRecord{8190ba1 #2 A=android.task.browser U=0 sz=1}
userId=0 effectiveUid=u0a64 mCallingUid=u0a26 mCallingPackage=com.tihomobi.lockframe.syslocker

affinity=android.task.browser
intent={act=android.intent.action.VIEW dat=http://im.apostback.com/click.php?c=362&key=9wl83884sg67y1acw3z56z90&s4=8%2FdNwcNuQFEjjaucho5IqA%3D%3D flg=0x10000000 pkg=com.android.browser cmp=com.android.browser/.BrowserActivity}
realActivity=com.android.browser/.BrowserActivity
...
...
Hist #0: ActivityRecord{66cd59b u0 com.android.browser/.BrowserActivity t2}
packageName=com.android.browser processName=com.android.browser
launchedFromUid=10026 launchedFromPackage=com.tihomobi.lockframe.syslocker userId=0
app=ProcessRecord{5ad1810 4337:com.android.browser/u0a64}
Intent { act=android.intent.action.VIEW dat=http://im.apostback.com/click.php?c=362&key=9wl83884sg67y1acw3z56z90&s4=8%2FdNwcNuQFEjjaucho5IqA%3D%3D flg=0x10000000 pkg=com.android.browser cmp=com.android.browser/.BrowserActivity }


In the output:



  • com.android.browser is the package name of stock Android browser in your device

  • com.tihomobi.lockframe.syslocker is the package name of the malware app and is referred to as calling package.


If you've found the malware, avoid next troubleshooting and skip to the heading Nuke the malware.





(In response to a duplicate posted here -- the culprit app was Farming Simulator 18)



In certain circumstances, aforesaid troubleshooting may not be able to help, such as when calling package name is the package name of the browser itself shown in dumpsys output. In that case, prefer logcat. Set up logcat like this:



adb logcat -v long,descriptive | grep "dat=http" # you can grep anything from URL too. It is purely up to you.
adb logcat -v long,descriptive > logcat.txt # alternative; if grep is not installed in your OS. You need to search into that file now.

Now unlock the device and let the browser with that URL be launched automatically. Also, press Ctrl+C if you are saving the output into a file.


The output we're seeking would look akin to:



[ 11-27 16:03:22.592 3499: 6536 I/ActivityManager ]
START u0 {act=android.intent.action.VIEW dat=https://livemobilesearch.com/... flg=0x10000000 pkg=org.mozilla.firefox cmp=org.mozilla.firefox/.App}


from uid 10021
...

[ 11-27 16:03:22.647 3499:15238 I/ActivityManager ]
START u0 {act=android.intent.action.VIEW dat=https://livemobilesearch.com/... pkg=org.mozilla.firefox cmp=org.mozilla.firefox/org.mozilla.gecko.BrowserApp}

from uid 10331

See the two highlighted UIDs 10021 and 10331. One of them (they would be different in your case) is for the browser app launched, and one of them is malware app requesting that URL. So, how to find what is what?



If you've root access, simply do:



adb shell su -c 'ls -l /data/data/ | grep u0_a21'
adb shell su -c 'ls -l /data/data/ | grep u0_a331'

Output would be like:



drwx------ 5 u0_a21 u0_a21 4096 2018-01-01 10:31 com.android.chrome
drwx------ 5 u0_a331 u0_a331 4096 2018-01-01 10:31 com.tihomobi.lockframe.syslocker


If you don't have root access, do:


adb shell dumpsys package > packages_dump.txt

Now search for the line with your UIDs such as "userId=10021" and "userId=10331". The line above the line searched would give you the package name, and may look something like this:



Package [com.android.chrome] (172ca1a):
userId=10021
...
Package [com.tihomobi.lockframe.syslocker] (172ca1a):
userId=10331


The two package names are com.android.chrome (for Chrome browser -- certainly not malware) and com.tihomobi.lockframe.syslocker. To know the app's name from package name, use my answer here.





Now that you know the culprit, you can disable it through GUI as stated above. If that is not possible, do:



adb shell pm disable-user PKG_NAME # disables the app
adb shell pm uninstall --user 0 PKG_NAME # removes the app for primary user
adb shell am force-stop PKG_NAME # only force-stops the app


Replace PKG_NAME with package name of the malware you noted in the troubleshooting above.


That should do the trick. Furthermore, you can also consider removing the malware app permanently for all users, but that requires root access.
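A small triage script, added here as an example (it is not part of the answer and not an Android tool), that automates the three lookups the answer walks through: pulling mCallingPackage/launchedFromPackage out of dumpsys activity activities, matching the START ... from uid lines in logcat, and resolving each uid through the Package [...] / userId= pairs of dumpsys package. The embedded samples are constructed from the excerpts above; the function names and the 2b3c4d5 object id are assumptions.

```python
import re
# Constructed samples modelled on the dumpsys and logcat excerpts quoted in the answer above.
ACTIVITIES_DUMP = """\
  userId=0 effectiveUid=u0a64 mCallingUid=u0a26 mCallingPackage=com.tihomobi.lockframe.syslocker
    launchedFromUid=10026 launchedFromPackage=com.tihomobi.lockframe.syslocker userId=0
"""
LOGCAT = """\
[ 11-27 16:03:22.592 3499: 6536 I/ActivityManager ]
START u0 {act=android.intent.action.VIEW dat=https://livemobilesearch.com/... pkg=org.mozilla.firefox cmp=org.mozilla.firefox/.App}
from uid 10021
[ 11-27 16:03:22.647 3499:15238 I/ActivityManager ]
START u0 {act=android.intent.action.VIEW dat=https://livemobilesearch.com/... pkg=org.mozilla.firefox cmp=org.mozilla.firefox/org.mozilla.gecko.BrowserApp}
from uid 10331
"""
PACKAGES_DUMP = """\
Package [org.mozilla.firefox] (172ca1a):
  userId=10021
Package [com.tihomobi.lockframe.syslocker] (2b3c4d5):
  userId=10331
"""

def find_calling_packages(activities_dump):
    # Distinct callers named by 'dumpsys activity activities' (mCallingPackage / launchedFromPackage).
    return sorted(set(re.findall(r"(?:mCallingPackage|launchedFromPackage)=(\S+)", activities_dump)))

def uid_to_package(packages_dump):
    # In 'dumpsys package' the userId= line belongs to the nearest preceding 'Package [...]' header.
    mapping, current = {}, None
    for line in packages_dump.splitlines():
        header = re.match(r"\s*Package \[([^\]]+)\]", line)
        uid = re.match(r"\s*userId=(\d+)", line)
        if header:
            current = header.group(1)
        elif uid and current:
            mapping[int(uid.group(1))] = current
    return mapping

def attribute_launches(logcat, packages_dump):
    # Resolve 'from uid N' of every VIEW intent START to a package; flag the launch when that package
    # is not the browser named in cmp=, i.e. some other app pushed the URL into the browser.
    uids = uid_to_package(packages_dump)
    results = []
    for m in re.finditer(r"START u0 \{(?P<intent>[^}]*)\}\s*from uid (?P<uid>\d+)", logcat):
        intent = m.group("intent")
        url = re.search(r"dat=(\S+)", intent)
        target = re.search(r"cmp=([^/\s]+)/", intent)
        target_pkg = target.group(1) if target else None
        caller = uids.get(int(m.group("uid")), "uid " + m.group("uid"))
        results.append({"caller": caller, "target": target_pkg, "url": url.group(1) if url else None,
                        "suspicious": target_pkg is not None and caller != target_pkg})
    return results
```

The check only flags cross-package launches; when the resolved caller is the browser itself (the case the answer mentions for the dumpsys method), nothing is flagged and the raw uid in the logcat line remains the lead to chase by hand.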

