SOLVED! How To Fix Android AppSquare.net / NovelCamp.net Malware Chrome Browser Hijack

Article Updated: 13 March 2019

Rogue App Found! Kaspersky Firefox browser special edition caught the culprit!

ScreenStream Mirroring Free app was triggering the browser hijack — in my case at least, there are probably many other infected apps out there! Be sure to watch out and report them at Google Play Store.

> App developer was notified – waiting for response.

>> Developer promptly responded to our report with reply that this was most definitely not intentional and that they are going to investigate this issue and fix it as soon as possible.

>>> App developer updated app and fixed the issue.

How To Report An App on Google Play Store?

  1. On App’s page click on 3-dots menu in the top right corner and choose Flag as inappropriate option.
  2. Pick Harmful to device or data option and enter brief summary of what you did.

Latest updates:

  • Avast does not fully help as initially believed
  • VirusTotal app for Android Mobile added to scanning tools list (didn’t help fixing this)
  • Team from Kaspersky Lab created special debugging app (unofficial for now) that acts like a browser in order to catch rogue app – UPDATE: Intent Catcher app didn’t help!
  • Team from Kaspersky Lab created special Firefox browser with all action logging capability – it is working!
  • With so many unrelated, completely different apps being reported (e.g. ScreenStream Mirroring, Opera Mini, Pi Music Player etc.), there must be a common denominator here, like an infected Ad Network SDK exploit, commonly used dev-kit component or something related.

The Journey Begins

Recently, literally out of the blue, my Android phone started acting very strange, all by it’s own free will occasionally starting Chrome browser app and automatically opening appsquare.net (go on click on it – our link just opens google search results – not actual malware page) website filled with advertisement. Searching the web, turns out it was related / connected to novelcamp.net malware.

Android Logo Pixel Effect

There was no apparent rule what triggered this behavior, was it some app, some random event, and it even occurred right after clean phone restarts couple of times. Google Play Store’s Play Protect service did not find anything suspicious on initial scan, and initial Google search didn’t help, either.

Anti-Virus Comic by TehnoBlog.org

Anti-Virus Comic by TehnoBlog.org

Only changes done recently were installed few very popular games from Play Store, couple of them removed in the meantime, and no 3rd party apps from unknown or independent publishing platforms were installed. Phone was clean and used mostly for work. No suspicious websites were ever visited on this device, so the chance of catching up something with implied risk was out of the question. Just a regular, ordinary use, really.

AppSquare.Net Android Malware

AppSquare.Net Android Malware

Is there an easy solution to fix this?

How To Fix AppSquare.net / NovelCamp.net Malware – Browser Hijack

I tested couple of free anti-malware apps from Play Store (all of them are ad-supported, but that’s OK) and here are my findings.

AVG AntiVirus for Android

We start our journey with a well-known AVG protection tool back from the days when desktop PCs powered by Windows operating system were extremely dominant home-computing platform, and mobile segment was dominated by various dumb and Nokia’s Symbian smart phones. Those were the days…

AVG Free For Android - Google PlayStore App Screenshot

AVG Free For Android – Google PlayStore App Screenshot

Unfortunately, at the time I was infected by this pest, latest AVG Free Edition version was not able to fix it. In fact, it still happened regardless of AVG app being installed and full scan performed.

Malwarebytes AntiMalware for Android

Our next trial was a solution from Malwarebytes – almost equally known protection app as above AVG, but, apparently, much less popular on Android according to official Google PlayStore stats, which also turned up on first page in Google Search results for NovelCamp infection.

Malwarebytes Free For Android - Google PlayStore App Screenshot

Malwarebytes Free For Android – Google PlayStore App Screenshot

After performing device scan, Malwarebytes tool reported usual check points e.g. unprotected WiFi network, enabled developer USB debugging mode that should be turned off, and one thing AVG was silent about: UpgradeSys system app with known vulnerabilities and attack vectors.

Android UpgradeSys App Info

Android UpgradeSys App Info

Well, I just briefly stopped the app, as it is not possible to uninstall it directly from the Apps without root access (check Malwarebyte’s website for instructions how to do this on non-rooted phones if you are interested), but later, with each phone reboot (restart) it was up and running again.

However, somehow I was still not convinced that this was the problem, and decided to move on to the next available app and hope it will fix the problem, which was still happening, btw!

Avast Android Mobile Security

One of my final hopes was to try Avast for Android. I used it occasionally on some of my PCs, particularly those used by relatives, as they frequently end-up with malware infections eventually. Avast just postpones that process a lot longer, if not entirely prevents it.

Avast Free AntiVirus For Android - Google PlayStore App Screenshot

Avast Free AntiVirus For Android – Google PlayStore App Screenshot

Anyway, once installed, Avast also offered an option to activate Advanced Web Shield continuous protection. I said – what the heck, nothing to lose here, so full browser monitoring was active. Yes, that probably invades your privacy, as Avast will scan all the visited URLs regularly in the background, but I had to catch the culprit and get rid of it.

Avast Advanced Web Shield Enable Steps

Avast Advanced Web Shield Enable Steps

Minor annoying thing is that Avast constantly displays message in your notification area “We’re always protecting you” or something along that line. At first, you might think this is some marketing crap or whatever, but if you visit Avast Settings later and wish to turn it off, you will learn that by disabling this notification you may jeopardize Avast continuous protection, as Android may kill the background app to preserve system resources and battery. Alternatively, you can replace it and select other optional appearances in form of a quick access and control toolbar / curtain widget.

After initial full scan and few issues ‘fixed’ in the Activity Log (there is no way to tell what they were, unfortunately), 3 days have passed and there was not a single occurrence of annoying random Chrome app launch with appsquare.net homepage opening. Hooray!

After 3 days of continuous running, as an experiment and proof test, I decided to uninstall / remove Avast (or avast!) completely and see if the pest was just quarantined or actually fixed.

7 days later, at the moment I am writing this, still nothing. There is nothing else I can do, except to draw a conclusion that it was – fixed.

ANDROID MALWARE BROWSER HIJACK RETURNS

UPDATE: Unfortunately, the issue returned. This time, instead of appsquare.net, the domains (websites) were new.qwer1234.xyz and game.ygmt.xyz. Obviously, generic domains (with subdomains) full of advertisements. Ads are also served by Google Ads and since all websites pass human stuff screening tests before actual approval to be able to serve ads by Google, this only means that this is a very carefully designed malware campaign.

Android Malware Browser Hijack Returns

Android Malware Browser Hijack Returns

Avast was installed again, with advanced shield and storage scanning turned-on. Remains to be seen what will happen next. However, it happened again even with Avast’s persistent advanced shield being active.

It seems that this malware is exploiting vulnerability in ad serving network to execute a scheduled browser hijacking event. Google warned about BatMobi Ad SDK in December, and already pulled several apps from Play Store since. At this moment no true solution exists, except to locate the apps which use unreliable ad networks and exploits.

VirusTotal for Android Mobile

VirusTotal is a famous free anti-malware / anti-virus file scanning online service now owned by Google (Alphabet Chronicle). Whenever you are suspicious about certain file you wish to download (or already downloaded) from internet, you can use URL or FILE upload tool to scan it.

VirusTotal Android Mobile

VirusTotal Android Mobile

VirusTotal runs virtual machines in the background with various malware detection tools and returns a score / detection message if anything is found. Be aware that sometimes there could be a false positive, which is usually manifested by high negative/positive ration from many tools. On the other hand, sometimes only a handful of tools can detect certain new form of attack, before others get updated, so you should be careful in all cases.

I downloaded mobile version of VirusTotal (app is officially listed on VirusTotal website), and scanned all installed apps. Tool found only one app with the problem, an ad-free Calculator. Because, this calculator is ad-free (it does not display any ads, and has in-app purchase upgrade), I doubt it is the one responsible, since I have it installed for at least a full year now.

I have removed this app. However, low detection ratio 8/58 can mean a false positive here.

VirusTotal Android Mobile - Detected Malware Infected App

VirusTotal Android Mobile – Detected Malware Infected App

If ad-serving network is compromised, it may not be detected easily and right away, if the exploit does not itself contain anything dangerous, and just executes on a scheduled / random basis and then removes all the traces as evidence. Waiting game is still ON.

KASPERSKY LAB – Browser Hijack Detection Apps

Team from Kaspersky Lab put considerable effort with special apps that can pose as a default browser and try to catch the application that triggers browser hijacking events.

Kaspersky Lab - Google Play Store Apps

Kaspersky Lab – Google Play Store Apps

Forum topic (in Russian):
https://forum.kaspersky.com/index.php?/topic/409072/

Intent Catcher App

UPDATE:
Intent Catcher app didn’t help! Popup happened again apparently bypassing browser selection dialog.

It might help if you set this app as default browser to open all supported links without android’s app selection / confirmation dialog — haven’t tried this because I switched to modified Firefox app in the meantime — read further section below.

Intent Catcher App – Demo Video:
https://box.kaspersky.com/f/ca86500e9654426385f0/

Kaspersky Lab - Android Browser Hijack Detection - Intent Catcher App Use

Kaspersky Lab – Android Browser Hijack Detection – Intent Catcher App Use

Quick Instructions:

  1. Download Intent Catcher .APK file
  2. Install .APK file (you must enable apps from unknown sources temporarily)
  3. Disable DEFAULT BROWSER option in your Chrome, Firefox or whatever app you use:
    Android Settings > Apps > APP NAME > Open by default > Clear All Defaults
  4. App will kick-in for all http links that are automatically triggered and you have to select JUST ONCE / This Time Only option (alternatively, you can set it as a default browser app right away, because recommended method didn’t work in my case and hijacked Chrome session was automatically started again bypassing Intent Catcher completely!)
  5. App will report to you which app did it
  6. Uninstall or disable reported app and wait for an update

Firefox Browser App – Special Activity Logging Build

UPDATE:
After Intent Catcher initial failure, Kaspersky Team’s second attempt was a special Firefox app browser build that logs all activities.

Quick Instructions:

  1. Download Custom Firefox .APK file from your phone
  2. Install .APK file (you must enable apps from unknown sources temporarily)
  3. Start Custom Firefox browser and set it as default temporarily until you catch infected app

    Android Settings > Apps > (custom) Firefox > Open by default > Open supported links and set Open in this app option

  4. App will kick-in for all http links that are automatically triggered
  5. You must manually grant WRITE ACCESS for logging activity:

    Android Settings > Apps > (custom) Firefox > Permissions and enable Storage permission

  6. The application will log all activity in /internal storage/moz_url_log.txt file
  7. Uninstall or disable reported suspicious app when appsquare/novelcamp page pops-up and wait for an update

UPDATE:
Kaspersky Firefox browser special edition app is working! It caught our infected app!

How intercepted hijack session looks:

Kaspersky - Firefox Special Logging Actions App Edition - Intercepting Browser Hijack Request

Kaspersky – Firefox Special Logging Actions App Edition – Intercepting Browser Hijack Request

Content of moz_url_log.txt:

Kaspersky - Firefox Special Logging Actions App Edition - Activity Log

Kaspersky – Firefox Special Logging Actions App Edition – Activity Log

WHAT HAVE I LEARNED FROM THIS SECURITY INCIDENT ?

I consider myself educated technology person, which does not mean that attribute can protect me from all the dangers that are lurking around the modern web.

And I can usually tell the difference between a fake advertisement and true / valid ad banner, malicious URLs (web links) and DOs and DONTs of internet usage. However, even to the best of us this kind of infections can sometimes happen.

Apparently, we are already living in an era when using your smart phones without some 3rd party protection is like walking almost completely naked on the street, despite effort from Google with Play Protect and multiple layers of app screening tests.

Disturbing fact is that neither Play Protect nor any available Anti-Malware / Anti-Virus apps discovered that something was wrong. Even with full browser protection and monitoring option active.

Just recent Play Store apps incidents (read more about this on links listed below), which revealed some extremely popular apps and games being infected with initially undetected malware until millions of users already installed and heavily used them, is alarming trend, to say at least.

You have to stay safe using all available means, of course, within some common sense boundaries and safety rules, because modern smart phones are not just phones, they are paying gateways and personal IDs.

Always remember that even the best state-of-the-art anti-virus and anti-malware software can only protect you from a known threats, and not new and unknown exploits and vulnerabilities. False sense of security is more dangerous than no security at all, figuratively speaking. Even account protections can be bypassed, as history has demonstrated on multiple occasions.

We thank Kaspersky Team for helping us solve this issue!

External Related Resources

https://forum.kaspersky.com/index.php?/topic/409072/

https://security.googleblog.com/2018/12/tackling-ads-abuse-in-apps-and-sdks.html

https://www.reddit.com/r/GalaxyS9/comments/ai98c0/novelcampnet_automatically_pops_up_in_android/

https://piunikaweb.com/2019/02/23/our-analysis-on-annoying-chrome-ad-popups-on-samsung-phones/

Comments


  1. comments

    2 Comments

    Add Your Comment
  2. 1. Tony

    Can I email you- having the exact same issues. Not very tech savy- getting a little lost once I downloaded Firefox. Thanks

  3. 2. TehnoBlog (In reply to Tony)

    Hi Tony, after you downloaded and installed Firefox app, you are already half-through. All you need to do now is make Firefox your default browser app.

    EASY WAY

    Open Firefox app that you just installed, look at the top right corner and see 3 vertical dots (drawer menu icon). Tap on it, and scroll all the way down near the end and click on option named Make default browser.

    MANUAL WAY

    Go to Android Settings, then Apps, and there you will have the list of all installed apps. Once you locate Firefox, just click on it to open info/options, and as instructed in the article, set it as default app for supported links. Then just wait for hijack event to happen.

    * * *

    In the meantime, if you use Gmail or some other email app, you can try opening any link in some emails, just to verify that Firefox is default browser and it is working. Alternatively, if you use WhatsApp, Viber or some other messenger app, you can send to you or some friend a simple link text, e.g. just type-in google.com and send a message. Then, click on that link and it should be opened by Firefox.

    If that’s not the case, you will be presented with a pop-up dialog to select an appropriate app for this action e.g. Chrome or Firefox, and you have to select Firefox and make it default (pick Always option). Don’t worry, later when you remove Firefox app, Chrome will be again your default browser, or you may continue with Firefox, that’s up to you, really.

    * * *

    After hijack event occurs, you need to locate Firefox’s app log file, and for that you need a File Manager or File Explorer app. You can use Google’s Files app for that, open Files app, tap on Browse button (look at the bottom in the middle of your screen) and select Internal Memory. Log file is usually in the root (main, top) folder of your internal phone memory / storage, as mentioned in the article.

    It is really simple, just follow it step by step.

Post A Comment

I have read and consent to Privacy Policy and Terms and Conditions