SOLVED! How To Fix Android AppSquare.net / NovelCamp.net Malware Chrome Browser Hijack

Article Updated: 14 July 2019

According to our source, this problem was caused by the ElephantData SDK (a dev toolkit which provides ads monetization, market intelligence and analytics). Many developers are, apparently, offered the use of this SDK under lucrative conditions, but it seems to contain malware, even in the latest available version (2.3.7). If this is true, both users and developers are in danger unless they remove the offending SDK or it gets fixed.

This is the only relevant page we discovered that potentially discusses security of their SDK implementation (Stack Overflow in Russian). And another good read for app developers.

We are not sure whether they are aware of this; we will try to contact them for a comment and report back here with their response. Update: After 45 days we still haven’t received a response.

This seems to be a second major incident with Android OS and Google Play Store in recent months. Another one was with a company behind famous ES File Explorer app.


ScreenStream Mirroring Free app was triggering the browser hijack — in my case at least, there are probably many other infected apps out there! Be sure to watch out and report them at Google Play Store.

> Developer promptly responded to our report with reply that this was most definitely not intentional, updated their app and fixed the issue.

How To Report An App on Google Play Store?

  1. Run Google Play Store app on your device
  2. Find (use Search icon) and open the offending App’s page
  3. Click on 3-dots menu in the top right corner and choose Flag as inappropriate option
  4. Pick Harmful to device or data option and enter brief summary of what you discovered

Latest updates:

  • Avast does not fully help as initially believed
  • VirusTotal app for Android Mobile added to scanning tools list (didn’t help fixing this)
  • Team from Kaspersky Lab created special debugging app (unofficial for now) that acts like a browser in order to catch rogue app – UPDATE: Intent Catcher app didn’t help!
  • Team from Kaspersky Lab created special Firefox browser with all action logging capability – it is working!
  • With so many unrelated, completely different apps being reported (e.g. ScreenStream Mirroring, Opera Mini, Pi Music Player etc.), there must be a common denominator here, like an infected Ad Network SDK exploit, commonly used dev-kit component or something related.

The Journey Begins

Recently, literally out of the blue, my Android phone started acting very strange, all of its own free will occasionally starting the Chrome browser app and automatically opening the appsquare.net website filled with advertisements (go on, click on it: our link just opens Google search results, not the actual malware page). Searching the web, it turned out to be related / connected to the novelcamp.net malware.


There was no apparent rule what triggered this behavior, was it some app, some random event, and it even occurred right after clean phone restarts couple of times. Google Play Store’s Play Protect service did not find anything suspicious on initial scan, and initial Google search didn’t help, either.

Anti-Virus Comic by TehnoBlog.org


The only recent changes were a few very popular games installed from Play Store, a couple of them removed in the meantime, and no 3rd party apps from unknown or independent publishing platforms were installed. The phone was clean and used mostly for work. No suspicious websites were ever visited on this device, so the chance of catching something with implied risk was out of the question. Just regular, ordinary use, really.

AppSquare.Net Android Malware


Is there an easy solution to fix this?

How To Fix AppSquare.net / NovelCamp.net Malware – Browser Hijack

I tested couple of free anti-malware apps from Play Store (all of them are ad-supported, but that’s OK) and here are my findings.

AVG AntiVirus for Android

We start our journey with a well-known AVG protection tool back from the days when desktop PCs powered by Windows operating system were extremely dominant home-computing platform, and mobile segment was dominated by various dumb and Nokia’s Symbian smart phones. Those were the days…

AVG Free For Android - Google PlayStore App Screenshot


Unfortunately, at the time I was infected by this pest, latest AVG Free Edition version was not able to fix it. In fact, it still happened regardless of AVG app being installed and full scan performed.

Malwarebytes AntiMalware for Android

Our next trial was a solution from Malwarebytes – almost equally known protection app as above AVG, but, apparently, much less popular on Android according to official Google PlayStore stats, which also turned up on first page in Google Search results for NovelCamp infection.

Malwarebytes Free For Android - Google PlayStore App Screenshot


After performing device scan, Malwarebytes tool reported usual check points e.g. unprotected WiFi network, enabled developer USB debugging mode that should be turned off, and one thing AVG was silent about: UpgradeSys system app with known vulnerabilities and attack vectors.

Android UpgradeSys App Info


Well, I just briefly stopped the app, as it is not possible to uninstall it directly from the Apps without root access (check Malwarebyte’s website for instructions how to do this on non-rooted phones if you are interested), but later, with each phone reboot (restart) it was up and running again.

However, somehow I was still not convinced that this was the problem, and decided to move on to the next available app and hope it will fix the problem, which was still happening, btw!

Avast Android Mobile Security

One of my final hopes was to try Avast for Android. I used it occasionally on some of my PCs, particularly those used by relatives, as they frequently end-up with malware infections eventually. Avast just postpones that process a lot longer, if not entirely prevents it.

Avast Free AntiVirus For Android - Google PlayStore App Screenshot


Anyway, once installed, Avast also offered an option to activate Advanced Web Shield continuous protection. I said – what the heck, nothing to lose here, so full browser monitoring was active. Yes, that probably invades your privacy, as Avast will scan all the visited URLs regularly in the background, but I had to catch the culprit and get rid of it.

Avast Advanced Web Shield Enable Steps


Minor annoying thing is that Avast constantly displays message in your notification area “We’re always protecting you” or something along that line. At first, you might think this is some marketing crap or whatever, but if you visit Avast Settings later and wish to turn it off, you will learn that by disabling this notification you may jeopardize Avast continuous protection, as Android may kill the background app to preserve system resources and battery. Alternatively, you can replace it and select other optional appearances in form of a quick access and control toolbar / curtain widget.

After initial full scan and few issues ‘fixed’ in the Activity Log (there is no way to tell what they were, unfortunately), 3 days have passed and there was not a single occurrence of annoying random Chrome app launch with appsquare.net homepage opening. Hooray!

After 3 days of continuous running, as an experiment and proof test, I decided to uninstall / remove Avast (or avast!) completely and see if the pest was just quarantined or actually fixed.

7 days later, at the moment I am writing this, still nothing. There is nothing else I can do, except to draw a conclusion that it was – fixed.

ANDROID MALWARE BROWSER HIJACK RETURNS

UPDATE: Unfortunately, the issue returned. This time, instead of appsquare.net, the domains (websites) were new.qwer1234.xyz and game.ygmt.xyz. Obviously, generic domains (with subdomains) full of advertisements. Ads are also served by Google Ads, and since all websites pass human staff screening tests before actual approval to be able to serve ads by Google, this only means that this is a very carefully designed malware campaign.

Android Malware Browser Hijack Returns


Avast was installed again, with advanced shield and storage scanning turned-on. Remains to be seen what will happen next. However, it happened again even with Avast’s persistent advanced shield being active.

It seems that this malware is exploiting a vulnerability in an ad serving network to execute a scheduled browser hijacking event. Google warned about BatMobi Ad SDK in December, and has already pulled several apps from Play Store since. At this moment no true solution exists, except to locate the apps which use unreliable ad networks and exploits.

VirusTotal for Android Mobile

VirusTotal is a famous free anti-malware / anti-virus file scanning online service now owned by Google (Alphabet Chronicle). Whenever you are suspicious about certain file you wish to download (or already downloaded) from internet, you can use URL or FILE upload tool to scan it.

VirusTotal Android Mobile


VirusTotal runs virtual machines in the background with various malware detection tools and returns a score / detection message if anything is found. Be aware that sometimes there could be a false positive, which is usually manifested by a high negative/positive ratio from many tools. On the other hand, sometimes only a handful of tools can detect a certain new form of attack before the others get updated, so you should be careful in all cases.

I downloaded the mobile version of VirusTotal (the app is officially listed on the VirusTotal website), and scanned all installed apps. The tool found only one app with a problem, an ad-free Calculator. Because this calculator is ad-free (it does not display any ads, and has an in-app purchase upgrade), I doubt it is the one responsible, since I have had it installed for at least a full year now.

I have removed this app. However, low detection ratio 8/58 can mean a false positive here.

VirusTotal Android Mobile - Detected Malware Infected App


If ad-serving network is compromised, it may not be detected easily and right away, if the exploit does not itself contain anything dangerous, and just executes on a scheduled / random basis and then removes all the traces as evidence. Waiting game is still ON.

KASPERSKY LAB – Browser Hijack Detection Apps

The team from Kaspersky Lab put considerable effort into special apps that can pose as a default browser and try to catch the application that triggers browser hijacking events.

Kaspersky Lab - Google Play Store Apps


Forum topic (in Russian):
https://forum.kaspersky.com/index.php?/topic/409072/

Intent Catcher App

UPDATE:
Intent Catcher app didn’t help! Popup happened again apparently bypassing browser selection dialog.

It might help if you set this app as default browser to open all supported links without android’s app selection / confirmation dialog — haven’t tried this because I switched to modified Firefox app in the meantime — read further section below.

Intent Catcher App – Demo Video:
https://box.kaspersky.com/f/ca86500e9654426385f0/

Kaspersky Lab - Android Browser Hijack Detection - Intent Catcher App Use


Quick Instructions:

  1. Download Intent Catcher .APK file
  2. Install .APK file (you must enable apps from unknown sources temporarily)
  3. Disable DEFAULT BROWSER option in your Chrome, Firefox or whatever app you use:
    Android Settings > Apps > APP NAME > Open by default > Clear All Defaults
  4. App will kick-in for all http links that are automatically triggered and you have to select JUST ONCE / This Time Only option (alternatively, you can set it as a default browser app right away, because recommended method didn’t work in my case and hijacked Chrome session was automatically started again bypassing Intent Catcher completely!)
  5. App will report to you which app did it
  6. Uninstall or disable reported app and wait for an update

Firefox Browser App – Special Activity Logging Build

UPDATE:
After Intent Catcher initial failure, Kaspersky Team’s second attempt was a special Firefox app browser build that logs all activities.

Quick Instructions:

  1. Download Custom Firefox .APK file from your phone
  2. Install .APK file (you must enable apps from unknown sources temporarily)
  3. Start Custom Firefox browser and set it as default temporarily until you catch infected app

    Android Settings > Apps > (custom) Firefox > Open by default > Open supported links and set Open in this app option

  4. App will kick-in for all http links that are automatically triggered
  5. You must manually grant WRITE ACCESS for logging activity:

    Android Settings > Apps > (custom) Firefox > Permissions and enable Storage permission

  6. The application will log all activity in /internal storage/moz_url_log.txt file
  7. Uninstall or disable reported suspicious app when appsquare/novelcamp page pops-up and wait for an update

UPDATE:
Kaspersky Firefox browser special edition app is working! It caught our infected app!

How intercepted hijack session looks:

Kaspersky - Firefox Special Logging Actions App Edition - Intercepting Browser Hijack Request


Content of moz_url_log.txt:

Kaspersky - Firefox Special Logging Actions App Edition - Activity Log
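As an added example (not part of the original article and not Kaspersky's code), the log check from steps 6 and 7 can be scripted once moz_url_log.txt is copied off the phone. It assumes each log line has the form "package : url", as in the single line a reader quotes in the comments below; the package names and URLs in the sample are constructed, and the watchlist holds the domains named in this article and its comments.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Landing-page domains named in the article and its comments.
WATCHLIST = ("appsquare.net", "novelcamp.net", "qwer1234.xyz",
             "ygmt.xyz", "nicedll.com")
PLAY_URL = "https://play.google.com/store/apps/details?id="

# ASSUMPTION: one "<package id> : <url>" entry per line of the log.
LINE_RE = re.compile(r"^\s*([A-Za-z]\w*(?:\.\w+)+)\s*:\s*(\S.*?)\s*$")
# Re-joins a scheme that was split by spaces ("http: // host").
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)\s*:\s*//\s*")

def parse_line(line):
    """Return (package, url, host) or None if the line has another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    package, url = m.groups()
    url = SCHEME_RE.sub(r"\1://", url)
    host = (urlsplit(url).hostname or "").lower()
    return package, url, host

def on_watchlist(host, watchlist=WATCHLIST):
    """Match the domain itself or any subdomain, never a look-alike."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def triage(log_text):
    """Rank packages by how often they opened a watchlisted domain."""
    hits, hosts, unparsed = Counter(), {}, []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            unparsed.append(raw)  # keep it visible, do not drop silently
            continue
        package, _url, host = parsed
        if on_watchlist(host):
            hits[package] += 1
            hosts.setdefault(package, set()).add(host)
    suspects = [{"package": p, "hits": n, "hosts": sorted(hosts[p]),
                 "store_page": PLAY_URL + p}  # page to report the app from
                for p, n in hits.most_common()]
    return suspects, unparsed

# Constructed sample; package ids and paths are placeholders.
SAMPLE_LOG = """
com.example.flashlight : http: // c.nicedll.com/scene/?utm_source=constructed
com.example.flashlight : http://game.ygmt.xyz/
com.example.notes : https://www.google.com/search?q=weather
com.example.notes : https://appsquare.net.example.org/
com.example.mirror : http://new.qwer1234.xyz/index.html
-- log rotated --
"""

if __name__ == "__main__":
    suspects, unparsed = triage(SAMPLE_LOG)
    for s in suspects:
        print(s["hits"], s["package"], ",".join(s["hosts"]), s["store_page"])
    for line in unparsed:
        print("unparsed:", line)
```

Lines the script cannot parse are returned rather than dropped, so a log with a different layout shows up immediately instead of producing an empty suspect list.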


WHAT HAVE I LEARNED FROM THIS SECURITY INCIDENT ?

I consider myself educated technology person, which does not mean that attribute can protect me from all the dangers that are lurking around the modern web.

And I can usually tell the difference between a fake advertisement and a true / valid ad banner, spot malicious URLs (web links) and know the DOs and DON'Ts of internet usage. However, even to the best of us this kind of infection can sometimes happen.

Apparently, we are already living in an era when using your smart phones without some 3rd party protection is like walking almost completely naked on the street, despite effort from Google with Play Protect and multiple layers of app screening tests.

Disturbing fact is that neither Play Protect nor any available Anti-Malware / Anti-Virus apps discovered that something was wrong. Even with full browser protection and monitoring option active.

The recent Play Store app incidents (read more about this on the links listed below), which revealed some extremely popular apps and games being infected with initially undetected malware until millions of users had already installed and heavily used them, are an alarming trend, to say the least.

You have to stay safe using all available means, of course, within some common sense boundaries and safety rules, because modern smart phones are not just phones, they are paying gateways and personal IDs.

Developers have a huge responsibility – now more than ever. Including 3rd party SDKs is a huge risk both for their and users security, particularly those from closed unknown sources and alike, under suspiciously beneficial conditions (when money is involved). Developers risk that their apps or accounts get banned/closed, and users get exposed to unwanted spam, data collection and even personal data leaks. The scariest part in all this is the fact that end users are completely unaware and out of control!

Always remember that even the best state-of-the-art anti-virus and anti-malware software can only protect you from known threats, and not from new and unknown exploits and vulnerabilities. A false sense of security is more dangerous than no security at all, figuratively speaking. Even account protections can be bypassed, as history has demonstrated on multiple occasions.

We thank Kaspersky Team for helping us solve this issue!

External Related Resources

https://forum.kaspersky.com/index.php?/topic/409072/

https://security.googleblog.com/2018/12/tackling-ads-abuse-in-apps-and-sdks.html

https://www.reddit.com/r/GalaxyS9/comments/ai98c0/novelcampnet_automatically_pops_up_in_android/

https://piunikaweb.com/2019/02/23/our-analysis-on-annoying-chrome-ad-popups-on-samsung-phones/

Comments


  1. Tony

    Can I email you- having the exact same issues. Not very tech savvy- getting a little lost once I downloaded Firefox. Thanks

  2. TehnoBlog (In reply to Tony)

    Hi Tony, after you downloaded and installed Firefox app, you are already half-through. All you need to do now is make Firefox your default browser app.

    EASY WAY

    Open Firefox app that you just installed, look at the top right corner and see 3 vertical dots (drawer menu icon). Tap on it, and scroll all the way down near the end and click on option named Make default browser.

    MANUAL WAY

    Go to Android Settings, then Apps, and there you will have the list of all installed apps. Once you locate Firefox, just click on it to open info/options, and as instructed in the article, set it as default app for supported links. Then just wait for hijack event to happen.

    * * *

    In the meantime, if you use Gmail or some other email app, you can try opening any link in some emails, just to verify that Firefox is default browser and it is working. Alternatively, if you use WhatsApp, Viber or some other messenger app, you can send to you or some friend a simple link text, e.g. just type-in google.com and send a message. Then, click on that link and it should be opened by Firefox.

    If that’s not the case, you will be presented with a pop-up dialog to select an appropriate app for this action e.g. Chrome or Firefox, and you have to select Firefox and make it default (pick Always option). Don’t worry, later when you remove Firefox app, Chrome will be again your default browser, or you may continue with Firefox, that’s up to you, really.

    * * *

    After hijack event occurs, you need to locate Firefox’s app log file, and for that you need a File Manager or File Explorer app. You can use Google’s Files app for that, open Files app, tap on Browse button (look at the bottom in the middle of your screen) and select Internal Memory. Log file is usually in the root (main, top) folder of your internal phone memory / storage, as mentioned in the article.

    It is really simple, just follow it step by step.

  3. Juan from Colombia

    Hi everyone!
    Thanks for your support.

    I have the same problem with YMGT Games pop up Adware, in this case … The malicious app is com.impactobtl.friendstrackerfree.com an app that I use to see how delete me in Facebook xD but now I deleted it.

    Thanks for all.

  4. Laura

    Had the same problem, caught the log file on Files app. Now I’m not sure if I’m doing this right:

    I opened the file, my phone asked with what app. I chose docs. The text on the doc is following: com.guruinfomedia.gps.speedometer : http: // c.nicedll.com/scene/ (utm portion redacted)

    So basically looks like guruinfomedia's speedometer app was the culprit? I deleted it, and now have to see if it was the real reason. Text above was written a week ago.

    Apparently I hadn’t posted this comment. Deleting Speedometer solved the problem for me.
    Is it possible to inform Play Store about the malware?

  5. TehnoBlog (In reply to Laura)

    Hi Laura, that URL seems to open an advertisement page, so the app definitely looks infected. You can report any app in Play Store as described in the beginning of this article. Thanks!

  6. Guest

    I have followed all the steps but there is only one problem. I cannot change the supported links option. I can see it in open by default but I can’t select it. I’m not sure how to explain, wish I could attach a screenshot. I changed Firefox as my default browser, it works as default for some apps. But for some I have to select the always option. The ymgt ad popped up but on Chrome instead of Firefox. Please help!

  7. TehnoBlog (In reply to Guest)

    Go to Android Settings > Apps > Chrome and locate Open by default option, click on it and then click CLEAR DEFAULTS button. This procedure might vary between different Android versions, but this is the gist of it.

  8. AZ

    I’ve installed Firefox and made it the default browser (disabled Chrome). What’s next? What else do I need to install?

  9. TehnoBlog (In reply to AZ)

    Nothing, simply wait until another popup occurs and when prompted choose Firefox to open that url / link. Firefox will automatically log the information in the log file as explained in the article.

    Then you have to manually open that log file with a text editor (or use File Manager to locate and open it) and see which application triggered the browser.

    Please note that the application id reported is in reverse domain format, so you have to figure out what the app’s Market name/title is. It usually contains a known word, but in some cases it only holds the parent company title.

  10. Guest

    great it helped
    thanks

  11. Guest

    Ever since I installed the modified Firefox my browser stopped getting hijacked. I initially thought that maybe the application that was causing this might have been updated in the meantime and that maybe the developer removed the library that was causing it from his application. I uninstalled Firefox and then the problem started to manifest again. Is it possible that they are now checking if you have Firefox installed as the default browser (I don’t know if they can also check its version) to see if they trigger the browser hijack in order to make it harder to detect the package of the app that’s causing this?

  12. TehnoBlog (In reply to Guest)

    Not sure, maybe. Have you checked modified Firefox’s log file?

  13. Guest (In reply to TehnoBlog)

    It didn’t create a log because it was not triggered.

  14. TehnoBlog (In reply to Guest)

    Well, I am not sure, really. Install it back and then wait, given the ‘randomness’ of event, sometimes you may need to wait 7-10 days, before it happens again. At one point, as I described in the article, I also thought it went away, but it occurred again after 7 days or so. Just be patient and if you catch it, please report it here. Thanks!

  15. Guest (In reply to TehnoBlog)

    I have identified the application that was hijacking my browser. Thanks for help.

  16. TehnoBlog (In reply to Guest)

    Great! Now just make sure to contact app developer, since their app is in danger of being permanently banned in the Play Store.

  17. Guest (In reply to TehnoBlog)

    I had a chat with the developer. He is using ElephantData SDK in his app.

  18. nick (In reply to Guest)

    what is the name of this app?

  19. TehnoBlog (In reply to nick)

    It may be interesting to know particular title, however, given the time and scope of their operations, one can only assume that there are at least several hundreds, if not thousands, apps infected.
