Article Updated: 14 July 2019
According to our source, this problem was caused by ElephantData SDK (dev toolkit which provides ads monetization, market intelligence and analytics). Many developers are, apparently, offered to use their SDK under lucrative conditions, but it seems to contain a malware, even in the latest available version (2.3.7). If this is true, both users and developers are in danger unless they remove the offending SDK or it gets fixed.
This is the only relevant page we discovered that potentially discusses security of their SDK implementation (Stack Overflow in Russian). And another good read for app developers.
We are not sure if they are aware of this or not, we will try and contact them for a comment and report back here with their response. Update: After 45 days we still haven’t received a response.
This seems to be a second major incident with Android OS and Google Play Store in recent months. Another one was with a company behind famous ES File Explorer app.
ScreenStream Mirroring Free app was triggering the browser hijack — in my case at least, there are probably many other infected apps out there! Be sure to watch out and report them at Google Play Store.
> Developer promptly responded to our report with reply that this was most definitely not intentional, updated their app and fixed the issue.
How To Report An App on Google Play Store?
- Run Google Play Store app on your device
- Find (use Search icon) and open the offending App’s page
- Click on 3-dots menu in the top right corner and choose Flag as inappropriate option
- Pick Harmful to device or data option and enter brief summary of what you discovered
Latest updates:
- Avast does not fully help as initially believed
- VirusTotal app for Android Mobile added to scanning tools list (didn’t help fixing this)
- Team from Kaspersky Lab created special debugging app (unofficial for now) that acts like a browser in order to catch rogue app – UPDATE: Intent Catcher app didn’t help!
- Team from Kaspersky Lab created special Firefox browser with all action logging capability – it is working!
- With so many unrelated, completely different apps being reported (e.g. ScreenStream Mirroring, Opera Mini, Pi Music Player etc.), there must be a common denominator here, like an infected Ad Network SDK exploit, commonly used dev-kit component or something related.
The Journey Begins
Recently, literally out of the blue, my Android phone started acting very strange, all by it’s own free will occasionally starting Chrome browser app and automatically opening appsquare.net (go on click on it – our link just opens google search results – not actual malware page) website filled with advertisement. Searching the web, turns out it was related / connected to novelcamp.net malware.
There was no apparent rule what triggered this behavior, was it some app, some random event, and it even occurred right after clean phone restarts couple of times. Google Play Store’s Play Protect service did not find anything suspicious on initial scan, and initial Google search didn’t help, either.
Only changes done recently were installed few very popular games from Play Store, couple of them removed in the meantime, and no 3rd party apps from unknown or independent publishing platforms were installed. Phone was clean and used mostly for work. No suspicious websites were ever visited on this device, so the chance of catching up something with implied risk was out of the question. Just a regular, ordinary use, really.
Is there an easy solution to fix this?
How To Fix AppSquare.net / NovelCamp.net Malware – Browser Hijack
I tested couple of free anti-malware apps from Play Store (all of them are ad-supported, but that’s OK) and here are my findings.
AVG AntiVirus for Android
We start our journey with a well-known AVG protection tool back from the days when desktop PCs powered by Windows operating system were extremely dominant home-computing platform, and mobile segment was dominated by various dumb and Nokia’s Symbian smart phones. Those were the days…
Unfortunately, at the time I was infected by this pest, latest AVG Free Edition version was not able to fix it. In fact, it still happened regardless of AVG app being installed and full scan performed.
Malwarebytes AntiMalware for Android
Our next trial was a solution from Malwarebytes – almost equally known protection app as above AVG, but, apparently, much less popular on Android according to official Google PlayStore stats, which also turned up on first page in Google Search results for NovelCamp infection.
After performing device scan, Malwarebytes tool reported usual check points e.g. unprotected WiFi network, enabled developer USB debugging mode that should be turned off, and one thing AVG was silent about: UpgradeSys system app with known vulnerabilities and attack vectors.
Well, I just briefly stopped the app, as it is not possible to uninstall it directly from the Apps without root access (check Malwarebyte’s website for instructions how to do this on non-rooted phones if you are interested), but later, with each phone reboot (restart) it was up and running again.
However, somehow I was still not convinced that this was the problem, and decided to move on to the next available app and hope it will fix the problem, which was still happening, btw!
Avast Android Mobile Security
One of my final hopes was to try Avast for Android. I used it occasionally on some of my PCs, particularly those used by relatives, as they frequently end-up with malware infections eventually. Avast just postpones that process a lot longer, if not entirely prevents it.
Anyway, once installed, Avast also offered an option to activate Advanced Web Shield continuous protection. I said – what the heck, nothing to lose here, so full browser monitoring was active. Yes, that probably invades your privacy, as Avast will scan all the visited URLs regularly in the background, but I had to catch the culprit and get rid of it.
Minor annoying thing is that Avast constantly displays message in your notification area “We’re always protecting you” or something along that line. At first, you might think this is some marketing crap or whatever, but if you visit Avast Settings later and wish to turn it off, you will learn that by disabling this notification you may jeopardize Avast continuous protection, as Android may kill the background app to preserve system resources and battery. Alternatively, you can replace it and select other optional appearances in form of a quick access and control toolbar / curtain widget.
After initial full scan and few issues ‘fixed’ in the Activity Log (there is no way to tell what they were, unfortunately), 3 days have passed and there was not a single occurrence of annoying random Chrome app launch with appsquare.net homepage opening. Hooray!
After 3 days of continuous running, as an experiment and proof test, I decided to uninstall / remove Avast (or avast!) completely and see if the pest was just quarantined or actually fixed.
7 days later, at the moment I am writing this, still nothing. There is nothing else I can do, except to draw a conclusion that it was – fixed.
ANDROID MALWARE BROWSER HIJACK RETURNS
UPDATE: Unfortunately, the issue returned. This time, instead of appsquare.net, the domains (websites) were new.qwer1234.xyz and game.ygmt.xyz. Obviously, generic domains (with subdomains) full of advertisements. Ads are also served by Google Ads and since all websites pass human stuff screening tests before actual approval to be able to serve ads by Google, this only means that this is a very carefully designed malware campaign.
Avast was installed again, with advanced shield and storage scanning turned-on. Remains to be seen what will happen next. However, it happened again even with Avast’s persistent advanced shield being active.
It seems that this malware is exploiting vulnerability in ad serving network to execute a scheduled browser hijacking event. Google warned about BatMobi Ad SDK in December, and already pulled several apps from Play Store since. At this moment no true solution exists, except to locate the apps which use unreliable ad networks and exploits.
VirusTotal for Android Mobile
VirusTotal is a famous free anti-malware / anti-virus file scanning online service now owned by Google (Alphabet Chronicle). Whenever you are suspicious about certain file you wish to download (or already downloaded) from internet, you can use URL or FILE upload tool to scan it.
VirusTotal runs virtual machines in the background with various malware detection tools and returns a score / detection message if anything is found. Be aware that sometimes there could be a false positive, which is usually manifested by high negative/positive ration from many tools. On the other hand, sometimes only a handful of tools can detect certain new form of attack, before others get updated, so you should be careful in all cases.
I downloaded mobile version of VirusTotal (app is officially listed on VirusTotal website), and scanned all installed apps. Tool found only one app with the problem, an ad-free Calculator. Because, this calculator is ad-free (it does not display any ads, and has in-app purchase upgrade), I doubt it is the one responsible, since I have it installed for at least a full year now.
I have removed this app. However, low detection ratio 8/58 can mean a false positive here.
If ad-serving network is compromised, it may not be detected easily and right away, if the exploit does not itself contain anything dangerous, and just executes on a scheduled / random basis and then removes all the traces as evidence. Waiting game is still ON.
KASPERSKY LAB – Browser Hijack Detection Apps
Team from Kaspersky Lab put considerable effort with special apps that can pose as a default browser and try to catch the application that triggers browser hijacking events.
Forum topic (in Russian):
https://forum.kaspersky.com/index.php?/topic/409072/
Intent Catcher App
UPDATE:
Intent Catcher app didn’t help! Popup happened again apparently bypassing browser selection dialog.
It might help if you set this app as default browser to open all supported links without android’s app selection / confirmation dialog — haven’t tried this because I switched to modified Firefox app in the meantime — read further section below.
Intent Catcher App – Demo Video:
https://box.kaspersky.com/f/ca86500e9654426385f0/
Quick Instructions:
- Download Intent Catcher .APK file
- Install .APK file (you must enable apps from unknown sources temporarily)
- Disable DEFAULT BROWSER option in your Chrome, Firefox or whatever app you use:
Android Settings > Apps > APP NAME > Open by default > Clear All Defaults - App will kick-in for all http links that are automatically triggered and you have to select JUST ONCE / This Time Only option (alternatively, you can set it as a default browser app right away, because recommended method didn’t work in my case and hijacked Chrome session was automatically started again bypassing Intent Catcher completely!)
- App will report to you which app did it
- Uninstall or disable reported app and wait for an update
Firefox Browser App – Special Activity Logging Build
UPDATE:
After Intent Catcher initial failure, Kaspersky Team’s second attempt was a special Firefox app browser build that logs all activities.
Quick Instructions:
- Download Custom Firefox .APK file from your phone
- Install .APK file (you must enable apps from unknown sources temporarily)
- Start Custom Firefox browser and set it as default temporarily until you catch infected app
Android Settings > Apps > (custom) Firefox > Open by default > Open supported links and set Open in this app option
- App will kick-in for all http links that are automatically triggered
- You must manually grant WRITE ACCESS for logging activity:
Android Settings > Apps > (custom) Firefox > Permissions and enable Storage permission
- The application will log all activity in /internal storage/moz_url_log.txt file
- Uninstall or disable reported suspicious app when appsquare/novelcamp page pops-up and wait for an update
UPDATE:
Kaspersky Firefox browser special edition app is working! It caught our infected app!
How intercepted hijack session looks:
Content of moz_url_log.txt:
WHAT HAVE I LEARNED FROM THIS SECURITY INCIDENT ?
I consider myself educated technology person, which does not mean that attribute can protect me from all the dangers that are lurking around the modern web.
And I can usually tell the difference between a fake advertisement and true / valid ad banner, malicious URLs (web links) and DOs and DONTs of internet usage. However, even to the best of us this kind of infections can sometimes happen.
Apparently, we are already living in an era when using your smart phones without some 3rd party protection is like walking almost completely naked on the street, despite effort from Google with Play Protect and multiple layers of app screening tests.
Disturbing fact is that neither Play Protect nor any available Anti-Malware / Anti-Virus apps discovered that something was wrong. Even with full browser protection and monitoring option active.
Just recent Play Store apps incidents (read more about this on links listed below), which revealed some extremely popular apps and games being infected with initially undetected malware until millions of users already installed and heavily used them, is alarming trend, to say at least.
You have to stay safe using all available means, of course, within some common sense boundaries and safety rules, because modern smart phones are not just phones, they are paying gateways and personal IDs.
Developers have a huge responsibility – now more than ever. Including 3rd party SDKs is a huge risk both for their and users security, particularly those from closed unknown sources and alike, under suspiciously beneficial conditions (when money is involved). Developers risk that their apps or accounts get banned/closed, and users get exposed to unwanted spam, data collection and even personal data leaks. The scariest part in all this is the fact that end users are completely unaware and out of control!
Always remember that even the best state-of-the-art anti-virus and anti-malware software can only protect you from a known threats, and not new and unknown exploits and vulnerabilities. False sense of security is more dangerous than no security at all, figuratively speaking. Even account protections can be bypassed, as history has demonstrated on multiple occasions.
We thank Kaspersky Team for helping us solve this issue!
External Related Resources
https://security.googleblog.com/2018/12/tackling-ads-abuse-in-apps-and-sdks.html
https://www.reddit.com/r/GalaxyS9/comments/ai98c0/novelcampnet_automatically_pops_up_in_android/
https://piunikaweb.com/2019/02/23/our-analysis-on-annoying-chrome-ad-popups-on-samsung-phones/