Help Android Chrome Redirection Virus/Malware/Adware

I can definitely confirm that all the redirection on my mobile phone (while connected to my home WiFi) and on my PC were caused by a hijack of my modem DNS settings. Whether the settings happened after I bought the modem (a week ago) or were there in the original settings, I don't know. Anyway, putting my ISP's DNS settings in the modem and clearing data and cache on my phone and PC's browsers have cleared up the problem.
 
This is not a problem with google ads nor has anything to do with your phone or any other device that you use. The issue is that the router has been attacked and the DNS has been changed.

Log on to your router and change the router settings to set the DNS settings to 'Obtain from ISP' or an equivalent option based on your router model. Alternately get the correct DNS value for your internet provider and enter those values for the DNS.

Regards,
Radnus

I didn't find this answer to be helpful at all. My router settings are fine.

I'm having a problem w/some kind of redirect malware on Chrome. One that seems to keep coming up is greatrewards dot mobi.

The only thing that helps in my case is closing Chrome, going to App Info and clearing all the data, and reopening Chrome.
 
This sounds like DNS poisoning in the ISP company. Awkward. The website with ads refers to an address which is spoofed in the ISP. The fake IP redirected you to the malicious site. So the best way to handle this is to open a ticket with your ISP.
Such redirection is cross site and this by dually should be banned on Chrome. Maybe the Android version doesn't support that. Correct me if I'm wrong.
 
Hi all. After seeing some new activity here I wanted to jump on and share a few things I've learned from my battles with the redirect on my phone. Looks like the redirect can be caused by a number of different things, so pay attention to how it is affecting you. If it's hitting both your phone Chrome and PC Chrome, then check your router's settings. If it was affecting your Chrome on both, AND happening to you say at work, then check your Google Sync. For me it was happening on WiFi wherever and not on WiFi, so I knew it wasn't a router issue. It also wasn't affecting my PC at all. Ultimately it was an app that must've been hacked. I simply uninstalled all apps I could and only reinstalled any I actually needed. So far so good. Hope that helps.
 
Dd0U9
I have malware too on my S7. When I open links to read articles (usually Facebook) it opens the attached and makes my phone vibrate.
I've installed security scans and shields but nothing can find it.

Is a factory reset my only option?
 
I'm currently fighting this.
It happens on wifi at work & at home & also when only using data with wifi off.
Used to face this issue at home too. Having switched to an OpenDNS free account (called Family Shield), which provides basic but pretty effective domain-based filtering, has completely solved my problem (at least in this context: home WiFi; I didn't face that issue at work or when using a mobile data connection).
My modem router DHCP server was set up to distribute my internet provider's DNS server addresses to my home devices. After having set it up with the OpenDNS servers' ones, no more annoying ad popups on Android devices.
 
First, one major thing which is needed from most devices is for the manufacturers to update the OS to Android 6.
Anything below has a huge big open lack of security that can be overtaken by even an amateur who knows a bit about how to make a sub-app. Anything previous to Android 6 doesn't have ANY security regarding sub-apps. If an app is installed from another app, no anti-virus or even notice is given about the said sub-app until things are already too late.

This is the issue with Android as an OS. Unlike iOS or Windows, it runs on a pretty straight line where permissions rule above all... even the security. So you install an App like a game from Play Store. That App got in-app ads and we all know it's a source of revenue for game developers on that device. The players or users of that App accept that the app can access X or Y function. Guess what? Through that X or Y function, as long as it doesn't require actual functions from the OS, everything can move in. In other words, the App can freely act as a patching system to fully add anything onto the device. Worst of all, even the developers who put the game out for free with ads don't even know about it... because what they do to add in-game ads is use a special API given by the ads handler... and that ads handler builds up a databank that contains LOTS of ads. What does that ads handler have as a security measure for the ads? A basic anti-virus system.

Basically, ads are by nature redirection links so they aren't as much "checked" as any file would be on your own device. Those only check the initial link's content... if the link content includes an API that loads something "random" like another ad which, for it, can load something bad... there's no security against that at all even for Ads handlers such as Google Ads.

For example, many game developers make use of the Play Games API in Android. That allows the game to make use of the app that goes by the same name, which allows the developers to access easy-to-add-in functions like accessing a remote server for ads, login information (such as guild/clan or friends list) or access to social media systems.
What they don't know is that the Play Games API also includes by default anything related to ads and even a function that allows anonymous patching of files. It's a full access library. Once it's on the tablet or phone, anything like a browser's ads or another App can actually access the Play Games API function as long as it's in. The access to those functions is available to the public!

This is why updating the Android OS to 6 should be mandatory for all manufacturers. The main reason is that the OS-related App permission in 6 has been completely remodeled from scratch. Instead of managing applications through the usual permission system that can easily be "exploited", Android 6.0 (and later) uses a sandbox system that only allows specific stuff to come out of the App... and you can turn off anything you don't wish it to do.

It's still not perfect, but it allows you to actually "break" the adware functions by isolating it by blinding it. So, for example, one of my devices which is stuck at Android 5.5 has this usual adware called "VideoPlayer" which reinstalls itself whenever Play Games is being used by an App/game. I love the games related to this issue and even contacted the dev teams behind those so as to warn them and they can't do anything about it because it's a security issue with Play Games and not really their app. That adware does 2 things: It overtakes all browsers (Chrome, Firefox, Adblock's Chrome, etc.), forces a really ugly homepage that supposedly is Google's (with a stretched logo) but with lots of ads around the search bar, and also adds a permanent Ads pop-up rectangle on the lower right of the screen that displays Play Store's ads by Google. (This ads pop-up is not an in-browser but an over-browser screen so it hides many things in the lower screen. It will be kept on the screen even if the browser is reduced as long as the browser's app is running in the background.)

Removing that adware is easy... but it's as easy to get it again... Just play the games that use in-game ads from Google Ads + Play Games and it will bring it back. On my phone, which has been upgraded to 6, I don't need to remove the Adware... instead, I turn all its permissions to OFF (which isn't available in anything older). The adware is still there, but it's stuck inside a sandbox... whenever I run the same game + Play Games, as it already exists, it doesn't get reinstalled with its default overtaking features.

Imagine a world where whenever you "kill" a criminal, it comes back to life in its headquarters. Any version prior to Android 6 would allow that criminal to roam free as long as it doesn't attack anything... and when it does it gets shot to death instantly and simply respawns back in its headquarters. What they did with Android 6 is instead of shooting it to death, they box it up in an indestructible prison cell (like all the apps). Some apps are allowed a call, some the internet... but the users are prison directors and managers and they can turn off any "services" to any "cellmates". Adware are now stuck with no phone call, access to internet nor even additional memory space at the push of a couple of buttons.
(In comparison, anything older than Android 6 is like highways where AV are checkpoints. Game apps are like big trucks which don't get checked fully inside. They open the back door, look at the stuff from outside and allow the truck to move into the "device-city" with a pat on the back and a big smile on its user's face.)

As I said, it's not perfect as, for example, it requires the adware to be on the device to be able to "modify" its permissions, so any heavy dangerous adware that instantly breaks something... those are still dangerous threats; that's what AV are updated for most of the time. Still, it's better than anything prior.
 
This is not a problem with google ads nor has anything to do with your phone or any other device that you use. The issue is that the router has been attacked and the DNS has been changed.

Log on to your router and change the router settings to set the DNS settings to 'Obtain from ISP' or an equivalent option based on your router model. Alternately get the correct DNS value for your internet provider and enter those values for the DNS.

Regards,
Radnus


... HOW is this the "best answer"??? The original problem is something redirecting you from one page to another. Either I REALLY don't understand IT (possible; I do physics-y math and coding), or this is addressing a similar but different problem.
 
... HOW is this the "best answer"??? The original problem is something redirecting you from one page to another. Either I REALLY don't understand IT (possible; I do physics-y math and coding), or this is addressing a similar but different problem.

Well, for some, it is a part of the source of the problem.
Consider this : Today's attacks or virus/trojan makers know that it's only a matter of time before any active Antivirus companies find a way to detect their stuff when it's on a HDD. Then, how can their *censored* overcome that difficult wall? Simply by attacking, first, the least protected device connected... and that's the router firmware.

Even better for them, most Android devices require a wireless connection to that device (router) to access the Internet. It's like the ideal virus/trojan's cup holder since antivirus on mobile/tablet doesn't really scan visited websites "before" loading them up like it does on regular computers. (Otherwise, it would require too much battery usage and no clients would be satisfied that their battery lasts half of its original charged time because of the antivirus being more active.)

It's not a direct process, but more like this:
1) An Ads databank is infiltrated with a bad ad which includes a hidden API.
2) When the ad runs on the Android device, it downloads and reads the hidden API.
3) The hidden API communicates with the router from within the network, which doesn't have any kind of firewall. (The router firewall that protects it only acts on data loaded from the web, not from the devices.)
4) This API function installs a new firmware update into the router that includes specific calls whenever the "current" device connects to it. Its calls can include anything from installing an adware from a specific web address to redirection from specific webpages. (For example, it can easily take a "sample" of your current browsers' homepage address string and put a redirection toward a malicious website.)

It's quite easy to guess "why" someone would do something like this, and that explains why it goes the extra mile to ensure it's effectively working on as many devices as possible: Money.

A regular virus or Trojan that "locks" something up or breaks the device doesn't produce anything other than hatred, and whenever someone is found out doing it, it always ends up with legal action being taken against them. Even more, it doesn't generate any kind of revenue unless the attack is aimed toward specific individuals and funded by some third party. (You know... cyber-war and stuff. Still, "paid" virus/trojan doesn't concern 99.999% of the stuff around on the net.)

This kind of system isn't as illegal, as it comes within another system that every user agrees to, which includes a part saying "We're not responsible of any damage, change or effect our application may create on your device." (When you install an app (game or not) from Google Play, you agree to this each time... even if some of those games use an unsecured Ads API downloaded from the web to fund themselves.)
Instead of making people suffer with broken or locked devices, they make use of the users' browsers by forcing them to display legal real ads on the users' screen. Remember that anytime someone "loads" an ad, it adds +1 to the counter of that ads frame and the one who registered this active Ads frame (guess who) gets money out of it. (It's usually around 0.80$US per 1000 views where the ads are sold at 1$/1000 views while the "ads hosting" keeps 20%)
This is why those redirected pages are filled to the brim with ads from every kind of PPI (Pay-Per-Impression (or Views)) based companies.
If 1000 people have this redirection, each time they all open their browser, this gives 80 cents to the guy or woman who created that hidden API stuck into the ads that can be displayed in any Apps that make use of in-app ads.
 
I found a solution for removing adware or malware from Chrome
I disabled Chrome, which made it factory reset and reset all data. Before installing it again or enabling it, go to the "back up and reset" section in settings. I am using a Nexus 6p so I don't know if it is the same name on all phones. In there, there is an option to use the backup data when reinstalling an app. Uncheck that option and reinstall or enable Chrome. This will avoid using any saved data that contains the malware or adware.
 
IT IS NOT DNS on the wifi signal or router. I have premium (paid for) ESET mobile security and nothing is found on FULL (not just smart) nightly scans. Ironically, eset support referred me to this pg. Adguard doesn't work for Chrome. OPEN DNS was a great suggestion, I was going to suggest it until I saw that somebody else already had. It is free, google it if you want. However, it blocks some websites that you MIGHT want to visit. Just sayin. Overkill, of sorts. Unchecking allow 3rd party cookies, well I tried that a minute ago and will see if it helps at all.

On my previous router, you could manually add domains that you don't want to allow connections to. It is an incredibly great feature. Unfortunately my current router doesn't seem to have that option. I guess that modification of an android OS file similar to that of "hosts" on a Windows PC would do the trick. Does anybody know the name/location of such a file? We would just have to compile a list of domain names for blocking here. Sounds like onclickads.net should be at the top of the list. :) It would start to hurt them financially if enough people did it, but so what... screw them for messing with OUR phones. Maybe they will shut down permanently. Ha yeah right, too many non-tech people that just live with the problem. Also please consider clicking best answer below to CHANGE the best answer away from the home DNS router having been attacked nonsense. Good luck and thanks for the support.

LIST: Onclickads.net
propellerads.com
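
A caveat on the hosts-file idea in the post above, shown as an added example that is not part of the original thread: a hosts file matches exact hostnames only, so a list of bare domains does not cover their subdomains, whereas resolver-level filtering matches by domain suffix. The two blocked domains are the ones listed in the post; the sample URLs, the subdomain name and the `0.0.0.0` sink address are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains taken from the list in the post above.
BLOCKED_DOMAINS = ["Onclickads.net", "propellerads.com"]

# Constructed sample URLs (not observed traffic).
SAMPLE_URLS = [
    "http://onclickads.net/landing",
    "http://serve.onclickads.net/r?id=1",  # constructed subdomain
    "https://notonclickads.net/",          # look-alike name, must not match
    "https://example.org/article",
]


def normalize(name):
    """Lower-case a DNS name and drop surrounding space and a trailing dot."""
    return name.strip().lower().rstrip(".")


def hosts_entries(domains, sink="0.0.0.0"):
    """Render hosts-file lines; each line covers exactly one hostname."""
    return [f"{sink} {normalize(d)}" for d in domains]


def hosts_file_blocks(hostname, entries):
    """Model a hosts-file lookup: exact name match, no wildcards."""
    names = {line.split()[1] for line in entries}
    return normalize(hostname) in names


def suffix_blocks(hostname, domains):
    """Model domain-level filtering: the name itself or any subdomain of it."""
    host = normalize(hostname)
    return any(host == d or host.endswith("." + d)
               for d in map(normalize, domains))


def audit_urls(urls, domains):
    """Return (host, blocked_by_hosts_file, blocked_by_suffix) per URL."""
    entries = hosts_entries(domains)
    report = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        report.append((host,
                       hosts_file_blocks(host, entries),
                       suffix_blocks(host, domains)))
    return report


if __name__ == "__main__":
    print("\n".join(hosts_entries(BLOCKED_DOMAINS)))
    for host, by_hosts, by_suffix in audit_urls(SAMPLE_URLS, BLOCKED_DOMAINS):
        print(f"{host:28} hosts-file={by_hosts!s:5} suffix={by_suffix}")
```

On Android the hosts file is `/system/etc/hosts` and is not writable without root, so a filtering resolver such as the OpenDNS setup mentioned earlier in the thread is usually the more practical place to apply such a list.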
 
Hi,

I had an issue crop up where whenever I would try to access a link or do a search in Google Chrome on my Samsung Galaxy S4 on Android, I would get redirected to a Malware/Adware type site.

Always starting with slimspot dot com, then redirecting to a pop up saying I've won an award or I have a dangerous virus that needs removing etc.

Anyway, there would be no way to go back and access the original site I was looking at or be able to use Chrome to search for anything because I'd constantly get redirected to this Malware and the only option was to close down Chrome and try again only to get same thing happen again etc etc basically rendering Chrome unusable.

I tried clearing cache/data in Chrome, restoring Chrome to factory default version etc. No luck...

Searched google relentlessly for a fix to no avail.

Tried every legitimate anti virus, anti malware/anti spyware program around, none could detect a problem.

Tried Firefox and that worked fine so I knew it was a problem with the Chrome browser specifically.

So then I figured it out and thought I would post solution on here for other poor suckers who go through the same thing and can't find a fix.

I almost couldn't be bothered but I want to try to be helpful :)

Anyway, connected phone to computer, went to Android folder, then data, searched for Chrome. One folder came up, I shift deleted it.

Voila. Simple as that, problem solved.

Hope this helps someone.
I used to have an S4, but now I have a Droid Turbo 2. I use Chrome on the DT2 and certain websites get hijacked as discussed in this thread, where it says I could be selected to receive an award by answering some basic questions. It's obviously a spam website.

As mentioned in the post I quoted, if I search for:
Computer\XT1585\Internal storage\Android\data\com.android.chrome

I see 2 folders: cache and files. Should I delete both folders via my PC? It's only certain websites that get hijacked, not all, and I haven't tried other browsers. I see it via Wi-Fi and 4G, so I know it's not a home router issue. TIA.
 
Hi,

I had an issue crop up where whenever I would try to access a link or do a search in Google Chrome on my Samsung Galaxy S4 on Android, I would get redirected to a Malware/Adware type site.

Always starting with slimspot dot com, then redirecting to a pop up saying I've won an award or I have a dangerous virus that needs removing etc.

Anyway, there would be no way to go back and access the original site I was looking at or be able to use Chrome to search for anything because I'd constantly get redirected to this Malware and the only option was to close down Chrome and try again only to get same thing happen again etc etc basically rendering Chrome unusable.

I tried clearing cache/data in Chrome, restoring Chrome to factory default version etc. No luck...

Searched google relentlessly for a fix to no avail.

Tried every legitimate anti virus, anti malware/anti spyware program around, none could detect a problem.

Tried Firefox and that worked fine so I knew it was a problem with the Chrome browser specifically.

So then I figured it out and thought I would post solution on here for other poor suckers who go through the same thing and can't find a fix.

I almost couldn't be bothered but I want to try to be helpful :)

Anyway, connected phone to computer, went to Android folder, then data, searched for Chrome. One folder came up, I shift deleted it.

Voila. Simple as that, problem solved.

Hope this helps someone.
I had the same issue. I disabled Chrome and changed my default search engine to duckduckgo. I've not had one issue since.
 
Hi guys, my solution is: if you people installed any cleaner cache app... first uninstall it, then in Google Chrome go to settings and site settings, then all sites. If this site is present there (a.zdbb.net , imrworldwide), kick it out by tapping it and deleting... wow, works like a charm
Thanks for the tip.

My Motorola Droid Turbo 2 was recently updated from Android ver 6.0.1 to 7.0, but I am still occasionally seeing this issue. I'll try your tip the next time.
 
Wow more than 2 years that this issue has been reported and it is still not fixed!

Here my experience.
1.) I bought a Cubot Rainbo phone (Marshmallow) on Amazon. After some time I and several other users found out that this phone has preinstalled malware, including the Chrome Redirecting virus but also System UI manipulation (ad-popups, redirects in Google Play Store). The Chrome Redirecting virus was only there, not in Opera!
2.) Today I returned the Cubot to Amazon and bought a Wiko Sunny (also Android 6 Marshmallow) in a local store
3.) I inserted only my SIM card, no SD card
4.) I set up the phone with my Google account...
5.) I only installed WhatsApp
6.) First time I did a Google search on the search bar and opened a result that was using Google ads.... TADA! Malicious App opened (you won an iPhone, blablabla)

And it's NO DNS issue because I have NO redirects on my iPhone, my private laptop and my company laptop! I also did a factory reset of my router and changed the admin password immediately from the default one.

So there are only these options
- Somehow my SIM card might have been infected by the malware that was on the Cubot phone...
- Or it is related to my Google Account
- Or it's Whats App

Those are the only links between my old and my new phone. The redirecting was always multiple via multiple websites, so the "Malicious Ad Network" theory seemed to be the valid one.

For me the Android platform seems so unbelievably insecure and Google doesn't seem to care. It's so sad that they have a monopoly on affordable Smartphones. I wish Windows Phone would have had more success.
 
Hi there, same issue here. It has to do something with our Google account, so as it doesn't happen to me with other browsers such as the built-in MIUI internet browser. It happens in Google Chrome beta as well.
When I reset all my account data the problem goes away for some time, but it seems that certain websites, apparently clean, make the problem come back. I think it happens when I surf the sites I visit the most.

The thing is that the redirection is to a certain IP address where the Amazon ad is shown (can't remember other brands in the ad), and cannot go backwards as it seems it hijacks my browsing history. I have to type in the search bar in order to go back to the website I was when the hijack occurs.

I'm from Spain and it happens both when I'm on 4G or wifi at home.

Tried running some adware and Antivirus apps with no luck.

I came to think that it has to be some JavaScript code injected in the HTML of those websites, but it's not their fault because I'm sure it's caused by something hiding in my Google profile, and that's why it disappears for a while until I go back to those sites, and then it's when the exploit comes "alive" again and this problem comes back again.

I'm afraid it's something allowed or at least not being fought by Google... years pass by and no clear answer is found on the net...
 
This is not a problem with google ads nor has anything to do with your phone or any other device that you use. The issue is that the router has been attacked and the DNS has been changed.

Log on to your router and change the router settings to set the DNS settings to 'Obtain from ISP' or an equivalent option based on your router model. Alternately get the correct DNS value for your internet provider and enter those values for the DNS.

Regards,
Radnus

Not true for me, happens to me on every wifi and without wifi
 
That works! I was so annoyed by an extremely sketchy looking win $1000 dollar from Amazon redirect. Once I used the procedure Android Police recommended I got a redirect blocked message instead of just a pop-up was blocked and then being redirected. I'm using an LG G6 BTW so I'd say this is an Android/Google device fix not limited to a particular model.
 