Help Market/notification of new app -Malware?

kg6epf

I've had my phone for a year and nothing like this has ever happened to me before.

I just had a pop up in the notification bar about a new app. Not an update to one I already have, but the Market logo saying there is a new app to download.
Curious, I take a look and it opens me into the Android Market to download "Mobo Task Killer Pro" (no I don't use any task killers and not trying to start up that debate again). So I start to wonder if this was some new official Google thing (it's not) and I look into it a bit deeper. I didn't download but looking into it I find it curiously has all these positive reviews which I find odd due to the ongoing Task Killer debate, but that's not what this post is about. Taking a look at the permissions I see lots of stuff that I'd question, like why it would need access to be able to create network sockets and bluetooth connections.

I'm wondering how this app download was pushed to my phone? I wasn't using my phone at all and it had been sitting idle all morning. Seems sort of reminiscent of the "Airpush" ads debacle but in any case I'm not thrilled with an app download being pushed to my phone. Worse than that, I hate to think that someone is trying to push out malware. Maybe I'm just paranoid, but either way, I don't like it.

Below is the list of permissions it wants.

NETWORK COMMUNICATION
FULL INTERNET ACCESS
Allows an application to create network sockets.
CREATE BLUETOOTH CONNECTIONS
Allows an application to view configuration of the local Bluetooth device, and to make and accept connections with paired devices.
YOUR PERSONAL INFORMATION
READ SENSITIVE LOG DATA
Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.
STORAGE
MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS
Allows an application to write to the USB storage. Allows an application to write to the SD card.
SYSTEM TOOLS
BLUETOOTH ADMINISTRATION
Allows an application to configure the local Bluetooth device, and to discover and pair with remote devices.
WRITE SYNC SETTINGS
Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.
CHANGE WI-FI STATE
Allows an application to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks.
MODIFY GLOBAL SYSTEM SETTINGS
Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration.
 
Probably the AirPush Service. It's built into some apps and pushes advertisements to your status bar. There's an app which can detect AirPush but sometimes it will miss an app or two. Search for AirPush detector.
Check recently installed apps, maybe go to the market and read reviews. If it's an app causing it, people will leave comments about it.
 
I got the same notification. There's a thread on xda too.

...oh wait. Can't post links yet. Just Google this, it's the thread id:
"xda 1314702"

It's "New App pop-up from the market?"

I'd love to know what's causing this.

Welcome to the AndroidForums, G.Ri :).

I was curious about this (not affected by it thank goodness), but I Googled your search term and wanted to post this link for you guys:

New App pop-up from the market? - xda-developers

Cheers!
 
The first thing I tried was the Airpush detector since it seemed similar to their tactics. Airpush detector shows negative.

The other threads are trying to narrow down a possible culprit and lots of talk about it being Angry Birds, but I don't even have that installed (once upon a time yes, but SBF'd many times since).

The only apps in common at this point seem to be:

titanium backup (I have Pro so I'd be shocked if that was it)
Adobe flash player 11
Soundhound
Facebook

Soundhound would be my best guess.

Nice to see that there are some other folks working on figuring this out. Until it does, please be wary of pushed app notifications.
 
titanium backup (I have Pro so I'd be shocked if that was it)
Adobe flash player 11
Soundhound
Facebook

Soundhound would be my best guess.

Nice to see that there are some other folks working on figuring this out. Until it does, please be wary of pushed app notifications.

Yeah, I've got TiBu (Pro) and Adobe Flash, of course, but not the others (I'm guessing I have Facebook but have never launched it).
 
No luck in tracking down the source yet. XDA folks seem to be looking into it and got a response, but it still doesn't say how it's happening.

Hi,
Thanks for your feedback and sorry for any inconvenience caused.
We are cooperating with a 3rd party promotion platform which agrees to advertise our app. We are sorry that their method of promoting our app makes you uncomfortable and we have already told them to stop adopting this advertising method.
If you do have further questions or suggestions, please feel free to contact us.
Looking forward to your reply!
--
Best regards,
Task Killer Team
 
Just popped in from xda to give you guys what little info we have. Looks like you're on top of it though. That's a quote from my email up there. Waiting on a reply from the Mobo team, and I'll be sure to fill you all in if I get more info. I don't really know where else to look for clues about this. Soundhound is getting a lot of fingers pointed at it. I have infinity (paid version) though, so I'd be extremely disappointed in them if that's who pushed it.

EDIT: Looking through this thread and xda, I realized that the only app that everyone affected has in common is Flash 11. And I seriously doubt that has anything to do with it. Dead end?
 
Here's something to ask:

Do all of you that have this problem have "Unknown Sources" checked in your Applications settings? A lot of you are also rooted, because Titanium Backup is mentioned a lot.

How much web browsing do you do? Do the websites offer to install the Android app of that webpage for you?

A webpage may be backdooring an app onto your Android, and you may not be any wiser because it's being installed through a browser. I know these things generally alert us. But with SuperUser being borked the last week or so and if the OS wasn't preventing outside apps from installing...it could have been the perfect storm. And I doubt Lookout is designed to look at /system too hard.

So, if you're rooted, I'd suggest you get an app like Autostarts (or a free equivalent) and see what apps are loading on boot. Because I am willing to bet that this has crept into your /system/app folder. If you're not rooted, I'd recommend you download https://market.android.com/details?id=com.joeykrim.rootcheck and see if something backdoored a root exploit onto you without your knowledge. If you are rooted when you shouldn't be, back up what you need and factory reset. If you're already rooted, try using the autostarts or whatever and report what it is to Google.
 
So, I received a green star notification for a "Free Macbook Pro" for the first time, this morning.

Here's the underlying URL (copied into my PC's browser):
http://ad.leadboltapps.net/clk?pf=2&ad_id=32645&section_id=863051297&dev=fI-oSjrAlyeJ2ijuBs6oDOgh7XONpI9p1Qvr-jJV5Z2jHF8LaH0d398oBBuF3hia9qB3Q5al89_mV-bFhlj6EXnzmtlrLYOdeEi8_C35mfZJE_Dnn37iJ2EPSmea09Mx pVNB5l63blf5QhatrU84NUROKLUkcwiUlNa1KjS4O80~

Which produced this link (blocked by work's firewall as a "Malware site"):
http://click.jve.net/ez/cksekqpkinkzx/&subid1=191140&subid2=10_106018820_5dbeaa97-b015-4764-a207-02e35dc164dc&subid3=10027681

Maybe this'll be helpful to the xda guys. :thinking:


Unfortunately, my phone updated about 6 apps last night and since the New-&-Improved Market no longer displays My Apps chronologically (in order of updates), I don't know which one is the culprit. (Anyone know how to pull this info out?)

I also installed the free 'OfficeSuite Pro' from Amazon, yesterday.

When I get home, I'll grab the Airpush detector & Autostarts. :mad:
 
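An added example, not part of any post in this thread: one way to answer the question above of which apps were updated last night, combined with the permission review from the first post. It parses text saved from `adb shell dumpsys package`, which records a `lastUpdateTime` per package; the sample dump, the package names and the `WATCHED` subset are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on `adb shell dumpsys package` output; package
# names and times are made up, and the field layout varies by Android version.
SAMPLE = """\
  Package [com.example.flashlight] (40a1b2c8):
    lastUpdateTime=2011-10-26 23:41:07
    grantedPermissions:
      android.permission.INTERNET
      android.permission.READ_LOGS
      android.permission.WRITE_SETTINGS
  Package [com.example.notes] (40c3d4e0):
    lastUpdateTime=2011-10-26 23:39:52
    grantedPermissions:
      android.permission.WRITE_EXTERNAL_STORAGE
  Package [com.example.oldgame] (40e5f6a8):
    lastUpdateTime=2011-03-03 12:00:00
    grantedPermissions:
      android.permission.INTERNET
"""

# Subset of the first post's permission list (manifest names) chosen here as
# worth a second look; the selection is this example's assumption.
WATCHED = {"READ_LOGS", "WRITE_SETTINGS", "WRITE_SYNC_SETTINGS",
           "CHANGE_WIFI_STATE", "BLUETOOTH_ADMIN"}

def parse_packages(dump):
    """Return {package: {"updated": datetime or None, "perms": set}}."""
    pkgs, cur = {}, None
    for line in dump.splitlines():
        s = line.strip()
        m = re.match(r"Package \[([^\]]+)\]", s)
        if m:
            cur = pkgs.setdefault(m.group(1), {"updated": None, "perms": set()})
        elif cur is not None and s.startswith("lastUpdateTime="):
            cur["updated"] = datetime.strptime(s.split("=", 1)[1],
                                               "%Y-%m-%d %H:%M:%S")
        elif cur is not None and s.startswith("android.permission."):
            # Newer releases append ": granted=true"; keep only the name.
            cur["perms"].add(s.split(":")[0].rsplit(".", 1)[1])
    return pkgs

def recent_updates(dump, now, hours=24):
    """Packages updated within `hours` before `now`, newest first."""
    cutoff = now - timedelta(hours=hours)
    hits = [(p["updated"], name, sorted(p["perms"] & WATCHED))
            for name, p in parse_packages(dump).items()
            if p["updated"] and p["updated"] >= cutoff]
    return [(name, str(ts), perms) for ts, name, perms in sorted(hits, reverse=True)]
```

Calling `recent_updates(SAMPLE, datetime(2011, 10, 27, 9, 0))` lists the two packages updated the previous night, each with the watched permissions it holds; on a real device, pass the saved dump text in place of `SAMPLE`.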
