Support Market/notification of new app -Malware?

Discussion in 'Android Devices' started by kg6epf, Oct 23, 2011.

  1. kg6epf

    I've had my phone for a year and nothing like this has ever happened to me before.

    I just had a pop up in the notification bar about a new app. Not an update to one I already have, but the Market logo saying there is a new app to download.
    Curious, I take a look and it opens me into the Android Market to download "Mobo Task Killer Pro" (no I don't use any task killers and not trying to start up that debate again). So I start to wonder if this was some new official Google thing (it's not) and I look into it a bit deeper. I didn't download but looking into it I find it curiously has all these positive reviews which I find odd due to the ongoing Task Killer debate, but that's not what this post is about. Taking a look at the permissions I see lots of stuff that I'd question, like why it would need access to be able to create network sockets and bluetooth connections.

    I'm wondering how this app download was pushed to my phone? I wasn't using my phone at all and it had been sitting idle all morning. Seems sort of reminiscent of the "Airpush" ads debacle but in any case I'm not thrilled with an app download being pushed to my phone. Worse than that, I hate to think that someone is trying to push out malware. Maybe I'm just paranoid, but either way, I don't like it.

    Below is the list of permissions it wants.

    NETWORK COMMUNICATION
    FULL INTERNET ACCESS
    Allows an application to create network sockets.
    CREATE BLUETOOTH CONNECTIONS
    Allows an application to view configuration of the local Bluetooth device, and to make and accept connections with paired devices.
    YOUR PERSONAL INFORMATION
    READ SENSITIVE LOG DATA
    Allows an application to read from the system's various log files. This allows it to discover general information about what you are doing with the device, potentially including personal or private information.
    STORAGE
    MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS
    Allows an application to write to the USB storage. Allows an application to write to the SD card.
    SYSTEM TOOLS
    BLUETOOTH ADMINISTRATION
    Allows an application to configure the local Bluetooth device, and to discover and pair with remote devices.
    WRITE SYNC SETTINGS
    Allows an application to modify the sync settings, such as whether sync is enabled for Contacts.
    CHANGE WI-FI STATE
    Allows an application to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks.
    MODIFY GLOBAL SYSTEM SETTINGS
    Allows an application to modify the system's settings data. Malicious applications can corrupt your system's configuration.
     

  2. GandalfTehGray

    I would report that to Google.
     
  3. G.Ri

    I got the same notification. There's a thread on xda too.

    ...oh wait. Can't post links yet. Just Google this, it's the thread id:
    "xda 1314702"

    It's "New App pop-up from the market?"

    I'd love to know what's causing this.
     
  4. titan2005

    Probably the AirPush Service. It's built into some apps and pushes advertisements to your status bar. There's an app which can detect AirPush but sometimes it will miss an app or two. Search for AirPush detector.
    Check recently installed apps, maybe go to the market and read reviews. If it's an app causing it, people will leave comments about it.
     
    deemedic likes this.
  5. scary alien

    Welcome to the AndroidForums, G.Ri :).

    I was curious about this (not affected by it thank goodness), but I Googled your search term and wanted to post this link for you guys:

    New App pop-up from the market? - xda-developers

    Cheers!
     
    G.Ri likes this.
  6. kg6epf

    The first thing I tried was the Airpush detector since it seemed similar to their tactics. Airpush detector shows negative.

    The other threads are trying to narrow down a possible culprit and lots of talk about it being Angry Birds, but I don't even have that installed (once upon a time yes, but SBF'd many times since).

    The only apps in common at this point seem to be:

    titanium backup (I have Pro so I'd be shocked if that was it)
    Adobe flash player 11
    Soundhound
    Facebook

    Soundhound would be my best guess.

    Nice to see that there are some other folks working on figuring this out. Until it does, please be wary of pushed app notifications.
     
  7. scary alien

    Yeah, I've got TiBu (Pro) and Adobe Flash, of course, but not the others (I'm guessing I have Facebook but have never launched it).
     
  8. kg6epf

    No luck in tracking down the source yet. XDA folks seem to be looking into it and got a response, but it still doesn't say how it's happening.

     
  9. G.Ri

    Just popped in from xda to give you guys what little info we have. Looks like you're on top of it though. That's a quote from my email up there. Waiting on a reply from the Mobo team, and I'll be sure to fill you all in if I get more info. I don't really know where else to look for clues about this. Soundhound is getting a lot of fingers pointed at it. I have infinity (paid version) though, so I'd be extremely disappointed in them if that's who pushed it.

    EDIT: Looking through this thread and xda, I realized that the only app that everyone affected has in common is Flash 11. And I seriously doubt that has anything to do with it. Dead end?
     
    kg6epf and Android Al like this.
  10. jerofld

    Here's something to ask:

    Do all of you that have this problem have "Unknown Sources" checked in your Applications settings? A lot of you are also rooted, because Titanium Backup is mentioned a lot.

    How much web browsing do you do? Do the websites offer to install the Android app of that webpage for you?

    A webpage may be backdooring an app onto your Android, and you may not be any wiser because it's being installed through a browser. I know these things generally alert us. But with SuperUser being borked the last week or so and if the OS wasn't preventing outside apps from installing...it could have been the perfect storm. And I doubt Lookout is designed to look at /system too hard.

    So, if you're rooted, I'd suggest you get an app like Autostarts (or a free equivalent) and see what apps are loading on boot. Because I am willing to bet that this has crept into your /system/app folder. If you're not rooted, I'd recommend you download https://market.android.com/details?id=com.joeykrim.rootcheck and see if something back door'd a root exploit onto you without your knowledge. If you are rooted when you shouldn't be, back up what you need and factory reset. If you're already rooted, try using the autostarts or whatever and report what it is to Google.
     
  11. Ricochet

    So, I received a green star notification for a "Free Macbook Pro" for the first time, this morning.

    Here's the underlying URL (copied into my PC's browser):
    http://ad.leadboltapps.net/clk?pf=2&ad_id=32645&section_id=863051297&dev=fI-oSjrAlyeJ2ijuBs6oDOgh7XONpI9p1Qvr-jJV5Z2jHF8LaH0d398oBBuF3hia9qB3Q5al89_mV-bFhlj6EXnzmtlrLYOdeEi8_C35mfZJE_Dnn37iJ2EPSmea09Mx pVNB5l63blf5QhatrU84NUROKLUkcwiUlNa1KjS4O80~

    Which produced this link (blocked by work's firewall as a "Malware site"):
    http://click.jve.net/ez/cksekqpkinkzx/&subid1=191140&subid2=10_106018820_5dbeaa97-b015-4764-a207-02e35dc164dc&subid3=10027681

    Maybe this'll be helpful to the xda guys. :thinking:


    Unfortunately, my phone updated about 6 apps last night and since the New-&-Improved Market no longer displays My Apps chronologically (in order of updates), I don't know which one is the culprit. (Anyone know how to pull this info out?)

    I also installed the free 'OfficeSuite Pro' from Amazon, yesterday.

    When I get home, I'll grab the Airpush detector & Autostarts. :mad:
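One way to check both the suspicion above that something has landed in /system/app and the question of which apps changed overnight, given here as an added example that is not part of the thread: compare two saved outputs of `adb shell pm list packages -f`. The snapshots and every com.example.* name are constructed, and having a baseline taken while the phone was behaving normally is an assumption.

```python
def parse_pm_list(output):
    """Parse `pm list packages -f` output into {package_name: apk_path}."""
    packages = {}
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:") or "=" not in line:
            continue
        # Split on the last '=' so a path containing '=' cannot shift the name.
        path, name = line[len("package:"):].rsplit("=", 1)
        packages[name] = path
    return packages


def review_changes(baseline, current):
    """Return (package, path, finding) for each package that differs from baseline."""
    findings = []
    for name, path in sorted(current.items()):
        old = baseline.get(name)
        in_system = path.startswith("/system/")
        if old is None:
            kind = "new in /system" if in_system else "new user install"
        elif in_system and not old.startswith("/system/"):
            kind = "moved into /system"
        elif path != old:
            kind = "apk replaced"  # path changed: the app was updated or reinstalled
        else:
            continue
        findings.append((name, path, kind))
    return findings


# Constructed snapshots; com.example.* packages are placeholders.
BASELINE = """\
package:/system/app/Browser.apk=com.android.browser
package:/data/app/com.example.music-1.apk=com.example.music
package:/data/app/com.example.game-1.apk=com.example.game
"""
CURRENT = """\
package:/system/app/Browser.apk=com.android.browser
package:/data/app/com.example.music-2.apk=com.example.music
package:/system/app/com.example.game.apk=com.example.game
package:/system/app/Helper.apk=com.example.helper
package:/data/app/com.example.office-1.apk=com.example.office
"""

if __name__ == "__main__":
    changes = review_changes(parse_pm_list(BASELINE), parse_pm_list(CURRENT))
    for name, path, kind in changes:
        print(f"{kind:20} {name:24} {path}")
```

Market installs and updates land under /data/app, so the two /system findings are the ones to look at first; "apk replaced" narrows down which apps changed since the baseline.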
     
  12. deemedic

    Happened to me and thanks to this thread and the air-push detector I found the app that caused it and uninstalled it.

    Hopefully this is the end of it.
     
