Built-in browser hijacked, what do I do?

PaulGor

Active member
Aug 21, 2015
31
0
6
Visit site
Built-in browser hijacked

Hi

I did use search - found this recent post, "...hijacked the default internet browser", but it did not help (even using the anti-malware app suggested there).

Problem: when I open the default browser, it goes not to an empty page (that's how I set up Home) but to gotoamazing.com. If I open a new tab - same thing.

Yes, Chrome is fine but it takes too much memory...

Please, help! I am just an end user, so no "root", regular Android 4.4.2 tablet.
 

B. Diddy

Senior Ambassador
Moderator
Mar 9, 2012
165,595
4,737
113
Visit site
Re: Built-in browser hijacked

Welcome to Android Central! Which phone? Go to Settings>Apps>All, select the browser, and Clear Cache/Clear Data, then Force Stop. Now see if the problem persists.
 

B. Diddy

Re: Built-in browser hijacked

Which exact brand and model is it? Android is just the term for the OS.

Also, try booting into Safe Mode, which temporarily disables all 3rd party apps. On most Android devices, while powered on, press and hold Power until the Power Off menu appears. Press and hold the Power Off selection until the Safe Mode prompt appears. Tap OK.

If the problem disappears in Safe Mode, then something you installed is causing the problem. You may have to uninstall apps one by one until the problem disappears.
 

PaulGor

Re: Built-in browser hijacked

"Which exact brand and model is it? Android is just the term for the OS."

It's a 7" tablet by TooSell - but malware/browsers/etc belong to the OS only, right? Same thing as malware in a browser under Windows does not depend on a brand, be it Dell or Lenovo...

"Also, try booting into Safe Mode, which temporarily disables all 3rd party apps. On most Android devices, while powered on, press and hold Power until the Power Off menu appears. Press and hold the Power Off selection until the Safe Mode prompt appears. Tap OK.
If the problem disappears in Safe Mode, then something you installed is causing the problem. You may have to uninstall apps one by one until the problem disappears."

Let me try. Nope, same thing - as far as I've read, the malware was brought by some 3rd party application but even though I uninstalled it later, the malware still exists in the browser...

:-(
 

B. Diddy

Re: Built-in browser hijacked

The reason I asked for the brand and model was to see if I could suggest wiping the system cache partition, which can help with various problems, and doesn't erase any personal data. However, with those off-brand devices, it can be hard to find out how to boot into Recovery Mode to wipe the cache, since the procedure differs among devices.

At this point, you can either use another browser (try Opera Mini or UC Browser Mini if you're looking for something lightweight), or do a factory reset. If you choose the latter, then before the reset, go to Settings>Backup & Reset, and uncheck Automatically Restore. After you do the reset, and after the Setup Wizard is complete, go immediately to Google Play Store, and stop any app from automatically installing. Now see if the stock browser still directs you to that site.
 

PaulGor

Re: Built-in browser hijacked

"... do a factory reset. ..., then before the reset, go to Settings>Backup & Reset, and uncheck Automatically Restore. After you do the reset, and after the Setup Wizard is complete, go immediately to Google Play Store, and stop any app from automatically installing. Now see if the stock browser still directs you to that site."

Yes, I would like to do so (I have nothing really important there - it's my first tablet, I just played with it).

As for the last step -
"go immediately to Google Play Store, and stop any app from automatically installing" -

how would I see such apps that are trying to auto-install? Will the front page show me?
 

robotc

New member
Aug 27, 2015
3
0
0
Visit site
Hi
I had the same problem when using the Android browser, with a new tab redirecting to gotoamazing every time I looked at a new URL.
I found another post on the web where a similar hijack problem was solved by connecting the tablet to a computer and looking at the Android files and then deleting the problem one.
When I looked at the files on my tablet there was one labelled XBKP, which is the prefix on the web address when the tablet was redirected to gotoamazing.
Deleting this file solved the problem. I hope this helps.
Robert
 

PaulGor

"Deleting this file solved the problem."

I was not able to find that file - do you remember its full name and/or a directory where it was located?

P.S. I have no files under Android/data/com.android.browser

:-(
 

B. Diddy

"I found another post on the web where a similar hijack problem was solved by connecting the tablet to a computer and looking at the android files and then deleting the problem one."

Welcome to Android Central! Could you possibly share that link with us?
 

robotc

Hi
I think I have given the wrong information. The problem came back after I deleted the XBKP file.

I have investigated further and had some success.

I downloaded Malwarebytes Mobile and scanned the tablet. It found 6 trojans:

/data/app/com.android.netsetting-2.apk
/data/app/com.android.patch-1.apk
/mnt/sdcard/XBKP/AdSdk_avazu_1.0.8.apk
/mnt/sdcard/XBKP/AdSkdk_browser_patch_1.06.apk
/system/app/GoogleProvider.apk
/system/priv-app/XBPK.apk

Malwarebytes removed the first four on the list but could not remove the last two. These are files for the apps MTK Music Provider and rstech_knile.

It appears that this has fixed the problem with the browser for now.

I found a reference to the app rstech-knile which appears to be installed by the factory and allows the installation of malware.
forums.whirlpool.net.au/archive/2299803
Scroll down to Post from Ralph77 on 1 March 2015

I have disabled rstech_knile so hopefully the problem will not return

Robert
 

robotc

Hi
I wanted to give an update on the problems with my tablet.
Disabling the rstek-knile app has permanently stopped the browser redirection to gotoamazing.com.
There is still a problem with downloads of a LOT of adware. I believe this is caused by MTKMusicProvider. I can force stop this app but the disable button is greyed out. When the tablet is rebooted the app starts up again and a stream of adware is loaded. MalwareBytes picks this up but it is really annoying to deal with.
Is there any way to permanently disable the app or is the tablet heading to the rubbish bin?
Robert
 

Zeeboo

New member
Oct 14, 2015
1
0
0
Visit site
Hi, I had exactly the same problem. My tablet is a Goclever Quantum 1010M running KitKat. Advertising displayed by itself and the Internet application's home page was set to cool123.net; no cleaning gave results. After some time the home page changed to gotoamazing.com. The tablet kept popping up advertising programs that popped up again after uninstalling. I managed to uninstall BroService successfully - it did not reappear, but Linervice kept installing after each reboot. So I decided to root the tablet. I deleted the data in the folder /data/data/com.android.browser and the advertising disappeared.
After scanning, the Mbam program found one suspect program: /system/app/GoogleProvider.apk, listed as the application MTKMusicProvider - I removed it. Then I removed the file /system/priv-app/XBPK.apk, listed as the rs_9103_v30 application. There was still a problem with Linervice 4.0 - /data/app/com.google.eVideo1Service-1.apk was still installed after the restart. I began to search the applications in /system/app for false names. As suspected, I found GooglePlayService.apk, whose listed name is CrashService.
In the folder /data/data/com.mediatek.Crash Service I found entries in the .xml files showing that the application tries to download files from the internet, namely com.google.ePlay1Service-1.apk and com.google.eVideo1Service-1.apk, known as BroService and Linervice.
Note: Deleting files must be done with WiFi disabled.

Good luck with removal.
 

SourceSkyBoxer

New member
Mar 5, 2016
1
0
0
Visit site
Hello dear
Pff, old date, but it is important to delete hacking apps from /System/Apps/
I have got stupid hacking apps

Solution:
You need to download Kingo Root

Important apps needed:
Link2SD and DU Cleaner and DU Speed Booster, DU Battery Saver and Task Manager (if you are using Kata or Asian mobile companies...)

1. Kingo Root one click
Wait until it says "Your device is rooted"

Then you download Link2SD and choose System, then find the dangerous hackjet apps, long-press and "uninstall"

I hope you have no problem uninstalling the stupid hacking apps.
Thanks! :)
 

Creations Maxo

New member
Jun 28, 2016
1
0
0
Visit site
I would like to thank you as Cleaning cache + Force Stop did the trick for me.

I noticed that some really popular websites which have an ads zone managed by Google Ads currently have ads that do some really nasty things.
Those ads do the following things in order:
1) At first, it changes the homepage and new-tab page of your browser and sets it to a specific page that includes multiple links, like a Custom Google search bar.
2) That page includes many ad boxes. (Yeah... the scammer who created those websites actually makes money out of your visits)
3) Some of those ad boxes install some adware/minor malware even just by loading them (through the browser).
4) That adware/minor malware will put ads over your browser windows (lower right corner most of the time).
5) Clicking on those ads (which look like Play Store ads) installs even more crap into your browser. The bad thing is that the "X" of those ads is about 6x6 pixels in size, so it's extremely easy to press the ad instead of the closing button. Also, closing the ad doesn't work for long as it will come back 3 sec later.

As bad as it might sound, there's no anti-virus that can protect you from this process. BitDefender, Avast and Malwarebytes don't seem to detect anything as it all goes through as some kind of system updates and not as "new apps".

The first time it happened to me, I had to format my Android tablet because things went really too far.
The second time it happened to me, I was a bit more ready. First, I always kept an eye on the apps installed on the device... I even made a list. Whenever something new is added without me doing anything, I remove it. In the case of the ads in the corner, it's often called "VideoPlayer", which is actually an old adware that has existed since 2008. Originally, it was known as "Ads by VideoPlayer", but it's only "VideoPlayer" on Android. Then you have to close the browsers (quit the apps) in "Running Apps", clean their cache and even then Force Stop them (from "All Apps"). When you start the default browser, it will request to log into your account as if you just started the device for the first time. Then all traces of the previous tampering will be gone.

You will have to repeat the whole process whenever something unusual happens such as the change of your homepage.
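
An added example, not code from any poster in this thread: two checks described above, written in Python. One compares a saved list of installed apps against the current one (the "make a list" habit in the post above), the other flags system APKs whose file name claims to be Google while the package behind it is not (the "false name" search in Zeeboo's post). It assumes both listings were saved on a PC from `adb shell pm list packages -f`; the sample lines and the `com.example.musicprovider` package name are constructed.

```python
import re

# One line of `adb shell pm list packages -f` output looks like:
#   package:/system/app/Foo.apk=com.vendor.foo
LINE = re.compile(r"^package:(?P<path>.+\.apk)=(?P<pkg>[\w.]+)$")

def parse_listing(text):
    """Return {package_name: apk_path} from a saved package listing."""
    listing = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            listing[m.group("pkg")] = m.group("path")
    return listing

def new_packages(baseline, current):
    """Packages present now that were not in the saved baseline."""
    return {pkg: path for pkg, path in current.items() if pkg not in baseline}

def name_mismatches(listing):
    """System APKs named Google*.apk whose package is not com.google.*.
    A heuristic: hits are candidates for a closer look, not verdicts."""
    hits = []
    for pkg, path in sorted(listing.items()):
        fname = path.rsplit("/", 1)[-1].lower()
        in_system = path.startswith(("/system/app/", "/system/priv-app/"))
        if in_system and fname.startswith("google") and not pkg.startswith("com.google."):
            hits.append((path, pkg))
    return hits

# Constructed sample data. File paths follow those quoted in the thread;
# com.example.musicprovider is a placeholder package name.
BASELINE = """
package:/system/app/Browser.apk=com.android.browser
package:/system/priv-app/Phonesky.apk=com.android.vending
package:/system/app/GoogleProvider.apk=com.example.musicprovider
"""
CURRENT = BASELINE + """
package:/data/app/com.android.netsetting-2.apk=com.android.netsetting
package:/data/app/com.google.eVideo1Service-1.apk=com.google.eVideo1Service
"""

if __name__ == "__main__":
    before, now = parse_listing(BASELINE), parse_listing(CURRENT)
    for pkg, path in sorted(new_packages(before, now).items()):
        print("new since baseline:", pkg, path)
    for path, pkg in name_mismatches(now):
        print("file name / package mismatch:", path, pkg)
```

The baseline comparison only catches apps added after the list was made; an app that shipped in `/system` from the factory is already in the baseline, which is why the file-name check is run separately.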
 

HimDroid

New member
Aug 29, 2016
1
0
0
Visit site
If you have come here with redirect issues, try B. Diddy's simple instructions first. Worked for me. Must be some kind of hook that rides in on the browser cache. But going to Settings>Apps>All, selecting the browser, and selecting Clear Cache/Clear Data then Force Stop worked like a charm. Thanks B. Diddy!
 
