Worm or adbot hiding on my S5

AZgl1500

Somewhere about 2 weeks ago, my phone started getting a bunch of weird popups that can't be ignored that overlay the app I want to use.

I installed AppBrain Ad Detector and let it scan looking for the culprit. Ran a virus scan with Clean Master and Bluebox Security. None of the three of these has detected a virus; something that I was pretty sure did not exist on the phone anyway.

What I have is a worm that is hiding from the normal virus detectors. It is stealthy, moves and changes.... I thought it was AdMob adverts for a while, but I am now sure it is not. I just now started doing screenshots of every one of them that show up so I can analyze this mess.

I just this minute installed: Ad-Network Scanner & Detector
and let it run, it came up with just about zilch. A screenshot is attached for that.

This bad critter is like the stuff that gets hidden on a PC in a root partition that can't normally be accessed.

Any suggestions as to what program to use to kill this nasty critter?

I can always just format the phone and use Kies 3.0 to restore it back to where it was 3 months ago..... but lordy, I have done a lot of tuning up since then and didn't want to do that. I will though if I have to.
 

Attachments

  • Scan Results negative.jpg
  • ApBrain detector.jpg
  • Keyboard expired.jpg

AZgl1500

I forgot to mention that I tried to make a phone call today.

A popup advert claiming some kind of intrusion overlaid the phone dialer. Nothing would get rid of that advert. I had to power the phone off.

I just now installed MalwareBytes and it also reports no infections. MalwareBytes has been my tool of choice for the PC world and it didn't detect this critter?
 

AZgl1500

Do you visit any shady sites

Posted via Nexus 7 2013 or Galaxy S5

NO!

The only thing I do that might be of concern is to follow links on newspaper stories.
I have CNN, BBC News, USA Today, Fox News, two local TV news stations apps, and one from WSBTV in Atlanta, GA.

I also subscribe to a lot of Technical Electronics Newsletters that have never been a problem on my desktop PC. Been reading those for years and years and never a worm or virus from them.

I do not play online games, I do not go anywhere except to the forums like this one and my motorcycle forum that I moderate.

I thought for a while that it was "Go SMS Pro" getting super pushy about me constantly refusing to upgrade to the Premium version for about $20 bucks. Won't do that, so I uninstalled Go SMS Pro and installed Textra... that may have been a blessing in disguise, I like Textra.
 

Resendetra

Oh no, that sounds awful and extremely annoying. Have you tried using AVG? Also, have you downloaded any apps recently?

Sent from my Galaxy S5 Active using Tapatalk
 

mrsmumbles

I agree with this. When I had a similar problem I had recently downloaded a couple of free apps and as soon as I uninstalled them the problem cleared up.
 

AZgl1500

Okay, decided that Go SMS Pro must have a campaign going on AFTER you reach a certain amount of usage?

Anyway, I uninstalled that app and installed Textra which is decidedly simple, fast, and all I have need of. Blessing in disguise.

Last night after "going to bed" but the bed bugs kept me awake ;rofl;, I installed Ad Block to see what happens..... granted, only looking at about 7 or 8 hours since that happened, but so far.... no more adverts or virus warnings or "broken hardware warnings"....

time to get my tailbone out the door, I have to be at work in 15 minutes........ cya later and let ya know how it goes, going to keep the phone busy all day and see what transpires.
 

AZgl1500

Well, I used the phone a lot today right up until the noon hour. Not once did an advert show up.


I was just beginning to think that it was all from "Go SMS Pro" and with Ad Block now installed, the worst was behind me.

Then I needed to call SWMBO and ask her what she wanted brought home for lunch. I did a long press on the digit '3' to auto-dial her and this screenshot appeared.

The Home key would not get rid of it, the Clear key would not get rid of it, The Recent Apps button would not get around it. The only thing that would work "short of accepting it" was to press the 'X' in the top left corner that says "skip this ad".

On previous occasions that 'X' did NOT skip the ad, it would invoke the default browser and take me to a 'buy it now' "Warning, you are infected, you must buy this or you data is at risk".

Yeah right, like I am going to hand over my credit info to some Russian/Chinese jerk who then wants to run and deplete my bank account? (sorry guys, you earned this one from history. Just today in the news is Russian news of bilking Chase and JPMorgan banks out of their monies) No Way. That is when I power the phone off, and if it won't power off (sometimes it won't) then I pull the battery.

This is a typical hijacking attempt used in a huge quantity of emails, and bad webpages just waiting for the innocent to buy in to their attempts to get your money.

At the moment, I am not ready to reformat the phone and restore it with a good known version I have saved with Kies 3.0

The phone works great, it is fast, battery life is great. If it weren't for this hijacking attempt, it would be a good candidate to make a new "known good" backup.

Here is the screenshot, anyone know what caused this, and if so, were you able to get rid of it?

I am on an education trip here and I refuse to allow this s.o.b. hijacker to take over my phone.

.
 

Attachments

  • Hijacker Attempt.jpg

punk999

In the past month or so, similar thing had happened to me, but only on my nexus and then on my mi3. It would show the mobile genie ad or your device is infected virus. I'm not sure what caused it.
 

1Coopgt

So do you still think it's a bad idea to have Norton Anti Virus on the phone? You gave me a lot of crap about it. Norton warns you about apps that behave badly. Maybe you should try it. :p
 

AZgl1500

Tell what the app name for T in the green square?

Posted via the Android Central App

That is the Textra icon in the Notification bar. I had a text message arrive from my daughter, I was expecting it and was delaying replying to it until after I talked to her mother to get a "lunch order".

I like that I can touch the icon and go directly to the txt msg while the screen is locked, or can do it while in another app and then return to the lock screen, or the app in use. Whichever happens to be the case. As I mentioned earlier in this thread, so far, I am liking Textra. It satisfies my basic txt needs.
 

AZgl1500

I have a lot of doubts that Norton AV would have caught this. I am still anti-Norton, there is a lot of bad water under the bridge with Norton and me.

But..... just to "check it out" I will allow Norton to inspect the phone. Just now I opened up "Settings" to reactivate Norton, the following screenshot appeared.
Just to see what follows, I clicked on the OK button and the second screenshot appeared.

"REMOVE VIRUS NOW" uh huh, whatcha wanta bet $$$ is their next request...


Before I do anything like that, I am going to make another Kies backup label Horneyworm :rofl:
 

Attachments

  • Horneyworm.jpg
  • Fatal Horneyworm.jpg

1Coopgt

Well, that's not good. I'd say if you can get to it, wipe the phone. Try Android Device Manager on your computer.
 

AZgl1500

+1 for this
Someone hacked into your device so you better wipe it online

Posted via the Android Central App

This I have a real hard time believing.
In order for someone to "hack into" my phone, it would have to be online and available for them to play with.

Now that is going to be a real tough nut to crack, because when I lock the screen, I turn OFF the internet totally. I use MacroDroid to do that for me so I don't have to use a manual switcher widget for that purpose.

Likewise, when the screen is unlocked, MacroDroid turns on Data and WiFi.... it is only on for as long as I take to look at my emails, read the news, talk on the phone.

that done, I lock the screen and no more internet.

As I type this, I turned ON Verizon's Norton AV app and it is scanning the phone. So far, it has scanned 199,000+ files and come up with zilch.


I have done one other thing since my last post.
I installed Ad Block Plus from this link:
https://adblockplus.org/en/android-install

It has only been a half hour or so, but no hornyworms appeared yet. ;rofl;
 

bbmjack

This I have a real hard time believing.
In order for someone to "hack into" my phone, it would have to be online and available for them to play with.

Now that is going to be a real tough nut to crack, because when I lock the screen, I turn OFF the internet totally. I use MacroDroid to do that for me so I don't have to use a manual switcher widget for that purpose.

Likewise, when the screen is unlocked, MacroDroid turns on Data and WiFi.... it is only on for as long as I take to look at my emails, read the news, talk on the phone.

that done, I lock the screen and no more internet.

As I type this, I turned ON Verizon's McAfee AV app and it is scanning the phone. So far, it has scanned 134,000+ files and come up with zilch.


I have done one other thing since my last post.
I installed Ad Block Plus from this link:
https://adblockplus.org/en/android-install

It has only been a half hour or so, but no hornyworms appeared yet. ;rofl;

Obviously hacking is needing you to be online

Posted via the Android Central App
 

1Coopgt

I don't think someone has hacked his phone. I'm thinking he has possibly downloaded a malicious app or visited a hacked website that has side loaded something onto his phone (ok hacked).

OP, log in to Android Device Manager. Then when you are ready, fire up your phone so it gets its data connection and then push the button.
 

AZgl1500

Yes, the hackers need us to be online, and they really enjoy folks who frequent the porn websites. I've no interest in such things thank you, so that is not a worry.

At 74-1/2 I don't need frilly pictures with lace or lack thereof to keep me interested in life. I have 6 acres of grass to mow, weedeaters to trim with, dogs that like to go walking. A motorcycle that likes to go "varoom!" and which I will be climbing on in the morning for a 4 day trip to the Arkansas mountains up in Eureka Springs, AR. Lots of my friends will be there and we plan to have BBQ on the grill, lots of gabbing going on of course, and all the things you can do when you meet up with folks you haven't seen in a couple years.

I love my m/c because it gives me the freedom that I used to feel when I flew my own airplane out in the western part of the US of A.... I miss that airplane, it was lots of fun but affording it was a whole nuther story and it had to go. But, I owned it for almost 8 years and it kept me sane for a long time. I joined an airplane club and flew another 20 years and then just gave it up.....

Motorcycles have been in my life since I was 12 years old, and it don't look like they will go away unless my legs get too weak to get on one.... I've got friends that are 84 and 91 who are still riding their motorcycles to our annual get togethers.... yep, it is the wind in your hair (helmet of course) and m/c jacket and m/c pants and boots. I'm not much of one for abrasions on my hide.....

so far, I just learned that Joan Rivers has been rushed to Mount Sinai hospital "not breathing". Found that on Fox News just now and no Hornyworm to bother me there.

Looked at emails, nothing worthwhile there.

So far, Clean Master, MalwareBytes, BlueBox Security and Verizon's Protection app "Norton in disguise" all say there are NO viruses on my phone.

Ad Block Plus has stopped the villain from bothering me..... I will keep updating for a couple days.. This topic I am sure will be of benefit to others who will see it.
 
