
Possible Malicious Fake Update URL


Android Question

Guest
Moderators have taken over this post. :)
Be on the lookout for a fake update coming from a fake URL. It's undetermined what it does, but I doubt it's good. Notice it is using an "l" in place of the "i" in android. That makes me think there is an attempt to load malware onto your devices under the guise of installing an update.

Phandroid Article based on this thread. They are waiting for feedback from Google.
http://phandroid.com/2014/12/01/google-chrome-malware-psa/

[Screenshot: nTEOI0Q.png]

Another screenshot, thanks
[Screenshot: screenshot_2014-12-01-14-24-36.png]
 
Anything like this? I was on the web and suddenly this popped up.. link redacted by moderator
 
I just got the exact same popup in Chrome on my Nexus 3. System.androldupdate blah blah blah. Google doesn't come back with any hits apart from this forum page, 'help!'. I haven't clicked the link but it takes over Chrome randomly, though not while I'm on this page...

Anybody else get it and found a way to protect themselves from it?
 
Same thing today with my Galaxy S5. The Chrome browser sometimes redirects to the system.androldupdate.com page. The page prompts a system message telling the user their browser is out of memory. The page itself is titled "system UI kernel upgrade"; clicking anywhere on the page links you to a download on solidclix.go2cloud.org. Solidclix is shown to host malicious files. Guys, please don't download this junk.

My two questions are: how have these guys hijacked my browser? The only new app I've added is Avast; is it possible the Avast app was compromised? And how many people are being affected by this? OK, that was three questions.

P.S. It seems to only happen when I click on a search result from google.
 
I'm experiencing (since last night) the same popup in the Chrome browser app on my Samsung Galaxy S3. It directs the active tab to a page on link redacted by moderator and throws up a small popup window saying "Your Samsung Galaxy S3 is out of Memory! Fix Up!"

Most recent redirect was to this URL: link redacted by moderator
Haven't found anything about it. I'm assuming it's malware, but I have no idea how to remove it.
 
I got the same popup this morning. The only app I updated recently was ES File Explorer. Looks like it hit me when I was looking at a CNBC article. Not finding anything on it on Google, except this thread. I didn't load it, but my phone has crashed twice. I virus-scanned it with Clean Master, but it found nothing. Samsung S4.
 
I've removed the links in this thread. I noticed that it was a misspelled link using an "l" in place of the "i" in android. That makes me think there is an attempt to load malware onto your devices under the guise of installing an update.
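The "l"-for-"i" swap the moderator points out is the classic look-alike (confusable) domain trick, and it is mechanically detectable. The following Python script is an added example, not code from this thread or from any of its posters: it folds visually similar characters, compares each DNS label against a brand list, and runs over a few constructed browser-history lines built from the hosts named in the thread. The brand list, the confusables table, the sample history and the helper names are assumptions for the demo; the whois creation date and first-report date are the ones quoted later in the thread.

```python
"""Flag hostnames that imitate a brand name, as in the "androld" case.

Added example, not code from the thread: the brand list, confusable table and
sample history below are assumptions constructed for this demonstration.
"""
from datetime import date
from urllib.parse import urlsplit

# Brands a fake "system update" page is likely to impersonate (assumption).
BRANDS = ("android", "google", "samsung", "chrome")

# Character sequences that look alike in common UI fonts. Multi-character
# entries come first so they are folded before single characters. Not exhaustive.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"))

# Dates from the whois record and the first reports quoted in the thread.
WHOIS_CREATED = date(2014, 11, 20)
FIRST_SEEN = date(2014, 12, 1)

# Constructed history lines (not a real log) using hosts named in the thread.
SAMPLE_HISTORY = """\
2014-12-01 14:20:11 http://www.nbcnews.com/some/article
2014-12-01 14:24:36 http://system.androldupdate.com/11-13/zero/us/
2014-12-01 14:24:40 http://solidclix.go2cloud.org/
2014-12-01 14:30:02 http://forums.androidcentral.com/some-thread
"""


def fold_confusables(text):
    """Collapse look-alike characters so 'androld' and 'android' compare equal."""
    for lookalike, canonical in CONFUSABLES:
        text = text.replace(lookalike, canonical)
    return text


def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _first_near_miss(label, brand):
    """Slide windows of about the brand's length over the label; return a reason or None."""
    folded_brand = fold_confusables(brand)
    for size in (len(brand) - 1, len(brand), len(brand) + 1):
        for start in range(len(label) - size + 1):
            window = label[start:start + size]
            if fold_confusables(window) == folded_brand:
                return "confusable characters"
            if edit_distance(window, brand) == 1:
                return "one edit away"
    return None


def lookalike_hits(hostname, brands=BRANDS):
    """Return (label, brand, reason) for each DNS label that imitates a brand.

    A label containing the brand spelled correctly (androidcentral, phandroid)
    is not a look-alike and is skipped; only near-misses are reported.
    """
    hits = []
    for label in hostname.lower().split("."):
        for brand in brands:
            if brand in label:
                continue
            reason = _first_near_miss(label, brand)
            if reason:
                hits.append((label, brand, reason))
    return hits


def scan_history(text, brands=BRANDS):
    """Return [(url, hits)] for every history line whose host imitates a brand."""
    flagged = []
    for line in text.splitlines():
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue
        url = fields[2]
        host = urlsplit(url).hostname or ""
        hits = lookalike_hits(host, brands)
        if hits:
            flagged.append((url, hits))
    return flagged


def domain_age_days(created, observed):
    """Age of the domain when the redirect was seen (11 days in the thread's case)."""
    return (observed - created).days


if __name__ == "__main__":
    for url, hits in scan_history(SAMPLE_HISTORY):
        print(url)
        for label, brand, reason in hits:
            print(f"  {label!r} imitates {brand!r}: {reason}")
    print("domain age when first reported:", domain_age_days(WHOIS_CREATED, FIRST_SEEN), "days")
```

Two signals carry most of the weight here: the folded-label match catches the exact trick used ("androld" reads as "android"), and a very young domain (registered 11 days before the reports) is the second thing to check before treating any "update" page as legitimate. The skip-if-brand-present rule keeps ordinary sites such as androidcentral.com from being flagged.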
 
Yes Unforgiven, I think that much is evident. Here is another forum thread discussing it:

http://forums.androidcentral.com/as...er-i-open-various-internet-links-i-e-tmz.html

The most recent post is quoted below:

Well, I helped myself there !
I went to my app settings, then chrome. I clicked on delete app's data.
Then I clicked on uninstall updates to factory reset chrome.
I rebooted my phone.

Problem... solved!
Going to try on wife's phone and I'll report back.
 
The question is how is it spreading? I have a super clean non-rooted S4. Looking at my history, it was launched from an ad on nbcnews. And yes, it's obvious malware with that misspelling "androld". I caught it instantly. It crashed my phone even though I didn't load it. Huge bug report generated, 600 pages. Rebooted and scanned. So far so good. I feel for the people who don't know better and load it.
 
Yeah, that's a good question. My wife didn't visit any weird sites, and never installs apps. She thinks it was from something on ABC.com - sounds like an ad network has been compromised.
 
I had it pop up in the middle of a gif load from imgur. Following through with this bait-ware leads to Zero Launcher on Google Play. The whois for the domain doesn't lead to anything other than that it was only registered a couple of weeks ago. I've since reported Zero Launcher on the Play Store.
 
Outbrain, DoubleClick and Adblade are all advertising sources used on ABC.com... could be any of them; however, as far as I can tell, NBCNews only uses DoubleClick (Google ad services). Might actually be coming from Google's ad division itself :/ Just a layman's guess.
 
Samsung Galaxy S4, 4.4.2 Unrooted, browsing with Chrome. Same problem.

I experienced it on Cracked.com. I haven't installed anything myself since last week, and I have auto-update apps turned off in Google Play. This only started occurring today, 2014-12-01.

From this, as a complete noob, I'd second jessejericho's guess that some ad network is compromised. OR, this is something we installed a long time ago and it was queued to attack on Dec. 1st. Has anyone experienced this on a completely vanilla device? Other browsers? Etc.
 

[Attachment: Screenshot_2014-12-01-14-24-36.png]
Thanks for the discussion, guys! I think it's really important to keep the discussion going with any new information, reports and ANYTHING that might give us another morsel of an idea of what's going on. I've written about the story on Phandroid (http://phandroid.com/2014/12/01/google-chrome-malware-psa/) and hope to hear back from Google about a potential comment in due time. Let's hope it won't take long to resolve this!
 
OP updated with the link to the Phandroid article based primarily on this thread. BTW, thanks to the posters with screenshots. I reposted them in the OP.
 
Several of the posts mention Chrome. Has anyone observed this when using a different browser?

Just trying to pin down the variables.
 
Not brave enough to test Update, but for science, here's a screenshot of what you're redirected to when you hit Cancel. It opens ZERO Launcher in the Play Store, as someone already said.

Also, here's info on the site from Whois.com

Domain Name: ANDROLDUPDATE.COM
Registrar: NAME.COM, INC.
Whois Server: whois.name.com
Referral URL: http://www.name.com
Name Server: CHARLES.NS.CLOUDFLARE.COM
Name Server: VIDA.NS.CLOUDFLARE.COM
Status: clientTransferProhibited
Updated Date: 20-nov-2014
Creation Date: 20-nov-2014
Expiration Date: 20-nov-2015

Note that going to the website by itself returns a "The page you are looking for cannot be found" message. It's a specific version of the URL, starting with system instead of www, and ending with /11-13/zero/us/, although the last two being a country code, I was able to use ca instead of us as well. I'm hoping all of this will help someone more knowledgeable than I am!
 

[Attachment: Screenshot_2014-12-01-18-38-39.png]
The domain pings back to 104.28.4.84, which is hosted by Cloudflare.com. Interesting that they tout their security. Maybe someone should contact them and they can pull the site?

Being a retired web hosting company owner myself, I can offer a tip:
It would be best if security from this site contacts the head of server security at Cloudflare.com via phone. Give them all of the information about this that can be gathered. Once they have the info they'll go into the account and run a deep security check. If they find something (which I'm sure they will), they'll close the account.
 