Mystery Android download
Old 27-07-2016, 14:17   #1
Osem
Inactive
 
Join Date: Oct 2006
Location: Right here!
Posts: 22,316
Mystery Android download

The wife's been getting pop up adverts on her lock screen for a while and we've been trying to work out what's responsible. She recalls clicking on a Facebook suggestion some weeks ago and a gambling advert appearing on her screen. This then kept happening on her lock screen until I removed a couple of apps and the full page ads stopped. She then started getting smaller adverts almost like large notifications in white text in a black box for various apps like emoji keyboards which seem to direct her to apps on Google Playstore. Sometimes these adverts disappear after a few seconds and sometimes they remain after she's swiped to unlock her phone.

On checking her Lookout AV history, I found a download called 'com.android.share.back' listed about 2 weeks ago. I looked in manage apps and can't find this listed anywhere so I'm wondering if this is the cause of these latest annoying adverts or whether they're to do with Google Playstore. We'd like to stop them but can't find a way to do it so can anyone assist please?

TIA as always.
Old 27-07-2016, 15:20   #2
chris9991
Inactive
 
Join Date: Mar 2007
Posts: 716
Re: Mystery Android download

Don't know if this is related, but it does suggest getting an app to look for rootkits

https://www.theguardian.com/technolo...ces-checkpoint
Old 27-07-2016, 16:22   #3
Osem
Re: Mystery Android download

Yes I came across that article a few days ago. She has an AV which cleared the download as safe but of course that may have nothing to do with the problem. I'm only concerned because we can't find it listed anywhere.

I'll look into your suggestion anyway. Cheers.

This is one reason why we never do banking, shopping or even email on our phones.
Old 27-07-2016, 16:57   #4
adzii_nufc
Rafalution
 
Join Date: Sep 2009
Age: 33
Posts: 5,338
Re: Mystery Android download

It won't be listed in apps. It'll be in the file system. Check downloads folder for dodgy files. com.android.share.back sounds more like a Bluetooth or NFC related folder. However this software would be prebundled with the OS.

Rogue downloads can happen easily. They're usually from ads and simply download but don't install without permission.

Use a file manager and search for com.android.share.back

She may have accepted a T&C box from a dirty app allowing them to hammer the device with ads via Push notification.

These ads have absolutely nothing to do with Google either in any form.

Without seeing the entire file list I can't precisely guide you into what to strip away. A bit of intuition may keep you clear though via checking files in folders that indicate the app it came from before stripping them.

The dodgy awful T&C spam bomber is known as AirPush.
So download AirPush detector, it also strips away other known ad pushers.
__________________
All posts are the opinion of myself and don't reflect those of BT or Openreach.
Old 27-07-2016, 17:45   #5
Osem
Re: Mystery Android download

Hi I looked in file manager and couldn't see much in phone storage/download except a lot of files which are in an unsupported file format and just appear as a very long list of seemingly random letters and numbers with a blue '?' on a file icon adjacent to them.

Interestingly in phone storage I also found a folder called GoAdSdk containing 2 further folders called 'advert' and 'config'. I clicked on 'advert', got 'cachefile' and 'cacheimage' in each of which are listed a number of unknown files some simply numbered between 4-6 digits but with further files listed below titled BaseResponseBean followed by the individual file numbers. So listed under 'cachefile' for example we have a file named 107508 and further down the list we have a file named BaseResponseBean-107508 and so on.

I also found a GOSMS folder even though the wife doesn't have Gosms on her phone.

I heard that Go apps can cause some of these dodgy adverts but have no idea if this is true.

Shortly after this, when we swiped to unlock the phone again and have another look, a small advert once again appeared directing her to a playstore app.

Searching for 'com.android.share.back' in file manager yielded nothing by the way. Also, touching/holding the adverts doesn't show us where they're coming from as we've been led to believe it should on Android 5.1.

Last edited by Osem; 10-06-2018 at 15:50.
Old 27-07-2016, 18:52   #6
adzii_nufc
Re: Mystery Android download

GoAdSDK and GoSMS are the likely cause. It's a startup ad pusher linked to another app.

I.e. the trojan app, could be anything. Even stuff from play store that isn't an editors choice. Crap reviews etc. Basically stuff that slipped through. Could be a third party app.

You're free to delete GoAdSDK and GoSMS in its entirety and reboot.
GoSMS is an app, even when uninstalled, sloppy packages sometimes leave folders from long gone apps so that's safe to go.

There's a chance you eliminated the main app, as you put, the bigger ads buggered off and all that's left are the remnants.

If the above doesn't work and GoADSDK just appears somewhere else then the app is still about and you can either go on an uninstalling rampage or format the device. You can also view each app's individual permissions in settings and clicking an app and modifying permissions.

If it's the latter, make sure Google sync and photos/media are set to on. Means you'll get all contacts and media back. As for apps. The play store keeps your entire purchase and download history. Also give AirPush detector a run before formatting. Might save hassle.

You're not wrong either. Any app with GO in front of it. I.e. Golauncher, GoSMS needs to be shot. Ad pushers. If I'm right, GOSMS is linked to the SDK. So both have to go.

I'd just put com.android.share off to something phone related. Likely NFC

Last edited by adzii_nufc; 27-07-2016 at 19:07.
Old 27-07-2016, 19:24   #7
richard s
Permanently Banned
 
Join Date: Jan 2012
Location: Near France
Services: Tivo XL 150mb broadband L phone
Posts: 1,817
Re: Mystery Android download

You can also get Malwarebytes for Android... download and scan phone.

https://play.google.com/store/apps/d...es.antimalware

or ad app detector

https://play.google.com/store/apps/d...nkeys.detector
Old 27-07-2016, 20:41   #8
Osem
Re: Mystery Android download

Cheers, will have a go and report back tomorrow.
Old 29-07-2016, 14:07   #9
Osem
Re: Mystery Android download

Ok well I deleted the files, loaded Malwarebytes and did a scan which showed nothing. I then downloaded Airpush Detector but when I tried to run it I got a message saying we don't need this app we can just tap on the offending adverts to find out where they're coming from (which we've been unable to do). The phone is Android 5.1 by the way.
Old 29-07-2016, 14:49   #10
adzii_nufc
Re: Mystery Android download

It's hold and select app info as you've said in a previous post. However it won't work unless the ad shows a notification in the bar.

The rogue app is launching its adware at startup each time. Could manually Google each app for its reputation and people reporting similar issues.

That and a factory reset is about all I can think about without dumping the entire phone layout and details all over.

I'd start by binning cosmetic launcher apps. GoLauncher etc. Anything along those lines that affect App icons and Home screen layouts. Even apps that work as intended can still come bundled with Ads and Push Ads.

I'm curious what apps were uninstalled that helped the larger ads on their way to the bin. This could identify possible remnants they leave.

Appstore > my apps and games > all. A list of all that's ever been installed and everything still on there.

Can't guarantee anything but manually check all app permissions in settings>apps.

Last edited by adzii_nufc; 29-07-2016 at 15:05.
Old 29-07-2016, 19:02   #11
richard s
Re: Mystery Android download

Also the phone should have been set not to allow third party apps if not already done so.
Old 29-07-2016, 22:21   #12
Osem
Re: Mystery Android download

Quote:
Originally Posted by adzii_nufc
It's hold and select app info as you've said in a previous post. However it won't work unless the ad shows a notification in the bar.

The rogue app is launching its adware at startup each time. Could manually Google each app for its reputation and people reporting similar issues.

That and a factory reset is about all I can think about without dumping the entire phone layout and details all over.

I'd start by binning cosmetic launcher apps. GoLauncher etc. Anything along those lines that affect App icons and Home screen layouts. Even apps that work as intended can still come bundled with Ads and Push Ads.

I'm curious what apps were uninstalled that helped the larger ads on their way to the bin. This could identify possible remnants they leave.

Appstore > my apps and games > all. A list of all that's ever been installed and everything still on there.

Can't guarantee anything but manually check all app permissions in settings>apps.
Cheers will get back to you.
Old 09-08-2016, 10:09   #13
Osem
Re: Mystery Android download

Right well we bit the bullet and saved her data then reset the phone. A bit of a pain setting it all back up the way she wants it (ongoing) but so far no sign of any adverts appearing. I've suggested she doesn't reload all the apps she had before in one go but to do it in stages then if the ads reappear we have a better idea which app is responsible. I've a feeling this was all linked in some way to an ad which popped up and she clicked on when she was using the Facebook app some weeks ago but we'll see.

Thanks for the help guys.

Last edited by Osem; 09-08-2016 at 10:18.
Old 10-08-2016, 08:36   #14
hedgie
cf.geek
 
Join Date: Jan 2007
Location: Warrington
Age: 56
Services: Phone, 360 + two mini boxes, Hub 5.
Posts: 867
Re: Mystery Android download

It's good to see great advice and you getting things fixed.

I know it is a right pain when these things happen, I had one that constantly popped up and said I had a critical battery problem. The help is out there, but fixing these things always takes way more time than it should.
Old 10-08-2016, 21:23   #15
adzii_nufc
Re: Mystery Android download

Smartphone Era, you'll see more Adware than viruses thus the harder detection from the lacking Android AV's

Naturally the reason is easy, infect phone, they click ads accidentally when they pop up randomly on the device = Profit. That's why people are so keen to do it. Can imagine how many people don smartphones now opposed to a desktop.

Desktops again are becoming a relatively 'fanboy' device, I have one because I love gaming but the more average users are using Android running tablets and iOS devices. So, you get my mother, who owns a Smartphone running Android, who has absolutely no idea about the device or the OS, just that it 'plays' apps and she can use Facebook. She is the target for the ads.. as are millions of others.

If the infected App sits in a quarantined like state for days/weeks then suddenly triggers it's even harder to catch out without manually inspecting all apps as you've probably downloaded even more apps since then. They're getting smarter. Infected app installed > Ads pop up > Uninstalled - Doesn't cut it anymore. Likely to see App installed > Dormant for X amount of days > You install more apps > Ads pop up > Faf on trying to locate the source.

Even legitimate apps do dodgy stuff to get a click from you. E.g. how many times have you gone to click something only to have it move place on the screen? Typically an ad cross or a menu that's moved and you've clicked the ad instead. That's deliberate now, it used to be random lag spikes on occasion when loading pages or apps but now developers have purposely done it.

Last edited by adzii_nufc; 10-08-2016 at 21:28.
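
Added example, not written by any poster in this thread: one way to shortlist a delayed-trigger ad app is to rank user-installed packages by install date and by the two real Android permissions that match the symptoms described here (starting at boot, drawing over the lock screen). The dump text, package names, the date the ads began and the scoring weights are constructed assumptions; the text is only modelled on `adb shell dumpsys package` output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on `adb shell dumpsys package` output. Package
# names and dates are invented; the real layout varies by Android version.
SAMPLE_DUMP = """\
Package [com.example.flashlight] (a1b2c3):
  codePath=/data/app/com.example.flashlight-1
  firstInstallTime=2016-06-28 19:02:11
  requested permissions:
    android.permission.RECEIVE_BOOT_COMPLETED
    android.permission.SYSTEM_ALERT_WINDOW
Package [com.example.notes] (d4e5f6):
  codePath=/data/app/com.example.notes-2
  firstInstallTime=2016-07-10 08:15:40
  requested permissions:
    android.permission.INTERNET
Package [com.example.themes] (0a0b0c):
  codePath=/data/app/com.example.themes-1
  firstInstallTime=2016-07-05 21:44:03
  requested permissions:
    android.permission.RECEIVE_BOOT_COMPLETED
Package [com.example.dialer] (778899):
  codePath=/system/priv-app/Dialer
  firstInstallTime=2015-01-01 00:00:00
  requested permissions:
    android.permission.SYSTEM_ALERT_WINDOW
"""

# Illustrative weights: start at boot (1), draw over other apps (2).
WATCHED = {"android.permission.RECEIVE_BOOT_COMPLETED": 1,
           "android.permission.SYSTEM_ALERT_WINDOW": 2}

def parse_packages(dump):
    """Turn the dump into records: name, install time, system flag, permissions."""
    records = []
    for line in dump.splitlines():
        header = re.match(r"\s*Package \[([\w.]+)\]", line)
        key, _, value = line.strip().partition("=")
        if header:
            records.append({"name": header.group(1), "installed": None,
                            "system": False, "perms": set()})
        elif not records:
            continue  # preamble before the first package header
        elif key == "codePath":
            records[-1]["system"] = value.startswith("/system/")
        elif key == "firstInstallTime":
            records[-1]["installed"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        elif key.startswith("android.permission."):
            records[-1]["perms"].add(key.split(":")[0])
    return records

def suspects(records, first_ad_seen, lookback_days=60):
    """Rank user-installed apps added in the window before the ads began."""
    start = first_ad_seen - timedelta(days=lookback_days)
    ranked = []
    for rec in records:
        if rec["system"] or rec["installed"] is None:
            continue  # preinstalled, or no install time recorded
        if start <= rec["installed"] <= first_ad_seen:
            score = sum(w for p, w in WATCHED.items() if p in rec["perms"])
            if score:
                ranked.append((rec["name"], score, rec["installed"]))
    ranked.sort(key=lambda r: (-r[1], r[2]))  # highest score, then oldest
    return [(name, score) for name, score, _ in ranked]
```

A high score is only a lead for manual review, since legitimate apps request the same permissions; the long lookback window is there to catch an app that sat dormant before the ads began.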