Solving Unwanted Chrome Popups on an Android Phone

Recently my wife’s Android phone began opening Chrome and later DuckDuckGo with ads and offensive content on its own, particularly after the phone had been sleeping and required entry of the password or PIN to get back in.

We tried everything that was suggested on the web, including:

  • Uninstalling and reinstalling Chrome
  • Going into Apps and emptying cache and deleting data for Chrome
  • Removing recently used apps after triggering the malware

None of this worked.

Having been technical in my working life (I am now retired), I went to the next level and found a way to root out the devil and get rid of the virus/malware. I know nothing about Android development, so I think that anyone with some technical skill could do what I did.

The steps I took:

  • Install Android Studio on your computer
  • Connect your phone to your computer
  • Ensure that Developer Tools are enabled on your phone (Google it to find out how to do that on your phone)
  • Enable USB Debugging on your phone under ‘Developer Tools’
  • Make sure ADB is running in Android Studio. You can verify under Tools > Troubleshoot Device Connections
  • Learn how to run logcat in Android Studio
  • Run logcat – you can reduce the output by creating a filter that looks for the tag ‘START’. Use priority Verbose.
  • Wait for the phone to display the malware
  • Look for a statement like this in the log

2020-04-01 09:58:49.101 ? I/ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://bintds.com/… flg=0x10000000 pkg=com.android.chrome} from uid 10157

The URL might be different and the UID will also be different, but the rest will generally be the same. Of course, the time needs to be when the malware appeared. There may be lots of legitimate calls to Chrome elsewhere in the log.

  • Now consider ‘from uid 10157’
  • That tells us who is calling the system to start Chrome
  • 10157 identifies the package that is doing the call…this is the bad boy
  • Find out the package with this command on the command line (run ‘terminal’ in Android Studio)

adb shell cmd package list packages --uid UID

Once you have the package name, you can usually figure out the app.  In my case it was:

com.navigatore.gratuito.gratis.italiano.android.voce.mappe.gps.offline.navigatore

If you find similar events in your system, what I have done may work for you. I imagine it could be any package; I have listed the package that was found on my wife’s phone. I have no idea how it got infected with malware, but I uninstalled it and the problem went away.
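The log-reading step above can be scripted. The following is an added example, not part of the original post: it reads logcat text and counts which UIDs asked ActivityManager to open a web URL in Chrome. The function names, the sample log lines and the `example.invalid` URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example: rank the UIDs that asked ActivityManager to open a URL in a browser.

# Constructed sample log lines (not captured from a real device).
sample_log() {
cat <<'EOF'
2020-04-01 09:58:49.101 ? I/ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/a flg=0x10000000 pkg=com.android.chrome} from uid 10157
2020-04-01 10:02:13.440 ? I/ActivityManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.android.chrome/com.google.android.apps.chrome.Main} from uid 10031
04-01 10:15:02.007  1234  1300 I ActivityManager: START u0 {act=android.intent.action.VIEW dat=https://news.example.invalid/ flg=0x10000000 pkg=com.android.chrome cmp=com.android.chrome/.Main} from uid 10089
2020-04-01 11:40:27.912 ? I/ActivityManager: START u0 {act=android.intent.action.VIEW dat=http://ads.example.invalid/b flg=0x10000000 pkg=com.android.chrome} from uid 10157
EOF
}

# Reads logcat text on stdin and prints "<count> <uid>" per caller, most frequent first.
# $1 = browser package to match (default: com.android.chrome).
browser_launch_uids() {
    awk -v want="pkg=${1:-com.android.chrome}" '
    /ActivityManager[^:]*: START / {
        # Only VIEW intents that carry a web URL are of interest here.
        if (!index($0, "act=android.intent.action.VIEW")) next
        if (!index($0, " dat=http")) next
        p = index($0, want)
        if (!p) next
        c = substr($0, p + length(want), 1)   # character after the package name
        if (c != " " && c != "}") next        # reject longer package names
        if (match($0, /from uid [0-9]+/))
            n[substr($0, RSTART + 9, RLENGTH - 9)]++
    }
    END { for (u in n) print n[u], u }' | sort -k1,1nr -k2,2n
}

# Assumed live usage (needs a connected device with USB debugging enabled):
#   adb logcat -d | browser_launch_uids
#   adb shell cmd package list packages --uid 10157

# Demo on the constructed sample; prints one "<count> <uid>" line per caller.
sample_log | browser_launch_uids
```

A high count is only a lead: legitimate apps also open links in Chrome, so confirm that the entries for a UID line up with the times the popups appeared before uninstalling anything.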

Happy hunting!
