Advice? - Going Forward after a Malvertising Hit

  • 10 April 2017
  • 5 replies

Userlevel 2
First I apologize if this isn't the right forum.  I looked around and this seemed to be the best fit I could find.
I'm looking for advice from knowledgeable and experienced individuals on going forward after a Malvertising hit?
First the background information: I'm running a Verizon Samsung Note 3 with the stock firmware that is currently up to date; as far as I'm aware, the last update was about a month ago.  I'm running Webroot SecureAnywhere Mobile on the system and it is also up to date.  I was using the stock browser and was looking at older video game consoles on GameStop's website when I got hit by a Malvertising ad.
Not once during this whole process did Webroot register any hits or block anything.  First a typical fake virus ad popped up then nearly immediately another page popped up that appeared to be in maybe Russian?  Then the system began to download a file all in a matter of seconds.  I hadn't even had time to click on anything.  I know better than to click on anything to do with those types of things.  I usually terminate processes like that from the task manager.  Anyway the system downloaded an APK file to the downloads folder that was called "clean.apk".
I immediately rebooted the device.  While rebooting the Samsung screen ominously showed the words "Custom" and an unlocked pad lock symbol.  I have never seen this before and this is a stock firmware non-rooted device.  When the device started I put it into Airplane Mode then using the folder browser I deleted the "clean.apk" file.  I looked through the installed apps, running apps, etc. and could find no instances of any suspicious processes that I could tell.
I tried to run the SecureAnywhere virus scan off-line, but since it is cloud based that didn't work.  I had to take the device out of Airplane Mode to be able to run the scan.  I ran multiple consecutive scans all came back clean.  I put the device back into Airplane Mode and rebooted the device again and this time the stock Samsung boot screen appeared and the ominous "Custom" and unlocked pad lock were gone.
I looked through all of the Application Manager, and didn't see anything that looked out of place, but then again I'm not an expert and probably wouldn't know the difference.
And here I am now with my phone powered on, but in Airplane Mode, wondering what I should do next?  Google didn't turn up any helpful results, too many unrelated hits.

Best answer by Baldrick 10 April 2017, 12:49

Userlevel 7
Hi seven_7_vii_th
Welcome to the Community Forums.
You have indeed posted in the appropriate place in the Community...;)
Based on what you describe I would recommend that you Open a Support Ticket to advise the Support Team of the issue (you can link this thread in the ticket so that you do not have to regurgitate the detail already provided). Hopefully they can investigate & advise as to what the best option is for you going forward.
Regards, Baldrick
Userlevel 2
Thanks for the quick reply Baldrick.  It was nice to be able to get the day started with a reply ready and waiting for me, though I didn't get a chance to respond back until now.
I'll follow your advice and submit a support ticket.
I also talked with some of my colleagues about what happened.  One thing that they brought up that I didn't initially think about checking was whether the ability to install APKs from unofficial sources was turned off, which of course it was.
It is a shame that I didn't collect the APK as a sample for Webroot to investigate, but I wanted to get the thing off the system ASAP and wasn't too sure what kinds of activities might trigger it if it hadn't already been activated.
I ended up leaving the phone powered off all day, it is hard to say whether it was "killer" or if it was just killing me.
I'm also gearing up for the prospect of resetting the device.  I haven't done a factory reset in the entire time that I have owned it.  It might not hurt to get it done anyways and clear out some of the junk that has accumulated over the years.
Thanks again.
Userlevel 7
Hi seven_7_vii_th
You are most welcome. Do let us know what the result is of the support ticket; such information is always useful to us going forward in case there are other members who come here with the same or a similar issue. ;)
In terms of 3rd party sources; we would say here, in the Community, just do not download from them as they can be the source of a number of 'undesirables' which you don't want on your device. Sticking to official sources is much safer.
You may well be advised to reset the device; I have done that a number of times and whilst a pain it is, as you say...a chance to "clear out some of the junk that has accumulated over the years".
All the best, Baldrick
Userlevel 2
Well, my support ticket with Webroot is now closed after a few messages back and forth on the issue.
My personal take on the official verdict is inconclusive due to lack of information.
They said since I didn't open/run the APK file that I should be fine.
A few other comments that were made that I noted were that:  Webroot will only block malicious pages if you are using the Webroot secure web browser.  They recommended I download and use it going forward in the future.
I asked specifically about the "Custom" boot screen that appeared after the first reboot.  They said that this is and has historically been a common issue with Samsung devices citing a number of web references.
Unfortunately without a sample of the file that I deleted there isn't much more insight that they can provide on the issue.
For future reference, things I probably would have done differently: at the time I considered the file to be too risky to attempt to archive as a sample.  I might be more inclined to try to get a sample copy before deleting.  Also, I probably would have put the device into Airplane Mode first before rebooting.  Other than that I think for the most part I'm satisfied with the rest of the decisions I made at the time.
Going forward, I'll probably go ahead and back up my important data and then perform a factory reset on the device.  It is probably a little overkill considering the situation.  Beyond that maybe reset a few passwords just in case.  The only way I can think of that one could possibly cover the situation any better would be to buy a new device, which really would be overkill.  It would get rather expensive to buy a new device after every Malvertising hit these days.  I don't believe the rate of exposure to these types of risks is going to get any better any time soon.
Once again thanks for all of the help and the quick responses.  As Baldrick said before hopefully this information will be useful for someone else in the same situation.
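The lessons the poster draws above (preserve the dropped APK as a sample before deleting it, put the device in Airplane Mode first, check the "unknown sources" setting, look for anything sideloaded) can be turned into a small host-side triage script. This is an added example, not Webroot or Samsung tooling and not code from the thread; it assumes `adb` on the host PATH with USB debugging enabled, a pre-Oreo Android where `settings get secure install_non_market_apps` still holds the unknown-sources flag, and `/sdcard/Download` as the browser's download folder.

```shell
#!/bin/sh
# Post-malvertising triage helper (constructed example, not vendor tooling).
# Assumes: adb on PATH, USB debugging on, pre-Oreo Android, downloads in
# /sdcard/Download. Nothing here deletes anything from the phone.
set -eu
ADB="${ADB:-adb}"
EVIDENCE="${EVIDENCE:-./evidence}"

# Interpret the raw value of `settings get secure install_non_market_apps`
# (1 = "Unknown sources" enabled; 0 or null = sideloading disabled).
unknown_sources_state() {
  case "$1" in
    1) echo "ENABLED" ;;
    0|null) echo "disabled" ;;
    *) echo "unrecognised:$1" ;;
  esac
}

# Strip the "package:" prefix from `pm list packages -3` output and sort,
# giving a diffable list of user-installed (store or sideloaded) apps.
package_names() {
  sed -n 's/^package://p' | sort
}

# Pull one file into EVIDENCE and record its SHA-256 beside it, so the
# sample and its hash can be handed to support before the file is removed.
preserve_sample() {
  path="$1"; name=$(basename "$path")
  mkdir -p "$EVIDENCE"
  "$ADB" pull "$path" "$EVIDENCE/$name" >/dev/null
  sha256sum "$EVIDENCE/$name" | tee "$EVIDENCE/$name.sha256"
}

# Full run against a connected device (Airplane Mode first, as the thread
# concluded). Only invoked when the script is called with "run".
triage_device() {
  raw=$("$ADB" shell settings get secure install_non_market_apps | tr -d '\r')
  echo "Unknown sources: $(unknown_sources_state "$raw")"
  echo "User-installed packages:"
  "$ADB" shell pm list packages -3 | tr -d '\r' | package_names
  apks=$("$ADB" shell ls /sdcard/Download 2>/dev/null | tr -d '\r' | grep -i '\.apk$' || true)
  for apk in $apks; do
    preserve_sample "/sdcard/Download/$apk"
  done
}

if [ "${1:-}" = "run" ]; then triage_device; fi
```

Run it as `sh triage.sh run` with the phone attached; the hashes written under `./evidence` are what a support team can match against, which is exactly the information the ticket in this thread lacked.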
Userlevel 7
Hi seven_7_vii_th
Thanks very much for taking the trouble to feedback on this. It certainly is most helpful indeed and will certainly stand members in good stead as a source of useful information about this issue.
Regards, Baldrick