this site has been hacked

twobjshelbys · #1 (**permalink**) 12-16-2016, 09:26 AM

Quote:

Originally Posted by moore_rb

Guys-

For many of you, this issue is due to some security vulnerabilities in Android. The exploiters are using a built in popup feature in Chrome to display all these "warning" pages which aren't legitimate warnings at all - they want you to click their links, so that they can install even more malware onto your phone.

I use Firefox on my phone. No such directory on my phone.

moore_rb · #2 (**permalink**) 12-16-2016, 10:34 AM

Quote:

Originally Posted by twobjshelbys

I use Firefox on my phone. No such directory on my phone.

The hack is in the native Android browser (which all the other 3rd party browsers actually use to interact with your phone's OS)- I only tested it with Chrome, and removing the goAdSDK folder helped. It must put its scripts in a different location with Firefox.

try closing all apps on your phone, then open your native Android browser (the one with the Globe icon). If the bogus warning pages instantly appear (or if it opens a Play Store window to some bogus ad blocker) before your home page loads, then you are still infected - at which point you can open the settings in the native browser, and clear the cache and all temporary data (this shouldn't impact your firefox cache at all) Then, set your native browser's homepage to a safe destination with a public certificate (https://google.com for example), and restart your phone one more time.

after this 2nd restart - open your phone's native browser again, and try to navigate to club cobra from the native browser... click some links, and see if the issue is cleared up. If it is, then go try club cobra from Firefox, too...

cycleguy55 · #3 (**permalink**) 12-16-2016, 11:11 AM

Quote:

Originally Posted by moore_rb

The hack is in the native Android browser (which all the other 3rd party browsers actually use to interact with your phone's OS)- I only tested it with Chrome, and removing the goAdSDK folder helped. It must put its scripts in a different location with Firefox.

My native browser is Chrome and, again, no goAdSDK folder on my phone.

BTW, I just checked again and I'm no longer getting pop-ups or re-directs.

cycleguy55 · #4 (**permalink**) 12-16-2016, 10:59 AM

Quote:

Originally Posted by twobjshelbys

I use Firefox on my phone. No such directory on my phone.

Ditto, no GOADSDK folder on my phone. That's clearly not the common thread.

Looking my mobile browser history, it appears to originate with a re-direct to serve.popads.net, then the advertisement, warning, etc. pops up. The domain registration for popads.net ( Whois popads.net ) is in Costa Rica and looks like a one-man or small shop (TOMKSOFT S.A.) owned by TOMASZ KLEKOT.

I have reported abuse by popads.net to abuse@enom.com, the "Registrar Abuse Contact Email". The policies posted on the registrar's Web site ( eNom - domain name, web site hosting, email, registration ) look good - but action is quite another matter. We'll have to wait and see if anything changes.

DanEC · #5 (**permalink**) 12-17-2016, 05:22 AM

Interestingly I have a NOOK with internet capability and when I opened it to the Cobra Forum site last night and clicked on a post, the infected notice popped up. Lovely.