
I am randomly getting redirected to a page that looks very suspicious, especially the URL that sends the base64 encoded payload. It usually happens when I click a news link, usually a local news site. So I thought the news site was possibly compromised. Recently though, it happened when I clicked on an article on msn.com. So now I think my phone may be the problem. It is a Samsung Galaxy S5, fully updated.

I only copied the URL once, so I am not sure if it changes, but here is the one I captured (DON'T GO TO THIS):

data:text/html;base64,PCFET0NUWVBFIGh0bWw+PGh0bWw+PGhlYWQ+PG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgdXNlci1zY2FsYWJsZT1mYWxzZSwgaW5pdGlhbC1zY2FsZT0xLjAsIG1heGltdW0tc2NhbGU9MS4wIj48L2hlYWQ+PGJvZHk+PGRpdiBpZD0iaWZybSIgc3R5bGU9InBhZGRpbmc6MDsgbWFyZ2luOjA7Ij48aWZyYW1lIHNyYz0iaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3d3dy5hb3RxNGpncXk5bjcxLmluZm8vVVMvd3Bld2VrazMzMDNsa2Vra2sxMWtrLmh0bWwiIHN0eWxlPSJ0b3A6MDsgbGVmdDowOyB3aWR0aDoxMDAlOyBoZWlnaHQ6MTAwJTsgcG9zaXRpb246IGFic29sdXRlOyBib3JkZXI6MCIgc2Nyb2xsaW5nPSJ5ZXMiIGFsbG93RnVsbFNjcmVlbj0ieWVzIj48L2lmcmFtZT48L2Rpdj48L2JvZHk+PC9odG1sPg==

I also captured 3 screenshots of the page:

  1. The initial popup
  2. The page behind the popup
  3. The page behind the popup, scrolled down

The above mentioned screenshots.

The last screenshot is updated in real time with fake posts.

Does anyone know what this is or how to get rid of it?

Anders
rys
  • If the page opens even without you manually typing the URL, check your list of installed apps, and see if you find anything suspicious there. Also, is your phone rooted? – pri Sep 12 '16 at 13:52
  • If it happens on multiple sites independently, it is either your phone being infected with malware, or it being injected over the network. So the natural follow-up question is: Does it happen on different networks? And does it happen on HTTPS sites as well? – Anders Sep 12 '16 at 13:53
  • @PriyankGupta it is not rooted. I'll check my apps. – rys Sep 12 '16 at 14:01
  • @Anders I am not sure on different networks, I think I have been on my home network every time. I am also not sure on HTTPS. I'll do more investigation next time it happens and update my question when I have more info. – rys Sep 12 '16 at 14:01
  • the data: URI allows the actual data (text/html in this case) to be specified in the URL itself - the _PCFET0NUW..._ stuff is the base64 encoded HTML web page that is popping up. So you're not getting redirected somewhere... I think you will find that this popup is not dangerous in and of itself, but I recommend not clicking on anything but using 'back' or closing the tab. – gowenfawr Sep 12 '16 at 14:02
  • @gowenfawr yes I always try to click back, which closes that popup. Then it disables back so I must close the tab. – rys Sep 12 '16 at 14:07
  • Is it happening on a free wifi hotspot? – dandavis Sep 12 '16 at 19:37
  • No, home network. – rys Sep 13 '16 at 01:23
  • This is extremely widespread at the moment. I and several people I know have seen this *exact* message on our phones. See [this Android.SE](https://android.stackexchange.com/questions/156053/why-does-chrome-on-android-launch-tabs-or-redirect-existing-tabs-to-spammy-ads) thread for many other anecdotes of the same message. – Logical Fallacy Sep 18 '16 at 01:04
  • Thanks @MechanicalSpecies. Curious when someone actually identifies the problem. From the link you provided, maybe a malicious ad being served? – rys Sep 20 '16 at 03:59

2 Answers


I had the same thing happen. Yes this is an attempt to infect your system with malware. It may have been delivered via text message, skype message, or infected website. What you need to do is go into your Chrome app data cache and clear all data from the Chrome app. This resolved the issue for me. I am guessing this is some sort of javascript that gets cached in Chrome data storage.

Fly
  • Interesting, I have recently cleared my cache. I wonder if some website I frequent is the root issue and it keeps getting recached. EDIT: Oops you said data as well, I don't think I have cleared the data recently. Maybe that is it. – rys Sep 12 '16 at 15:17
  • Cached JavaScript causing this? That does not sound right to me. How would that work? – Anders Sep 13 '16 at 11:48

What is this?

Something somewhere is injecting things in your HTTP traffic. The URL in question is a data URL, meaning that the browser reads all the content of the page from the URL.

The content of yours is this HTML (whitespace inserted by me):

<!DOCTYPE html>
<html>
  <head>
    <meta name="viewport" content="width=device-width, user-scalable=false, initial-scale=1.0, maximum-scale=1.0">
  </head>
  <body>
    <div id="ifrm" style="padding:0; margin:0;">
      <iframe src="https://s3.amazonaws.com/www.aotq4jgqy9n71.info/US/wpewekk3303lkekkk11kk.html" style="top:0; left:0; width:100%; height:100%; position: absolute; border:0" scrolling="yes" allowFullScreen="yes">
      </iframe>
    </div>
  </body>
</html>

That is basically an iframe covering the whole page displaying this page:

https://s3.amazonaws.com/www.aotq4jgqy9n71.info/US/wpewekk3303lkekkk11kk.html

I don't know what that site is for and I don't feel like visiting it, but it is usually phishing, ads, more malware or some kind of scam.

Basically, someone is injecting into your web traffic to try to make money off you.

What caused it?

I can see two options here:

  1. Malware on your phone inserting it.
  2. Someone on the network (between you and the webpages you visit) inserting it. In practice, if you are on your home network, this means your router.

So how do you pinpoint which one it is?

  • If this happens on many different networks (e.g. also when you use 4G, the Wi-Fi in the coffee shop, etc) it is probably your phone.
  • If this happens on multiple devices (e.g. also your laptop) it is probably your router.
  • If this happends even when you visit sites using HTTPS it is probably your phone.

How do you get rid of it?

If it is your phone, there is nothing to do other than "nuke from orbit". That means wiping the phone and doing a complete factory reset.

If it is your network, I would do a factory reset on the router (there is usually a button for that somewhere). And then remember to reconfigure the router with sound security policies.

Anders
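As an added example (not code from the question or from either answer), here is a small Python triage script that does by machine what gowenfawr's comment and the answer above do by hand: it parses the data: URL, base64-decodes the payload, and lists the remote URLs the decoded HTML would load, so a captured URL can be examined without ever opening it in a browser. The captured URL is the one quoted in the question; the meta-refresh input in the test is constructed for the example, and the function and class names are my own.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# data:[<mediatype>][;charset=<cs>][;base64],<payload>   (RFC 2397 layout)
DATA_URL_RE = re.compile(
    r"^data:(?P<type>[^;,]*)(?P<params>(?:;[^;,]*)*),(?P<payload>.*)$",
    re.DOTALL,
)


def decode_data_url(url):
    """Return (media type, decoded text) for a data: URL without rendering it."""
    m = DATA_URL_RE.match(url.strip())
    if not m:
        raise ValueError("not a data: URL")
    params = [p.strip().lower() for p in m.group("params").split(";") if p.strip()]
    payload = m.group("payload")
    if "base64" in params:
        # Default (non-strict) decoding: stray whitespace from copy/paste is discarded.
        body = base64.b64decode(payload)
    else:
        # Non-base64 data: URLs carry percent-encoded text.
        body = unquote(payload).encode("utf-8")
    charset = next((p.split("=", 1)[1] for p in params if p.startswith("charset=")), "utf-8")
    return (m.group("type") or "text/plain"), body.decode(charset, errors="replace")


class EmbeddedTargets(HTMLParser):
    """Collect every attribute that makes the page load or navigate to another URL."""

    TARGET_ATTRS = {
        "iframe": "src", "frame": "src", "script": "src", "img": "src",
        "embed": "src", "object": "data", "form": "action", "a": "href",
    }

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        attr = self.TARGET_ATTRS.get(tag)
        if attr and a.get(attr):
            self.targets.append((tag, a[attr]))
        # <meta http-equiv="refresh" content="0;url=..."> is the other common redirect vehicle.
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            _, _, rest = a.get("content", "").partition(";")
            rest = rest.strip()
            if rest.lower().startswith("url="):
                self.targets.append(("meta-refresh", rest[4:].strip("'\" ")))


def triage(url):
    """Decode a data: URL and report the remote hosts its HTML would contact."""
    media_type, html = decode_data_url(url)
    parser = EmbeddedTargets()
    parser.feed(html)
    hosts = sorted({
        urlsplit(t).netloc for _, t in parser.targets
        if urlsplit(t).scheme in ("http", "https")
    })
    return {"media_type": media_type, "html": html, "targets": parser.targets, "hosts": hosts}


# The URL captured in the question above. Decoding it offline is safe; opening it is not.
CAPTURED_URL = (
    "data:text/html;base64,PCFET0NUWVBFIGh0bWw+PGh0bWw+PGhlYWQ+PG1ldGEgbmFtZT0idmlld3BvcnQiIGNv"
    "bnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgdXNlci1zY2FsYWJsZT1mYWxzZSwgaW5pdGlhbC1zY2FsZT0xLjAs"
    "IG1heGltdW0tc2NhbGU9MS4wIj48L2hlYWQ+PGJvZHk+PGRpdiBpZD0iaWZybSIgc3R5bGU9InBhZGRpbmc6MDsg"
    "bWFyZ2luOjA7Ij48aWZyYW1lIHNyYz0iaHR0cHM6Ly9zMy5hbWF6b25hd3MuY29tL3d3dy5hb3RxNGpncXk5bjcx"
    "LmluZm8vVVMvd3Bld2VrazMzMDNsa2Vra2sxMWtrLmh0bWwiIHN0eWxlPSJ0b3A6MDsgbGVmdDowOyB3aWR0aDox"
    "MDAlOyBoZWlnaHQ6MTAwJTsgcG9zaXRpb246IGFic29sdXRlOyBib3JkZXI6MCIgc2Nyb2xsaW5nPSJ5ZXMiIGFs"
    "bG93RnVsbFNjcmVlbj0ieWVzIj48L2lmcmFtZT48L2Rpdj48L2JvZHk+PC9odG1sPg=="
)

if __name__ == "__main__":
    report = triage(CAPTURED_URL)
    print(report["media_type"])
    for tag, target in report["targets"]:
        print(f"{tag:>12}: {target}")
    print("remote hosts:", ", ".join(report["hosts"]))
```

Run against the captured URL it reports a single iframe and the host s3.amazonaws.com, which is exactly what the hand decoding above found. Note that the host alone looks like ordinary AWS traffic; the bucket name in the path (www.aotq4jgqy9n71.info) is the part worth searching for or reporting to AWS abuse.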