Beware of malicious Android notifications

As a fan of free and open-source software, I love the freedom and openness of Android. There was a time when so-called experts at leading tech magazines would scoff at it and mock its limited selection of apps compared to Apple’s App Store. Those days are long gone and the Apple App Store pales in comparison when it comes to the sheer number and variety of apps in the Google Play Store.

According to recent data, there are just under 2 million apps in Apple’s App Store compared to almost 3 million in Google’s Play Store. That extensive app selection makes it almost impossible to manage the Play Store and often malicious, nuisance and useless apps have a way of sneaking into the Playstore. Time and time again we have come across screaming headlines of an app with millions of installs, has malware but was or is available to install from the Playstore.

How this happens?

One favourite trick I have seen in recent weeks is to use malicious notifications. A lot of websites these days come with what is known as push technology. For example, this site allows you to subscribe so you can receive push notifications. When you subscribe the site can send you all sorts of notifications.

A legitimate site like Techzim would never abuse this privilege. You will only receive notifications that are relevant and important. For example when new content is published. Typically these notifications are sent out only once. You do not keep receiving the same notification over and over again.

Malicious sites are now abusing this weakness. First, as you go about your business on the internet you will stumble across such a site perhaps it comes in the form of a pop-up ad as happened to my wife. The ad is made in such a way as to lure you in. For example, you have a chance to win an iPhone. In order for you to receive the price, the site tells you, you have to enable notifications.

Once you have enabled notifications the site now has permission to send you notifications. In most cases, they don’t abuse this privilege right away. They make sure they get as many people as they can to enable notifications. Once they have a big enough pool of victims they start to send notifications like the one above. Those notifications are from two separate domain names but they are all from the same malicious actor.

If you tap on either of them the following happens:

• 

• 

• 

First, you will be taken to a site that you originally enabled notifications for. The site keeps of all the potential victims passing through. The attackers probably keep track of this analytical data so they can optimise future attacks and bait campaigns. Then you will be taken to the malware landing site where full-screen notifications try to both lure and scare you to click install.

Now here is the fun part, It doesn’t really matter which one of those buttons you tap on. If you tap on Install you will be taken to the Play Store where you have to install the app in the screenshot. If you click on Cancel you will again be taken to the same app. That’s hardly surprising, you cannot expect these people who have abused your trust and lied to you to suddenly honour your wishes.

Thankfully, all these people can do is to lead you to the water, they cannot install the app unless you click the install button in the Play Store itself. You should not install this app on your phone. At best it’s a useless app that does nothing your system cannot do on its own, at worst it contains malware that will do harm to your phone.

How to protect yourself

Ideally, you should avoid visiting “dodgy” sites. Most of these ads are found on piracy sites like PirateBay. These sites often cannot show legitimate ads from companies like Adsense and therefore resort to questionable ad exchanges which are often riddled with malvertisers. These often trick you into visiting even more dodgy sites that trick you into enabling notifications.

Like abstinence, avoidance is not always possible. If you are already receiving these notifications you should revoke notification permissions for the site in question. To do so follow these steps:

• On your Android phone or tablet, open the Chrome app.
• Go to the website you don’t want to receive notifications from.
• To the right of the address bar, tap More More and then Info Information.
• Tap Permissions and then Notifications.
• If you don’t find the setting for a specific website, it can’t send you notifications.
• Select Allow or Block.

If this doesn’t work just block notifications for all sites using the following steps:

1. On your Android phone or tablet, open the Chrome app.
2. To the right of the address bar, tap More   Settings.
3. Tap Site Settings  Notifications.
4. At the top, turn the setting on or off.

If this still doesn’t work or you just want to start over you can wipe all stored data in Chrome from the app settings menu on your phone.