Native Browser Malware/Virus

It seems that the default native browser on my Xperia 10 phone has either a malware or virus. I say that because the browser has been opening up on its own and new tabs of websites that I never visited have been appearing. Thus, my phone’s battery has been draining quickly. How do I remove the malware or virus from my browser or wherever? By the way, I have the latest version of Sailfish OS.

Can you try going to the settings of the browser in the privacy section and using the clear button?

I have exactly the same issue since two days ago. I leave the phone overnight with a full charge and overnight three or four browser tabs have opened by themselves and the battery is nearly dead. In my case the tabs are all the same website … https://game.cyeep.com/ which is basically a gaming website full of game and other adverts and pretty much nothing else. I have never visited this website (I’m not into phone games) and the browser wasn’t left open overnight either. There is obviously some rogue process running in the background that is accessing the browser app and loading it up. However I’m not skilled enough to identify it or get rid of it. A phone re-boot does not cure the problem either, so some malware code had got embedded somehow, not just a process. I am also on 4.0.1.48. It’s very annoying, especially the battery drain!

System Monitor shows CPU usage running at about 88% all the time, even overnight when the phone is idle and also shows battery drain at about 10% per hour in this state, so it is not surprising it’s almost dead in the morning. I haven’t installed any new apps recently either. I had the idea of stopping Aliendalvik this morning and, again with the phone still idle, CPU usage has dropped to 24%, but that still seems high for an ‘idle’ phone - maybe that’s just the drain of the System Monitor app itself. Restarting Aliendalvik and the CPU usage goes up to 38% - but not 88%, so maybe it is a rogue android process - but then I don’t understand why a phone re-boot wouldn’t have sorted this … I’ll see if the browser tabs come back of their own accord after this…

OK, CPU usage has just rocketed upwards again to 90% 5 minutes after restarting Aliendalvik … so maybe I (we) have an android virus here. Using all that CPU I can’t help wondering what it is doing or what it is sending to where :frowning: I’ve never had a virus or malware on any phone I’ve ever owned (and there have been a lot of various OS’s) - It would be ironic if my first infection was on a Sailfish phone :frowning:

I cleared the information under the privacy tab in the native browser, but that did not solve the problem in question.

Maybe your other “infections” were “asymptomatic” :wink:
But more seriously, if you have CLI access, check the output of systemctl and systemctl-user to check for dodgy services. Also check ps -fea (or your favourite variant) for dodgy programs that are running.
Have you tried restarting your phone and not accessing your browser? Does the same thing happen?
Have you installed anything that is not from the Jolla Store? If yes, what did you install?

I would also tend to say it’s an Android Malware opening browser tabs. I would clearly search for running Android background processes. Crest, a task manager, makes Android processes very visible, as they appear as not-hidden foreground processes all the time.

:- :rofl: :rofl: :rofl: But I’ve been vaccinated!

Anyway, I can do (I did) what you suggested but I wouldn’t recognize a dodgy process even if it said “Hey, I’m a dodgy process”. We’re getting to the limits of my technical ability here I’m afraid. I used Crest as was also suggested here, but the percentages for CPU are all rubbish (like 9616%, 2308%, etc) and if you sort in CPU usage order the percentage numbers don’t even go in order - so I can’t tell from this app the high usage processes. I did try “ps -ef | grep com” (left over knowledge from my unix/linux days) on the basis that most android processes were “com.something.something” but that only gave me the apps I have used for a while and would be running in the background for notifications, cloud sync, etc - facebook, linkedin, evernote, etc - and I’ve had all these apps for months and months. Nothing installed from Jolla store recently or openrepos. Only android app I installed was Toodledo (a cloud based task manager) but that wouldn’t run so I deleted it again … could be that I suppose. Rebooted the phone earlier, and without accessing the browser - it’s just popped up again, this time with a slightly different gaming site. I guess my next step is to shutdown Aliendalvik overnight and see what happens I suppose. But even if I do identify that there is malware code installed, how do I get rid of it other than a complete wipe and re-install?? I definitely don’t want to go through all that again … It takes hours and hours and never works first time :expressionless:
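
The process check discussed in the posts above (listing running processes and picking out Android package names, as with `ps -ef | grep com`), as an added example that is not part of any post in this thread: it ranks Android-style processes by CPU from a `ps -eo pid,pcpu,args` listing and sums CPU per package. The sample listing and the `com.example.*` names are constructed, and it assumes Android apps appear in `ps` under their package name.

```shell
#!/bin/sh
# Added example: rank Android-style processes by CPU from a ps listing.
# Assumed input: output of `ps -eo pid,pcpu,args` (one header line, then rows).
LC_ALL=C; export LC_ALL   # keep "." as the decimal point for sort and awk

# Constructed sample listing (not captured from a real device).
sample_ps() {
cat <<'EOF'
  PID %CPU COMMAND
    1  0.0 /sbin/init
  812  1.2 /usr/bin/lipstick
 2301 71.5 com.example.store
 2350  0.4 com.example.notes
 2377 14.0 com.example.store:push
 2400  0.1 grep com
EOF
}

# Print "cpu pid name" for processes whose name looks like an Android package
# (lowercase start, at least two dots, optional ":subprocess"), highest CPU first.
android_by_cpu() {
  awk 'NR > 1 && $3 ~ /^[a-z][a-z0-9_]*\.[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)+(:[A-Za-z0-9_.]+)?$/ {
         print $2, $1, $3
       }' | sort -k1,1 -rn
}

# Sum CPU per package (pkg:sub folds into pkg) and print "package total"
# for every package at or above the threshold given as $1.
hot_packages() {
  android_by_cpu | awk -v t="$1" '
    { split($3, p, ":"); cpu[p[1]] += $1 }
    END { for (k in cpu) if (cpu[k] >= t) printf "%s %.1f\n", k, cpu[k] }' | sort
}

# Demo on the constructed sample; on a device, pipe the real listing instead:
#   ps -eo pid,pcpu,args | hot_packages 10
sample_ps | hot_packages 10
```

A package that keeps a high total while the phone is idle is the one to stop or uninstall first and then re-check.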

@Steve_Everett, not running Android is a good idea to isolate the fault - you will have to prevent it from booting at start up, reboot and then check again. If you do have malware, it will probably take longer to get rid of it than to reflash - YMMV. You could share your process list/systemd services here to see if anybody knows better.

Sounds like missing decimal period - does it make sense if you imagine a “.” two digits from the right?

No, sadly. Actually the percentages are like 9765.0% and 2318.0% - I just didn’t bother in my message with the decimal point. Even if I shifted the point two digits left it still doesn’t make sense since sorting the process list by CPU utilisation should still show the ‘integer’ value of the number always increasing as you go down the list from 0% to 100%, but it doesn’t. All the values are mixed up so I think Crest is yet another app that is now sadly broken.
What worries me is that @caloma has exactly the same problem - and it seems pretty unlikely that two SFOS users, probably in different parts of the world, have done the same thing to cause this issue. I’m just hoping it’s not more widespread and more fundamental to the OS or the Android support layer. I’ll leave android off overnight tonight to see what happens …

Actually, I’ve experienced a somewhat related issue.
I’m running SF OS 4.0.1.48 on an Xperia XA2.

It started roughly one week ago. In the morning, battery level was unexpectedly low and an open browser window was trying to sell dietary pills (or other completely unwanted stuff) to me :face_with_raised_eyebrow:
I had been installing several apps during some time before that. I thought some of these might try to show its ads this way. Some apps I was testing: “FairEmail”, “Nine Email&Calendar”, “APKPure”.

But wait: Can an android app open websites on Sailfish native browser without asking for permission?
Even if that was possible: An android app must also be given specific rights to act in background (like when no app is running during night), right?

Last night I set the phone to airplane mode. This morning there was no open browser window. I try again with active internet connection this night… we’ll see. Then I start uninstalling apps until it’s gone :wink:
Maybe that helps.

When Android emulation is too good. :wink:

but the percentages for CPU are all rubbish (like 9616%, 2308%, etc

I have the same problem with Crest since either 4.x or since the Crest fork.

It also no longer shows Android processes except for com.jolla.home.

I don’t have mad battery burn though.

You can surely just wipe the Dalvik partition. You would need to back up what data you can. I think the process is to uninstall all Android apps and then uninstall Dalvik but there are many people here who understand this all way better than me.

I checked out https://game.cyeep.com/ in Opera for Windows and it didn’t complain about anything. It has cryptomining protection and I think some malware protection built-in.

Ok, so this is interesting … I also have APKPure. I’ve had it for months and it’s never done anything like this before … but it did just update itself to the latest version …

So, I stopped AlienDalvik about 9 hours ago, disabled the start on boot option and re-booted. Battery drain, as shown by system monitor, was back down to normal and idle CPU was at about 12% - no browser windows opened at all. Started Aliendalvik again and … first thing that happened was that APKPure started up and came to the foreground and then a native browser window opened selling ‘meds’ (pills to us Brits!).
Interestingly in SFOS Settings/Apps for APKPure the ‘Allow background services to start on bootup’ was not enabled - so how did it load itself???
Now deleted APKPure, so we’ll see if any native browser windows show up overnight…

This is a damn good question … Do Android Apps under SFOS Aliendalvik get to do anything they want?

No, but of course they can open links. That’s an Android feature.
Maybe remove “native” from the title and include APKPure in title: My suggestion: Remove APKPure, use FDroid & get Aurora Store from there. It’s a FOSS frontend to the official Play Store.

Ah, ‘pills’ vs. ‘meds’ is a British vs. American English thing. :grinning: I didn’t know that :+1: I’m actually from Germany and the word in German is ‘Pillen’ or ‘Tabletten’.

I also wonder how APKPure gets to run without this permission. Maybe there is an additional permission set somewhere which makes it autostart another way…
In my opinion, apps should of course be able to run the standard browser to open links - however doing so without me accepting it could be a security flaw. Maybe there is an ‘always ask’-like setting for this hidden somewhere…

Anyway (even though I had no browser window opening overnight this time) I will uninstall APKPure (hoping it will be gone for good) and do as @oroesler suggested (using Aurora instead).

I’ve also seen Skype start without this permission. Maybe this is a bug?

Ok, so with APKPure deleted, but Aliendalvik running, no browser windows opened overnight (prior to this the browser would open on its own and by the end of the night three tabs would have been opened) - so it does seem that APKPure is the culprit. Battery drain overnight was usual and CPU utilisation was around 10% average overnight. Problem solved, I think.

Agreed, as apps on iOS can too - but only when there is an action by the user (e.g. ‘view in external browser’ type button). In this case SFOS settings/apps/apkpure ‘Allow background services to start on bootup’ was disabled, settings/android had been set to disable android on startup, android had been stopped, the phone had been rebooted (with no android running) and then, some 9 hours later aliendalvik was restarted and APKPure immediately loaded itself, followed by a browser window loading advertising meds. Both these things happened without any user intervention whatsoever. This surely cannot be what is supposed to happen? What if this were my child’s phone, or a work phone, and some rogue android app loads a porn site in the native browser, or perhaps a site with javascript code that did some damage? Is that possible on SFOS with Aliendalvik? Seems like a big security flaw to me…

I will do this next as you recommend. Thx.