OFFICIAL SECURITY BLOG

Android Pop-ups Warn of Infection

December 13, 2013 | BY

We’ve recently encountered quite a few pop-ups saying our Android device is infected. These sites aren’t ones we’d expect to see malware on, so the pop-ups peaked our interest.

When encountering one of these pop-ups you will see a dialog with a message indicating you have a virus.

After pressing ‘OK’ on the first dialog, you’ll be redirected to mobile.alert.secure-intl.com, which displays a second pop-up saying you are infected with a Trojan.

The supposed Trojan is MobileOS/TapSnake, with the dialog instructing you to press ‘OK’ for removal.

Of course we want to remove, pressing ‘Remove Virus’, on yet another warning screen, will start a fake scan. When the “scan” completes, a full screen warning displays with more information about the supposed threat.

This slideshow requires JavaScript.

Hmm, looks like Tapsnake can steal passwords and credit card information. Discovered in 2010, Tapsnake is real Android malware capable of spying on your location.

Along with the additional information about Tapsnake, the warning screen gives us an option to install a “Free Antivirus Security Android app.”

The app being pushed to install and save us is Android Armor, an antivirus app with some bad press regarding shady detection methods.

We installed Android Armor, ran a scan, and of course no infections, as expected since the phone was basically stock, not even the supposed Tapsnake malware.

We ran a ‘Quick Scan’; doing a deep or SD card scan with Android Armor requests credit card information—even a deep or SD card scan would find nothing as there’s no malware on the phone.

This slideshow requires JavaScript.

There’s a lot of red flags with these pop-ups and Android Armor. In this case, we didn’t encounter a truly malicious app, but shady advertising practices.

This is another example of misleading advertisements where they win and you lose; the company gets you to install their app and you get a false sense of security.

We’re accustomed to seeing these practices with malware, but this isn’t standard practice for legitimate software. This could be a case of an overzealous advertiser who gets paid each time the app is installed.

We’ve reached out to Android Armor to see if they are aware of the practices and have not heard back.

Please use caution when encountering these types of pop-ups, whether it be on a PC or mobile device.

On a PC, nine times out of 10 it’s malware, often really bad stuff. On a mobile device it can go either way, my advice, just don’t install any app delivered via pop-up, spam, or phishing link. If an app seems interesting, don’t install at that time, search it out and find a reputable place to install—providing you find it’s legitimate.

In cases like this where a website is using scripts to display advertising content you can disable Java Script in your browser, however doing so could disable some components of websites you normally visit.

We’ll continue looking into this advertising strategy and any apps involved; safe surfing.


  • Pingback: Android Virus Detected, publicidad engañosa con Pop-ups

  • Pingback: Android Virus Detected, publicidad engañosa con Pop-ups | Arrobadev

  • Gary Walter

    about 8th down on a Google search, but gave the best answer by far. It’s what I suspected!

  • Pingback: The Rise of Android Scarevertising | Malwarebytes Unpacked

  • dragonwolf1775 .

    I knew that pop up was stupid… i have avast! Antivirus and it always says it is malicious. But mine never has said Tapsnake, mine has said i went to an adult oriented website and caught their fake virus. WTF. Its calles Hornyworm anyone ever heard of that? Cause i havent… but you Malwarebytes keepmy computer clean so i trust ya c:

    Still it sucks. Avast tries to block the Url but its never been sucessful, its just annoying anymore and i canr get rid of it

  • autorep

    I found this page because my android phone got this same red warning screen with the green android logo on it telling me my phone was infected with some worm or something and to “click now” to remove it. I think a local entertainment site got their website hijacked and the new administrators are using their site to infect or try and sell their removal tool. Although I didn’t go any further than the initial “You are infected” screen, I am noticing horrible performance from my Note 3 III phone now. Even with all active screens closed, I can watch the battery life percentage % bar change a percent just by staring at the screen before even blinking. Last night, I unplugged my phone, slept for 7 hours, woke up to see how much juice was used and it was down to 83% battery life. There were many days of using my phone all day and still having 75-80% battery life, so I don’t know what has happened to my phone just by visiting that site and getting that warning screen.

    I have since looked for some removal tools, anti-virus, malware, adware scans or removal tools, both searching the web and searching google play store and on the web. I had downloaded Malwarebytes Antivirus from the play store and performed a scan, but it isn’t catching anything to remove or clean.

    If anyone has any suggestions, please let me know. I had everything on my phone pretty well optimized for good battery life, now I need to figure out what to do to fix the problem or remove what is draining my phone’s battery so quickly. I may have to figure out how to save my photos and contacts and see about reverting / resetting my phone back to original settings or something.

  • Jerrett L

    I gotom his message a couple days ago, just before clocking in at work.

  • Ben Eustis

    I get that too. It’s so annoying…

  • Pingback: Mobile advertisers use malware tricks to get installs | Malwarebytes Unpacked