OFFICIAL SECURITY BLOG

Android Pop-ups Warn of Infection

December 13, 2013 | BY

We’ve recently encountered quite a few pop-ups saying our Android device is infected. These sites aren’t ones we’d expect to see malware on, so the pop-ups piqued our interest.

When encountering one of these pop-ups you will see a dialog with a message indicating you have a virus.

After pressing ‘OK’ on the first dialog, you’ll be redirected to mobile.alert.secure-intl.com, which displays a second pop-up saying you are infected with a Trojan.

The supposed Trojan is MobileOS/TapSnake, with the dialog instructing you to press ‘OK’ for removal.

Of course we want it removed. Pressing ‘Remove Virus’ on yet another warning screen starts a fake scan. When the “scan” completes, a full-screen warning displays with more information about the supposed threat.

Hmm, looks like Tapsnake can steal passwords and credit card information. Discovered in 2010, Tapsnake is real Android malware capable of spying on your location.

Along with the additional information about Tapsnake, the warning screen gives us an option to install a “Free Antivirus Security Android app.”

The app being pushed to install and save us is Android Armor, an antivirus app with some bad press regarding shady detection methods.

We installed Android Armor and ran a scan, which of course found no infections, not even the supposed Tapsnake malware. That was expected, since the phone was basically stock.

We ran a ‘Quick Scan’; doing a deep or SD card scan with Android Armor requests credit card information. Even a deep or SD card scan would find nothing, as there’s no malware on the phone.

There are a lot of red flags with these pop-ups and Android Armor. In this case, we didn’t encounter a truly malicious app, but rather shady advertising practices.

This is another example of misleading advertisements where they win and you lose; the company gets you to install their app and you get a false sense of security.

We’re accustomed to seeing these practices with malware, but this isn’t standard practice for legitimate software. This could be a case of an overzealous advertiser who gets paid each time the app is installed.

We’ve reached out to Android Armor to see if they are aware of the practices and have not heard back.

Please use caution when encountering these types of pop-ups, whether it be on a PC or mobile device.

On a PC, nine times out of 10 it’s malware, often really bad stuff. On a mobile device it can go either way. My advice: just don’t install any app delivered via pop-up, spam, or phishing link. If an app seems interesting, don’t install it at that time; search it out and find a reputable place to install it, provided you find it’s legitimate.

In cases like this, where a website is using scripts to display advertising content, you can disable JavaScript in your browser; however, doing so could disable some components of websites you normally visit.

We’ll continue looking into this advertising strategy and any apps involved; safe surfing.


  • Gary Walter

    about 8th down on a Google search, but gave the best answer by far. It’s what I suspected!

  • dragonwolf1775 .

    I knew that pop up was stupid… I have avast! Antivirus and it always says it is malicious. But mine never has said Tapsnake, mine has said I went to an adult oriented website and caught their fake virus. WTF. It’s called Hornyworm, anyone ever heard of that? Cause I haven’t… but you Malwarebytes keep my computer clean so I trust ya c:

    Still it sucks. Avast tries to block the URL but it’s never been successful, it’s just annoying anymore and I can’t get rid of it

  • autorep

    I found this page because my android phone got this same red warning screen with the green android logo on it telling me my phone was infected with some worm or something and to “click now” to remove it. I think a local entertainment site got their website hijacked and the new administrators are using their site to infect or try and sell their removal tool. Although I didn’t go any further than the initial “You are infected” screen, I am noticing horrible performance from my Note 3 III phone now. Even with all active screens closed, I can watch the battery life percentage % bar change a percent just by staring at the screen before even blinking. Last night, I unplugged my phone, slept for 7 hours, woke up to see how much juice was used and it was down to 83% battery life. There were many days of using my phone all day and still having 75-80% battery life, so I don’t know what has happened to my phone just by visiting that site and getting that warning screen.

    I have since looked for some removal tools, anti-virus, malware, adware scans or removal tools, both searching the web and searching google play store and on the web. I had downloaded Malwarebytes Antivirus from the play store and performed a scan, but it isn’t catching anything to remove or clean.

    If anyone has any suggestions, please let me know. I had everything on my phone pretty well optimized for good battery life, now I need to figure out what to do to fix the problem or remove what is draining my phone’s battery so quickly. I may have to figure out how to save my photos and contacts and see about reverting / resetting my phone back to original settings or something.

  • Jerrett L

    I got this message a couple days ago, just before clocking in at work.

  • Ben Eustis

    I get that too. It’s so annoying…

  • biglukeg1086

    Had this pop up yesterday. When it attempted to download I noticed it didn’t look like Samsung UI so I instantly closed the window and did a master reset. I’ve yet to see another pop up. Also I scanned the phone with lookout. Nothing showed up. Am I good?

  • Armando Orozco

    Hi Ben,

    Yeah, you should be good, as long as you didn’t install any app after the pop-up. Unfortunately these are ad pop-ups like you’d see on a desktop pc. Using some form of ad-blocker will help, they only block WiFi traffic though.

    -Armando

  • Sidney

    I thought it was fake! But I clicked ok on the pop up on my kindle fire and it did the scan but I didn’t click on the button to which I should download or install it. Am I good?

  • Armando Orozco

    Hi Sidney,

    If you did not install the app they offer you should be ok. The web-based scan is fake.

    -Armando

  • Sharon

    I got the same message on my brand new note 4. I turned my phone off then back on and the message was gone.

  • meowcat

    Hi. OK, I got the pop-up, and I clicked the first ok, it took me to the webpage, I clicked the ok there, (what was I thinking?) and then it made my avast run a scan. I don’t think I clicked the download button though, but my memory from then is a bit off because I had a huge fever. If I clicked the downloaded button would I have gone to another website, and been shown the thing downloading? Which I wasn’t shown. And will it affect other people using my network connection. Because I don’t shop online, but my roommate does.

  • Jayw56565

    360 security app. Very useful and free. I recommend it to any android phone user. It’s already got rid of 3 threats for me. Plus, it cleans your phone’s storage and memory and makes it faster

  • Armando Orozco

    Hi Meowcat,

    You should be good, as long as you didn’t install any app after the pop-up. Unfortunately these are ad pop-ups and web based. Bad advertising affiliates are targeting sites you frequent. The pop-ups you see are similar to ad pop-ups you’d see on your PC.

    -Armando

  • facts hurt you so bad

    I got this message on rapidgator.

  • marie

    I don’t know why but I accidentally clicked the download on my kindle and it showed the install loading screen and then afterwards I downloaded the cm security app which said that I was safe… am I really safe?

  • Armando Orozco

    Hi Marie,

    You should be ok, you can install MBAM Mobile and scan to ensure. I suspect the install screen was a browser window.

    Review all recent app installs to verify the fake security app is not installed.

    -Armando

  • Frank Rizo

    Have tried many different tactics to get rid of quick scanner popups (your device has been infected, etc): uninstalled updates on Chrome, with clearing data, cache, history: reinstalling app (Break) which is site on which popups most frequently appear; and, with help of Nexus 7 customer support, doing a system reboot, or something whereby device was taken back to original state. Nothing has so far worked. Popups continue. I have not agreed to the scan. I have not downloaded anything.

  • Armando Orozco

    Hi Frank,

    Unfortunately this is caused by how the browsers are handling JavaScript and the redirections. Chrome doesn’t do a great job of preventing these redirects or pop-ups. Advertising affiliates have found this loophole and have been exploiting it. If they get shut down it’s only a temporary fix, cause they’ll be back with a new affiliate id.

    The only way to block is to disable JavaScript or try an app like Ad-block Plus. Ad-block Plus works only with Wifi and needs additional configuration, but works.

    https://adblockplus.org/en/android-install

    -Armando

  • Frank Rizo

    Thanks. I will try Ad-Block Plus via the link.

  • Frank Rizo

    Looked up adblock for android, after reading a review. When I click on the download a streaming cursor appears, and an alert about podcasts not loadable. I am a real beginner. Do not understand most of this stuff. Had successfully downloaded from your link but deleted it after being warned thru an alert that it could change content of my USB, whatever that means. So, I looked up reviews of adblock, and proceeded with download of adblock for android, which I cannot install.

  • Frank Rizo

    Tried downloading from your link. Notified that download was successful. Clicked on it. Moved to Podcasts app, with alert that podcasts are being imported. ????

  • Armando Orozco

    Try configuring following their instructions https://adblockplus.org/en/android-config

    -Armando

  • Frank Rizo

    Instructions? What instructions? I click on the download, then I am in the Podcasts app, with a window showing a flowing redline, and an alert that says, “Podcasts are being imported.” No instructions. What does Adblocker have to do with the Podcasts app?
    I have a Nexus 7 (2013).

  • Cecile Nguyen (Malwarebytes)

    Hi Samantha, please post in our forum at https://forums.malwarebytes.org/index.php?/forum/131-malwarebytes-anti-malware-mobile-help/?utm_source=blog&utm_medium=social and one of our experts can assist you. Thanks in advance for your patience.

  • Jason Forehand

    Lookout blows Avast out of the water

  • Armando Orozco

    You might have the wrong app, the app is Adblock Plus. Follow this link: https://adblockplus.org/en/android-config

  • Frank Rizo

    Thanks, Armando. You always come through. I am saving this if I Nerf it in the future. For some reason I have not been having any popups or ads lately. Appreciate your help.

  • Johnnie008

    Armando, I clicked on the first OK in the first Pop Up screenshot you show in order to stop the constant redirect to everytime I forced close my Chrome on my Android device. I never clicked on the second screen Remove Virus. I was able to close the window and force close chrome. When I restarted chrome the redirect stopped. I scanned my device with Lookout and Malwarebytes and found nothing. Do you think my device is OK? I am at a point in doing a Factory Reset. I really do not trust that my device isn’t infected.

  • Armando Orozco

    Hi Johnnie008,

    Yes, you should be good, as long as you didn’t install the app. What you saw is similar to the popup windows we see on our PC’s. They’re just trying to trick people into installing.

    -Armando

  • Frank Rizo

    I no longer have a problem with popups. Don’t know why. Don’t care. But am having the following problem on my Nexus 7 2013 tablet: a notification from Chrome Sync, saying that my Google account password is required. I enter my password, but it is not accepted: “Inappropriate pass phrase.” So, I click Cancel.
    I have no problem accessing Chrome browser. Although I exit from the Chrome Sync page and the notification disappears, the notification shows up again. It has been in my notifications bar for several days now. I contacted Nexus 7 support, but no real understanding there of the problem. Their suggestions dealt with ability to open Chrome browser, which is not a problem. I sent a query to Chrome Help, but no response from them.
    It is a problem only in the sense that it is there and requires my password but will not accept it, and leaves me wondering what this is all about. Someone trying to pull something on me?

  • miza

    I’ve had the same issue. Resetting my phone didn’t resolve the battery life issue. It could be just a coincidence that my battery began dying when these pop ups started to get popular. We’ll see. It does seem odd that these ads are shown on legit sites and that reloading the page doesn’t bring the pop-up back… But it could be because the ads being served on a page change.

  • Meredith Washburn

    I have received this message on my Kindle….surprise….they say this cannot happen on a Kindle…yeah right.