Mobile Menace Monday: Adware MobiDash gets stealthy

The adware known as MobiDash, detected by Malwarebytes for Android as Android/Adware.MobiDash, is far from new. However, this ad-displaying nuisance now comes with some additional stealth features.

First appearing last spring, these new features are not limited to a single variant of MobiDash. Instead, the correlation among these stealth versions lies within the package name com.veniosg.dir.android. As a result, these stealth features hide the existence of Adware MobiDash—even when it’s in plain sight!

Look closer

When I first came upon this stealthy MobiDash, a customer was having a terrible time removing the adware from their mobile device. Malwarebytes for Android was unable to remove it, due to it being an active device administrator.

By design of the Android operating system, any app given device administrator privileges cannot be uninstalled until it is first removed from the device administrator’s list. Attempting to uninstall an app with device administrator rights will display the screen shown above. The screen displays a warning about not being able to uninstall, and provides a link to the device administrator’s list.

Okay, simple enough, just remove the offending piece of adware from the list and uninstall, right? Well, what if it doesn’t exist in the device administrator’s list!? Have a look for yourself below.

There’s “Find My Device” and “Malwarebytes,” both with legitimate reasons to be in the device administrator’s list. But there’s no adware app in sight.

But wait. Look a little closer.

That blank line right at the bottom of the list—bingo! If you didn’t see it at first, you’re not alone.

Even more stealth

Now that you can see it, remove Adware MobiDash from the device administrator’s list; the next step is uninstalling. By far the easiest way to uninstall this tricky adware is to rescan with Malwarebytes for Android, which assists with the uninstall. Manual removal is also possible, albeit a bit trickier.

Manual removal

Depending on your mobile device’s Android OS version, there may be a shortcut icon disguising itself as Settings.

If this exists alongside the real Settings icon, simply drag the fake Settings icon to Uninstall.

However, there are many cases where this icon doesn’t exist. Thus, it must be removed via the mobile device’s App List: Settings > Apps. Scroll all the way to the bottom of the list, and you’ll discover a blank entry at the very end.

Click on it, and you can uninstall from the app info screen.
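For readers comfortable with adb, the blank entry can also be identified by its component name instead of its (empty) label. The script below is an added example, not part of the original post; it assumes `dumpsys device_policy` output shaped like the constructed sample, and every package and receiver name in that sample other than com.veniosg.dir.android is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example: show active device administrators by component name, so an
# entry whose label is blank in the Settings UI is still visible.

# Package name the article gives for the stealth MobiDash builds.
SUSPECT_PKG='com.veniosg.dir.android'

# Read `dumpsys device_policy` text on stdin, print one "package/receiver"
# per line. Assumes admins are listed as indented "pkg/Receiver:" lines after
# an "Enabled Device Admins" header, as in the constructed sample below.
# Trailing carriage returns (older adb versions) are tolerated.
list_admins() {
    awk '
        /Enabled Device Admins/ { in_list = 1; next }
        in_list && /^[ \t]+[A-Za-z0-9_.]+\/[A-Za-z0-9_.$]+:[ \t\r]*$/ {
            gsub(/^[ \t]+|:[ \t\r]*$/, "")
            print
        }'
}

# Print the suspect package's admin component; exit 1 if it is not an admin.
find_suspect_admin() {
    list_admins | awk -F/ -v pkg="$SUSPECT_PKG" \
        '$1 == pkg { print; found = 1 } END { exit !found }'
}

# Constructed sample output; package and receiver names other than
# SUSPECT_PKG are hypothetical placeholders.
sample_dumpsys() {
    cat <<'EOF'
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.findmydevice/.AdminReceiver:
      uid=10013
      passwordQuality=0x0
    com.example.antimalware/.AdminReceiver:
      uid=10142
    com.veniosg.dir.android/.HypotheticalAdminReceiver:
      uid=10157
EOF
}

# Demo on the sample. On a device with USB debugging enabled:
#   adb shell dumpsys device_policy | find_suspect_admin
sample_dumpsys | find_suspect_admin
```

Once the entry has been deactivated in the device administrator’s list, `adb uninstall com.veniosg.dir.android` removes the package without hunting for the blank row in the app list.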

The how and why

So how, exactly, can this stealth Adware MobiDash version get device administrator rights? Well, it must be given the rights manually by the user. It’s surprisingly easy for a user to mistakenly do so, and even easier with this piece of adware. Why? Because usually giving an app device administrator rights comes with a list of scary operations to allow. This MobiDash version doesn’t ask for any, as shown below.

So why did it even bother tricking users into activating device administrator if there are no operations to allow? As highlighted above, it makes uninstalling way more tedious—especially with the extra stealth features.

It happens

I could preach about not activating device administrator for unknown apps, but instead I’ll just say, “It happens.” On Android, there is an abundance of features you must allow to get legitimate apps to work properly. This sometimes exhausts users to the point of just blindly allowing everything. It’s no wonder that the bad apps can slip under the radar.

Luckily in this case, the outcome is simply annoying ads and nothing worse. But if you don’t want to deal with the hassle of an adware infection, slowing down and being a little more vigilant can save you time in the long run. Stay safe out there!

*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Nathan Collier. Read the original post at: https://blog.malwarebytes.com/cybercrime/2018/07/mobile-menace-monday-adware-mobidash-gets-stealthy/