android gotoamazing.com browser hijack

By | October 6, 2015

I recently purchased a Dragon Touch X10 for a family member. Two weeks later, any web browser installed had its homepage redirected to gotoamazing.com. I started looking into the culprit and here’s what I found. The tablet was only two weeks old, so I am unsure whether the browser hijack was pre-installed on the Dragon Touch X10 tablet, or if somehow mobile malware installed it. Several additional apps, mainly power savers and temperature monitors, were installed. I removed those through the apps manager without an issue.

I installed Firefox and Chrome but their homepages were redirected to gotoamazing.com as well within minutes. After reading around the web on how these redirectors get installed, I installed Malwarebytes Mobile and ran a scan. Initially, no problems were detected, but that was prior to rooting the device.




I knew something was still wrong because when I changed the homepage in the browser, it got set back to gotoamazing as soon as it was closed and re-opened. After checking some other forums online for how browsers can get hooked by malware, I found I needed to check out hidden files and pre-installed apps. Couldn’t do it without rooting, so I rooted the device with Kingo, a free one-click root tool, and installed a tool I found called Total Commander to view the file system. I reran Malwarebytes on the tablet and it detected two malware objects in the priv-apps system folder. This is the folder where preinstalled apps are placed. One app was QuickSearch and the other was called Xfoto. Since the partition is write-protected, I was unable to delete these apps. Total Commander was able to perform a neat trick that remounts the system partition as read/write and then deletes the protected files. It was able to delete both of them.

I then started looking deeper in the applications manager and found that the Browser app, which looked like the standard Android browser, wasn’t the actual native app. It had no entry in the Google Play store. I removed it as well and installed Chrome, which hasn’t been hijacked since.
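The check described above can be repeated without a scanner by listing what is installed on the system partition (on the device the folder is `/system/priv-app`) and comparing it with a known-good list. This is an added example, not part of the original post: it assumes the text comes from `adb shell pm list packages -f`, the sample output and the `com.example.*` package ids are constructed (the post gives only the app names), and the baseline is a hypothetical list taken from a device you trust.

```python
# Added example: triage of preinstalled (system-partition) packages.
# Input is the text printed by `adb shell pm list packages -f`; the sample
# below is constructed, and the com.example.* ids are placeholders.

SYSTEM_DIRS = ("/system/priv-app/", "/system/app/")

SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI.apk=com.android.systemui
package:/system/priv-app/QuickSearch.apk=com.example.quicksearch
package:/system/priv-app/Xfoto/Xfoto.apk=com.example.xfoto
package:/system/app/Browser/Browser.apk=com.example.browser
package:/data/app/~~Zm9v==/org.mozilla.firefox-1/base.apk=org.mozilla.firefox
"""

# Assumption: package ids recorded from a device or image you trust.
BASELINE = {"com.android.settings", "com.android.systemui"}


def parse_pm_list(text):
    """Yield (apk_path, package_id) from `pm list packages -f` output."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the LAST '=': newer /data/app paths can contain '='.
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and path and pkg:
            yield path, pkg


def unexpected_system_packages(text, baseline):
    """Return system-partition packages absent from the baseline, by path."""
    hits = []
    for path, pkg in parse_pm_list(text):
        if path.startswith(SYSTEM_DIRS) and pkg not in baseline:
            hits.append({"package": pkg, "apk": path,
                         "privileged": path.startswith("/system/priv-app/")})
    return sorted(hits, key=lambda h: h["apk"])


if __name__ == "__main__":
    for hit in unexpected_system_packages(SAMPLE_PM_OUTPUT, BASELINE):
        tag = "priv-app" if hit["privileged"] else "system app"
        print(f"{hit['package']:28} {tag:10} {hit['apk']}")
```

Anything reported under `priv-app` that the baseline does not contain is worth a closer look, since user-installed apps normally land under `/data/app` and never on the read-only system partition.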

[UPDATE]
After talking to others having the same problem on the same device, I’m not recommending the purchase of this tablet. I am starting to think it may have been shipped with the malware already in place. The Dragon Touch X10 is a low-cost tablet, but we had installed nothing “sketchy” on the tablet and the APKs were located in a protected operating system folder. There isn’t much that could place the files there unless they were placed when the system was originally configured at the factory. After reading the reviews on Amazon of the same behavior on this tablet, this “malware from the factory” scenario is looking more likely.

The tablet seller also offers perks for reviews on the product. This may be the reason it is rated so well on Amazon’s site. Perks include a case, screen protector and similar accessories. A small note is included in the box at shipping, indicating these spiffs are offered after a review is placed. They did not encourage reviews in one direction or the other, however.

 

[UPDATE 2]

Here are a few reviewers on Amazon that found the same experience.

[Screenshots of Amazon reviews reporting malware on the Dragon Touch tablet]

[UPDATE 3]

The Dragon Touch X10 is now nowhere to be found on Amazon.

5 thoughts on “android gotoamazing.com browser hijack”

  1. CJ

    I’m experiencing the very same issue. Same tablet, also bought it for a family member; I basically keep it maintained for them. Everything was fine at first, but after a few weeks, I’m noticing power saver/monitor apps as well, and since last night it started redirecting the browser to gotoamazing.com.

    The difference comes in after the Malwarebytes scan: no issues are found, even after I restart the device and scan it again as you did. Is there anything else I can do? You mentioned the Android browser not actually being the browser and referred to a few specific file locations, but I’m not sure if I can do that or if the malware is in the same location.

    1. admin Post author

      Try using the one-click root app I mentioned in the article, then re-scanning with Malwarebytes to see if the rogue apps are detected. The .apk files had to be removed with Total Commander after the rooting anyway, as the system partition is mounted as read-only.

      1. CJ

        Update: I managed to remove the offending files, I think. This was the first time I had rooted a tablet, so it was something to learn. I used the method & tools you listed. After scanning again with Malwarebytes, it showed three files, two of which were the same ones you mentioned. I removed all three and it seems to be working normally so far… no more browser hijacking yet. But I’m skeptical.

        Really hoping it doesn’t install anything else from here on. I left a one-star review on their Amazon page after this ordeal. Maybe I should try to get that free gift they offered with that slip of paper in the package…though you have to show them your review, so they may not appreciate mine. 😉

        I guarantee they include that offer to offset the terrible reviews they get from this type of stuff.

  2. Surreal

    After about 2 1/2 weeks my X10 started installing apps on its own, although my security software quickly removed them. I wasn’t too concerned at first till Malwarebytes found issues in the system folder, same as you. If I was outside my return window I’d just root the tablet and remove them, but I’m getting my money back and buying something nicer from a reputable brand. What’s sickening is that the malware seems to be dormant for the first few weeks, as if to wait till outside the return window. Which makes me think that the seller intentionally put it there to offset the cost plus the high return rate. Who knows how much ad revenue they could be pulling in, but I’m just speculating at this point.

  3. Terry

    I’m not sure what the benefit is with this type of malware. No one is buying anything from gotoamazing.com; all it serves to do is to make people mad! Or am I somehow missing the point? Surely if their ‘products and services’ were any good they would not need to literally force people onto their website, and if sponsorship revenue is their aim then I still don’t get it, cos I and I hope the rest of the world ain’t buying nothing from anyone who has anything to do with these people and their website.

