While browsing reddit and clicking a link to imgur I found myself accosted by a fake virus warning advert:
The URL in use was:
gpfree0002.pw is registered via a privacy service and the nameservers and web hosting point at DDoS protection service CloudFlare.
The base64 data in the URL above decodes to:
vid..00000002-a560-4e43-8000-000000000000__vpid..90532800-1ffb-11e6-82fb-5b20a499adfb__caid..b1f66113-60b7-48cf-98d9-f7d5570f567b__rt..H__lid..207718af-b53b-46a0-bded-d939acd4d7bc__oid1..00889d81-2fd9-40b5-98bf-d155156ed832__rd..__aid..__ab..__sid..
The pop up message on the page reads:
“Your system is heavily damaged by Four virus!”
“We detect that your ” + getURLParameter(‘brand’) + ” ” + getURLParameter(‘model’) + ” is 28.1% DAMAGED because of four harmful viruses from recent adult sites. Soon it will damage your phone’s SIM card and will corrupt your contacts, photos, data, applications , etc.”
“If you do not remove the virus now , it will cause severe damage to your phone . Here’s what you NEED to do (step by step ) :”
“Step 1: Tap the button and install APP for free on Google Play!”
“Step 2: Open the app to speed up and fix your browser now!”
“REPAIR FAST NOW”
“WARNING !”
“This ” + (getURLParameter(“brand”)) + ” ” + (getURLParameter(“model”)) + ” is infected with viruses and your browser is seriously damaged. You need to remove viruses and make corrections immediately.”
“It is necessary to remove and fix now.”
“Don’t close this window.”
“** If you leave , you will be at risk **”
It also seems to support many and multiple languages.
Upon touch it seems to then redirect you to:
Which in turn sends you on to an App Store app called “DU Cleaner(Boost&Clear Cache)”
https://play.google.com/store/apps/details?id=com.duapps.cleaner
Seems like a bit of a long play to get commission payments or similar. I’d expect this kind of scam to actually be trying to trick victims into calling a fake tech support service rather than installing a “free”* app to speed up their phones. (*probably asks for payment to fix errors).
The ilovemobiletrack.com domain is also registered via a privacy service DNS is hosted at CloudFlare. However the hostname click. is a CNAME to kmdhl.voluumtrk.com and is hosted at Amazon AWS.
voluumtrk.com seems to only relate to scams and popup content when you research it on Google. Alexa claims that the site is ranked the 1,668 most popular website in the world! Shows just how widespread this scam / junk is. Their popularity ranking peaked mid-april.
Other domains likely to be involved are:
gpfree0100.pw
gpfree0101.pw
gpfree0102.pw
gpfree0103.pw
gpfree0104.pw
gpfree0001.pw
gpfree0003.pw
goodappinstore.pw
jhrddztlfl.pw
freebestapps.pw
nwulhrgune.site
sejuhangfu.pw
apubyxopei.pw
afaisers.top
togying.pw
afinishe.xyz
warning.google.com-viruses-from-porn-sites.sstam.com
arunast.pw
zep4ndx02b.pw
Is there any way to stop this from happening? Do you think this is the result of malware on the phone? This keeps happening to me and I’ve tried cleaning my phone with various anti-virus apps but it’s still popping up.
The one I saw was on the imgur website only so if you didn’t visit that website the problem wouldn’t happen. Its an infection or bad advert on that specific website.
If you get it on all websites then you might have a more serious problem.
Thanks – you describe exactly the symptoms of Four Virus message. However how do I get rid of it? It affects the default browser in Galaxy 7 making it unusable. Luckily the Chrome browser is still OK. I tried looking for an unwanted app but cant work out which. I tried a couple of antivirus but no luck.
I really don’t know enough about how Android works (without seeing it in front of me) to know what you should do :(
Possibly try clearing the cache of the default browser but I wouldn’t know where to find that option.
Do post back if you find something that does solve it. Good luck!
I had this on Chrome on an HTC handset this afternoon – I tried resetting my Google Ad ID, which seems to have stopped it for now. I was fairly alarmed to discover this feature existed… I found it in settings/accounts & sync/Google/Ads – there’s an option to reset your ID (which is a number that Google collects interests against for targeted advertising), and also an option to switch off interest-based ads if you want to do that.
Hi Dave, Many thanks for looking into this. I reset the ad id, rebooted. The pop-up page didnt appear straightaway so for a moment I thought we’d won but no its back as before. Tried again including clearing the browser cache but its back again.
RegardsOwen Date: Tue, 31 May 2016 15:32:06 +0000 To: owenwalker@hotmail.com
Thanks for the post.
My suspicions were correct.
Yesterday – 3rd/4th (late night/early morning) June 2016 a pop-up from:
http://gpfree0101.pw/gaz6s9/x1psi.html?# (phone make & model)
I almost hit the “install now” link but hesitated at the last second. It looked very legit and will trick alot of people who aren’t as paranoid as I am.
When I Googled the url Google couldn’t find any information about it.
Only after doing a Google image search for ‘android virus pop-ups’ and searching a couple hundred pics did i find one which looked similar to the one on my phone, then clicking the ‘visit site’ button which brought me here (I know it sounds like it took a while but in reality it was 5-10mins max).
Anyway, thanks again
I have now had this bothering me for well over 36 hours. I can find no help with it, and of course, even thought Google logo looks authentic, I will not be clicking any links to follow for a fix. Especially seeing as Google appear to know nothing about “gpfree0102.pw”.
I was infected today on facebook, only way to get rid of it was to delete facebook then reinstall a fresh app for facebook…
My Nexus 5X has the same pop ups but with freebestapps.pw rather than gpfree0002.pw. It has been about 28 hrs for me and I have cleared the cache for Chrome and reset the ad id as above. No change. It even appeared when I was in Safe Mode. Wondering what to do next. There seems very little on the net about this – this is the only site so far that shows the screenshots that I have experienced.
I could probably work it out but I need a device with the problem in my hands to have a look around :\
I’ve had success! (I hope.) I went to Settings/Apps/Chrome, disabled then removed the Chrome browser completely. The icon disappeared from my home screen. Then I re-installed Chrome from the Play Store. I can’t remember if I restarted the phone or not (or when), but so far I have not seen a repeat of the pop-up. I have a feeling that the pop-up first appeared when I went to one of those entertainment clickbait sites (Look what this star looks like today!) My actions don’t seem to have affected anything except the Chrome tabs in my Recent apps list. Fingers crossed. It’s been over 24 hours.
Hola ya lo he resuelto de esta forma. he instalado el programa root unistaller aquihttps://play.google.com/store/apps/details?id=com.rootuninstaller.free
vais a la aplicación (en mi caso navegador, en mi caso elephone p6000) chrome, y forzais detención y borrar datos. al lanzar de nuevo ya ha desaparecido. suerte espero haberlo explicado bien
in english [edited by admin to correct some words]:
Hello I have already resolved this way. I have installed the program root unistaller aqui https://play.google.com/store/apps/details?id=com.rootuninstaller . free going to the application (in my case for telephone p6000) chrome, and forced stop and erase data. When again already has disappeared. luck hope I explained it well
Per eliminare definitivamente il virus chiamiamolo così basta andare in gestione applicazioni/internet/ imposta come predefinita e premete elimina predefiniti/per ultimo fate arresto forzato. Chiudete tutto aprite internet e ripartirà tutto da zero senza problemi ok. Spero di essere stato di aiuto.
This is the only site i could find that had any info on this! Those exact images cane up on my husbands samsung galaxy and the only thing we could think of today was an automatic phone update and looking up a recipe on google chrome. We have just disabled and uninstalled chrome so fingers crossed.
Bought a used Samsung Galaxy S4 in Feb 16. This error first popped up on Google Chrome towards end of May 16. My phone completely died soon after. Returned phone to vendor, got money back. Bought another. On 17th June same error occurred on Chrome once again.
Following advice here, I installed ‘root uninstaller’ and got rid of Chrome for good. Running Firefox instead. So far so good…
Fantastic Sam! i’m veru happy for you. now work perfect … sure
I am currently getting it as zkhguewjmh.pw otherwise it is the same.
How so I get rid of it?
Is there an app for the job?
Malware and virusscanners dont find anything.
Click Internet. Close all tabs. Simple
Interesting, glad I found this thread. On my S6 it has only affected stock internet app, Chrome has been fine. I am able to stop it temporarily by deleting cache etc. but it always comes back. Definitely seems to be from clickbait sites, will monitor more closely.
Is this the sort of thing you’d recommend resetting phone to? This has happened tonight in J5 on internet explorer. I’ve deleted internet history and ran scanner with nothing found. Is it worth factory resetting phone? My phone vibrated and took me to this ext site with pop ups etc. Very much don’t want to risk being infected. Ccj
I still have no real answer, and cannot sat catergorically, that this pest has not done any damage to my mobile phone. However, my tech son and I have discovered that if ignored, it seems to dissappear after a week or so. Then, if you decided to visit one of those tempting sites, it comes back. People have noted that site tepmting a “look at at what Will Smith’s son” might have been the trigger, and others say visiting those Russian street brawling scenes may be the trigger. Yes, I visited both. The Russian street life video’s worked, but the Will Smith’s son did’nt take me anywhere. It wasn’t until I tried to leave the internet that the fake warning came up. Acting on my tech sons advice, I now only go to the internet via GOOGLE and not Chrome. No, no more russian video’s for me until I know that they are safe. Cheers to you Chris.
Got this on my samsung A5, found an online guide that told me to go into settings>apps> find the internet app > Force stop > Press Delete all information > Press Delete cache > Press reset defaults
Just tried this and its been 5 mins of my browser working again, will keep updating fix.
Is there any chance you coule tell us what you were looking at prior to getting hit by it?
I was only looking at an AFL (Australian Rules Football) statistic site and it interrupted me! Brand new Galaxy S5!!!
Got the same, but getting it as http://rcknmwcyct.pw/gaz6s9/x1psi.html?model=……
My phone (Nexus 5X, standard Marshmallow updates) has been fine for weeks now, although I did have another occurrence that I fixed the same way – deleting and reinstalling Chrome browser. See my posts above.
Well I’m still only using GOOGLE and not CHROME for browsing, and everything seems to be fine. I still don’t look at the Russian street crazies though. LOL. Many thanks to Joe for letting us know where he got stung too.
I have uninstalled and reinstalled factory Chrome app and right now I don’t have the virus Four popup. Thanks for the post about syncing from Google ads. I had 2000 pics from my husband’s pictures and even Verizon did not know how to stop it. Verizon also did not know how to get rid of the Four popup and told me to do a factory reset. Glad I saw the post about Chrome. Thanks.
It doesn’t matter what website you visit. It seems to know if you’ve been at the website recently, and if you have, it doesn’t activate. I have had it happen all over on dictionary sites of all things. It is a strange virus or whatever it is.. Not convinced anything is installed on the phone, just that it somehow redirects the page there.
It certainly isn’t any additional software installed on the phone. I’m confident of that. Might be DNS poisoning (either at the hosting provider of some common script used on a lot of sites or at random internet providers (customer side) around the world).
Sadly when I had it – I didn’t bother investigating too far. If it happens again – I will. This article has become one of the most popular pages on my site :\
I keep getting hit on Daily Mail US News. But I am sure I got it from the clickbait sites at the bottom. Unfortunately I don’t know which one but I did go to one about Jaden Smith too.
This is the address that pops up for me.
Probably shouldn’t click on it even though I think it’s just an ad not a virus
http://nwulhrgune.site/zisj19s/x1psi.html?model=Moto%20X&brand=Motorola&ip=71.87.146.17&voluumdata=BASE64dmlkLi4wMDAwMDAwNi1hMjBiLTQ0M2ItODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLjBiMzhjODAwLTQ1ZDUtMTFlNi04ZTBhLWJjMjhiYjg5ZDI4M19fY2FpZC4uNTljN2E5ZTItNTIwZi00ZTE5LWE5YzktNjU0YzE0OGUzOTk2X19ydC4uUl9fbGlkLi4zYmY5MzJjNi1mNDdhLTQyMGEtYjFhZS05YTBlOWY2MjUxMmVfX29pZDEuLjJlNGJkMGY1LTM2YmQtNGIwNi1hZjU2LTEwM2ZjNmU3MTQ3NF9fcmQuLl9fYWlkLi5fX2FiLi5fX3NpZC4u#
I was on the facebook quizzes when mine popped up and it looked exactly like that just with the name of my phone.
my best guess is to just clear your cache and steer clear of shifty sites- if you use chrome it should have an option in your settings to help with that. and having a antivirus handy couldnt hurt either. avast is pretty rad at helping ward off viruses imo.
i got these ‘viruses’ when looking up lyrics to a song on AZLyrics, so staying away from that site. it seemed to spread to a more trustworthy site though, so i ran a scan and cleared my cache and autofill. seemed to do the trick.
tried clearing cache, reinstalling etc, but the scam is still poisoning my website ( VirusTotal 0/68 scanned ) . It will appear once everyday to a same person, and almost everytime if u use incognito mode or a new browser with different cookies.
it is really hurting my website credibility. anyone got any clue how to get rid of it? my site is running TribalFusion and Adsense. already reported to TF.
So relieved to find this thread as I’ve also been fighting this pop up! Avast antivirus didn’t detect it, nor did Malware Bytes. I tried the above advice of deleting then reinstalling Chrome and so far so good. Thank you!
Yep same here! I was innocently looking on Timeout (on my Nexus 7 tablet) – hardly a shifty website – then the pops up suddenly appeared. On mine it said to install applock, so it does sound like a scam to download apps rather than an actual virus. Touch wood! Someone should notify Google for a bug fix.
Yep same here! I was innocently looking on Timeout (on my Nexus 7 tablet) – hardly a shifty website – then the pop up suddenly appeared. On mine it said to install applock, so it does sound like a scam to download apps rather than an actual virus. Touch wood! Someone should notify Google for a bug fix.
Mine started yesterday when I’m browsing a health forum. Factory reset my phone, clear history/cache, remove google sync, reset google ad ID. None were working. It appeared 3 times so far and it seems random.
Mine started this weekend when viewing science curriculum websites. My pop up was clearly a scam as it said the four viruses were “due to your porn history ???”. Literally with the question marks like that. (and no I was not viewing porn) I’ve removed Chrome for now and will go from there. Thanks for posting this. I couldn’t find anything anywhere else.
I think it is affecting certain websites targeting android phones. No sign of the fake warning on my iphone. It appeared in certain websites even when i’m on different ip address or wifi.
I had this pop up today and click on the link it took me to the play store and had me download (turbo ckeaner) should I be worried? Is my phone infected with a virus from the fake link ? Should I uninstalled turbo cleaner ? Please help if you know the effect of clicking on the fake link thanks you.
Leave a bad review for the app and then uninstall it. My phone certainly isn’t / wasn’t infected yet came up with the advert. It is just a rogue advertiser putting adverts on sites that don’t bother vetting their adverts well enough and scaring the users into installing and potentially paying for things they don’t need.
Some people say that clearing your browser cache, cookies and advertising ID solves it. I’ve not had the problem since the day I blogged about it and I did nothing… it just solved itself / went away.
thecomputerperson you are wrong, i`m suffering this in my site and i only use adsense, i suspect it`s an advertiser of adsense who is injecting js in the ads and google didn`t find it. I checked my site and it`s clean btw.
I had this as well I used the google app instead of chrome on the default engine and it is working so far.
Uninstalled chome n phone downloaded default version..restarted and no prolbems yet…
JUST OPEN INTERNET, CLICK OK TO GET RID OF THE SPAM BOX, THEN JUST CLOSE ALL TABS. IT’S WORKED FOR NOW ANYWAY LOL :) FINGERS CROSSED
Had this warning on my Android Galaxy S6 today:
“www.afaisers.top says
WARNING! This generic android 6.0 is infected with viruses and your browser is severely damaged. You need to remove viruses and make corrections immediately. It is necessary to remove and fix now.
Don’t close this window.
**if you leave, you will be blocked.**
ok “
I found zero info (McAffee, Google, Android searches) other than this blog.
I uninstalled/forced stop of Chrome browser from my phone thus far. Downloaded Firefox browser. Left a 2-star review in the google playstore regarding Chrome inserting this warning notification and telling google I will not use it until I am notified of how to secure against further possible problems.
I have not clicked on porn sites ever with this browser. I was viewing where to find a local horse riding stable.
Thank you to all who have posted comments here. Some scary $hit!
We found this link for research:
https://www.scamadviser.com/check-website/afaisers.top
…Now, spam calls are coming to my phone.
I got this when looking at accuweather website linked via my Google calendar app
I have received this warning twice. Asked my daughter who was visiting overnight if she’d gotten it on her phone and she had not. Got a text from her a few mins ago and she had just gotten the warning!! Was it possibly because she was using my wi-fi? Sorry if that’s a dumb question…
So it sounds like deleting and reinstalling Chrome isn’t enough…one must also change the browser ID? How is that done. BTW I have a Motorola Turbo. Thanks…this is the only site I’ve seen any discussion about how to solve the problem.
thanks buster! that fix took care of it!
I got the message too not knowing that its a scam. Just browsing on the weather not an adult site. I almost down load the steps that was written. Good thing i check it out here. Google has to do something about this. By the way i just got this newly galaxy a5. Hate scam.
I have this POFS virus too… I’ve tried wiping cache, reformatting partition / factory restore, safe mode – disabling web view / browser message app, downloading & running the latest anti-virus / spyware apps.. ALL TO NO AVAIL.. I cannot even use one of my apps; investors hangout.. For the spyware has plauged my device and causes me to redirect to actiontrk where it wants me to download ducleaner. I’ve even disabled javascript.. I used to be IT savy, this one has me puzzled. What to do?
I’ve had this happen on 2 different phones. A galaxy and Amazon fire phone. I immediately closed out the webpage, restarted my phone then when back into the browser, then into settings and cleared my web history. I’ve had no issues with either phone after doing those steps in that order. If u don’t close the affected browser window then it will default to the infected page every time u visit your browser. If those steps don’t work, download a different browser. Hope this helps. Oh I also didn’t follow any links from the infected page. If u have done that you will need to get a good virus protection software.
@Jon:
I don’t think she was infected through your wifi. It is a fake virus warning, sort like an advertisement to fool people into downloading the actual malware itself. Some of websites use this advertisement to gain revenue.
this seems to be a javascript problem. I cant completely uninstall google chrome, but when i disable javascript i seem to not have any issues. this has been happening to me for a while but it just recently got worse.
Thanks Kat! What you described worked for me too. I also did not follow any links. It’s only been 15 minutes, but good so far.
I don’t think it is something on the device. My guess would be that those are malicious advertisements on homepages. They don’t appear to be a fraud to begin with (therefore not identified as scam by the site- owner).
Thanks to all. So far, this is the only (and certainly the best) forum help discussion on this issue. Like most of the other posters, I have “just now” followed a bunch the suggestions posted here, and so far so good. When the scary warning screen popped, I immediately shut down my Android Marshmallow smartphone. On reboot, I went into Chrome and cleared out the tabs and history. On advice here, I went into settings\applications\Chrome and cleared cache and data. I did not delete Chrome. Suspicion of what allowed the warning scam is speculative. It certainly could be a recent connection to a rogue or infected website, or a recently installed application BUT, the “infection” could have happened days or weeks earlier and just “slept” until it popped up now. I have run a bunch of “tests” including returning to the web site where this warning suddenly popped-up over the content. After my remediations, it seems to be gone…we shall see. If I get attacked again, I will return here to both report and learn more from others’ experiences.
I have read all the comments.I cant get past opening the default browser and seeing the fake warning..Kridmobil.com.. only option is press OK ..then it will start downloading or exist..I cant clear the cache in the default browser without opening the browser.. Chrome is fine .This came after two minutes of opening a brand new Huawei Y6Pro – only opened the browser to check it worked and opened one mainstream news site.. any suggestions
Hi all. I’m a new victim of this… it happened to me today on my galaxy s5. I was at home using chrome and all of a sudden it popped out of nowhere telling me I need to install something called “DU battery saver”. Of course I didn’t press OK and closed all the tabs as soon as I saw the message. Not even half an hour later, and it started happening on my galaxy tab 2 as well. This is true when using ANY BROWSER, not just chrome. It always comes back.
I looked it up and found this thread. Read all of your comments and tried everything you suggested. NOTHING WORKS. My tablet is relatively new and I don’t use it very often, so I even did a factory data reset on it to see if that helps, only to get that annoying message again.
At the time this happened my father was home and he also has an android phone. He didn’t get anything, so I don’t think it’s a wifi issue. Since this thing “skipped” from my phone to my tablet, I think that it has something to do with the google account that is connected to chrome. I use the same account on both devices and they were synced. I’m worried that maybe it somehow infected the entire account itself and scared that this will also happen on my computer.
In my case, it seems like the only solution is to get a new phone & tablet, which of course won’t happen. So depressing…
Try turning off targeted advertising:
https://support.google.com/ads/answer/2662922?hl=en-GB
Might help?
Ok, my mom just got the message on her note 3, stock browser. She’s connected to my wifi. Two weeks ago, my sister samsung j5 got the same message too using chrome, different wifi. So I don’t think it has something to do with wifi and gmail account. The only solution here is to turn off javascript in your browser. Also, only android phones are affected by the fake virus warning, while family members who are using ios did not complain anything. No, i’m not trying to say ios is better than android.
I am now seeing these popups on imgur using my desktop computer. Happens very rarely, like 1x/day, so I assume it’s a browser detection bug and it thinks I’m on a phone.
I’ve solved my issue in different way. I cleaned all the data of Facebook and Chrome by going settings application manager than clear cache. Now the issue is no more.
Somebody has to have an answer to this! This is a Google problem and they need to give us the solution. I’ve done EVERYTHING suggested and it won’t go away. I can’t even change my browser setting.
SOMEBODY PLEASE HELP!
I got a similar popup today on my HTC 10 (android) while using the official reddit app and following a link to imgur. The popup claimed I had won an iPhone 7, but it was the same fake Google design.
After some research this seem to be an ad problem on some sites, imgur being one of them.
Sites like imgur which use ads are not malicious per se, but they use a service which channel different ads to their sites, and sometimes a malicious ad sneak its way into this group so to speak.
This means its probably not a problem with your WiFi, phone or app, but more likely an unintended effect of the ad stream these sites use.
If the problem, like for me, is with imgur specifically, one solution is to install the official imgur app instead of using the browser to open imgur links.
Ad blockers for your phone is another step you could take in order to get rid of these intrusive ads. Im not sure how many options you have in this regard as Chrome (which typically is the stock browser in android phones) dont offer any adblock plugins as far as I know.
I think the Firefox browser is compatible with uBlock which is a great ad blocker, or you could install the official Adblock browser for android: https://play.google.com/store/apps/details?id=org.adblockplus.browser
Turn on airplane mode and switch off wifi. Then go back to the browser where the pop-up hit and close the tab and clear your browser cache.
my dads tablet keeps coming up with pop up can someone just give the simple way to get rid of the pop up thank you … i am not a computer pro …
This notice came up on my Chrome browser today for the first time. I thought it looked suspicious. The domain it came from is . The format was the “Your system is heavily damaged by Four virus!” Then goes on with the “We detect that your Samsung Galaxy S7 is 28.1% . . . “. I tried clearing browsing date, but it comes right back. When I closed Chrome and then reopened it with a new tab, it didn’t return.
Just went into settings then application manager on my Galaxy S 5 phone did as I read on here to get rid of this mess in application manager all button till I got to internet hit force stop , clear cache , last clear data then closed out went back clicked on internet app phone is okay now no more of this pop up and able to search again get into my Yahoo emails , search on Craigslist , Facebook or etc hope this helps many others who are having this problem do this step by step as I did and you should get the same results to .
Thank You
What just happened it’s got to stop now it has the potential do destroy the whole web I need a new device not mention these people have too be tracked down and dealt with. Violently if necessary.
Just went to a website offering to stream foreign TV. “Virus Detected” popped up. Warning to go to google app store to remove virus and install something. Immediately powered down phone. Turned back on went to chrome and it appeared again and tried to install something. Powered down. Turned it on & it came back. Did this same thing several times. After 5th or 6th time of Powering off and turning back on it has now stopped. chrome now behaving normally.
if you go into Settings, Application Manager, then select your browser that’s been hijacked, go to Storage, and then you delete all data, this problem goes away
I have found that this ‘virus’ is also on an iPhone too, but is it a scam also ?
Yes. It is a fake website / message and not official or genuine.
This pop-up is another dirty trick aimed to infect or hijack your phone. Everyone is getting this 28.1% – they are even too lazy to make it random. And, I never used my phone to view “adult sites”. Close,it, do not click OK. maybe reboot the phone.
I see on https://youtu.be/Lz1XNEdwLtU very specific instructions. You refer to remedies
Thanks, I thought it was a scam that it why I googled it to see. Confirmed, thanks!😊