Android - How to find out which app is trying to open spam websites?

Based on the troubleshooting OP did following my advices, the culprit appeared to be a system app as a malware named System Locker with package name com.tihomobi.lockframe.syslocker. The issue appears to be a result of a system update, per some users of the device.

As usual with a system app, if you get to use the Disable option under Settings → Apps → System apps/All apps → the culprit, than by all means, do disable that app, force-stop it or reboot the Android. The issue should stand resolved until you factory reset the device.

Troubleshooting #0

Before you begin with a bit technical steps mentioned below, you would want to try a rather user friendly solution suggested here. It that doesn't work for you, than come back and follow the rest of my answer.

Troubleshooting #1

Here's how I found out the culprit. The in-built Android tool dumpsys inter alia shows which app was called by which other app. The caller is referred to as Calling Package.

Provided that you have setup adb and usb-debugging successfully in the PC and Android device, do the following:

  1. keep the device connected to PC

  2. reboot the device or force-stop that default browser app

  3. let the malware do its job, that is, have the browser be launched automatically

  4. as soon as the browser is launched, do nothing with the device physically, but run the following adb command on PC:

     adb shell dumpsys activity activities

Here's the output from OP's device:

ACTIVITY MANAGER ACTIVITIES (dumpsys activity activities)
Display #0 (activities from top to bottom):
  Stack #1:
    Task id #2
    * TaskRecord{8190ba1 #2 A=android.task.browser U=0 sz=1}
      userId=0 effectiveUid=u0a64 mCallingUid=u0a26 mCallingPackage=com.tihomobi.lockframe.syslocker
      intent={act=android.intent.action.VIEW dat= flg=0x10000000}
Hist #0: ActivityRecord{66cd59b u0 t2}

          launchedFromUid=10026 launchedFromPackage=com.tihomobi.lockframe.syslocker userId=0
          Intent { act=android.intent.action.VIEW dat= flg=0x10000000 }

In the output: :

  • is the package name of stock Android browser in your device
  • com.tihomobi.lockframe.syslocker is the package name of the malware app and is referred as calling package.

If you've found the malware, avoid next troubleshooting and skip to the heading Nuke the malware.

Troubleshooting #2

(In response to a duplicate posted here -- the culprit app was Farming Simulator 18)

In certain circumstances, aforesaid troubleshooting may not be able to help, such as when calling package name is the package name of the browser itself shown in dumpsys output. In that case, prefer logcat. Setup logcat like this:

adb logcat -v long,descriptive | grep "dat=http"   # you can grep anything from URL too. It is purely up to you.
adb logcat -v long,descriptive > logcat.txt        # alternative; if grep is not installed in your OS. You need to search into that file now.

Now unlock the device and let the browser with that URL be launched automatically. Also, press Ctrl with C if you are saving the output into a file.

The output we're seeking would look akin to:

[ 11-27 16:03:22.592  3499: 6536 I/ActivityManager ]
START u0 {act=android.intent.action.VIEW dat= flg=0x10000000 pkg=org.mozilla.firefox cmp=org.mozilla.firefox/.App} 

from uid 10021

[ 11-27 16:03:22.647  3499:15238 I/ActivityManager ]
START u0 {act=android.intent.action.VIEW dat= pkg=org.mozilla.firefox cmp=org.mozilla.firefox/org.mozilla.gecko.BrowserApp} 

from uid 10331

See the two highlighted UIDs 10021 and 10331. One of them (they would be different in you case) is for the browser app launched, and one of them is malware app requesting that URL. So, how to find what is what?

If you've root access, simply do:

adb shell su -c 'ls -l /data/data/ | grep u0_a21'
adb shell su -c 'ls -l /data/data/ | grep u0_a331'

Output would be like:

drwx------  5 u0_a21    u0_a21    4096 2018-01-01 10:31
drwx------  5 u0_a331    u0_a331    4096 2018-01-01 10:31 com.tihomobi.lockframe.syslocker

If you don't have root access, do:

adb shell dumpsys package > packages_dump.txt

Now search for the line with your UIDs such as "userId=10021" and "userId=10331". The line above the line searched would give you the package name, and may look something like this:

Package [] (172ca1a):
Package [com.tihomobi.lockframe.syslocker] (172ca1a):

The two package names are (for Chrome browser -- certainly not a malware) and com.tihomobi.lockframe.syslocker. To know the app's name from package name, use my answer here.

Nuke the malware

Now that you know the culprit, you can disable it through GUI as stated above. If that is not possible, do:

adb shell pm disable-user PKG_NAME  # disables the app
adb shell pm uninstall --user 0 PKG_NAME # removes the app for primary user
adb shell am force-stop PKG_NAME # only force-stops the app

Replace PKG_NAME with package name of the malware you noted in the troubleshooting above.

That should do the trick. Furthermore, you can also consider removing the malware app permanently for all users, but that requires root access though.

Inspired by the Firelord answer I investigated logcat in very simple way and found the quilty immediatelly - it was Barcode Scanner by the The space team. The steps:

  1. Connected my Galaxy Note 8 to PC, open CMD and took the logcat with basic command from withn CMD prompt:

C:\Users\igorn> adb logcat > note8.1.log

  1. As soon as the new tab with spam page was opened, I stopped the logcat capturing immediately by Ctrl-C and searched the log for "chrome":

grep -i chrome note8.1.log

Last ten of found lines revealed the suspicious:

02-03 09:43:14.443 3931 4232 D GameManagerService: handleForegroundChange(). pkgName: com.qrcodescanner.barcodescanner, clsName: kotovich.kotovich.kotovich.kotovich.ScannerChromeActivity,FgActivityName:com.qrcodescanner.barcodescanner/kotovich.kotovich.kotovich.kotovich.ScannerChromeActivity,userID:0

  1. Than I went to application list in device settings and saw the Barcode Scanner. Checked it on GoolePlay and found a plenty of 1-star reviews for exactly same malware behavior! As well I noted that this application got last update two days ago, that match perfectly the timing - the problem started to appear exactly two days ago! Bingo!

  2. Uninstalled it and the problem gone! Happy end :)

For infomation only: neither of other approaches like installing BitDefender, MalwareBytes, etc worked for me, so I was simply happy to sort it out! So thank you, Firelord!

So I was having this same issue and I kinda stumbled on a simple way to fix it.

First thing I did is I reset all the browser defaults so if ANY application wanted to open a browser it needed to ask me permission and then I can select which browser I wanted it to use.

Second I installed a browser I have never used... went into its settings and reset all its defaulted programs too so it couldnt just piggy back onto the new browser.

Then when it prompted me to select what browser that I wanted it to use I told it the new one I installed and told it to use that as default so it would put it in the browser.

I then went into the browser and found the only app that is set to use it as a default. It also showed me the last time it was used by that program and that time matched the time I told the spam thing to use the new browser as default.

In my case it turned out to be my QR code reader... I did notice its icon had changed a couple months ago. So it was either bought by a company that changed how it worked or the company was hacked and so it traveled down.

And as far as the browser goes I used the Samsung browser but I am sure the reset of them will have that last used part to make it easier for you to track down.

Hope this helps. :-)