I got the same problem for some days now: Sporadically the browser opens a game-news.top website without any action of me.
To find out the origin of this behavior I coded a small oneliner app that can react to URL intents and instead of loading the website just shows you the URL and (more importantly) the origin if available.
These screenshots show what’s happening:
Works really well on the emulator. YouTube sent this intent, so intent origin is the package name of YouTube.
This way it should be possible to identify the origin of the mysterious game-news.top URL intents.
Unfortunately on my infected Huawei device this app is useless because Huawei reroutes every URL intent. So the intent origin is always com.huawei… no matter whrere it originally came from.
So if you don’t have a Huawei device it would be great to get your results with this app.
The app does not need a single permission and is not proguarded in case you want to decompile it and inspect the source.
Maybe together we can find the shady app and eliminate our infections.
Please let us all know about your results:
If Firefox / Chrome / … is your system’s default browser, disable this setting temporarily.
Next time an URL intent is fired, the system asks you how to open it. Select IntentOrigin once to see the data (URL) and hopefully the origin of the intent.
The origin is displayed as package name of the sending application or “null” if not available.
Works on Android 5.1 and later.
Does not work on Huawei phones.