IOS – about://(null) popup

ios

I encountered a popup similar to this one this morning while checking the weather report at http://touch.woodtv.com/forecast in Safari, though I have not been able to reproduce it.

The title is "about://(null)" and the text "Why you no play Candy Crush!!" The popup occurred twice. I tapped Cancel both times.

I suspect the source of this is rogue JavaScript in an ad network, judging from the fact that the screenshot below shows it in an ad-supported application, and when I saw it, I was on an ad-supported website. My phone is not jailbroken.

I'm wondering if anyone is able to identify the source of the popup definitively. Speculation is running rampant on Apple's support communities and elsewhere, from push notifications (delete Facebook and all your games!) to carrier notifications (which don't work on iPod Touches…), and my gut tells me little of it is helpful. But I could also be very wrong.

(This is not my screenshot; it comes from https://discussions.apple.com/thread/5144627.)

Illustration of about://(null) popup

UPDATE 1: The Candy Crush people have this to say, but I'm not (yet) convinced there's actually something installed that is to blame: https://forums.king.com/forum/candy-crush-saga/bugs-known-issues-ccs/recent-spam-why-you-no-play-candy-crush/?entryId=2326

UPDATE 2: Just reproduced it in the iOS Simulator while clicking around woodtv.com, but I'm not sure how to track it down further from here.

enter image description here

Best Answer

Since I got the popup in iOS Simulator, I was able to use Safari's Develop menu to inspect the page. From there it was just an exercise in rooting around to find the obfuscated JavaScript, which, when run through jsbeautifier.org (which has the side effect of de-obfuscating it), looks like this:

var m = ['iphone', 'ipod', 'ipad', 'android'],
    u = navigator['userAgent']['toLowerCase']();
for (var d = 0; d < m['length']; d++) {
    if (u['indexOf'](m[d]) != -1) {
        if (confirm('Why you no play Candy Crush!!')) {
            window['top']['location'] = document['getElementById']('creative')['href'];
            break;
        };
    };
};

I think it's pretty safe to say that this is indeed a rogue ad, since on the page where I saw it, the ad itself was blank. It's trying to get you to click through to a link.

So, in other words, it's a real pain in the buttocks, but probably not actual malware. The ad in question is apparently delivered by AdMax by NEXAGE, so I'll see what I can do about alerting them.

Related Question