LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-14-2015, 04:13 AM   #1
business_kid (LQ Guru)
Hack Attack: Firmware Compromised? Pipo P1


I have a new Pipo P1 tablet with Android 4.4.2 and the much (overly?) vaunted RK3288 chip. I used it last night as an e-reader. Afterwards, I opened the browser, which loads the last URL (http://www.jw.org - as squeaky clean a website as they come).

I typed in something innocuous - google, I think - and was redirected through zh.zerodirect1.com to this (long) URL:
http://www.google-playstore.com/zero...__var5..DOMAIN

The screen is attached as a jpeg. It bothers me how nearly I went for it! It seemed forceful for Google's way of expressing things (more like M$). I started checking:
* No updates from "Settings / About Tablet / Check for Updates".
* No CVE number referred to in the text (as I might expect).
* The phrase "kill your phone's internet speed" is bad grammar.
* Hitting the back button allowed me to see the zh.zerodirect1.com URL.
* The Play Store is actually play.google.com, not google-playstore.com.
* No similar behaviour on another Android system.
* Once I decided to ask, and saw the whole URL, the whole thing became obvious. My next move is to look for a rootkit checker in the Play Store.

NOW MY QUESTION: Where the <expletive deleted> did that come from? Is there a rootkit fitted as from new?

My only apps are all known apps used previously on another tablet without issue. The only odd thing is an app totally in Chinese, which came with the tablet. I mean to get a Chinese speaker to explain it to me.

Attached: 20150113_221817.jpg (screenshot, 254.1 KB)
Old 01-14-2015, 08:56 AM   #2
business_kid (LQ Guru, Original Poster)
Well, I got that link up on an x86_64 Linux box and clicked on it, with NoScript functional. It sent me here:
http://ezte8.redirectvoluum.com/redi...oZ5Q7U%3D&rm=D

Another piece of hard work by someone - but nowhere near the Play Store :-P.
Old 01-15-2015, 10:59 AM   #3
sundialsvcs (LQ Guru)
"The Play Store," just like Apple Software Update, is an application, not a site. (That is to say, you should only update through the application, not through any site.) Only the application for software-updating the machine, that comes with the machine, should ever be trusted to update anything whatsoever on the machine.

Tablets, like mobile phones, should (IMHO) always be treated as inherently insecure devices. For instance, I'd never use one to do my banking, nor "tap" it against anything at Starbucks or anywhere else. (Sorry, Apple.)
Old 01-15-2015, 12:59 PM   #4
business_kid (LQ Guru, Original Poster)
Agreed completely on the security.

It does not seem to be repeating, and I am a wary owner at this stage. I was surprised to run into a hack attempt for Android when I am in communication with nothing suspicious. Maybe I checked eBay - that might have done it.
Old 01-18-2015, 08:43 AM   #5
Hangdog42 (LQ Veteran)
Maybe it isn't your device, but rather something hinky with your ISP? Given the number of ISPs that like to redirect traffic (particularly mistyped URLs) or insert their own code into web pages, I wouldn't rule them out as a suspect. Your browser probably identifies you as using Android, and the redirect took over from there.
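Both hypotheses in this thread (an Android-only redirect injected upstream, per #5, and the desktop follow-through to redirectvoluum.com in #2) can be checked the same way: fetch without auto-following, record every Location hop, and flag any host that is not on a short trusted list. The following is an added example, not code from the thread; it uses a constructed fake fetcher that mimics the hops named in the posts, so it runs offline, and the hypothetical `fake_fetch` can be swapped for a real non-following HTTP client.

```python
"""Trace an HTTP redirect chain hop by hop and flag unexpected hosts.

Constructed example (not from the thread): FAKE_REDIRECTS mimics the chain
reported above and only fires the first hop for an Android user agent,
which is the ISP/UA-keyed injection hypothesis from post #5.
"""
from urllib.parse import urlparse

# Constructed rules: (host, substring the User-Agent must contain) -> Location.
# An empty marker matches every user agent.
FAKE_REDIRECTS = {
    ("www.google.com", "Android"): "http://zh.zerodirect1.com/go",
    ("zh.zerodirect1.com", ""): "http://www.google-playstore.com/zero",
    ("www.google-playstore.com", ""): "http://ezte8.redirectvoluum.com/redirect",
}


def fake_fetch(url, user_agent):
    """Return (status, location) for one request without following it.
    Stands in for a real GET with redirects disabled (hypothetical helper)."""
    host = urlparse(url).hostname
    for (rule_host, ua_marker), target in FAKE_REDIRECTS.items():
        if host == rule_host and ua_marker in user_agent:
            return 302, target
    return 200, None


def trace_redirects(url, user_agent, fetch=fake_fetch, max_hops=10):
    """Follow redirects manually; return the list of hostnames visited."""
    hops = [url]
    for _ in range(max_hops):
        status, location = fetch(hops[-1], user_agent)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        hops.append(location)
    else:
        raise RuntimeError("redirect loop or chain longer than max_hops")
    return [urlparse(h).hostname for h in hops]


def unexpected_hops(url, user_agent, trusted, fetch=fake_fetch):
    """Hosts reached after the start URL that are not in the trusted set.
    Matching is exact, so a lookalike such as google-playstore.com is
    flagged even though it contains the word 'google'."""
    return [h for h in trace_redirects(url, user_agent, fetch)[1:] if h not in trusted]


if __name__ == "__main__":
    trusted = {"www.google.com", "play.google.com"}
    for ua in ("Mozilla/5.0 (Linux; Android 4.4.2)", "Mozilla/5.0 (X11; Linux x86_64)"):
        print(ua, "->", unexpected_hops("http://www.google.com/", ua, trusted))
```

Run the same trace from the tablet's network and from another connection; if the chain appears only behind one ISP, the upstream explanation is the more likely one.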
Old 01-18-2015, 11:02 AM   #6
business_kid (LQ Guru, Original Poster)
OK, in summary:

1. I really don't know where that suspicious URL came from. As I get a provider IP address, it could have been an attack from outside.
2. Nothing major went wrong, fortunately.
3. I can be pretty certain only the browser and base system were running.
4. Nobody recognised this approach, which is a sign it is not too widespread.
5. No repeat occurred. I may not even have the same IP now.
So I am marking this one solved, because it's as near solved as it's ever going to be.

Last edited by business_kid; 01-19-2015 at 04:57 AM.