Warning GMC suspensions due to Malicious software asaplabs

I am receiving a lot of clients that are getting suspended due to Malicious software starting yesterday.

They seem to be using an app (which one I don’t know yet) that is sourcing from asaplabs

Not sure if it’s anything to do with ASAPLab (different URL)

When checking several clients the subdomain URLs are all different such as

geo.s.asaplabs.

ym.s.asaplabs

Which redirects to an unrelated website URL.

I recommend a Shopify staff member look into this, as it is definitely a phishing attempt.

For anyone else reading this, please contact Shopify Support.

3 Likes

There was an app on our store called Yandex that we weren’t using but must have been installed a few years ago.

This morning it appeared to be inserting a line of code into the head that is redirecting some traffic to an asaplabs domain so I have deleted it.

I would recommend anybody else with the Yandex app do the same.

Hi @EmmanuelFlossie ,

Did you find a resolution for your issues? Was it the Yandex app too? We don’t have that app but we’re seeing the same issues pop-up.

My Malwarebytes browser guard is popping up with an error, citing the asaplabs domain as an issue;

Shopify support are telling us to speak to Google ads (regarding ad disapprovals caused by their flag for ‘malicious content’) and saying Google are having a lot of ‘false flags’ at the moment. That doesn’t really hold water though, as my browser guard (which has nothing to do with Google) is flagging the client’s site for containing a trojan!

Cheers!

Update: We found the culprit app for ours, it was a pop-up app used to notify international users of being on the wrong site. Doesn’t seem like it was isolated to the Yandex app.

I have not looked into the clients account, I just found it very suspicious I got a lot of emails in one day about the same issue. Which signals a global issue.

When I first looked at it, the subdomain was geo, which I thought was related to a GEO app, but the second subdomain does not make sense.

It is entirely possible several apps have been hacked, not just one.

And yes, this is not a Google issue, I’m using Bitdefender that is detecting the issue, which has nothing to do with Google.

And the URL itself is redirecting, which should not be the case if it was a real app.

Shopify needs to look at this deeper.

2 Likes

Hi everyone,

We were also having the same issue and contacted Shopify support. They were able to look in the backend of our store and told us the culprit was an app called “Geo Targeting - Notify pop-ups”. We deleted it and the script from asaplabs was gone after that.

These were the details shared by the Shopify rep:

  • It seems like it is coming from a third party app - in your case, it is coming from the “Geo Targeting - Notify pop-ups” app. It is suggested that you remove it and revoke any access they have.

  • When we search on the back end through installed apps on the store, this one has “asaplabs” in the script URL

  • Only we have access to this back end, it’s like a “profile” of all stores.

Since only Shopify can see the scripts of all apps installed, I would suggest anyone facing this issue go to the chat and ask for their assistance.

Hope this helps!

3 Likes
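An added example, not part of any post in this thread: merchants cannot search the app back end the rep describes, but they can audit the rendered storefront HTML themselves for third-party script hosts. The sketch below lists every external `<script src>` host on a saved page and flags hosts carrying the `asaplabs` label named in the thread; `shop.example`, the `.example` hosts and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Host label reported in the thread; the thread does not give the full domain.
WATCHED_LABELS = {"asaplabs"}

def is_watched(host):
    """True if any dot-separated label of the host is on the watch list."""
    return any(label in WATCHED_LABELS for label in host.lower().split("."))

class ScriptAudit(HTMLParser):
    """Collects (section, host, watched) for every external <script src>."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.section = "body"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.section = "head"
        elif tag == "script" and dict(attrs).get("src"):
            # urlsplit handles absolute and protocol-relative (//host/path) URLs.
            src = dict(attrs)["src"].strip()
            host = (urlsplit(src).hostname or self.page_host).lower()
            if host != self.page_host:  # skip first-party and relative paths
                self.findings.append((self.section, host, is_watched(host)))

    def handle_endtag(self, tag):
        if tag == "head":
            self.section = "body"

def audit_scripts(html, page_host):
    parser = ScriptAudit(page_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; shop.example and the *.example hosts are placeholders.
SAMPLE = """<html><head>
<script src="/assets/theme.js"></script>
<script src="https://cdn.shopify.com/s/files/app.js"></script>
<script async src="//geo.s.asaplabs.example/loader.js"></script>
</head><body>
<script src="https://notasaplabs.example/x.js"></script>
</body></html>"""

if __name__ == "__main__":
    for section, host, watched in audit_scripts(SAMPLE, "shop.example"):
        print(f"{'FLAG' if watched else 'ok  '} {section:4} {host}")
```

Scripts that other JavaScript adds at runtime do not appear as `<script src>` in saved HTML, so compare the result with the browser's network log for the same page.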

It looks like “Geo Targeting - Notify pop-ups” had the same developer (Simtech Development Ltd.) as the Yandex app that was causing us problems:

https://www.delightchat.io/apps/geo-targeting

https://www.delightchat.io/apps/yandex-metrica

There is one other app I’ve found a record of being developed by Simtech called “Custom JavaScript & jQuery” which I would assume also could be affected:

https://www.delightchat.io/apps/custom-js

2 Likes

Thanks for the info @EvanG1 .

We’ve removed the geotargeting app from the site now, and I’m no longer getting the flags from my browser guard. Unfortunately Google doesn’t agree the issue is resolved and our ads are still suspended :disappointed_face:

Great work @EvanG1

@James-Does-PPC Google unfortunately uses website caches to verify Malicious Software. Which means you need to wait until the cache in Google is cleared of the old plugin.

Yes this is annoying. Please note I am aware of this process only for Google Ads, I do not know if this is the same for Google Merchant Center.

You can check when a page was cached by adding cache: in front of your URL.

For example

cache:https://feedarmy.com/kb/asaplabs-io-suspended-shopify-account-due-to-malicious-software-in-google-merchant-center/

1 Like

Hey @EmmanuelFlossie ,

Thanks for the insight - That’s interesting to know.

Strangely, when I use the URL for the site in question the cache note gives a different site as a response.

If it helps with your merchant centre question, our product feed didn’t go down at the same time. Only the text ads.

That might be from the app, because what I noticed was that the app redirects sites. Hence why you get a different cache.

Just double check you didn’t use my website :grinning_face_with_smiling_eyes:

First navigate to your product landing page (any), then type cache: in front. If it does the same, then you need to wait a few days until the cache is back to normal.

Interesting, I wonder if that is where the app was redirecting to. I have scanned the site it was going to using a 3rd party tool and it came up clean.

Yes I did use our site, rather than yours (appreciate the check though, you never know!)

Any experience with how often the pages are crawled?

Crawl rates are increased or decreased by Google dependent on the volume of traffic you get. The more popular your website is, the higher the crawl rate.

But I don’t know too much about crawl rates, so I recommend you have a look here: https://support.google.com/webmasters/answer/48620?hl=en

Thanks @EmmanuelFlossie ,

I’ve spoken with Google ads support and they have sent me a link report.

The report is from the crawl yesterday, and the links in the report don’t contain the asaplabs URL (they mostly look very spammy).

I assume they are the ones dynamically being inserted by the compromised apps.

They have advised 3-4 days for a re-crawl, although I suspect this is a generic answer.

Thank you for posting this. I spent 2 days trying to find a solution to this problem. My Google Search Console was showing me a lot of pages with soft 404 and it was growing every week.

Deleting “Geo Targeting - Notify pop-ups” did the trick for me. The app was disabled but still present. I remember disabling it because it was causing other problems for me.

Thanks again.

3 Likes

Hello all,

This issue has reared its head again for us today.

We’re currently investigating the cause, perhaps more apps have been compromised.

We have also been battling with Google Ads since mid June 2022, malicious content and soft 404. We had the Yandex app installed and removed the app and also removed any scripting associated with it manually from the theme. Yandex and asaplabs and some related apps have been compromised. However, once we removed the code, Google still was denying our ads. Google, on their end, needs to clear their cache! That’s right. If you take an example page of your website that is being flagged, type in cache:https://xxyourwebsitelinkxx and take a look at the Google cache date. The deleted code may still be present in their scanning and they HAVE to refresh their cache or they will still be detecting the code!

1 Like

Looks like this may have been an error on our end, looks like one of the compromised apps was still on our US sub-domain.

What does this mean exactly?

@AdamSTM are you suspended from Google Ads due to Malicious Software?