A friend asked me for help, saying some kind of “gambling app” had managed to attach itself to his Android phone, and kept popping up all the time. I figured he had been tricked into installing something, and we would probably have to track down the app, which likely had some innocuous name to obscure its purpose. Or possibly even worse, it had managed to take advantage of some vulnerability in his OS version to hide itself. Turned out it was a bit simpler than that. It was a website he had visited in Chrome (most likely following a link from an ad or something), which had an interesting technique to prevent him from getting away: it kept pestering him to allow it to access his location data. The trick was, it had maybe a hundred (maybe more) different site names of the form “«nn».example.com”, so when you blocked one, it would simply ask again, the request coming from a different number for «nn». The expectation obviously was that the user would eventually give up and allow one of these sites access. I was able to close the offending tab, but on quitting and restarting Chrome, it would come back. I figured out that his Chrome setting was to restore the last-visited page(s) when Chrome was restarted, which was why this page kept coming up. So I just turned off that setting. I thought maybe there was some deeper malware that would just bring the problem back when that setting was restored, and that he should consult somebody expert on more recent versions of Android to see about a permanent fix. But he suggested re-enabling that setting, just to confirm the problem was still there. And I did. And it wasn’t! So there was no obvious sign of any malware installation, it was just the website itself, exploiting a quirk of browser behaviour, to gain a lock on the user and blackmail them into giving up their location data.