I thought that Oldboot/Moubad firmware infections were limited to tablets that had been purposely flashed with updates from an SD card. My EKEN A76H tablet seems to have a permanent rootkit infection, but has never been reflashed. I did a factory reset, data delete/format. The tablet behaved for about 30 minutes, and then again began streaming full screen video clip ads which could not be dismissed. It appears a rootkit remained that reloaded the malware, and connected to its servers in that 30 minutes. I bought the tablet new, and it behaved for three months. I always used Google Play Store to download. I don't play video games, or have Facebook, yada, yada. Just Firefox, youtube and productivity utilities. Unfortunately, EKEN doesn't have firmware available for my model, so I can't reflash it, even if I wanted to. Either the rootkit came with the EKEN, and had a 3 month timer before it went into action, or I got the infection over the internet..somehow.
Indeed, when I downloaded 360 Mobile Security it found three trojans in ROM.
360 Mobile Security is willing to go after the ROMed trojans given root permissions, but there is no info on rooting an EKEN EKEN A76H.
Take Down This Post ... Infection from ext. SD card
I just realized I had recently installed an external SD card. Obviously, that was the infection vector.
I apologize for noise in the forum bandwidth.
Stan
rootmaniac said:
I thought that Oldboot/Moubad firmware infections were limited to tablets that had been purposely flashed with updates from an SD card. My EKEN A76H tablet seems to have a permanent rootkit infection, but has never been reflashed. I did a factory reset, data delete/format. The tablet behaved for about 30 minutes, and then again began streaming full screen video clip ads which could not be dismissed. It appears a rootkit remained that reloaded the malware, and connected to its servers in that 30 minutes. I bought the tablet new, and it behaved for three months. I always used Google Play Store to download. I don't play video games, or have Facebook, yada, yada. Just Firefox, youtube and productivity utilities. Unfortunately, EKEN doesn't have firmware available for my model, so I can't reflash it, even if I wanted to. Either the rootkit came with the EKEN, and had a 3 month timer before it went into action, or I got the infection over the internet..somehow.
Indeed, when I downloaded 360 Mobile Security it found three trojans in ROM.
360 Mobile Security is willing to go after the ROMed trojans given root permissions, but there is no info on rooting an EKEN EKEN A76H.
Click to expand...
Click to collapse
Yes, all is possible. Android is also an Os which can in fact infected. There was also some leaks about infected modems that comes pre-installed with some devices, in Russia and China some routers was also infected, they opened the packages modded the hardware and it's also mostly impossible for beginners to identify.
So, yes all is possible and no without knowlage or deep inspection it's hard to find, some if not all Android Av's can't scan the hardware components due restriction and there is no USB or drive-by firewall available atm.
Related
model number : lenovo a5500-hv
android version: 4.4.2
baseband version: a5500-hv.v34, 2014/05/08 22:28
kernel version: 3.4.67
build number: a5500hv_a442_000_011_140508_row
As shared in subject, my tab ANDROID is infected by malware where multiple issues have starting lately
a) Constant popup message stating" Unfortunately, com.system.update has stopped"
b) Constant popup message stating" Unfortunately, org.snow.down.update has stopped"
c) Constant popup displaying to INSTALL application" com.android.keyguard"
d) Automatic checking (on) in Settings> Security> Allow installation of apps from unknown sources, despite my regular check off( its gets reactivated again). Device Administrators viewed are Android Device Manager (ticked), Daemon Service( twice listed- unchecked).
e) Installed Malwarebytes Anti-malware, upon scanning detected these 11 malwares, which it is unable to delete ( Norton is unable to detect those even). Any open app which I try to use after some seconds are abruptly closed.
Malware name- Path
Android/ Backdoor.Triada.c - /system/priv-app/higher.apk ( File linked to be uninstalled- AppManage)
Android/ Backdoor.Triada.js - /system/priv-app/BCTService.apk ( File linked to be uninstalled- bcct_service)
Android/ Trojan.Rootnik.I - /system/priv-app/Bseting.apk ( File linked to be uninstalled- com.android.sync)
Android/ Trojan.SMSSend.ge - /system/app/com.android.token.apk ( File linked to be uninstalled- com.android.taken)
Android/ Trojan.OveeAd.F - /system/priv-app/com.mws.tqy.vsdp.apk ( File linked to be uninstalled- com.system.update)
Android/ Backdoor.Triada.J - /system/priv-app/com_android_goglemap_services.apk ( File linked to be uninstalled- GoogleMapService)
Android/Trojan.Dropper.Shedun.dc - /system/priv-app/parlmast.apk ( File linked to be uninstalled- GuardService)
Android/Trojan.Dropper.Agent.MJ - /system/priv-apk/Sooner.apk ( File linked to be uninstalled- PhoneService)
Android/Trojan.OveeAd.J - /system/priv-apk/com.tsr.eny.hyu.apk ( File linked to be uninstalled- system.bin)
Android/Trojan.Guerrilla.Q - /system/priv-apk/NAT.apk ( File linked to be uninstalled- SysTool)
Android/Trojan.Triada.m - /system/priv-apk/com.glb.filemanager.apk ( File linked to be uninstalled- UPDATE)
PS: If I try to connect to Internet, app icons are downloaded and auto open displaying porn images.
Please assist to REMOVE the MALWARE INFECTION. Tried FACTORY DATA RESET from Settings, but no help. Tab not rooted.
Solution
Last night i got some pesky malwares. For now i think i removed them. Get Avast and see what it can find. After that try to remove the files from file explorer and the most important thing - go to Settings-Security-Device Administrators. From there remove everything and now from Avast you should be able to remove the infected apps. Hope i helped
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
The apps require extensive access to the devices on which they run, and they are able to harvest a great deal of data about users’ interests, demographics and location. Cheetah Mobile’s business model is not significantly different from the way in which some major American tech companies such as Facebook monetise their free products. However, Cheetah Mobile is different from American tech companies in that its headquarters are located in China and its data servers are primarily located there as well, and its main business partners are major Chinese tech firms. The Chinese government, according to sources, accesses its companies’ data for internal security, economic competitiveness or other purposes. Cheetah Mobile, and similar companies, represents a major point of entry for China to access American app marketplaces and their users to gather information. However, U.S. government officials in national security and intelligence agencies are highly aware of surveillance and hacking both inside and outside China, presumably coming from actors affiliated with the Chinese state.
Click to expand...
Click to collapse
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Sorry to hear this. However I think it is possible that the CM app did its job as those malicious apps have probably already rooted your phone, so CM may have just used that root access without informing you, though whether or not other apps like CM app can still use that root, I'm not sure, it depends if its been left "on". I did watch a video on youtube for CM Stubborn Trojan app and the guy had to root his phone first. (You could try some/several of the root checker apps, if you want to know). So lets assume the CM app worked properly and removed trojan as it could get root without giving you a root request notification.
It's entirely possible that your reinfection is from your external SD card or via some other means eg. your router has had some ports opened or some other means. (Sorry I should have said reset router when I said change router password [do this for all routers you use & update firmware & ensure remote access is off (ref. dirty cow) while you are about it too!]
So I would reinstall CM Stubborn Trojan (lets assume it removes malware as it has root, even if it just blocks them it helps us) so you can then reflash official stock ROM for your country (& update to newest version if available), you must flash the FULL stock ROM so all partitions are reflashed. partial stock or custom ROM will not do this & potentially leave you open to reinfection! Reflash the FULL STOCK ROM is the only way to "easily" be sure you have cleaned the malware from your phone. NOTE: just doing a factory reset will NOT remove the malicious apps if they are in operating system folders, this only works for malicious apps in user data areas! Then you must make sure all possible ways you can be reinfected eg via sync, external SD cards or storage, your PC, router etc are cleaned/blocked/reset/updated
If you are not getting updates for your ROM you might want to consider installing a custom ROM (AFTER you have flashed the stock ROM!) from a reliable & trustworthy source, if available for your model, so that you get security patch updates. But you need to research and consider the risks of things like bricks, security etc for yourself first.
Hope this helps you clean your phone
Sometimes, it's times, it's the firmware itself that is infected
IronRoo said:
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Click to expand...
Click to collapse
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Josh Ross said:
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Click to expand...
Click to collapse
This was what I did finally, I went to service centre and spent bucks. They reloaded the firmware I suppose ( not flashing it) and instantaneously it was as good as new. I think, malware was itself part of original installation like uc browser- it was there. It just activated after some time or may be I clicked on some advertisement while running app and then the hell happened.
Any ways, its working fine, added an adblocker, restricted usage to few apps and keeping my fingers crossed for future.
Sent from my A0001 using XDA-Developers Legacy app
Yeah, the bloatware that you get with some phones nowadays is unbearable. If there is an option, go with a rooted phone, custom ROM, some couple custom solutions for protection and you will be good to go. And they work better than defaults most of the time. Good luck! Hopefully, we will only be hearing good news from you
PGHammer said:
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
Click to expand...
Click to collapse
I'd reflash stock.
Got my son a Note 5 for Christmas yesterday, I know on mine i run Lookout as the native antivirus and every couple of weeks I scan it with Malwarebytes and have not had a problem. When I was at the ATT store activating it for him the salesman told me NOT to install lookout and malwarebytes as they will harm the phone (Samsungs come with lookout already preloaded) he told me to use Avast (I have used that for PCs and know its a good product) and that has a malware scanner and antivirus all in one. What are peoples opinions or suggestions?
no need for malware and antivirus for android
no root no problem apps require root permission to do what the virus does
AlMaghraby said:
no need for malware and antivirus for android
no root no problem apps require root permission to do what the virus does
Click to expand...
Click to collapse
im not so much worried about the apps themselves causing issues, Im more concerned about when he uses the internet itself. you see he has Autism and dosent understand that people can put harmful stuff inside the links. He is 15 and he wanted a phone, movies, you tube etc.... but I know e will get curious (like all kids) and surf the net. His friends in school have phones so I thought he was old enough to have one too. Im just worried about him opening up an email or link and seeing something or his phone getting infected
https://disconnect.me/ ,if you must have ...
even if he surfs the internet those malware and viruses you talk about are made for windows not android so I see that there is no way to infect your phone without being rooted.
those links won't affect the phone.
and I suggest that you untick unknow resources install from setting and you will be just fine .
Has anybody deleted some of the bloatware apps, more specifically the stock File Manager?
com.jrdcom.filemanager
/data/app/com.jrdcom.filemanager-2/base.apk
Wondering if anybody tried and had any ramifications from it.
This thing just all of a sudden activated itself and runs in memory, and there is no Disable for it. I could install an app to freeze it, but that defeats the purpose.
Moscow Desire said:
Has anybody deleted some of the bloatware apps, more specifically the stock File Manager?
com.jrdcom.filemanager
/data/app/com.jrdcom.filemanager-2/base.apk
Wondering if anybody tried and had any ramifications from it.
This thing just all of a sudden activated itself and runs in memory, and there is no Disable for it. I could install an app to freeze it, but that defeats the purpose.
Click to expand...
Click to collapse
Im runnin lineage on mine and doesnt even have it on there.
I would freeze it. Make sure your downloads and such still work ok.
Give it a few days if good then remove.
TheMadScientist said:
Im runnin lineage on mine and doesnt even have it on there.
I would freeze it. Make sure your downloads and such still work ok.
Give it a few days if good then remove.
Click to expand...
Click to collapse
Thanks, I deleted the culprit. No issues so far.
LOL...after 3 or 4 days the lovely File Manager App magically installed itself. Looks like a more indepth investigation is forthcoming.
Obviously there is another app that re-installs it.
Stinkin thing.
I switched over to the xperia rom on idol 3 And it got rid of a load of crap, Bunch of xposed is working.
I just dont care for the stock rom on this thing at all, Even debloated it runs like crap,
Ive had this device now over a week and cant find any sort of setup I like, I am used to lgs UI.
Even tried t get touchwiz ui and grace to run but nogo.
Did you remove the system update apps too by chance?
TheMadScientist said:
Stinkin thing.
I switched over to the xperia rom on idol 3 And it got rid of a load of crap, Bunch of xposed is working.
I just dont care for the stock rom on this thing at all, Even debloated it runs like crap,
Ive had this device now over a week and cant find any sort of setup I like, I am used to lgs UI.
Even tried t get touchwiz ui and grace to run but nogo.
Did you remove the system update apps too by chance?
Click to expand...
Click to collapse
Haven't really had a chance to look deep into it yet. I've disabled auto updates, so pretty sure it's not getting it from the netz.
Funny thing, I tried running a 100mb system update and i failed to completely install. Havent thot about it much since then, But I suspect it was in that update somewhere, as I had never seen nor had an issue with it before.
Will strip down that update and see when I get a chance.
It comes pre installed as 'files' app, auto updates to "file manager" to then run this 'boost' branded adware. I call it adware because it does not adhere to the android force stop, disable peeking or any other android OS settings and automatically regenerates itself despite the OS not allowing auto updates.
Android should never allow provider apps to have a higher privelage that renders the OS setting useless, bundled apps should also not disable the uninstall and disable functionality of the OS.
I have spent weeks in settings to find out it is allowed to act like a virus and do what ever it wants being rewarded with ad revenue.
Thanks Google for allowing me to purchase hardware pre loaded with junk ads by default with no way of opting out, it's not only a privacy and security concern, it's a consumer complaint.
adware/spyware
Not happy said:
It comes pre installed as 'files' app, auto updates to "file manager" to then run this 'boost' branded adware. I call it adware because it does not adhere to the android force stop, disable peeking or any other android OS settings and automatically regenerates itself despite the OS not allowing auto updates.
Android should never allow provider apps to have a higher privelage that renders the OS setting useless, bundled apps should also not disable the uninstall and disable functionality of the OS.
I have spent weeks in settings to find out it is allowed to act like a virus and do what ever it wants being rewarded with ad revenue.
Thanks Google for allowing me to purchase hardware pre loaded with junk ads by default with no way of opting out, it's not only a privacy and security concern, it's a consumer complaint.
Click to expand...
Click to collapse
Yes , this lovely new addition to the file manager is actually the "Hawk Super Cleaner/ antivirus" seen here: https://play.google.com/store/apps/details?id=com.apps.go.clean.boost.master&hl=en
You can see my complaint(s) here: https://forum.xda-developers.com/idol-3/help/joy-launcher-joy-t3628670
I just installed TWRP and SuperSU on the stock Marshmallow following this guide:https://forum.xda-developers.com/idol-3/general/twrp-custom-recovery-idol3-6045-t3162608 and will be removing this cancer for good!
Cheers, I might have a look at rooting (pain seeing I bought 4 of these for myself and fam). I have reported the appin the playstore for being installed with root permissions bypassing the expected android user settings and will be following up with a complaint to the consumer watchdog.
I never bought hardware with the knowledge an innocent bloatware provider app would turn rouge with root permissions for ad revenue.
My phone will most likely be thrown at the wall so "File Manager" doesn't get another 1000 or so false positive downloads in the playstore from me.
Had 3 myself
Not happy said:
Cheers, I might have a look at rooting (pain seeing I bought 4 of these for myself and fam). I have reported the appin the playstore for being installed with root permissions bypassing the expected android user settings and will be following up with a complaint to the consumer watchdog.
I never bought hardware with the knowledge an innocent bloatware provider app would turn rouge with root permissions for ad revenue.
My phone will most likely be thrown at the wall so "File Manager" doesn't get another 1000 or so false positive downloads in the playstore from me.
Click to expand...
Click to collapse
I hear ya, I bought 3 of these.
I am very careful what I install on my device and read the manifest files on EVERYTHING so you can imagine how angry I was when my own phone manufacturer pushed unwanted adware/possible-probable spyware on to my device with no warnings or asking my permission.
Another odd thing is that after I uninstalled the Facebook app I had 2 apps appear (or were left over?) com.facebook.appmanager.apk and com.facebook.system.apk that were using up data and could not be removed until tonight after rooting.
Interesting article here: https://forum.xda-developers.com/tmobile-lg-v10/help/suspicious-apps-apps-section-facebook-t3415876
I have been studying computer and mobile security as a hobby for some time and have found that these "antivirus" and 'cleaner" apps on Android are the worst offenders of privacy of them all.
Scanning all your files, installed apps, contacts etc etc and sending all that data back to God knows where!
I have found that almost every single app that I have downloaded from the Play Store has some form of data mining and/or analytics.
Unfortunately, it's a catch 22 in Android..rooting your device breaks what little security is built into the system but it's the only way to remove pre-installed crapware.
---------- Post added at 06:02 AM ---------- Previous post was at 05:53 AM ----------
Also, good luck trying to get anything done with Google or Alcatel.
I battled with Google for almost 8 months straight trying to stop an unscrupulous advertiser that was using FAKE virus warnings to trick users into installing an "antivirus" app on the Play store and just got sent around in circles.
Google is complicit!
I was finally successful in stopping the fraudulent activity after I contacted the Federal Trade Commission.
http://smisecurity.altervista.org/DFNDR.html
Data mining is a given these days which is why I have Pi-hole for my home dns and ubuntu for my home box, gotta do what you can. As for this phone I wouldn't do much on it unless I re flash it which is why I am angry with it.
As for Android taking the normal software stance of do nothing unless legally required, this time is interesting to me because they are effectively allowing the bypassing of the playstore agree feature to Install an app, being side loaded from Alcatel like this one would think breaks the playstore terms so knowledge should be enough for action in this case from the android or playstore devs. Doubt it but.
Also apon sale did not mention android as being adapted software that over rides expected android and playstore behaviour but did advertise android and use their logo so most likely a trademark vialation also.
The problem is Alcatel are adapting android and side loading apps to bypass security and privacy user settings to double dip on the customer for income despite the final result, android and the playstore can bury their heads in the sand all they want but they have been made aware of the risks.
Went over it again for peace of mind (sorry) but I wish you the best in your education as we need more people shinning the light on privacy simply because we are in the rise of the machines, not long before people worldwide ask what happened to all the jobs and when did the need for conventional ID actually dissapear.
Not happy said:
The problem is Alcatel are adapting android and side loading apps to bypass security and privacy user settings to double dip on the customer for income despite the final result, android and the playstore can bury their heads in the sand all they want but they have been made aware of the risks.
.
Click to expand...
Click to collapse
Very well said!
The supervisor I spoke to at Alcatel tried to say that I/we agreed to the terms by using their devices which allowed them to push this on to our phones but I disagreed with him.
At one point I even thought of ditching my phone and getting an iPhone or an Android device that is compatible with the Replicant OS https://www.replicant.us/
I have a few Raspberry PI's laying around but never used one as an access point. (I'm assuming that's what your doing?)
I just sent a very nasty email to the developer "[email protected]" and referenced this thread.
Keep us updated if you get anywhere and I will be fighting this from my end and posting any updates as well.
Will do, I don't plan on not continuing with this one because my hardware and android do not operate as advertised.
The day I can rely on Linux for a phone OS is the day android gets ditched but will definatly check out your link also.
Pi-hole is basically a collection of hosts files that block ads and known bad domains on the DNS level, point the home router to it and bam the whole household gets an adblocker by default. Runs smooth but added a few commands to auto upgrade the lists with a Cron job.
Not happy said:
Pi-hole is basically a collection of hosts files that block ads and known bad domains on the DNS level, point the home router to it and bam the whole household gets an adblocker by default. Runs smooth but added a few commands to auto upgrade the lists with a Cron job.
Click to expand...
Click to collapse
Very cool!
I'll have to check that out.
I altered the hosts file on both my laptop and my other rooted phone to block ads and apps I used to have.
This is a small sample of IP's I blocked in the hosts file after running NETSTAT scans, there are a TON more that I added from MVP hosts (it is against MVP's EULA to post their blocked IP's)
http://winhelp2002.mvps.org/hosts.htm
127.0.0.1 localhost
127.0.0.1 search.vip.gq1.yahoo.com
127.0.0.1 a96-6-122-162.deploy.akamaitechnologies.com
127.0.0.1 a-0001.a-msedge.net
127.0.0.1 yahoo.com
127.0.0.1 rtr3.l7.search.vip.gq1.yahoo.com
127.0.0.1 c.amazon-adsystem.com
127.0.0.1 yandex.st
127.0.0.1 mc.yandex.ru
127.0.0.1 c1.popads.net
127.0.0.1 c1.popads.net/pop.js
127.0.0.1 google-analytics.com
127.0.0.1 google-analytics.com/analytics.js
::1 localhost #[IPv6]
---------- Post added at 01:40 PM ---------- Previous post was at 12:54 PM ----------
Wow! that PI-hole block list on Git Hub is a LOT larger than the one I was using!
Him guys and thanks again for the thread. Anyone found a solution? This app is wasting 20 percent of my battery, which does not last me a whole day anymore, it's outrageous. I also sent a report to Google and the app developers.
Cheers
Guys, I found someone with a solution, just see this post: https://forum.xda-developers.com/showpost.php?p=73642381&postcount=4
Cheers
That is not much of a solution unfortunately. The REAL solution is to install TWRP recovery on the adware/spyware infested Alcatel phone and flash to a different operating system. There is an (unofficial) ROM of Lineage 14 Nougat that is pretty decent that can be found on the XDA site.
sloshnmosh said:
That is not much of a solution unfortunately. The REAL solution is to install TWRP recovery on the adware/spyware infested Alcatel phone and flash to a different operating system. There is an (unofficial) ROM of Lineage 14 Nougat that is pretty decent that can be found on the XDA site.
Click to expand...
Click to collapse
It solved my problems
It's easy to solve the problem. Just go to applications. Select file manager uninstall upgrades, it will revert it back to factory version, no more spam !
I was getting really annoyed by the app that stealthily installed itself and called itself File Manager for my Alcatel POP 4. It constantly wanted to clean, boost, virus-protect, be a flashlight and camera app with it’s own toolbar and playing an ad whenever you asked any of those actions to be performed. The beauty of it was that it could not be disabled or uninstalled. I was desperately looking for a way to get rid of it without drastic measures, like a full factory reset or rooting my device. I found a suggestion on the net to install AppMgrIII from the Play Store. I did it as I was determined to try anything at that point. It offered me to replace the app with a “factory version”. I accepted that and sure enough, a normal-looking File Manager with no ads or toolbars appeared, all the rockets, boosts, virus-protection, cleaning brushes gone! I hope it won’t reinstall itself magically. In a perfect world I would prefer to have no file manager on my machine at all and a choice of installing one that I prefer but at least the nightmare of this intrusive monster seems to be over. I hope it stays that way.
Update: reverting back to factory version stopped the spam but it all came back with the next update. Now I reverted it back again and stopped automatic updates on Google Play for all apps. I will pick apps to be updated manually.
TLDR:
- Pixel XL 2 unrooted, Android 10 security patch 1/2020 probably compromised
- Where can I find the recent's calls aside the Phone app's history?
- Any other recommendation to identify the malware app?
Hello everyone.
Yesterday I was playing "Dropdom - Jewel Blast" and the Phone app splashed for a second and then back to the game. Was really fast, but the game forces an Ad every time it get focus again, so I'm sure that the game lost focus and then regained it.
I immediately opened the Phone app and saw a "tell why you called" link, but didn't follow (I know, I should, but thought I will find the phone number somewhere else). Looking at the calls history I don't see that entry.
Is there another place where I could find which phone was dialed? I would like to search that number for security reports to identify which app compromised my phone (if so).
I don't use out-of-the-store apps (except DNS66, but I trust it) nor browse shady sites.
It looks like a malware served by ADvertising, but I would like to learn about it. I'm afraid that reinstalling OS and same apps will lead me to the same security issue.
After this unique incident, I installed and run Avast antivirus, but nothing found.
Thanks everyone and any other forensic/wiping recommendation is welcome in advance.
Luigi
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
malandrex said:
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
Click to expand...
Click to collapse
Could be a fake Play store app reinstalling itself somehow eg from SD card. Is your antivirus scanning your external storage also? Check if you have more than one play store app shown in settings>apps (not your normal apps screen as they can be hidden there). Or it could be an overlay made to look like Playstore screen ... you did get official Avast app right?
else something has installed itself in system folder which is why factory reset not working and you will need to reinstall your FULL Samsung factory ROM suggest you use Samsung SmartSwitch like RootJunky here (use high quality cable eg samsung usb cable, else danger of bricking)
https://m.youtube.com/watch?v=9QhJngOuLQ4
malandrex said:
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
Click to expand...
Click to collapse
Download Odin 3.xx (current version)
Browse SamMobile for firmware for your device, download factory ROM. Pay close attention to the region code for your ROM, CSC code. Use one compatible with your device and regional settings. It can be found on the IMEI sticker on the back of the device
Follow the flashing instructions to the letter that you will find on SamMobile website.
Once completed the device is fully refreshed and has latest available software at the time of the build. Do device setup and download app updates.
Enjoy.
Many thanks for both replies , but I have a few more questions:
a) Does this virus have the power to attack my router? If so, what should I inspect at my router? Should I use my brother´s ios iphone as a router while cleaning my device?
b) If I attach the tablet at my PC to perform the firmwire installation, could the virus be transmitted to it? What should I do to avoid it?
c) Where can I safely download this ODIN?
And answering some questions you made:
a) The avast app was downloaded from the store
b) Ive already tried disconnecting the sd card, perform a factory reset without the card but the problem persists.
c) I logged at my google account and when looking at my registered activity, Google claims I did opened the Google Play Store and searched for the IQ Option Broker app. So the virus acts as if it was me.
malandrex said:
Many thanks for both replies , but I have a few more questions:
a) Does this virus have the power to attack my router? If so, what should I inspect at my router? Should I use my brother´s ios iphone as a router while cleaning my device?
b) If I attach the tablet at my PC to perform the firmwire installation, could the virus be transmitted to it? What should I do to avoid it?
c) Where can I safely download this ODIN?
And answering some questions you made:
a) The avast app was downloaded from the store
b) Ive already tried disconnecting the sd card, perform a factory reset without the card but the problem persists.
c) I logged at my google account and when looking at my registered activity, Google claims I did opened the Google Play Store and searched for the IQ Option Broker app. So the virus acts as if it was me.
Click to expand...
Click to collapse
b) Possibly access is possible via your modem (or Bluetooth as serious bug was just patched this month if an attacker knows your BT MAC ... though likely take a while to rollout to all Samsung so you moray not be patched). If you suspect modem then you need to therefore also update your modem firmware (assuming its been patched & is not old & still vulnerable to some old bug, or buy new one) AND change both user & admin passwords
There is an XDA article with link to safe Odin download, google to find. But I'd recommend using Samsung SmartSwitch as this is official way & no special knowledge required.
Re item c) then possible it's just someone trying to load an app remotely via your Google account, does it show any unrecognised login from another device? Also I'm not 100% sure if this requires user to tap install on newer phones, so might not be what you are seeing. Change Google password. (your phone not infected in this case as you didn't click install) Always use a different password)(used same password then check your email address on have I been pwnd)
See below
IronRoo said:
b) Possibly access is possible via your modem (or Bluetooth as serious bug was just patched this month if an attacker knows your BT MAC ... though likely take a while to rollout to all Samsung so you moray not be patched). If you suspect modem then you need to therefore also update your modem firmware (assuming its been patched & is not old & still vulnerable to some old bug, or buy new one) AND change both user & admin passwords
There is an XDA article with link to safe Odin download, google to find. But I'd recommend using Samsung SmartSwitch as this is official way & no special knowledge required.
Re item c) then possible it's just someone trying to load an app remotely via your Google account, does it show any unrecognised login from another device? Also I'm not 100% sure if this requires user to tap install on newer phones, so might not be what you are seeing. Change Google password. (your phone not infected in this case as you didn't click install) Always use a different password)(used same password then check your email address on have I been pwnd)
Click to expand...
Click to collapse
b) I have 2 modens here, one from the internet provider , which is at bridge mode and one that spreads the signal. THe last one is modern and updated and the bridged one , there is no way I can acesss the firmwire besides its info. However , when I had to put it at bridge mode, I had to use an ethernet cable with a computer which maybe wasnt the most protected one. Could that process corrupts a firmwire modem?
c) But I have 2 stage factor. Shouldnt my phone receive an SMS alerting someone is logging at my account? And no, I havent seen any unrecognized login when I accessed my google account.
But your reply gave me an idea...: Maybe an access to my google account was made from a "public" computer and since the access wasnt terminated, as I use this computer a lot, a bot may be trying to remotely install this app.
malandrex said:
b) I have 2 modens here, one from the internet provider , which is at bridge mode and one that spreads the signal. THe last one is modern and updated and the bridged one , there is no way I can acesss the firmwire besides its info. However , when I had to put it at bridge mode, I had to use an ethernet cable with a computer which maybe wasnt the most protected one. Could that process corrupts a firmwire modem?
c) But I have 2 stage factor. Shouldnt my phone receive an SMS alerting someone is logging at my account? And no, I havent seen any unrecognized login when I accessed my google account.
But your reply gave me an idea...: Maybe an access to my google account was made from a "public" computer and since the access wasnt terminated, as I use this computer a lot, a bot may be trying to remotely install this app.
Click to expand...
Click to collapse
b) would need to be a modem exposed hero their internet with known vulnerability, so not sure.
C) yes, should have got a msg so can role that out, I guess.
Suppose it' possible that public pc could be comprised and doing that ... bit of a long shot ...
IronRoo said:
b) would need to be a modem exposed hero their internet with known vulnerability, so not sure.
C) yes, should have got a msg so can role that out, I guess.
Suppose it' possible that public pc could be comprised and doing that ... bit of a long shot ...
Click to expand...
Click to collapse
I think I found the culprit , when I reviewd the few apps Ive installed on my tablet and googled them . There is Netflix, Omega Wars game, PUBG and COD Mobile, handycalc, Go Read, Hube and... QuickPic gallery!!!!!!!!! I used this app on my ancient galaxy S2 and at my other 2 previous tablets. When I looked for the program at Google Play one hour ago ,QuickPic wasnt available anymore!!!! I googled about it and saw many people complaining about this program when a chinese company bought it a few years ago . Maybe QuickPiC installed some crapware at my device!!!!
malandrex said:
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
Click to expand...
Click to collapse
BTW, can you find same app on Google, is it called IQ Forex, is closest I could fined
IronRoo said:
BTW, can you find same app on Google, is it called IQ Forex, is closest I could fined
Click to expand...
Click to collapse
The name of the program is IQ Option , from IQ Option developer
malandrex said:
The name of the program is IQ Option , from IQ Option developer
Click to expand...
Click to collapse
I can't find this one but doesn't mean anything, maybe not available in my country or not compatible with my phone.
PS: Don't rule out a compromised router even top of her range can be affected eg
https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/
IronRoo said:
I can't find this one but doesn't mean anything, maybe not available in my country or not compatible with my phone.
PS: Don't rule out a compromised router even top of her range can be affected eg
https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/
Click to expand...
Click to collapse
Dont have much free time , but despite the fact I think the router is still safe, Ill reset it on a weekend and change again its id and password as this is a process that takes too much time ( mostly due to my ignorance at the beginning of the process ).
Im thinking about taking my tablet for a Samsung assistance, but Im worried theyll change one virus for another if the employees are corrupt. Do you think I should take the risk or Im beeing too paranoic?