Is Chameleon Payload Maintenance safe? - Security Discussion

I can't uninstall this and I think it is malicious, but I have scanned the phone several times and nothing comes up. Is this Chameleon Payload program thingy safe?

[Q] What is this Exploit.Linux.Lotoor.g?

This site tried to put this on my PC when I joined here.
I also just got this alert when clicking to download an attachment added to a post here (SuperOneClick).
Could it be a false positive of some sort? The download hadn't begun, so I doubt it was the actual attachment that was infected.
"The requested URL cannot be provided
The requested object at the URL:
http://forum.xda-developers.com/attachment.php?attachmentid=437039&d=1289271263
Threat detected:
object is infected by Exploit.Linux.Lotoor.g"
I am seeing it too.
I am getting an alert from Kaspersky that the rageagainstthecage file in SuperOneClickv1.5.5-ShortFuse.zip is infected with Exploit.Linux.Lotoor.g.
Kaspersky report:
detected: Trojan program Exploit.Linux.Lotoor.g file: C:\Documents and Settings\user\Desktop\SuperOneClickv1.5.5-ShortFuse\rageagainstthecage
I expect this is a false positive due to the nature of the application, but I'd like someone brighter than me to confirm.
Thanks!
I'm going to have to agree with the false positive, considering it says it's a Linux exploit in the name. RaTC is an exploit to get root on Android, which is a form of Linux. I've also used SuperOneClick, so I know it's not malicious.
Well, maybe it is malicious if we take into consideration this:
...
Troj/DroidD-A
Aliases
* Exploit.Linux.Lotoor.k
* Exploit.Linux.Lotoor.g
* Trojan-Downloader.AndroidOS.Rooter.a
* Android.Rootcager
* Backdoor.AndroidOS.Rooter.a
* Trojan-Downloader.AndroidOS.Rooter.b
* Exploit.Linux.Lotoor.l
...
Troj/DroidD-A is malware for Google Android phones. It purports to be a legitimate application and had been on the Google Market before it was taken down.
...
All the packages contain a repackaged legitimate application with a trojan package in com.android.root, which is set to start its action prior to the normal application.
* It can access TelephonyManager and steal the IMEI (International Mobile Equipment Identity) and IMSI (International Mobile Subscriber Identity) codes, and various other data.
* It then adds this information into an XML file
<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<Request>
<Protocol>1.0</Protocol>
<Command>0</Command>
<ClientInfo>
<Partner>%s</Partner>
<ProductId>%s</ProductId>
<IMEI>%s</IMEI>
<IMSI>%s</IMSI>
<Modle>%s</Modle>
</ClientInfo>
</Request>
* using a simple XOR byte encryption with a key predefined in the class adbRoot. The decrypted byte buffer contains the IP address and the URL of the server, which is used to post data about the infected phone in XML format using an HTTP POST request.
The package also runs a set of privilege escalation exploits. These exploits are detected by Sophos as PUA HackTool "Android Local Root Exploit".
After obtaining root privileges, it tries to install another APK, DownloadProviderManager.apk (as package com\android\providers\downloadsmanager), which is the payload (also detected as Troj/DroidD-A).
This payload runs as a background service "DownloadManageService" and starts whenever the phone boots up.
* It will try to access even more information and report back, including trying to enumerate the packages installed on the phone, and then report back to the same control center.
* It has a function to install additional packages from a remote download.
...
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdroidda.html
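The Sophos write-up above gives a detection engineer two concrete things to work with: the server address sits in a buffer XOR-encrypted with a fixed key from the adbRoot class, and the check-in is an XML body with IMEI and IMSI elements sent by HTTP POST. The following is an added example, not Sophos's tooling and not code from the sample, that decodes such a buffer, recovers an unknown repeating XOR key by dragging the known "http://" prefix across the ciphertext, and recognises the check-in body on the wire. The 4-byte key, the server string (using the documentation address 203.0.113.45) and the POST body are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed for this example. In a real sample both would be read out of the
# decompiled adbRoot class; the address is a documentation-range IP, not a real C2.
KEY = b"\x5a\x13\xa7\x3c"
PLAIN = b"http://203.0.113.45/post.php\x00"
BLOB = xor_bytes(PLAIN, KEY)

CRIB = b"http://"  # the decrypted buffer is known to hold a URL


def _looks_like_text(buf: bytes) -> bool:
    """Printable ASCII plus whitespace and a C-string terminator."""
    return all(0x20 <= b < 0x7F or b in b"\r\n\t\x00" for b in buf)


def recover_key(blob: bytes, crib: bytes = CRIB, max_len: int = 8) -> Optional[bytes]:
    """Recover an unknown repeating XOR key by crib dragging.

    For each candidate key length k and each position of the crib, the crib pins
    blob[pos + i] ^ crib[i] as the key byte at index (pos + i) % k. A candidate
    is accepted when every key byte is pinned without contradiction and the
    resulting decryption of the whole buffer is text.
    """
    for k in range(1, min(max_len, len(crib)) + 1):
        for pos in range(len(blob) - len(crib) + 1):
            key = [None] * k
            consistent = True
            for i, c in enumerate(crib):
                j = (pos + i) % k
                cand = blob[pos + i] ^ c
                if key[j] is None:
                    key[j] = cand
                elif key[j] != cand:
                    consistent = False
                    break
            if consistent and None not in key:
                candidate = bytes(key)
                if _looks_like_text(xor_bytes(blob, candidate)):
                    return candidate
    return None


def extract_c2(plain: bytes) -> dict:
    """Pull the server URL and host out of a decoded configuration buffer."""
    m = re.search(rb"(https?://([^/\s\x00]+)[^\s\x00]*)", plain)
    if not m:
        return {}
    return {"url": m.group(1).decode(), "host": m.group(2).decode()}


def looks_like_beacon(body: bytes) -> bool:
    """Network-side check for the check-in XML described in the write-up:
    a <Request> root whose <ClientInfo> carries IMEI and IMSI elements."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    info = root.find("ClientInfo")
    return (
        root.tag == "Request"
        and info is not None
        and all(info.find(tag) is not None for tag in ("IMEI", "IMSI"))
    )


# Constructed POST body following the template quoted above (all-zero identifiers).
SAMPLE_POST_BODY = (
    b'<?xml version="1.0" encoding="UTF-8"?><Request><Protocol>1.0</Protocol>'
    b"<Command>0</Command><ClientInfo><Partner>test</Partner><ProductId>1</ProductId>"
    b"<IMEI>000000000000000</IMEI><IMSI>000000000000000</IMSI><Modle>sample</Modle>"
    b"</ClientInfo></Request>"
)

if __name__ == "__main__":
    key = recover_key(BLOB)
    print("recovered key:", key.hex() if key else None)
    print("config:", extract_c2(xor_bytes(BLOB, key)))
    print("beacon body recognised:", looks_like_beacon(SAMPLE_POST_BODY))
```

The crib-dragging routine is generic: it does not assume where the URL sits in the buffer or how long the key is, only that the plaintext is text and contains "http://". The beacon check is deliberately structural (element names, not values), since the identifiers change per victim while the template does not.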
That is so confusing lol. Tbh though, I doubt they'd be malicious or else they'd be taken down off XDA. If they were, I'm sure they'd be taken down straight away, as that would be MOST DEFINITELY against the rules. Wait to see what a mod or something says though.
Skellyyy said:
That is so confusing lol. Tbh though, I doubt they'd be malicious or else they'd be taken down off XDA. If they were, I'm sure they'd be taken down straight away, as that would be MOST DEFINITELY against the rules. Wait to see what a mod or something says though.
Has anyone got a live link to an example of this?
pulser_g2 said:
Has anyone got a live link to an example of this?
Seen this in a previous post, don't know if it'll help, but here: http://forum.xda-developers.com/attachment.php?attachmentid=437039&d=1289271263
Btw, I could swear you're stalking me. jk.
pulser_g2 said:
Has anyone got a live link to an example of this?
Here is another link (xda-dev as host): http://forum.xda-developers.com/attachment.php?attachmentid=591335&d=1304969547
Hope it can be solved.
Thx from Germany
Has anyone confirmed or denied that this is a trojan? Kaspersky detected this file on my computer (a backup of my SD card). That file was used when I rooted my phone, so I am concerned. By the way, the two links posted above do not work.
Gaining root privileges seems to be reasonable (especially if it's part of rooting your droid); however, its legitimacy depends on the reason.
In plain English, I'm trying to say that the question about Lotoor should be answered per attachment (tool) and not on a global basis.
BTW: Lotoor is also detected (VirusTotal 14/42) for the zr file which is part of MTKdroidTools. I'm not qualified enough to answer whether this is legit.
I got this when I downloaded the Ace Hack Kit, but disregard it.
Of COURSE it's a malicious exploit!
If you have specifically rageagainstthecage or zergrush, congratulations, your antivirus software has successfully discovered your ROOTING software for what it is: a malicious Linux-based exploit used to root Android devices!
Remember when the phone manufacturers locked the door to root? Remember we decided to break in and root 'em anyway? These Linux exploits are what break the lock: (Super) One Click Root, root.jar files, root.exe files, etc. All executables with these 'viruses' that root your phone. That isn't to say you guys don't have something that may well be dangerous to Linux machines, but if you still have rooting software on your Windows PC, then this is most likely what it is, and it's a-okay.
Hope you guys are sighing with relief.
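Two of the posts above make the same practical point: a Lotoor hit has to be judged per file, and the file in question is usually the native root exploit shipped inside the rooting kit. Rather than switching the antivirus off for a whole folder, the added example below (not SuperOneClick's code and not any vendor's) lists every file in an unpacked kit with its SHA-256, identifies ELF binaries and their target architecture from the header, and marks the exploit names mentioned in this thread so each one can be looked up by hash. The sample folder it builds, a minimal ARM ELF header named rageagainstthecage next to a text file, is constructed; the watchlist names come from the posts above.

```python
import hashlib
import struct
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Filenames this thread reports as AV-flagged root exploits. A watchlist for
# manual review, not a verdict either way.
KNOWN_ROOT_EXPLOITS = {"rageagainstthecage", "zergrush", "psneuter", "zr"}
EM_ARM = 40  # e_machine for 32-bit ARM (183 would be AArch64)


def elf_info(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (bits, e_machine) if data begins with an ELF header, else None.

    Only the identification bytes and e_machine (offset 18) are read, so this
    works on truncated or otherwise odd files as long as the header is present.
    """
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = 64 if data[4] == 2 else 32
    endian = ">" if data[5] == 2 else "<"
    (machine,) = struct.unpack_from(endian + "H", data, 18)
    return bits, machine


def triage(root: Path) -> list:
    """One row per file: path, SHA-256, ELF details, and whether it needs a look."""
    rows = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        info = elf_info(data)
        stem = p.name.lower().split(".")[0]
        rows.append({
            "path": p.relative_to(root).as_posix(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "elf": info,
            # Native ARM code inside a PC-side kit is exactly what gets pushed to
            # the phone, so it is always worth a hash lookup; so are known names.
            "review": (info is not None and info[1] == EM_ARM) or stem in KNOWN_ROOT_EXPLOITS,
        })
    return rows


# Constructed stand-in for an unpacked kit: the 16 identification bytes
# (32-bit, little-endian) followed by e_type=2 and e_machine=ARM, then padding.
FAKE_ARM_ELF = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack("<HH", 2, EM_ARM) + bytes(32)


def demo() -> list:
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "rageagainstthecage").write_bytes(FAKE_ARM_ELF)
        (root / "README.txt").write_text("SuperOneClick notes\n")
        return triage(root)


if __name__ == "__main__":
    for row in demo():
        flag = "REVIEW" if row["review"] else "      "
        print(flag, row["sha256"][:16], row["path"], row["elf"])
```

Run it against the real extracted folder with `triage(Path("SuperOneClickv1.5.5-ShortFuse"))`; the hashes of the rows marked REVIEW are what to search for, and a file that is flagged but is neither native code nor a known exploit name is the one to look at hardest.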
The4thDoctor said:
Has anyone confirmed or denied that this is a trojan? Kaspersky detected this file on my computer (a backup of my SD card). That file was used when I rooted my phone, so I am concerned. By the way, the two links posted above do not work.
voshell said:
This site tried to put this on my PC when I joined here.
Have you downloaded or installed "Exynos Abuse" to root a Samsung/Exynos-powered device?
Because that's what I have, and I get it all the time on my antivirus, Kaspersky.
Exynos Abuse main development page: http://forum.xda-developers.com/showthread.php?t=2050297
Wait a minute... but my Kaspersky detected it in a file named "root me" on the computer. I did root my Samsung Mini 2 with it, yet it's STILL fully functional after KS quarantined it!!
Is it something else?

Virus on SuperOneClick?

Microsoft Security Essentials:
Exploit:AndroidOS/CVE-2011-1823
Category: Exploit
Description: This program is dangerous and exploits the computer on which it is run.
Recommended action: Remove this software immediately.
I was about to flash ZEUS, but when I downloaded the link from YouTube it just happened.
Is it a good idea to keep using it?
Thanks
reactorcooler said:
Microsoft Security Essentials:
Exploit:AndroidOS/CVE-2011-1823
Category: Exploit
Description: This program is dangerous and exploits the computer on which it is run.
Recommended action: Remove this software immediately.
I was about to flash ZEUS, but when I downloaded the link from YouTube it just happened.
Is it a good idea to keep using it?
Thanks
If you download anything, I would make sure it originated on XDA (did the video have a link to XDA?)... it's probably a false positive though...
It is well known that virus protection may pick rageagainstthecage out as malicious code. It may also pick out zergrush or psneuter as well, as these exploits can be used to push malware to the phone.
It's not a virus in SOC; it's just a file that is associated with malware.
Dani897 said:
It is well known that virus protection may pick rageagainstthecage out as malicious code. It may also pick out zergrush or psneuter as well, as these exploits can be used to push malware to the phone.
It's not a virus in SOC; it's just a file that is associated with malware.
What he said lol ^^
Turn off your antivirus when trying to use SOC.
I wouldn't download anything from YouTube when it comes to an XDA application. Only use the XDA site for the proper things that are needed for your device. All the XDA stuff I have used and seen is virus free, including SuperOneClick.

Scanning my whole rooted phone for malware

I just got a cheap Chinese phone which, according to the Amazon reviews, was full of adware and malware.
The first thing I did was install a custom TWRP and a custom ROM, which I had to download from a Russian forum.
I'd like to scan my phone to make sure that there is no malware. I have TWRP and root access, so I should be able to dump all the partitions to my computer (or scan it directly on the phone as well)...
Is there any app or software that would look for malware in all the software on my phone (including recovery, kernel and system files)?

Is dc-unlocker's HCU safe to install?

Hello,
I own a GR5 BLL-L22 which is bootloader-locked, and I need an unlock code since Huawei doesn't provide them anymore.
I am willing to pay the credits needed to perform the unlock. I went to the DC-unlocker site and downloaded HCU on my Windows 10 computer, but there are signs that scream malware:
* the download is a password-protected zip
* the app does not allow itself to run inside a virtual machine
* last but not least, my AV, Sophos, detects it as adware and puts it into quarantine
Any thoughts?
Also, do I really need to install something on my computer to get an unlock code? I believe I only need to pass the IMEI or some identifier to get the unlock code.
biaib said:
Hello,
I own a GR5 BLL-L22 which is bootloader-locked, and I need an unlock code since Huawei doesn't provide them anymore.
I am willing to pay the credits needed to perform the unlock. I went to the DC-unlocker site and downloaded HCU, but there are signs that scream malware:
* the download is a password-protected zip
* the app does not allow itself to run inside a virtual machine
* last but not least, my AV, Sophos, detects it as adware and puts it into quarantine
Any thoughts?
Also, do I really need to install something on my computer to get an unlock code? I believe I only need to pass the IMEI or some identifier to get the unlock code.
For the most part, you need to go in, get your code and then delete it. It's safe on my phone. However, you can always try Ministry of Solutions, but they may cost more. Rest assured; did you download from the official site? If so, then it's safe. Just get your code and delete it.
Mannan Qamar said:
For the most part, you need to go in, get your code and then delete it. It's safe on my phone. However, you can always try Ministry of Solutions, but they may cost more. Rest assured; did you download from the official site? If so, then it's safe. Just get your code and delete it.
Hello, thanks for the answer. What do you mean "on your phone"? Is there an Android version of the unlocker? Because what I have is a zip archive with a Windows installer in it.
If I uninstall it from Windows, that does not guarantee at all that it will remove any associated malware.
biaib said:
Hello, thanks for the answer. What do you mean "on your phone"? Is there an Android version of the unlocker? Because what I have is a zip archive with a Windows installer in it.
If I uninstall it from Windows, that does not guarantee at all that it will remove any associated malware.
Sorry. Typo. I meant on my PC. There is no Android version. You can always use an antivirus to check. Alternatively, if you downloaded it from the official site you have nothing to worry about.
It's perfectly alright; I have used all their S/W on many occasions, and I agree HCU flags as malware on my Win10 PC also.
I have to suspend Defender to run it.
I told them about this and they more or less said that I must be mistaken, as no one else had complained.
I then sent them a screenshot, and all they said was that it is a false positive as their S/W is 100% virus free.
Sparkrite said:
It's perfectly alright; I have used all their S/W on many occasions, and I agree HCU flags as malware on my Win10 PC also.
I have to suspend Defender to run it.
I told them about this and they more or less said that I must be mistaken, as no one else had complained.
I then sent them a screenshot, and all they said was that it is a false positive as their S/W is 100% virus free.
Ok, thanks. In the end I used their dc-unlocker program, which is not flagged.

Question: extracting individual files from a stock ROM

I have a very weird problem accessing the contents of a Samsung official ROM, and by now I've spent an entire day trying to track it down all over the web, to no avail.
The issue at hand is that I have a company A52 which I'm not allowed to root or flash, so instead I started removing stock bloatware from the command line using pm, which lets me delete packages the UI doesn't. In the process, I deleted the stock Home app, which I thought was absolutely redundant as I use my own Home app; it's just that now the app-switching functionality ("recents") is gone completely, and the third nav bar button has done nothing ever since. Who would've thought this was also provided by the original Home app and can't be restored.
So far, if anyone has any solution to this issue, I'd be more than glad to hear it!
So ultimately I decided to reinstall it. Unfortunately, several Samsung One UI Home APKs I found on several sites all fail to install, so I decided to grab a stock ROM and extract it from there. Actually, I downloaded multiple versions from multiple sites, just to make sure, all with the same results.
The zip contains a couple of .tar.md5 files, which I successfully extracted as tar archives. They mostly contain .img.lz4 files, which I also unlz4'ed. Based on my assumption and several threads on this site, I wanted to extract system.img and vendor.img from super.img. I've learned that this is some kind of sparse image file, which I need to convert to raw in order to proceed. Seems legit:
Code:
$ file super.img
super.img: Android sparse image, version: 1.0, Total of 2535424 4096-byte output blocks in 132 input chunks.
Naturally, I tried to convert it using simg2img, but it simply says "Cannot open input file super.img". I also tried using the free version of SuperR's Kitchen, but that also failed to extract anything from it.
What may I be doing wrong? Might this be some fancy new sparse format not supported by those tools? (The output from file suggests otherwise.) I did try this on both Windows and Linux, with multiple different recent ROMs, all with the same results.
Any ideas? (Maybe a suggestion for where to ask this if this isn't the appropriate forum?)
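The `file` line above is the 28-byte Android sparse image header that simg2img consumes; every "input chunk" after it is a 12-byte chunk header followed by raw data, a 4-byte fill pattern, nothing (don't care), or a CRC. The reader below is an added example, not AOSP's libsparse, that expands all four chunk types to a raw image and validates the sizes the header promises; the 3-block sparse image it builds for the demonstration is constructed.

```python
import struct
import zlib

SPARSE_MAGIC = 0xED26FF3A
CHUNK_RAW, CHUNK_FILL, CHUNK_DONT_CARE, CHUNK_CRC32 = 0xCAC1, 0xCAC2, 0xCAC3, 0xCAC4
# file header: magic, major, minor, file_hdr_sz, chunk_hdr_sz, blk_sz,
#              total_blks, total_chunks, image_checksum
FILE_HDR = struct.Struct("<IHHHHIIII")
# chunk header: chunk_type, reserved, chunk_sz (in blocks), total_sz (bytes, header included)
CHUNK_HDR = struct.Struct("<HHII")


def describe(buf: bytes) -> dict:
    """The same facts file(1) prints: version, block size, block and chunk counts."""
    magic, major, minor, fhs, chs, blk, nblk, nchunk, _crc = FILE_HDR.unpack_from(buf, 0)
    if magic != SPARSE_MAGIC:
        raise ValueError("not an Android sparse image (magic 0x%08x)" % magic)
    return {"version": (major, minor), "blk_sz": blk, "total_blks": nblk,
            "total_chunks": nchunk, "file_hdr_sz": fhs, "chunk_hdr_sz": chs}


def simg2img(buf: bytes, verify_crc: bool = True) -> bytes:
    """Expand a sparse image to its raw form, as the simg2img tool does."""
    h = describe(buf)
    blk, off = h["blk_sz"], h["file_hdr_sz"]
    out = bytearray()
    for _ in range(h["total_chunks"]):
        ctype, _reserved, csz, tsz = CHUNK_HDR.unpack_from(buf, off)
        body = buf[off + h["chunk_hdr_sz"]: off + tsz]
        nbytes = csz * blk
        if ctype == CHUNK_RAW:
            if len(body) != nbytes:
                raise ValueError("raw chunk at offset %d carries %d bytes, expected %d" % (off, len(body), nbytes))
            out += body
        elif ctype == CHUNK_FILL:
            if len(body) != 4:
                raise ValueError("fill chunk at offset %d has no 4-byte pattern" % off)
            out += body * (nbytes // 4)
        elif ctype == CHUNK_DONT_CARE:
            out += bytes(nbytes)  # reads as zeros once written to a device
        elif ctype == CHUNK_CRC32:
            (want,) = struct.unpack("<I", body)
            if verify_crc and zlib.crc32(out) & 0xFFFFFFFF != want:
                raise ValueError("CRC mismatch at offset %d" % off)
        else:
            raise ValueError("unknown chunk type 0x%04x at offset %d" % (ctype, off))
        off += tsz
    if len(out) != h["total_blks"] * blk:
        raise ValueError("expanded %d bytes, header promised %d" % (len(out), h["total_blks"] * blk))
    return bytes(out)


def build_sample(blk: int = 4096) -> bytes:
    """Constructed 3-block image: one raw block, one fill block, one don't-care
    block, then a CRC chunk over the expanded data."""
    raw = b"A" * blk
    fill = struct.pack("<I", 0xDEADBEEF)
    chunks = [
        CHUNK_HDR.pack(CHUNK_RAW, 0, 1, CHUNK_HDR.size + blk) + raw,
        CHUNK_HDR.pack(CHUNK_FILL, 0, 1, CHUNK_HDR.size + 4) + fill,
        CHUNK_HDR.pack(CHUNK_DONT_CARE, 0, 1, CHUNK_HDR.size),
    ]
    expanded = raw + fill * (blk // 4) + bytes(blk)
    crc = zlib.crc32(expanded) & 0xFFFFFFFF
    chunks.append(CHUNK_HDR.pack(CHUNK_CRC32, 0, 0, CHUNK_HDR.size + 4) + struct.pack("<I", crc))
    hdr = FILE_HDR.pack(SPARSE_MAGIC, 1, 0, FILE_HDR.size, CHUNK_HDR.size, blk, 3, len(chunks), crc)
    return hdr + b"".join(chunks)


if __name__ == "__main__":
    img = build_sample()
    print(describe(img))
    print("expanded to", len(simg2img(img)), "bytes")
```

On a real file: `simg2img(open("super.img", "rb").read())`. Two caveats that bear on the question above. The AOSP simg2img prints "Cannot open input file" when its open() call fails, before it has read a single byte of the header, so that message points at the path, permissions or exact filename rather than at an unsupported format; a parse problem is reported as "Failed to read sparse file" instead. And once expanded, super.img is a dynamic-partition container, so system.img and vendor.img still have to be pulled out of it with lpunpack.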
Whoa, back up for a bit. If you removed it without rooting, with the pm command, then it's still definitely there. What guide were you using to debloat using adb? It should have told you how to get it back.
For example, this guide shows you how to reinstall the bloat:
How to uninstall carrier/OEM bloatware without root access (www.xda-developers.com)
The easiest way to fix it is just to factory reset, but you can give their methods a try.
I didn't use any "guide". I just started considering each package that couldn't be disabled/deleted from the UI, researching them one by one, and for each one I deemed superfluous I figured out the package name and simply pm uninstalled it, which all succeeded. The only issue I ran into was this broken app switcher after deleting the stock launcher.
Fortunately, pm install-existing solved this hiccup, which I just learned about after posting the thread.
Anyway, having killed so much time with it, it would be really nice to finally figure out the stock ROM problem, too!
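The recovery step in the last post works because `pm uninstall --user 0` (the form that works from an unrooted adb shell) only removes a system app for that user; the APK stays on /system, which is exactly what `pm install-existing` brings back. The added example below, not from the thread or the linked guide, wraps the three pm commands involved so that every removal is recorded and reversible, with a protected list to keep the launcher from being removed by accident. It runs against a constructed fake device (the package names are invented for the demo) and only talks to adb when handed the real runner.

```python
import subprocess
from typing import Callable, Iterable, List, Set


def adb_shell(args: List[str]) -> str:
    """Run `adb shell <args>` against the connected device and return stdout."""
    res = subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=False)
    return res.stdout


class Debloater:
    """Removes packages for user 0 only (no root needed) and keeps a restore list."""

    def __init__(self, run: Callable[[List[str]], str] = adb_shell, protected: Iterable[str] = ()):
        self.run = run
        self.protected = set(protected)
        self.removed: List[str] = []

    def installed(self) -> Set[str]:
        out = self.run(["pm", "list", "packages", "--user", "0"])
        # adb on Windows returns CRLF line endings; strip() copes with both.
        return {ln.strip()[len("package:"):] for ln in out.splitlines() if ln.startswith("package:")}

    def remove(self, pkg: str) -> bool:
        if pkg in self.protected or pkg not in self.installed():
            return False
        # -k keeps app data; --user 0 hides the app for this user and leaves the APK in place.
        ok = self.run(["pm", "uninstall", "-k", "--user", "0", pkg]).strip().endswith("Success")
        if ok:
            self.removed.append(pkg)
        return ok

    def restore(self, pkg: str) -> bool:
        # pm prints "Package <pkg> installed for user: 0" on success.
        ok = "installed for user" in self.run(["pm", "install-existing", "--user", "0", pkg])
        if ok and pkg in self.removed:
            self.removed.remove(pkg)
        return ok

    def restore_all(self) -> List[str]:
        return [p for p in list(self.removed) if self.restore(p)]


class FakeDevice:
    """Constructed stand-in for `adb shell pm` so the example runs without a phone.
    Mimics the output strings the real commands print."""

    def __init__(self, installed: Iterable[str]):
        self.installed: Set[str] = set(installed)
        self.hidden: Set[str] = set()  # uninstalled for user 0, APK still on /system

    def run(self, args: List[str]) -> str:
        cmd, pkg = args[:2], args[-1]
        if cmd == ["pm", "list"]:
            return "".join("package:%s\r\n" % p for p in sorted(self.installed))
        if cmd == ["pm", "uninstall"]:
            if pkg not in self.installed:
                return "Failure [not installed for 0]\r\n"
            self.installed.discard(pkg)
            self.hidden.add(pkg)
            return "Success\r\n"
        if cmd == ["pm", "install-existing"]:
            if pkg not in self.hidden:
                return "Failure [not a hidden system package]\r\n"
            self.hidden.discard(pkg)
            self.installed.add(pkg)
            return "Package %s installed for user: 0\r\n" % pkg
        raise ValueError("unexpected command: %r" % (args,))


def demo() -> dict:
    # Invented package names; the launcher is protected because, as the thread
    # found out, it also provides the recents screen.
    dev = FakeDevice(["com.example.oem.weather", "com.example.oem.launcher", "com.example.oem.news"])
    d = Debloater(run=dev.run, protected={"com.example.oem.launcher"})
    return {
        "weather": d.remove("com.example.oem.weather"),
        "launcher": d.remove("com.example.oem.launcher"),   # refused by the protected list
        "ghost": d.remove("com.example.nonexistent"),        # not installed, nothing to do
        "after_remove": sorted(d.installed()),
        "restored": d.restore_all(),
        "after_restore": sorted(d.installed()),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Against a real phone, `Debloater()` with the default runner does the same through adb; write `removed` to a file after each session so the restore list survives a reboot of the PC, and keep the launcher package on the protected list.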
