Help! Galaxy tab s4 with virus!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - Security Discussion

Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?

malandrex said:
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
Click to expand...
Click to collapse
Could be a fake Play store app reinstalling itself somehow eg from SD card. Is your antivirus scanning your external storage also? Check if you have more than one play store app shown in settings>apps (not your normal apps screen as they can be hidden there). Or it could be an overlay made to look like Playstore screen ... you did get official Avast app right?
else something has installed itself in system folder which is why factory reset not working and you will need to reinstall your FULL Samsung factory ROM suggest you use Samsung SmartSwitch like RootJunky here (use high quality cable eg samsung usb cable, else danger of bricking)
https://m.youtube.com/watch?v=9QhJngOuLQ4

malandrex said:
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
Click to expand...
Click to collapse
Download Odin 3.xx (current version)
Browse SamMobile for firmware for your device, download factory ROM. Pay close attention to the region code for your ROM, CSC code. Use one compatible with your device and regional settings. It can be found on the IMEI sticker on the back of the device
Follow the flashing instructions to the letter that you will find on SamMobile website.
Once completed the device is fully refreshed and has latest available software at the time of the build. Do device setup and download app updates.
Enjoy.

Many thanks for both replies , but I have a few more questions:
a) Does this virus have the power to attack my router? If so, what should I inspect at my router? Should I use my brother´s ios iphone as a router while cleaning my device?
b) If I attach the tablet at my PC to perform the firmwire installation, could the virus be transmitted to it? What should I do to avoid it?
c) Where can I safely download this ODIN?
And answering some questions you made:
a) The avast app was downloaded from the store
b) Ive already tried disconnecting the sd card, perform a factory reset without the card but the problem persists.
c) I logged at my google account and when looking at my registered activity, Google claims I did opened the Google Play Store and searched for the IQ Option Broker app. So the virus acts as if it was me.

malandrex said:
Many thanks for both replies , but I have a few more questions:
a) Does this virus have the power to attack my router? If so, what should I inspect at my router? Should I use my brother´s ios iphone as a router while cleaning my device?
b) If I attach the tablet at my PC to perform the firmwire installation, could the virus be transmitted to it? What should I do to avoid it?
c) Where can I safely download this ODIN?
And answering some questions you made:
a) The avast app was downloaded from the store
b) Ive already tried disconnecting the sd card, perform a factory reset without the card but the problem persists.
c) I logged at my google account and when looking at my registered activity, Google claims I did opened the Google Play Store and searched for the IQ Option Broker app. So the virus acts as if it was me.
Click to expand...
Click to collapse
b) Possibly access is possible via your modem (or Bluetooth as serious bug was just patched this month if an attacker knows your BT MAC ... though likely take a while to rollout to all Samsung so you moray not be patched). If you suspect modem then you need to therefore also update your modem firmware (assuming its been patched & is not old & still vulnerable to some old bug, or buy new one) AND change both user & admin passwords
There is an XDA article with link to safe Odin download, google to find. But I'd recommend using Samsung SmartSwitch as this is official way & no special knowledge required.
Re item c) then possible it's just someone trying to load an app remotely via your Google account, does it show any unrecognised login from another device? Also I'm not 100% sure if this requires user to tap install on newer phones, so might not be what you are seeing. Change Google password. (your phone not infected in this case as you didn't click install) Always use a different password)(used same password then check your email address on have I been pwnd)

See below

IronRoo said:
b) Possibly access is possible via your modem (or Bluetooth as serious bug was just patched this month if an attacker knows your BT MAC ... though likely take a while to rollout to all Samsung so you moray not be patched). If you suspect modem then you need to therefore also update your modem firmware (assuming its been patched & is not old & still vulnerable to some old bug, or buy new one) AND change both user & admin passwords
There is an XDA article with link to safe Odin download, google to find. But I'd recommend using Samsung SmartSwitch as this is official way & no special knowledge required.
Re item c) then possible it's just someone trying to load an app remotely via your Google account, does it show any unrecognised login from another device? Also I'm not 100% sure if this requires user to tap install on newer phones, so might not be what you are seeing. Change Google password. (your phone not infected in this case as you didn't click install) Always use a different password)(used same password then check your email address on have I been pwnd)
Click to expand...
Click to collapse
b) I have 2 modens here, one from the internet provider , which is at bridge mode and one that spreads the signal. THe last one is modern and updated and the bridged one , there is no way I can acesss the firmwire besides its info. However , when I had to put it at bridge mode, I had to use an ethernet cable with a computer which maybe wasnt the most protected one. Could that process corrupts a firmwire modem?
c) But I have 2 stage factor. Shouldnt my phone receive an SMS alerting someone is logging at my account? And no, I havent seen any unrecognized login when I accessed my google account.
But your reply gave me an idea...: Maybe an access to my google account was made from a "public" computer and since the access wasnt terminated, as I use this computer a lot, a bot may be trying to remotely install this app.

malandrex said:
b) I have 2 modens here, one from the internet provider , which is at bridge mode and one that spreads the signal. THe last one is modern and updated and the bridged one , there is no way I can acesss the firmwire besides its info. However , when I had to put it at bridge mode, I had to use an ethernet cable with a computer which maybe wasnt the most protected one. Could that process corrupts a firmwire modem?
c) But I have 2 stage factor. Shouldnt my phone receive an SMS alerting someone is logging at my account? And no, I havent seen any unrecognized login when I accessed my google account.
But your reply gave me an idea...: Maybe an access to my google account was made from a "public" computer and since the access wasnt terminated, as I use this computer a lot, a bot may be trying to remotely install this app.
Click to expand...
Click to collapse
b) would need to be a modem exposed hero their internet with known vulnerability, so not sure.
C) yes, should have got a msg so can role that out, I guess.
Suppose it' possible that public pc could be comprised and doing that ... bit of a long shot ...

IronRoo said:
b) would need to be a modem exposed hero their internet with known vulnerability, so not sure.
C) yes, should have got a msg so can role that out, I guess.
Suppose it' possible that public pc could be comprised and doing that ... bit of a long shot ...
Click to expand...
Click to collapse
I think I found the culprit , when I reviewd the few apps Ive installed on my tablet and googled them . There is Netflix, Omega Wars game, PUBG and COD Mobile, handycalc, Go Read, Hube and... QuickPic gallery!!!!!!!!! I used this app on my ancient galaxy S2 and at my other 2 previous tablets. When I looked for the program at Google Play one hour ago ,QuickPic wasnt available anymore!!!! I googled about it and saw many people complaining about this program when a chinese company bought it a few years ago . Maybe QuickPiC installed some crapware at my device!!!!

malandrex said:
Hi guys, I believe my galaxy tab s4 is contaminated with a virus . I already did many factorys resets and didnt installed no apps but from time to time , even when Im at the home screen with Avast only or with the antivirus that comes with the tablet activated, google play store opens without my request showing a program called IQ Option broker. What should I do?
Click to expand...
Click to collapse
BTW, can you find same app on Google, is it called IQ Forex, is closest I could fined

IronRoo said:
BTW, can you find same app on Google, is it called IQ Forex, is closest I could fined
Click to expand...
Click to collapse
The name of the program is IQ Option , from IQ Option developer

malandrex said:
The name of the program is IQ Option , from IQ Option developer
Click to expand...
Click to collapse
I can't find this one but doesn't mean anything, maybe not available in my country or not compatible with my phone.
PS: Don't rule out a compromised router even top of her range can be affected eg
https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/

IronRoo said:
I can't find this one but doesn't mean anything, maybe not available in my country or not compatible with my phone.
PS: Don't rule out a compromised router even top of her range can be affected eg
https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/
Click to expand...
Click to collapse
Dont have much free time , but despite the fact I think the router is still safe, Ill reset it on a weekend and change again its id and password as this is a process that takes too much time ( mostly due to my ignorance at the beginning of the process ).
Im thinking about taking my tablet for a Samsung assistance, but Im worried theyll change one virus for another if the employees are corrupt. Do you think I should take the risk or Im beeing too paranoic?

Related

[Q] Android without Google, completely

Hey,
jsut thought about this thought the whole day. I´ve got a Moto XT720 (Stock ROM) and it works pretty good. Now the thing is, I have the Google Account and so on. But I do not want that Google is tracking me, has access to my phone, and that my phone can connect to google servers (Mail, Calendar, Market, SYSTEM).
Is it possible that I can delete some apk´s so that I have a real standalone mobile phone?
Sorry for my bad english,
greetings
you gotta be kidding
Google's stuff is the spirit of their OS... Android needs google's account for the market moreover.
sounds a little impossible. just make an account for the market and don't use it for anything else. Only thing i can think of.
Exactly, but he wants remove google's apps too...
He wants a total googleapplicationless Android phone. What a problem !
Thanks guys,
I do not need the market also (for what?, I have the apps I want to use)
Greets
push..no one knows it?
If you do any web browsing on any device even on a pc or iphone google and bing etc will track data about you. You can't use any device online without someone tracking you unless you use a proxy and even then the proxy could still track you.
You can delete or freeze googles apps but browsing will be tracked on any online device so only sure way is switch off wifi and mobile data.
But that defeats the point of a smartphone then.
Dave
Sent from my LG P920 using Tapatalk
Maybe you should forget mobiles cause anytime you're tracked as soon as you power it on
Sent from my GT-I9000 using Tapatalk
a guess, flash a custom rom and dont flash the google apps pack?
ICS, at least stock ICS, has the ability to disable system apps.
Settings -> Apps (under 'Device) -> 'All' tab, click an app, click "Disable". It won't be uninstalled, but it will never run, meaning it cannot connect to the internet or do anything else.
e.coli said:
ICS, at least stock ICS, has the ability to disable system apps.
Settings -> Apps (under 'Device) -> 'All' tab, click an app, click "Disable". It won't be uninstalled, but it will never run, meaning it cannot connect to the internet or do anything else.
Click to expand...
Click to collapse
The problem is if he ever uses internet he will still be tracked. If he uses gps his location can also be tracked.
Dave
Sent from my LG P920 using Tapatalk
mistermentality said:
The problem is if he ever uses internet he will still be tracked. If he uses gps his location can also be tracked.
Dave
Sent from my LG P920 using Tapatalk
Click to expand...
Click to collapse
Yeah, it's a very strange request, but he could disable all internet-capable apps, and just use his phone for voice and offline apps?
He could still use GPS though, but not A-GPS. GPS just receives the signal from the satellites, this is why you can still log your position while off the cell network. It's one-way communication, so there's no way to be tracked just by listening to the GPS signal. He could download maps to the phone and use it for navigation that way.
Don't get an Android phone is my advice if you want no connection to Google.
-Sent from my Droid 2-
I agree, why would you use an google operating system, if you don't want to have any connection with google?
Android without the Android market is pretty dull, and even if you would use the amazon appstore (which is officially only working in the US/and maybe CAN) you would be stuck with only a fractal of not up to date apps, since in the amazon app store are alot of old versions flying around.
And please dont believe in the old google creep, who is sitting in front of the "internet" waiting is whole life only to set cookies in your browser. He does not exists!
I don't understand why you would want Android on your mobile device and not want google on it? Thats how smartphones work, if you don't want google on your phone I suggest you get a non smart phone.
Why so much hostility? Isn't the point of Android, and these forums, that it is so customizable? Maybe he doesn't like the new privacy policy.
Anyways, he could disable all Gapps and install Firefox or whatever, which would disconnect most of your connection to Google, but it's hard to avoid it if you want to use the internet at all.
e.coli said:
Why so much hostility? Isn't the point of Android, and these forums, that it is so customizable? Maybe he doesn't like the new privacy policy.
Anyways, he could disable all Gapps and install Firefox or whatever, which would disconnect most of your connection to Google, but it's hard to avoid it if you want to use the internet at all.
Click to expand...
Click to collapse
I don't think anyone's been hostile, just surprised maybe as seems op wants no tracking yet to be able to use internet which can't be done except at best through a proxy.
To the op, you can root and uninstall or freeze google apps and browse via a public proxy server if you want to avoid tracking but your carrier and possibly google (the main operating systems all record your gps data inc ios android and wp7, think only wp7 was found collecting that though which is why I say possibly not probably) can still see where you have physically been via cell, gps and wifi logs.
If its just google you wish to avoid another option could be use a firewall or dns blacklist app to stop your device being able to connect to known google internet addresses.
Dave
Sent from my LG P920 using Tapatalk
miro101 said:
And please dont believe in the old google creep, who is sitting in front of the "internet" waiting is whole life only to set cookies in your browser. He does not exists!
Click to expand...
Click to collapse
Actually, he does:
http://www.stateofsearch.com/top-15-of-eric-schmidts-remarkable-quotes/
If you don't know by now that all of the "free" apps aren't really free, you're kidding yourself. How do you think Google makes money? It's primary purpose is collecting information. Private informtaion (even the carriers...search on the term "carrier IQ"). That is the age we live in. The best that can be done is to either throw your phone away or learn how to secure your phone and info in as much as is possible. There are apps that can identify what apps are sending what data and block them from doing so (on rooted phones). Even then, data still gets out. It's a trade-off. For now, it's used for marketting purposes. However, that much data is bound to fall into the hands of some government who will use it to control the masses. It's just too tempting, and it's the nature of humanity. So, I'll limit whatever data exodus I can and accept the trade-off for the rest (until the government {read Anti-Christ} wrests control). The old saying applies: "It's not paranoia if they really are out to get you".
I honestly don't get the point in using a smartphone with fears of being 'monitored' or tracked. If you don't want to be tracked, don't use the internet, don't use a cell phone, and live under a rock for the rest of your life. That's the best advice I can offer.

[Q] Gfirewall and Gsearch bloatware/virus problem.. HELP!

Hello guys, i have a problem as reported above with 2 bloatware apps on my android phone: Gfirewall and Gsearch.
My phone model is UBTEL U8 (MTK model, china phone) and i'm running Android 4.2.2 ROOTED. I have no custom rom/firmware installed.
These 2 apps appeared magically about 2/3 months ago, and i thought they were safe beacuse of Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared in my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banner, ads and related on my phone, browser and apps. When i went to AdAway i noticed that was disabled: i enabled it again and restarted the phone.. but banner ads still showing.. so i went again in AdAway and it was disabled.. again!
I have a similar problem with 3G/H connection with Vodafone. Everytime i disable internet connection, it gets activated again in 1 minute max.. so i can't disable internet.. never!
I removed these 2 bloatware apps today and fortunatly they didn't show up again or get reinstalled.. ads and AdAway blocks are disappeared. I started a lot of antivirus controls with Avira and nothing showed up.. so i thought i was fine, BUT the internet problem persists.. i can't disable internet everytime i want. Someone of you could help me to solve this problem? I hope there is an alternative method to solve this without format/reset the phone!
I have the same problem with Gfirewall and Gsearch in my STAR N9800
Same full screen banner ad in my home screen.
In my phone there is Trend Micro Worry Free Business Security Services as antivirus, but nothing was found after a full scan.
If I find something new, I'll write here
user064 said:
I have the same problem with Gfirewall and Gsearch in my STAR N9800
Same full screen banner ad in my home screen.
In my phone there is Trend Micro Worry Free Business Security Services as antivirus, but nothing was found after a full scan.
If I find something new, I'll write here
Click to expand...
Click to collapse
Hello! I solved with hard reset.. if you want to try i suggest you to use titanium backup for your safe apps, so you'll not lose anything
MatthewTaylor92 said:
Hello! I solved with hard reset.. if you want to try i suggest you to use titanium backup for your safe apps, so you'll not lose anything
Click to expand...
Click to collapse
I am facing the same issues, I do not think a hard reset will solve the problem, these two apps are embedded in the firmware, they lie dormant for a while then kick in, after a while, about 3months after purchase.
I have tried uninstalling & they just re-install, if you phone is rooted, you can hybernate them with ''App Quarantine''
I am struggling to deal with them, as my phone is not currently rooted.
FYI: CM security now shows Gsearch as a virus.
Any solutions please??
Cheers Martin
martinzx13 said:
I am facing the same issues, I do not think a hard reset will solve the problem, these two apps are embedded in the firmware, they lie dormant for a while then kick in, after a while, about 3months after purchase.
I have tried uninstalling & they just re-install, if you phone is rooted, you can hybernate them with ''App Quarantine''
I am struggling to deal with them, as my phone is not currently rooted.
FYI: CM security now shows Gsearch as a virus.
Any solutions please??
Cheers Martin
Click to expand...
Click to collapse
remove them after rooting your phone!!! seems soo unimaginable that they are embedded in your rom :/
pushkardua said:
remove them after rooting your phone!!! seems soo unimaginable that they are embedded in your rom :/
Click to expand...
Click to collapse
Yes you are very likely to be correct, I was kinda hoping, for a solution without rooting? Any ideas? Anyone?
Cheers Martin :angel::angel:
Same problem , rooted phone and uninstalled gsearch and gfirewall but in one or two days they auto-reinstall
Play Store
There is a app in the rom called Play Store (Not Google Play Store!) and Opera Service
Remove those apps from the rom to prevent advertisements at screen unlocking.
To remove Play Store and Opera service your phone needs to be rooted (use Titanium backup fi). You can check this by using a firewall like droidwall.
If you can't root your device:
Use a firewall like mobiwol if your device is not rooted (is creates an internal vpn where it can filter your traffic).
Suspicious files found running at background
I have the same problem with the two files reinstalling by itself after I delete them. I have a Chinese made smartphone Tronsmart PS7 running Android 4.2.2 rooted. After digging deeper into the files running at the background, I noticed there are files that have complete access to all the privilege rights in my phone other than android system, they are android.cube, AdupsFotaReboot, RebootAndWriteSys and Common Data Service. I have tried to force these files to stop and it seems the problem is solved, Anyone has any ideas what these 4 files are for?
I don't think to do any hard reset, if these are hard coded in ROM, this is not a stable solution
IMHO there are only two exit ways:
1) do a virus submission request
I've done this request 1 minute ago.
2) flash the device with another ROM (4.2.2 is getting older, anyway...)
You can see the manifests of Gsearch and Gfirewall, are identical:
Not so good news...
Hi all,
in my case, I found a solution. Once MTKDroidTools used to get root on the phone (root only, nothing else), I pressed the button "Delete China" and the application has removed the files from the "files_for_delete.txt" list. After this, the problems are over !!!
Another way to do this with the phone already rooted, you do it manually, and you can follow the steps of:
http://forum.xda-developers.com/showpost.php?p=44455669
or
http://electricheatingcosts.com/removing-chinese-smartphone-spyware/
Best regards.
No more Gsearch and Gfirewall
I had the same problem with my Chinese new teca n9900 and I found the same apps on my phone that you mentioned. I force stopped android.cube, AdupsFotaReboot, Common Data Service, and RebootandWriteSys in app manager in the setting and now Gfirewall and Gsearch stopped automatically installing. I can't seem to enable them back to restart even after I reboot the phone except for "android.cube" that app will restart after I reboot the phone which may be the app causing them to reinstall. I'm not sure what exactly these apps do but my phone seems to work perfectly without them running. Thank you.
Pete636 said:
I had the same problem with my Chinese new teca n9900 and I found the same apps on my phone that you mentioned. I force stopped android.cube, AdupsFotaReboot, Common Data Service, and RebootandWriteSys in app manager in the setting and now Gfirewall and Gsearch stopped automatically installing. I can't seem to enable them back to restart even after I reboot the phone except for "android.cube" that app will restart after I reboot the phone which may be the app causing them to reinstall. I'm not sure what exactly these apps do but my phone seems to work perfectly without them running. Thank you.
Click to expand...
Click to collapse
It seems like now i don't have Gfirewall anymore but Gsearch got reinstalled and i've got an add displayed again so this solution doesn't really work
uninstall gsearch en gfirewall.
I had the same troubles with my phone (elephone P8). First I stopped the software, then I uninstalled it. So far so good.. Did'nt get popupsuntill now..
Succes..
Arthur
Netherlands
MatthewTaylor92 said:
Hello guys, i have a problem as reported above with 2 bloatware apps on my android phone: Gfirewall and Gsearch.
My phone model is UBTEL U8 (MTK model, china phone) and i'm running Android 4.2.2 ROOTED. I have no custom rom/firmware installed.
These 2 apps appeared magically about 2/3 months ago, and i thought they were safe beacuse of Google logo and name. Nothing happened in these months except for some phone crashes and restarts, but 2 days ago a banner ad appeared in my home screen at phone restart and/or phone unlock. I use AdAway (similar to AdBlock) to disable ALL TYPES of banner, ads and related on my phone, browser and apps. When i went to AdAway i noticed that was disabled: i enabled it again and restarted the phone.. but banner ads still showing.. so i went again in AdAway and it was disabled.. again!
I have a similar problem with 3G/H connection with Vodafone. Everytime i disable internet connection, it gets activated again in 1 minute max.. so i can't disable internet.. never!
I removed these 2 bloatware apps today and fortunatly they didn't show up again or get reinstalled.. ads and AdAway blocks are disappeared. I started a lot of antivirus controls with Avira and nothing showed up.. so i thought i was fine, BUT the internet problem persists.. i can't disable internet everytime i want. Someone of you could help me to solve this problem? I hope there is an alternative method to solve this without format/reset the phone!
Click to expand...
Click to collapse
UPDATE:
I'm triyng "Disconnect Mobile" to limit the amount of data probably stolen by these two applications, and after the last unistall of Gsearch and Gfirewall, they do not auto-reinstall!
Disconnect Mobile is a privacy app inspired by our award-winning browser software. The app actively blocks the biggest mobile trackers when you use an app or browse the web using 3G, 4G, LTE, or Wi-Fi. Optional packs include ad filtering and malware protection. Does NOT require root.
Features:
- Blocks the biggest mobile trackers from tracking and collecting your info
- Blocks ads from more than 2500 ad tracking services
- Blocks thousands of websites suspected of malware, spyware, phishing scams and more
Click to expand...
Click to collapse
Like all ad-blocker apps, you can't find this on Play Store, you can find it on 1mobile, for example.
(I cannot post links)
Please let me know if this hint works on your phones
Hi all, my rooted phone is Ulefone U9592 and I found this information :
http://androidforums.com/android-applications/864435-gfirewall.html
TEXT : " My phone is rooted, i set every apk need confirm install, and wait the apk download and confirm install, i used root explorer try to search which directory is. In my phone, i found "/data/user/0/com. cube. android" have the gfirewall apk, i delete that directory, also check whose apk create this directory. The apk is Cube_CJIA01.apk in /system/app, i delete this apk. It fixed. (I think you find the name may not same Cube_CJIA01.apk)"
Well, I revised this information and the folder are : "/data/user/0/com. cube.activity" or "/data/data/com. cube.activity" and in the folder "files" I found :
"_com.gsz.own.pack.apk" and "_com.zgs.gg.pack.apk" (GSearch and GFirewall), I deleted this APK's and I think the problem is solved ..... NOT REALLY!!
If you check the folder "shared_prefs" you find various XML with the information shared at ALISOFT (Chinesse company) and specifically "ApkLoader.xml" with the URL where are downloaded GSearch and GFirewall. Only you need to delete in the XML the parts what you not are interested .... well, if you reboot the phone, the infected XML are restored. The best option is delete the file Cube_CJIA01.apk (do Backup) and reboot the phone. The mentioned folder disappears and the phone works well. Enjoy !!!
Best regards.
Hi jorfen,
I want to follow your instructions, but I need to root my phone before.
Pelase can you give me some hint (or link) to find the right software?
I don't want to install another chinese spyware (like probably VROOT), to remove GFirewall and GSearch
---------- Post added at 09:28 AM ---------- Previous post was at 08:54 AM ----------
may be I have already found the right answer to my question: Framaroot
Compatibility list:
http://www.tfq.me/rooting-almost-any-android-smartphone-without-computer/
App:
http://forum.xda-developers.com/apps/framaroot/root-framaroot-one-click-apk-to-root-t2130276
jorfen said:
If you check the folder "shared_prefs" you find various XML with the information shared at ALISOFT (Chinesse company) and specifically "ApkLoader.xml" with the URL where are downloaded GSearch and GFirewall. Only you need to delete in the XML the parts what you not are interested.
Click to expand...
Click to collapse
I found two files "ApkLoader.xml" and "ApkLoad.xml" with similar info inside, and in both of them I modified the string starting with
<string name="json">blah blah blah...</string> to <string name="json"></string>
jorfen said:
well, if you reboot the phone, the infected XML are restored. The best option is delete the file Cube_CJIA01.apk (do Backup) and reboot the phone. The mentioned folder disappears and the phone works well. Enjoy !!!
Click to expand...
Click to collapse
in my phone I found some files with different names:
_com.gsz.own.pack.apk
_com.zgs.gg.pack.apk
core.apk
gad.apk
uac.apk
uac.dex
jorfen, Cube_CJIA01.apk was in "/data/user/0/com.cube.activity/files" (or similar) in your phone?
Thanks in advance,
Federico
Hi Federico,
I think you already have rooted the phone. Well, I used for this MTKDroidTools, found in this forum (and modified for only install 'su" and "SuperUser.apk"). No problem, only is needed root for System access.
The app Cube_CJIA01.apk is in the folder "/System/app/" (the normal folder for System App's ). The folder "/data/user/0/" is a soft-link (use ln in linux) to the folder "/data/data/"). You locate in this folders the same information, and this is a default folder for working or write files, used in the APK's. Every reboot of phone regenerate information in this folder.
Best regards.
Good news from my virus submission request at Trend Micro:
The two samples are confirmed as malware.
They will be detected as AndroidOS_FakeGSearch.A
Click to expand...
Click to collapse
From now, all products coming from Trend Micro will handle this malware the right way

Need Help: BEEN Infected by MALWARE Lenovo tab model a5500-hv android version 4.4.2

model number : lenovo a5500-hv
android version: 4.4.2
baseband version: a5500-hv.v34, 2014/05/08 22:28
kernel version: 3.4.67
build number: a5500hv_a442_000_011_140508_row
As shared in subject, my tab ANDROID is infected by malware where multiple issues have starting lately
a) Constant popup message stating" Unfortunately, com.system.update has stopped"
b) Constant popup message stating" Unfortunately, org.snow.down.update has stopped"
c) Constant popup displaying to INSTALL application" com.android.keyguard"
d) Automatic checking (on) in Settings> Security> Allow installation of apps from unknown sources, despite my regular check off( its gets reactivated again). Device Administrators viewed are Android Device Manager (ticked), Daemon Service( twice listed- unchecked).
e) Installed Malwarebytes Anti-malware, upon scanning detected these 11 malwares, which it is unable to delete ( Norton is unable to detect those even). Any open app which I try to use after some seconds are abruptly closed.
Malware name- Path
Android/ Backdoor.Triada.c - /system/priv-app/higher.apk ( File linked to be uninstalled- AppManage)
Android/ Backdoor.Triada.js - /system/priv-app/BCTService.apk ( File linked to be uninstalled- bcct_service)
Android/ Trojan.Rootnik.I - /system/priv-app/Bseting.apk ( File linked to be uninstalled- com.android.sync)
Android/ Trojan.SMSSend.ge - /system/app/com.android.token.apk ( File linked to be uninstalled- com.android.taken)
Android/ Trojan.OveeAd.F - /system/priv-app/com.mws.tqy.vsdp.apk ( File linked to be uninstalled- com.system.update)
Android/ Backdoor.Triada.J - /system/priv-app/com_android_goglemap_services.apk ( File linked to be uninstalled- GoogleMapService)
Android/Trojan.Dropper.Shedun.dc - /system/priv-app/parlmast.apk ( File linked to be uninstalled- GuardService)
Android/Trojan.Dropper.Agent.MJ - /system/priv-apk/Sooner.apk ( File linked to be uninstalled- PhoneService)
Android/Trojan.OveeAd.J - /system/priv-apk/com.tsr.eny.hyu.apk ( File linked to be uninstalled- system.bin)
Android/Trojan.Guerrilla.Q - /system/priv-apk/NAT.apk ( File linked to be uninstalled- SysTool)
Android/Trojan.Triada.m - /system/priv-apk/com.glb.filemanager.apk ( File linked to be uninstalled- UPDATE)
PS: If I try to connect to Internet, app icons are downloaded and auto open displaying porn images.
Please assist to REMOVE the MALWARE INFECTION. Tried FACTORY DATA RESET from Settings, but no help. Tab not rooted.
Solution
Last night i got some pesky malwares. For now i think i removed them. Get Avast and see what it can find. After that try to remove the files from file explorer and the most important thing - go to Settings-Security-Device Administrators. From there remove everything and now from Avast you should be able to remove the infected apps. Hope i helped
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
The apps require extensive access to the devices on which they run, and they are able to harvest a great deal of data about users’ interests, demographics and location. Cheetah Mobile’s business model is not significantly different from the way in which some major American tech companies such as Facebook monetise their free products. However, Cheetah Mobile is different from American tech companies in that its headquarters are located in China and its data servers are primarily located there as well, and its main business partners are major Chinese tech firms. The Chinese government, according to sources, accesses its companies’ data for internal security, economic competitiveness or other purposes. Cheetah Mobile, and similar companies, represents a major point of entry for China to access American app marketplaces and their users to gather information. However, U.S. government officials in national security and intelligence agencies are highly aware of surveillance and hacking both inside and outside China, presumably coming from actors affiliated with the Chinese state.
Click to expand...
Click to collapse
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Sorry to hear this. However I think it is possible that the CM app did its job as those malicious apps have probably already rooted your phone, so CM may have just used that root access without informing you, though whether or not other apps like CM app can still use that root, I'm not sure, it depends if its been left "on". I did watch a video on youtube for CM Stubborn Trojan app and the guy had to root his phone first. (You could try some/several of the root checker apps, if you want to know). So lets assume the CM app worked properly and removed trojan as it could get root without giving you a root request notification.
It's entirely possible that your reinfection is from your external SD card or via some other means eg. your router has had some ports opened or some other means. (Sorry I should have said reset router when I said change router password [do this for all routers you use & update firmware & ensure remote access is off (ref. dirty cow) while you are about it too!]
So I would reinstall CM Stubborn Trojan (lets assume it removes malware as it has root, even if it just blocks them it helps us) so you can then reflash official stock ROM for your country (& update to newest version if available), you must flash the FULL stock ROM so all partitions are reflashed. partial stock or custom ROM will not do this & potentially leave you open to reinfection! Reflash the FULL STOCK ROM is the only way to "easily" be sure you have cleaned the malware from your phone. NOTE: just doing a factory reset will NOT remove the malicious apps if they are in operating system folders, this only works for malicious apps in user data areas! Then you must make sure all possible ways you can be reinfected eg via sync, external SD cards or storage, your PC, router etc are cleaned/blocked/reset/updated
If you are not getting updates for your ROM you might want to consider installing a custom ROM (AFTER you have flashed the stock ROM!) from a reliable & trustworthy source, if available for your model, so that you get security patch updates. But you need to research and consider the risks of things like bricks, security etc for yourself first.
Hope this helps you clean your phone
Sometimes, it's times, it's the firmware itself that is infected
IronRoo said:
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Click to expand...
Click to collapse
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Josh Ross said:
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Click to expand...
Click to collapse
This was what I did finally, I went to service centre and spent bucks. They reloaded the firmware I suppose ( not flashing it) and instantaneously it was as good as new. I think, malware was itself part of original installation like uc browser- it was there. It just activated after some time or may be I clicked on some advertisement while running app and then the hell happened.
Any ways, its working fine, added an adblocker, restricted usage to few apps and keeping my fingers crossed for future.
Sent from my A0001 using XDA-Developers Legacy app
Yeah, the bloatware that you get with some phones nowadays is unbearable. If there is an option, go with a rooted phone, custom ROM, some couple custom solutions for protection and you will be good to go. And they work better than defaults most of the time. Good luck! Hopefully, we will only be hearing good news from you
PGHammer said:
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
Click to expand...
Click to collapse
I'd reflash stock.

[Completed] How to remove "Internet connection requirement" from Android apps?

Hi, I have an app which looks like the developer has removed their servers so it always fails the "internet connection" check.
Its IONROAD. A AR driving app.
I paid for the PRO version so its all good. I use an older version not the latest as I hate the latest version.
99% of the app is using the GPS or the camera. It does check the internet for the weather and a few little things.
I've tried it at home while connected to wireless, in the car while connected to Mobile Data, I've uninstalled, reinstalled and updated and all versions fail the internet checks. To me it looks like they closed their servers so the app refuses to work without the internet so it will never work again.
What I want to do is remove that internet check so it will keep working without the need for their servers. If it never connects to the internet it doesn't bother me. I dont care for the current weather in a AR driving app, I care for how close the car in front of me is or if i'm drifting out of the lane I'm in. Absolutely nothing to do with the internet so how do I remove that check?
I have the APK, trying to get it into the Android SDK and not sure how? Even if I do get it there what do I remove?
All I want is that internet check removed. As I said I paid for the app so the licence check always passes as I paid for it.
The dev has abandoned the app, they refuse to reply or update. As they closed their servers I'm guessing they totally abandoned the app.
Any help what to remove and how to remove it? Is it an easy unzip, edit a file then zip and reinstall? Or is it a complete import into SDK, rebuild, test, etc and make a whole new app?
I'm not sure what or how to edit it.
Thanks
BTW, Here is the free version. I have the paid version but I'm guessing its the same.
https://play.google.com/store/apps/details?id=com.picitup.iOnRoad
Here is their website, you can see half the site is down. You cant log in, and every page has a cache/database error.
http://ionroad.com
Nobody knows?
I've tried a few times and cant do it. I've tried out the SDK and a few other apps and cant remove that damn internet check. I thought I removed what was needed but its still not working.
NakedFaerie said:
Hi, I have an app which looks like the developer has removed their servers so it always fails the "internet connection" check.
Its IONROAD. A AR driving app.
I paid for the PRO version so its all good. I use an older version not the latest as I hate the latest version.
99% of the app is using the GPS or the camera. It does check the internet for the weather and a few little things.
I've tried it at home while connected to wireless, in the car while connected to Mobile Data, I've uninstalled, reinstalled and updated and all versions fail the internet checks. To me it looks like they closed their servers so the app refuses to work without the internet so it will never work again.
What I want to do is remove that internet check so it will keep working without the need for their servers. If it never connects to the internet it doesn't bother me. I dont care for the current weather in a AR driving app, I care for how close the car in front of me is or if i'm drifting out of the lane I'm in. Absolutely nothing to do with the internet so how do I remove that check?
I have the APK, trying to get it into the Android SDK and not sure how? Even if I do get it there what do I remove?
All I want is that internet check removed. As I said I paid for the app so the licence check always passes as I paid for it.
The dev has abandoned the app, they refuse to reply or update. As they closed their servers I'm guessing they totally abandoned the app.
Any help what to remove and how to remove it? Is it an easy unzip, edit a file then zip and reinstall? Or is it a complete import into SDK, rebuild, test, etc and make a whole new app?
I'm not sure what or how to edit it.
Thanks
BTW, Here is the free version. I have the paid version but I'm guessing its the same.
https://play.google.com/store/apps/details?id=com.picitup.iOnRoad
Here is their website, you can see half the site is down. You cant log in, and every page has a cache/database error.
http://ionroad.com
Click to expand...
Click to collapse
Greetings and welcome to assist. Unfortunately assist is for guiding new members around the boards only, you really need to ask your question here
https://forum.xda-developers.com/android/help
it should be relatively easy to fix though by decompiling and editing the manifest
Thanks for understanding
Sawdoctor

Tapjoy Seems to Detect Root?

I have 2 phones (same model) one rooted and the other one isn't. I have the same game installed on both phones, but when I open tapjoy on the rooted phone no offers for downloading apps or app actions appear, but on my non-rooted phone they do... So I really believe that tapjoy is somehow detecting root (I did magisk hide and safetynet pass).
All though I'm pretty sure tapjoy isdetecting root I did notice one weird thing on my rooted phone, when I search for "Alarmy" on Google Play it doesn't show up, but on my non-rooted phone it shows up in the play store (again same phone model and same android version! Android 11), this fact makes me uncertain if tapjoy is detecting root or not.
Does anyone know a solution or know what's going on?
Whether a phone's Android got rooted ( tampered in whatever way ) or not can easily be detected by any app.
People shouldn't believe that app developers aren't smart enough to detect it: they simply have to look inside vbmeta files and check for content of 2 bytes on fixed address.
jwoegerbauer said:
Whether a phone's Android got rooted ( tampered in whatever way ) or not can easily be detected by any app.
People shouldn't believe that app developers aren't smart enough to detect it.
Click to expand...
Click to collapse
Yes, but there would still be a workaround.
What explains the Alarmy situation though? Alarmy doesn't show up in the Google Play Store before the app is installed
Zontraz said:
Yes, but there would still be a workaround.
Click to expand...
Click to collapse
If you say so ...
jwoegerbauer said:
If you say so ...
Click to expand...
Click to collapse
It's obvious there would be a workaround, I was just hoping someone here knew it. If you know the exact method that they use to detect root it would be easy to make a workaround depending on the method.
I don't know what method is used in Tapjoy: it would require to decompile the APK and to look into app's source code.
FYI: I will certainly not do that.

Categories

Resources