This is on a generic a23 q8h tablet, I was also getting popups in the form of fake facebook alerts about some stupid drone company.I deleted 2 apps/plugins/whatever they were and the popups went away but my homepage changes between smartdrone.com, vandroidnews.com and kszz.com.I want to put a boot up someones ass for installing this garbage on these tablets and selling them.
What browser do you use ?
Check the browser settings it may have option to set the desired homepage.
Stock browser, there was also baidu browser installed but i uninstalled with titanium backup.I changed the setting but it gets replaced with one of those three pages.
Tried clearing data of the browser?
I just got a Q88 A33 "generic" tablet and I too get the "default" page and the "home page" in the browser changed to "smartdrone.com". This was/is the behavior on delivery so it is probably part of their installed firmware.
If you have made any progress on how to fix this then please let me know, I will be reading up on Android and how to take a look at the files in the ROM and see if I can find a solution but I am not very familiar with Android so some pointers would be great. For example, would this be the result of some .apk that can simply be removed or is it some shell script or file somewhere in the actual ROM files?
It's because theres a factory installed trojan, yes its baked right into the factory firmware and if you remove it with say an anti-virus program the word DEMO in big red letters will be superimposed on the screen making the tablet useless.I've seen manufacturers offering an apk to 'fix' it but that just re-installs the trojan.Here is a fix that I got from another website and uploaded to my Box account.
Instructions from another forum:
A backup will be made before actual modification are made. To restore the backup, rename SystemUI-backup.apk to SystemUI-A20/A23.apk and restart the corresponding function.
HowTo use:
1. Scan for Device: searches and verifies a connected android device.
2. Scan for Trojan: checks if the trojan responsible for the demo lock is active.
3. If 2. is positive, check the Build.prop to see if you have a A20 or A23 model.
4. A20 FIX or A23 FIX, depending on the results from 3., you choose one of these.
5. The script will reboot the device to recovery mode, manually perform a factory reset.
Definition for Cloudservice / DEMO Trojan:
For clarification let me state that Android by "default" or "origin" is not susceptible to virus' and being built on Linux platform it is "open source" so that is where you get some LAME people and large corporations making these virus' encoded into the devices original configuration [ROM] and NOT NATIVE TO ANDROID.
Perfect example for how we the users can infect our own devices would be the small flashlight apps we all use daily and available for free on Google Play Store... these can factually be classified as "Intrusive Adware" that we install for quick access to our devices camera flash for use as a flashlight and yet we tolerate the pop-ups generated by the app.
Again not NATIVE to Android... this is something we the USERS have put on our devices. Harmless but annoying and same principle.
What is the Cloudservice / DEMO Trojan?
My definition based on learned knowledge as no "official" definition is or most likely will ever be available.
Firstly, in some devices it seems to be in a "sleep" mode until one day it simply "shows up" according to some reports. Our new Tool at TechKnow seeks and destroys the hidden files and configs totally eliminating all traces of the Trojan.
[SPECULATION: it could possibly be incorporated into some downloadable apps in the future. The same basic principle as adware is incorporated into the flashlight apps would suffice. However, it being included in downloadable apps is NOT confirmed and if/when it is the confirmed apps will immediately be reported to their distributor whether Google Play or Amazon App Store etc... by your friends at TechKnow]
It is a truly deceptive application that is hardcoded into the must have system dependent "framework-res.apk" on some of the newer Android devices ROM from the factory. The Trojan can track your app content such as Browser and can lock your device into a "demo" mode which will display large red DEMO text in caps across all your screens. The app is also linked to Baidu.
Baidu, Inc., incorporated on January 18, 2000, a Chinese web services company headquartered in the Baidu Campus in Haidian District in Beijing.
ok.... so you are being tracked and monitored by the Chinese?
but that's not all...
The secondary part to the Virus/Trojan is more of a pain in the :wub: imho than tracking and reporting my web history to an unknown Chinese web service company [for who knows what they seek to learn or truly have access to with this Trojan on your device]...
Click to expand...
Click to collapse
Allwinner Demo Fix: https://app.box.com/s/wpbl5nfrxtjdbgvgrwp2tbgvzlt31oqk
I can't remove Trojan virus from my tablet azpen. A739 ?
Sent from my A739 using XDA Free mobile app
Allwinner Demo Fix
This is how I removed the trojan without getting the red "Demo" letters on the screen http://forum.xda-developers.com/android/help/chinese-tablet-demo-mode-t2853062#post64002423
Hi,
I have purchased a Lenovo Vibe Z2 mobile phone from a website but it was shipped from Hong Kong. The phone arrived (here in the UK) all brand new (wrapping still on it) and I'm happy with it (well it works).
On further reading, apparently the Lenovo Vibe Z2 is a model with spyware built into the ROM, and this spyware can lead people to hacking you or spying on your calls/texts/data usage. Clearly, I don't want this.
I have installed Malwarebytes and 360 Security to hopefully detect any malicious content. The scans reported no threats. I guess that doesn't mean there are no threats but just the scans didn't detect any. Maybe if the malware is built into the ROM (so I've read) then the scans will think it is friendly software, or maybe the scans don't scan the ROM.
1) How can I tell if my phone is loaded with spyware or any malicious content?
2) How can I remove this spyware if it is installed?
3) Do I need to use internet security or anti virus with my Lenovo Android phone?
Someone has suggested doing a ROM install with official firmware. I'm lost with this suggestion so it raises a few more questions:
1) Is the suggestion the usual way to remove malicious software?
2) Can I be sure it will actually remove the malicious software, or is it a try and hope scenario?
3) Is there a particular official version of firmware I need for my Lenovo Vibe Z2?
4) Is there a link or video that can show me a) where to download a SAFE version of the official firmware b) and how to do a ROM install?
I'm willing to give a try if it is the standard approach to removing malicious software but I just don't know how to do it at present.
I'm not a phone buff. I simply would like a clean phone (i.e. no malicious content) to make and receive calls/texts and to browse the net without anyone spying on, or recording what I'm doing.
Please advise?
Thanks.
XDA Visitor said:
Hi,
I have purchased a Lenovo Vibe Z2 mobile phone from a website but it was shipped from Hong Kong. The phone arrived (here in the UK) all brand new (wrapping still on it) and I'm happy with it (well it works).
On further reading, apparently the Lenovo Vibe Z2 is a model with spyware built into the ROM, and this spyware can lead people to hacking you or spying on your calls/texts/data usage. Clearly, I don't want this.
I have installed Malwarebytes and 360 Security to hopefully detect any malicious content. The scans reported no threats. I guess that doesn't mean there are no threats but just the scans didn't detect any. Maybe if the malware is built into the ROM (so I've read) then the scans will think it is friendly software, or maybe the scans don't scan the ROM.
1) How can I tell if my phone is loaded with spyware or any malicious content?
2) How can I remove this spyware if it is installed?
3) Do I need to use internet security or anti virus with my Lenovo Android phone?
Someone has suggested doing a ROM install with official firmware. I'm lost with this suggestion so it raises a few more questions:
1) Is the suggestion the usual way to remove malicious software?
2) Can I be sure it will actually remove the malicious software, or is it a try and hope scenario?
3) Is there a particular official version of firmware I need for my Lenovo Vibe Z2?
4) Is there a link or video that can show me a) where to download a SAFE version of the official firmware b) and how to do a ROM install?
I'm willing to give a try if it is the standard approach to removing malicious software but I just don't know how to do it at present.
I'm not a phone buff. I simply would like a clean phone (i.e. no malicious content) to make and receive calls/texts and to browse the net without anyone spying on, or recording what I'm doing.
Please advise?
Thanks.
Click to expand...
Click to collapse
Hi,
Kindly register yourself at XDA post which you can query in http://forum.xda-developers.com/k920/help
Experts there may be able to help you
Hi,
I have purchased a Lenovo Vibe Z2 mobile phone from a website but it was shipped from Hong Kong. The phone arrived (here in the UK) all brand new (wrapping still on it) and I'm happy with it (well it works).
On further reading, apparently the Lenovo Vibe Z2 is a model with spyware built into the ROM, and this spyware can lead people to hacking you or spying on your calls/texts/data usage. Clearly, I don't want this.
I have installed Malwarebytes and 360 Security to hopefully detect any malicious content. The scans reported no threats. I guess that doesn't mean there are no threats but just the scans didn't detect any. Maybe if the malware is built into the ROM (so I've read) then the scans will think it is friendly software, or maybe the scans don't scan the ROM.
1) How can I tell if my phone is loaded with spyware or any malicious content?
2) How can I remove this spyware if it is installed?
3) Do I need to use internet security or anti virus with my Lenovo Android phone?
Someone has suggested doing a ROM install with official firmware. I'm lost with this suggestion so it raises a few more questions:
1) Is the suggestion the usual way to remove malicious software?
2) Can I be sure it will actually remove the malicious software, or is it a try and hope scenario?
3) Is there a particular official version of firmware I need for my Lenovo Vibe Z2?
4) Is there a link or video that can show me a) where to download a SAFE version of the official firmware b) and how to do a ROM install?
I'm willing to give a try if it is the standard approach to removing malicious software but I just don't know how to do it at present.
I'm not a phone buff. I simply would like a clean phone (i.e. no malicious content) to make and receive calls/texts and to browse the net without anyone spying on, or recording what I'm doing.
Please advise?
Thanks.
XDA Visitor said:
Hi,
I have purchased a Lenovo Vibe Z2 mobile phone from a website but it was shipped from Hong Kong. The phone arrived (here in the UK) all brand new (wrapping still on it) and I'm happy with it (well it works).
On further reading, apparently the Lenovo Vibe Z2 is a model with spyware built into the ROM, and this spyware can lead people to hacking you or spying on your calls/texts/data usage. Clearly, I don't want this.
I have installed Malwarebytes and 360 Security to hopefully detect any malicious content. The scans reported no threats. I guess that doesn't mean there are no threats but just the scans didn't detect any. Maybe if the malware is built into the ROM (so I've read) then the scans will think it is friendly software, or maybe the scans don't scan the ROM.
1) How can I tell if my phone is loaded with spyware or any malicious content?
2) How can I remove this spyware if it is installed?
3) Do I need to use internet security or anti virus with my Lenovo Android phone?
Someone has suggested doing a ROM install with official firmware. I'm lost with this suggestion so it raises a few more questions:
1) Is the suggestion the usual way to remove malicious software?
2) Can I be sure it will actually remove the malicious software, or is it a try and hope scenario?
3) Is there a particular official version of firmware I need for my Lenovo Vibe Z2?
4) Is there a link or video that can show me a) where to download a SAFE version of the official firmware b) and how to do a ROM install?
I'm willing to give a try if it is the standard approach to removing malicious software but I just don't know how to do it at present.
I'm not a phone buff. I simply would like a clean phone (i.e. no malicious content) to make and receive calls/texts and to browse the net without anyone spying on, or recording what I'm doing.
Please advise?
Thanks.
Click to expand...
Click to collapse
OP reposted:
http://forum.xda-developers.com/general/xda-assist/lenovo-vibe-z2-spyware-malware-help-t3493067
Thread closed.
model number : lenovo a5500-hv
android version: 4.4.2
baseband version: a5500-hv.v34, 2014/05/08 22:28
kernel version: 3.4.67
build number: a5500hv_a442_000_011_140508_row
As shared in subject, my tab ANDROID is infected by malware where multiple issues have starting lately
a) Constant popup message stating" Unfortunately, com.system.update has stopped"
b) Constant popup message stating" Unfortunately, org.snow.down.update has stopped"
c) Constant popup displaying to INSTALL application" com.android.keyguard"
d) Automatic checking (on) in Settings> Security> Allow installation of apps from unknown sources, despite my regular check off( its gets reactivated again). Device Administrators viewed are Android Device Manager (ticked), Daemon Service( twice listed- unchecked).
e) Installed Malwarebytes Anti-malware, upon scanning detected these 11 malwares, which it is unable to delete ( Norton is unable to detect those even). Any open app which I try to use after some seconds are abruptly closed.
Malware name- Path
Android/ Backdoor.Triada.c - /system/priv-app/higher.apk ( File linked to be uninstalled- AppManage)
Android/ Backdoor.Triada.js - /system/priv-app/BCTService.apk ( File linked to be uninstalled- bcct_service)
Android/ Trojan.Rootnik.I - /system/priv-app/Bseting.apk ( File linked to be uninstalled- com.android.sync)
Android/ Trojan.SMSSend.ge - /system/app/com.android.token.apk ( File linked to be uninstalled- com.android.taken)
Android/ Trojan.OveeAd.F - /system/priv-app/com.mws.tqy.vsdp.apk ( File linked to be uninstalled- com.system.update)
Android/ Backdoor.Triada.J - /system/priv-app/com_android_goglemap_services.apk ( File linked to be uninstalled- GoogleMapService)
Android/Trojan.Dropper.Shedun.dc - /system/priv-app/parlmast.apk ( File linked to be uninstalled- GuardService)
Android/Trojan.Dropper.Agent.MJ - /system/priv-apk/Sooner.apk ( File linked to be uninstalled- PhoneService)
Android/Trojan.OveeAd.J - /system/priv-apk/com.tsr.eny.hyu.apk ( File linked to be uninstalled- system.bin)
Android/Trojan.Guerrilla.Q - /system/priv-apk/NAT.apk ( File linked to be uninstalled- SysTool)
Android/Trojan.Triada.m - /system/priv-apk/com.glb.filemanager.apk ( File linked to be uninstalled- UPDATE)
PS: If I try to connect to Internet, app icons are downloaded and auto open displaying porn images.
Please assist to REMOVE the MALWARE INFECTION. Tried FACTORY DATA RESET from Settings, but no help. Tab not rooted.
Solution
Last night i got some pesky malwares. For now i think i removed them. Get Avast and see what it can find. After that try to remove the files from file explorer and the most important thing - go to Settings-Security-Device Administrators. From there remove everything and now from Avast you should be able to remove the infected apps. Hope i helped
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Tried cm's stubborn Trojan remover from play store and it did the trick- as in disabled the infected processes but at end took my mail ID with followup request if raised to get the device cleaned from malware. Cross checked from Malwarebytes and kaspersky, and looks seemingly clean with no active culprits. Though not checked with WiFi or data connection through sim.
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
The apps require extensive access to the devices on which they run, and they are able to harvest a great deal of data about users’ interests, demographics and location. Cheetah Mobile’s business model is not significantly different from the way in which some major American tech companies such as Facebook monetise their free products. However, Cheetah Mobile is different from American tech companies in that its headquarters are located in China and its data servers are primarily located there as well, and its main business partners are major Chinese tech firms. The Chinese government, according to sources, accesses its companies’ data for internal security, economic competitiveness or other purposes. Cheetah Mobile, and similar companies, represents a major point of entry for China to access American app marketplaces and their users to gather information. However, U.S. government officials in national security and intelligence agencies are highly aware of surveillance and hacking both inside and outside China, presumably coming from actors affiliated with the Chinese state.
Click to expand...
Click to collapse
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Ashish1+1 said:
Thanks, No I did not root my phone but judging by the way removal came (easy) I too was bit surprised with outcome. No sooner I decided to remove the cm app Trojans and malware again became evident meaning it was just being suppressed in a way not removed and now again came back (when removed).
Sent from my A0001 using XDA-Developers mobile app
Click to expand...
Click to collapse
Sorry to hear this. However I think it is possible that the CM app did its job as those malicious apps have probably already rooted your phone, so CM may have just used that root access without informing you, though whether or not other apps like CM app can still use that root, I'm not sure, it depends if its been left "on". I did watch a video on youtube for CM Stubborn Trojan app and the guy had to root his phone first. (You could try some/several of the root checker apps, if you want to know). So lets assume the CM app worked properly and removed trojan as it could get root without giving you a root request notification.
It's entirely possible that your reinfection is from your external SD card or via some other means eg. your router has had some ports opened or some other means. (Sorry I should have said reset router when I said change router password [do this for all routers you use & update firmware & ensure remote access is off (ref. dirty cow) while you are about it too!]
So I would reinstall CM Stubborn Trojan (lets assume it removes malware as it has root, even if it just blocks them it helps us) so you can then reflash official stock ROM for your country (& update to newest version if available), you must flash the FULL stock ROM so all partitions are reflashed. partial stock or custom ROM will not do this & potentially leave you open to reinfection! Reflash the FULL STOCK ROM is the only way to "easily" be sure you have cleaned the malware from your phone. NOTE: just doing a factory reset will NOT remove the malicious apps if they are in operating system folders, this only works for malicious apps in user data areas! Then you must make sure all possible ways you can be reinfected eg via sync, external SD cards or storage, your PC, router etc are cleaned/blocked/reset/updated
If you are not getting updates for your ROM you might want to consider installing a custom ROM (AFTER you have flashed the stock ROM!) from a reliable & trustworthy source, if available for your model, so that you get security patch updates. But you need to research and consider the risks of things like bricks, security etc for yourself first.
Hope this helps you clean your phone
Sometimes, it's times, it's the firmware itself that is infected
IronRoo said:
Did it root your phone first? Else I can't see how it would be able to get to those apps installed as system. If so, if it was me, I'd unroot my phone at the very least & uninstall the CM apps since they do not have a good reputation so far as data snooping goes and excessive app permissions etc goes.
eg (from The Capitol Forum)
see the alteco report (about investment risks but they ran tests on other apps that didn't do anything, what battery savers don't help!!! :silly: )
https://drive.google.com/file/d/0B_zW4GWDn5wpVDBiLUpDcE9IS0E/view
Now I haven't used the app you quote but if it didn't root your phone then it can't have removed the malware and they are likely up to their old tricks ie the app doesn't really work, they have just been blocked or something. (Ask yourself why aren't there other apps from well known companies that can remove trojans in system on play store?) ANd with their dodgy reputation for ads, & selling user data if it did root your phone you may only be slightly better off!!?? But at least it should only be your user data they are gathering and not your bank account number to try and get ya money like the malware guys!
Anyhow happy for you if you really are free of malware and don't forget to change all your passwords for all accounts, your routers etc else you could be reinfected by the time you read this!
I would reflash the stock ROM to be sure (backup ALL your pics, txts address, whatsapp etc etc)
I would also be interested to know how the app worked, if you can explain it. Did it say it would ROOT your phone? (there is nothing in their write up to say it will, Google would not allow an app that can root on play store, as far as I know) Do you have an app that can read what system apps are installed, like Link2sd? Does that show any of the malicious apk?
Click to expand...
Click to collapse
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Josh Ross said:
In this case, I would agree with just a complete factory reset or ROM reflash. Like it is simply too much of an issue to try removing and recovering everything. Especially, once it's deep within your system....
Click to expand...
Click to collapse
This was what I did finally, I went to service centre and spent bucks. They reloaded the firmware I suppose ( not flashing it) and instantaneously it was as good as new. I think, malware was itself part of original installation like uc browser- it was there. It just activated after some time or may be I clicked on some advertisement while running app and then the hell happened.
Any ways, its working fine, added an adblocker, restricted usage to few apps and keeping my fingers crossed for future.
Sent from my A0001 using XDA-Developers Legacy app
Yeah, the bloatware that you get with some phones nowadays is unbearable. If there is an option, go with a rooted phone, custom ROM, some couple custom solutions for protection and you will be good to go. And they work better than defaults most of the time. Good luck! Hopefully, we will only be hearing good news from you
PGHammer said:
In my case, I have a similar issue - however, it's an infected SYSTEM file - which Malwarebytes spotted (but is unable to remove), and is NOT related to the KingRoot dodgy file. It's actually two different Trojans - both in /system/priv-app (settings.apk and smsservices.apk) - the first is the more problematical. (It's problematical because it's a critical system file/app/service - killing it without a replacement is NOT an option.) How the heck do you replace such a critical system file when it got itself hijacked?
Click to expand...
Click to collapse
I'd reflash stock.
When you install an app from third-party, your phone may pops up a message like “For security, your phone is set to block installation of apps obtained from unknown sources.” So you may doubt about the safety of the app. Is it safe? Does it contains virus?
Actually, app from unknown source does not mean it is unsafe. But equally we can not trust it completely. The app is not allowed to publish on official site like Google Play Store because it infringe its policy. Facing the situation, the best solution is to find an alternative app on official app store. If you fail to find and really need the app, here is what you need to do:
Check if the app has virus. Go to the official to see whether the app has verified by any anti-virus software. Take InsTube as an example, you know it is verified by CM Security, Lookout Security and McAfee on instube dot com.
Read some decent reviews or comments. Though the app has passed through some safety verification software, the app may still harmful. For example, I want to download SnapTube, which has passed through safety verification, to my Android phone last year. I thought it is safe previously, but I changed my mind after reading some decent reviews. The reviews show that InsTube apk requires many important permissions from my phone, which let me worry about my privacy.
Anyway, consider carefully before installing an app from unknown sources. If you haven’t other option, just download it from its official site.
You can read a review to know why the apps may not that safe;
https://blog.instube.com/is-snaptube-apk-safe/
To check for a Virus drop the app into https://www.virustotal.com or in https://androidobservatory.org/
on open source apps you can look at the permissions being used from the AndroidManifest.xml file
You can run the app on a virtual machine if needed