mbam_mtbr

Staff
  1. Hi @HarryZ, If you send me an Apps Report, I can see if I can find any Adware. To send an Apps Report with Malwarebytes for Android use the following instructions. 1. Open the Malwarebytes for Android app. 2. Tap the Menu icon. 3. Tap Your apps. 4. Tap three lines icon in upper right corner. 5. Tap Send to support. Choose an email app to send Apps Report. Your email app will open with the Apps Report included. At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it. By sending the Apps Report, you will create a ticket in our support system. Private Message (PM) me the email used and/or the ticket number assigned. Nathan
  2. Hi @TommyR, You can use this method to uninstall com.android.system.ups for current user (details in link below): https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/ Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app. Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove: adb shell pm uninstall -k --user 0 <com.android.system.ups> @Chamorrogirl No, you do not have to worry about the malware carrying over with the SIM card. It's only an issue with the device itself. If you're considering buying a new phone, I'd personally suggest a refurbished/renewed Google phone. I personally bought a renewed Pixel 2 off of Amazon a couple of weeks ago, and it works great. Just make sure it will work with your carrier. Nathan
  3. Hi @SiddharthDubey, It's a tricky one, but it is indeed in App Info. See the red box below: That floating 14.12 MB with no icon at the bottom of the App Info list is it. If you click on it, you get to its info page: Thanks for the support! Nathan
  4. Hi @Bigdaddygrant, These types of ads are browser related. This is caused by the way most browsers handle redirections executed by JavaScript code. Most browsers don't do a great job of preventing these redirects, which also cause ad pop-ups. Advertising affiliates are aware of this, and exploit this weakness. Even if an advertising affiliate is shut down for using this exploit, they just come back with a different affiliate ID and are right back at it. The best ways to block these pop-ups are to try a different browser, disable JavaScript, install a browser with ad blocking (like Opera), and/or install Adblock Plus. If you encounter these pop-ups again, back out of them using Android's back key. Also, clearing your history and cache will help stop the ads from reoccurring. Thanks for reaching out, Nathan
  5. Hi @Facebook123, Fake Facebook accounts are not uncommon. However, they are not created via any malware app. Thus, there is nothing to detect by a malware scanner. If you'd like to protect your personal Facebook account, it's a good idea to change your password using a strong password and use a password manager. Also, set up two-factor authentication. Nathan
  6. AdvancedSetup is right. My Pixel does the same thing when I authenticate. As long as the location is correct and you know it was 'you' signing in, then nothing to worry about. Nathan
  7. Hi @Coco456, If you're okay with it, let's start with an Apps Report. I'll be able to see if there is anything malicious on your device. To send an Apps Report with Malwarebytes for Android use the following instructions. 1. Open the Malwarebytes for Android app. 2. Tap the Menu icon. 3. Tap Your apps. 4. Tap three lines icon in upper right corner. 5. Tap Send to support. Choose an email app to send Apps Report. Your email app will open with the Apps Report included. At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it. By sending the Apps Report, you will create a ticket in our support system. Private Message (PM) me the email used and/or the ticket number assigned. Nathan
  8. Hi @Concerned_Citizen, Nice find there! Yes, small.tff appears to be a library to be loaded at runtime. I have seen it in several related malware as well. There is even more obfuscated code in there I noticed. If you are decent with coding, you can sometimes successfully write your own small Java program replicating the code found to decompile some of the strings. Also, sometimes it's easier to just run the malware in an emulator and see what it's doing via analysis software. Trust me, I'd love to have the time to dig deeper into things like these. But with new variants of HiddenAds coming in daily along with thousands of other mobile malware, the higher priority is to get these detected by our client. You find anything else, keep them coming! com.fota.wirelessupdate.apk is a tough one as there are clean variants as well. You have to remember that its sole purpose is to update the mobile device. Thus, it needs quite a bit of privileges to do so. But yes, you are probably right that it could be called blatant malware with Trojan categorization. I've nearly changed the name several times. Once again though, users are still reliant on it to update the OS with critical updates. Thus, we keep it as a PUP Riskware. You have to realize that most users don't know that PUP isn't straight malware anyway. Once again, thanks for all the feedback, Nathan
  9. Hi @Concerned_Citizen, Thanks for all the info! Not at this time, but I'll look into it. It takes a lot of resources to do deep dives on malware. Also, here are the detections we have in place for mentioned APKs:
     • Android/Trojan.HiddenAds.ForeSpot: com.journalism.newspaper-1.apk a7ad96619ff91426b04088d3ca75de24
     • Android/Trojan.HiddenAds.POT: com.hinedey.empoy-1 c6985f3e451912f1b0bafe0078587f79
     • Android/Trojan.HiddenAds.CIT: com.abbreviation.civilization-1 aa87825bfc905965fb1751dd6ac82ab5
     • Android/Trojan.Dropper.Agent.DBW: Plays_com.android.eo.plays.apk 432feebad71938963100e4571be0a6ed
     Nathan
  10. Hi @Concerned_Citizen, Sounds like you've done some deep research on this. Which model was the phone? I assume you had the UMX (Unimax)? Yes, that sounds like the same behavior I observed for "CleanMaster" myself. Base64 and emulator/VM aware is also common among Android/Trojan.HiddenAds variants. These are also HiddenAds:
     • com.concreteroom.thenorthpole-1.apk 26333a6d48deddd3305c07b5ee00bb6e
     • com.democratizing.casualness-1.apk 82ecf170914d360992e230e0929fc0b8
     • com.spidmes.peaus-1.apk fde7346273d4561b306828615412899d
     There are many, many variants of HiddenAds being cycled and downloaded/installed by pre-installed malware. These are just a few samples you listed. This appears to be Android/Trojan.Dropper.Agent.hfn:
     • com.bird.aa01.apk 3f9cb3284cfb560ea59f6a4d895ee0a5
     I have also observed com.android.gallery3d infected with pre-installed malware. In fact, I'm seeing two other variants of com.android.gallery3d using the same teleepoch digital certificate infected with malware similar to Android/Trojan.Downloader.Wotby.SEK found in the com.android.settings I wrote about. I'll look deeper into this. Keep in mind though that not everything signed with teleepoch is necessarily pre-installed malware. They make/sign many legitimate system apps as well. You are also correct on com.tesla.eo.xsdfa. It appears we've been detecting it as Android/Trojan.Agent.AXW for nearly a year. I hear your frustrations along with all the other Lifeline customers. Luckily there are patrons like you that are tech savvy enough to grasp what's going on here more thoroughly. Our hope is that through our writings we can advocate change in these companies. We were successful in doing so with UMX (Unimax) on the U683CL. We are hoping ANS/TeleEpoch will do the same. Nathan
  11. Hi @cfowler, If you could send an Apps Report, I can look further into this issue. To send an Apps Report with Malwarebytes for Android use the following instructions. 1. Open the Malwarebytes for Android app. 2. Tap the Menu icon. 3. Tap Your apps. 4. Tap three lines icon in upper right corner. 5. Tap Send to support. Choose an email app to send Apps Report. Your email app will open with the Apps Report included. At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it. By sending the Apps Report, you will create a ticket in our support system. Private Message (PM) me the email used and/or the ticket number assigned. Nathan
  12. Hi @gero242000, Android/Trojan.Rootnik.sno is a variant of Rootnik which has the ability to root mobile devices without the user's permission. If you'd like to send an Apps Report, we can see if your device was rooted and look more into the exact app causing this. To send an Apps Report with Malwarebytes for Android use the following instructions. 1. Open the Malwarebytes for Android app. 2. Tap the Menu icon. 3. Tap Your apps. 4. Tap three lines icon in upper right corner. 5. Tap Send to support. Choose an email app to send Apps Report. Your email app will open with the Apps Report included. At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it. By sending the Apps Report, you will create a ticket in our support system. Private Message (PM) me the email used and/or the ticket number assigned. Nathan
  13. Hi @Daboomie, Just looks like a website that is a phone directory in Dutch. Unless you agreed to install something, very low chances you infected yourself with anything. Nathan
  14. Hi @MitKit, Any way you could get me a screenshot of the Malware Database version, and the detection? Nathan