mbam_mtbr

Staff
Posts posted by mbam_mtbr

  1. Hi @ettore,

    If you could send an Apps Report, I can see if there is anything unusual.

    To send an Apps Report with Malwarebytes for Android use the following instructions.

    1. Open the Malwarebytes for Android app.

    2. Tap the Menu icon.

    3. Tap Your apps.

    4. Tap the three-lines icon in the upper right corner.

    5. Tap Send to support.

    Choose an email app to send Apps Report.

    Your email app will open with the Apps Report included.

    At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

    By sending the Apps Report, you will create a ticket in our support system.

    Private Message (PM) me the email used and/or the ticket number assigned.

    Nathan

  2. Hi @HarryZ,

    If you send me an Apps Report, I can see if I can find any Adware.

    To send an Apps Report with Malwarebytes for Android use the following instructions.

    1. Open the Malwarebytes for Android app.

    2. Tap the Menu icon.

    3. Tap Your apps.

    4. Tap the three-lines icon in the upper right corner.

    5. Tap Send to support.

    Choose an email app to send Apps Report.

    Your email app will open with the Apps Report included.

    At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

    By sending the Apps Report, you will create a ticket in our support system.

    Private Message (PM) me the email used and/or the ticket number assigned.

    Nathan

  3. Hi @TommyR,

    You can use this method to uninstall com.android.system.ups for the current user (details in the link below):

    https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

    Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app.

    Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

    adb shell pm uninstall -k --user 0 com.android.system.ups

    @Chamorrogirl No, you do not have to worry about the malware carrying over with the SIM card. It's only an issue with the device itself. If you're considering buying a new phone, I'd personally suggest a refurbished/renewed Google phone. I personally bought a renewed Pixel 2 off of Amazon a couple of weeks ago, and it works great. Just make sure it will work with your carrier.

    Nathan

  4. Hi @Bigdaddygrant,

    These types of ads are browser related. This is caused by the way most browsers handle redirections executed by JavaScript code. Most browsers don't do a great job of preventing these redirects, which also cause ad pop-ups. Advertising affiliates are aware of this, and exploit this weakness. Even if an advertising affiliate is shut down for using this exploit, they just come back with a different affiliate ID and are right back at it.

    The best ways to block these pop-ups are to try a different browser, disable JavaScript, install a browser with ad blocking (like Opera), and/or install Adblock Plus.

    If you encounter these pop-ups again, back out of them using Android's back key. Also, clearing your history and cache will help stop the ads from reoccurring.

    Thanks for reaching out,

    Nathan

  5. Hi @Coco456,

    If you're okay with it, let's start with an Apps Report. I'll be able to see if there is anything malicious on your device.

    To send an Apps Report with Malwarebytes for Android use the following instructions.

    1. Open the Malwarebytes for Android app.

    2. Tap the Menu icon.

    3. Tap Your apps.

    4. Tap the three-lines icon in the upper right corner.

    5. Tap Send to support.

    Choose an email app to send Apps Report.

    Your email app will open with the Apps Report included.

    At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

    By sending the Apps Report, you will create a ticket in our support system.

    Private Message (PM) me the email used and/or the ticket number assigned.

    Nathan

  6. Hi @Concerned_Citizen,

    On 7/16/2020 at 7:19 PM, Concerned_Citizen said:

    The "Plays_com.android.eo.plays.apk" is very time consuming indeed as it appears to be much more obfuscated than the other samples.

    The Java class names are specifically designed to confuse someone trying to make heads or tails of it and it uses several techniques to hide its functions.

    For instance, the public class Ol1Q0l contains:

    public static final byte[] QOIlQ1 = { 76, 121, 53, 108, 99, 110, 73, 52, 76, 109, 120, 118, 90, 121, 119, 118, 76, 109, 85, 53, 76, 109, 112, 104, 99, 105, 119, 118, 76, 109, 85, 53, 76, 109, 82, 108, 101, 67, 120, 106, 98, 50, 48, 117, 101, 106, 69, 117, 89, 50, 70, 115, 98, 67, 120, 115, 98, 50, 70, 107, 81, 50, 120, 104, 99, 51, 77, 115, 97, 109, 70, 50, 89, 83, 53, 115, 89, 87, 53, 110, 76, 107, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 82, 71, 86, 52, 81, 50, 120, 104, 99, 51, 78, 77, 98, 50, 70, 107, 90, 88, 73, 115, 76, 71, 100, 108, 100, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 70, 117, 90, 72, 74, 118, 97, 87, 81, 117, 89, 50, 57, 117, 100, 71, 86, 117, 100, 67, 53, 68, 98, 50, 53, 48, 90, 88, 104, 48, 76, 71, 82, 108, 101, 69, 86, 115, 90, 87, 49, 108, 98, 110, 82, 122, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 81, 109, 70, 122, 90, 85, 82, 108, 101, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 72, 66, 104, 100, 71, 104, 77, 97, 88, 78, 48, 76, 71, 120, 112, 89, 106, 73, 115, 98, 71, 108, 105, 99, 121, 119, 118, 76, 109, 56, 117, 97, 109, 70, 121, 76, 72, 78, 116, 89, 87, 120, 115, 76, 110, 82, 48, 90, 103, 61, 61 };
     
    Which is a decimal representation of the ASCII string of:

    Ly5lcnI4LmxvZywvLmU5LmphciwvLmU5LmRleCxjb20uejEuY2FsbCxsb2FkQ2xhc3MsamF2YS5sYW5nLkNsYXNzTG9hZGVyLGRhbHZpay5zeXN0ZW0uRGV4Q2xhc3NMb2FkZXIsLGdldENsYXNzTG9hZGVyLGFuZHJvaWQuY29udGVudC5Db250ZXh0LGRleEVsZW1lbnRzLGRhbHZpay5zeXN0ZW0uQmFzZURleENsYXNzTG9hZGVyLHBhdGhMaXN0LGxpYjIsbGlicywvLm8uamFyLHNtYWxsLnR0Zg==

    Which is Base64 which decodes to:

    /.err8.log,/.e9.jar,/.e9.dex,com.z1.call,loadClass,java.lang.ClassLoader,dalvik.system.DexClassLoader,,getClassLoader,android.content.Context,dexElements,dalvik.system.BaseDexClassLoader,pathList,lib2,libs,/.o.jar,small.ttf

    Which is very interesting indeed as it mentions the fake True Type font "small.ttf" found in the assets of the Gallery3D app which is signed by Teleepoch and shows that all these malicious apps work in unison with each other to completely compromise the device.

    Nice find there! Yes, small.ttf appears to be a library to be loaded at runtime. I have seen it in several related malware as well. There is even more obfuscated code in there I noticed. If you are decent with coding, you can sometimes successfully write your own small Java program replicating the code found to decompile some of the strings. Also, sometimes it's easier to just run the malware in an emulator and see what it's doing via analysis software. Trust me, I'd love to have the time to dig deeper into things like these. But with new variants of HiddenAds coming in daily along with thousands of other mobile malware, the higher priority is to get these detected by our client. If you find anything else, keep them coming!

     

    On 7/16/2020 at 7:19 PM, Concerned_Citizen said:

    I took another look at the "com.fota.wirelessupdate.apk" and it appears that the researcher "Niji" I linked to in my other post is correct on all counts.

    I believe that the "com.fota.wirelessupdate.apk" should be detected by AV apps as something worse than just a PUP and should be flagged for what it is, a Trojan RAT Backdoor.

    I would also go as far as saying that I believe any accounts or apps the user has signed on to has been compromised as well given the capabilities and from Niji's own tests. 

    com.fota.wirelessupdate.apk is a tough one as there are clean variants as well. You have to remember that its sole purpose is to update the mobile device. Thus, it needs quite a bit of privileges to do so. But yes, you are probably right that it could be called blatant malware with Trojan categorization. I've nearly changed the name several times. Once again though, users are still reliant on it to update the OS with critical updates. Thus, we keep it as a PUP Riskware. You have to realize that most users don't know that PUP isn't straight malware anyway.

    Once again, thanks for all the feedback,

    Nathan
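    The decimal byte array → ASCII → Base64 chain that Concerned_Citizen worked through by hand in the quoted post can be reproduced mechanically, which is how an analyst would handle the other obfuscated string tables in the same sample. The Python below is an added example, not code from the post, from Malwarebytes or from the malware: it takes the Java initializer exactly as quoted (class Ol1Q0l, field QOIlQ1), parses the integer literals, peels the two encoding layers, and splits the result into the comma-separated string table the dropper consults (file names, class names and reflection targets). The only input is the array copied from the post; nothing else is assumed.

```python
"""Peel the byte[] -> ASCII -> Base64 string table quoted in the post above."""
import base64
import re
from typing import List, Tuple

# Input: the Java initializer exactly as quoted in the post (class Ol1Q0l,
# field QOIlQ1), re-wrapped here only so the line fits on screen.
JAVA_LITERAL = """
public static final byte[] QOIlQ1 = {
 76, 121, 53, 108, 99, 110, 73, 52, 76, 109, 120, 118, 90, 121, 119, 118, 76, 109, 85, 53,
 76, 109, 112, 104, 99, 105, 119, 118, 76, 109, 85, 53, 76, 109, 82, 108, 101, 67, 120, 106,
 98, 50, 48, 117, 101, 106, 69, 117, 89, 50, 70, 115, 98, 67, 120, 115, 98, 50, 70, 107,
 81, 50, 120, 104, 99, 51, 77, 115, 97, 109, 70, 50, 89, 83, 53, 115, 89, 87, 53, 110,
 76, 107, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 82, 104,
 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48, 90, 87, 48, 117, 82, 71, 86, 52,
 81, 50, 120, 104, 99, 51, 78, 77, 98, 50, 70, 107, 90, 88, 73, 115, 76, 71, 100, 108,
 100, 69, 78, 115, 89, 88, 78, 122, 84, 71, 57, 104, 90, 71, 86, 121, 76, 71, 70, 117,
 90, 72, 74, 118, 97, 87, 81, 117, 89, 50, 57, 117, 100, 71, 86, 117, 100, 67, 53, 68,
 98, 50, 53, 48, 90, 88, 104, 48, 76, 71, 82, 108, 101, 69, 86, 115, 90, 87, 49, 108,
 98, 110, 82, 122, 76, 71, 82, 104, 98, 72, 90, 112, 97, 121, 53, 122, 101, 88, 78, 48,
 90, 87, 48, 117, 81, 109, 70, 122, 90, 85, 82, 108, 101, 69, 78, 115, 89, 88, 78, 122,
 84, 71, 57, 104, 90, 71, 86, 121, 76, 72, 66, 104, 100, 71, 104, 77, 97, 88, 78, 48,
 76, 71, 120, 112, 89, 106, 73, 115, 98, 71, 108, 105, 99, 121, 119, 118, 76, 109, 56, 117,
 97, 109, 70, 121, 76, 72, 78, 116, 89, 87, 120, 115, 76, 110, 82, 48, 90, 103, 61, 61 };
"""


def parse_java_byte_array(java_src: str) -> bytes:
    """Extract the integer literals from a Java `byte[] x = { ... };` initializer."""
    match = re.search(r"\{([^}]*)\}", java_src, re.S)
    if not match:
        raise ValueError("no array initializer found")
    values = [int(v) for v in re.findall(r"-?\d+", match.group(1))]
    # Java bytes are signed; mask to 0..255 so negative literals in other
    # samples decode the same way this all-positive one does.
    return bytes(v & 0xFF for v in values)


def peel_layers(raw: bytes) -> Tuple[str, str, List[str]]:
    """Layer 1: the bytes are printable ASCII.  Layer 2: that ASCII is Base64.
    The decoded text is a comma-separated string table; empty fields are kept
    because the code indexes the table by position."""
    ascii_layer = raw.decode("ascii")
    decoded = base64.b64decode(ascii_layer, validate=True).decode("utf-8")
    return ascii_layer, decoded, decoded.split(",")


def string_table(java_src: str = JAVA_LITERAL) -> List[str]:
    """Convenience wrapper: Java literal in, list of recovered strings out."""
    return peel_layers(parse_java_byte_array(java_src))[2]


if __name__ == "__main__":
    ascii_layer, decoded, fields = peel_layers(parse_java_byte_array(JAVA_LITERAL))
    print("layer 1 (ASCII):        ", ascii_layer)
    print("layer 2 (Base64-decoded):", decoded)
    for index, field in enumerate(fields):
        print(f"  [{index:2}] {field!r}")
```

    Field 7 is the empty string sitting between "dalvik.system.DexClassLoader" and "getClassLoader"; keeping it preserves the indices the obfuscated code uses when it picks a class or method name out of the table, which matters when you later map those indices back to call sites in the decompiled source.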

  7. Hi @Concerned_Citizen,

    Thanks for all the info!  

    8 hours ago, Concerned_Citizen said:

    I was wondering if anyone at MalwareBytes is going to do an in-depth breakdown of the fake CleanMaster app?

    Not at this time, but I'll look into it.  It takes a lot of resources to do deep dives on malware.

    Also, here are the detections we have in place for mentioned APKs:

    Android/Trojan.HiddenAds.ForeSpot
    com.journalism.newspaper-1.apk
    a7ad96619ff91426b04088d3ca75de24

    Android/Trojan.HiddenAds.POT
    com.hinedey.empoy-1
    c6985f3e451912f1b0bafe0078587f79

    Android/Trojan.HiddenAds.CIT
    com.abbreviation.civilization-1
    aa87825bfc905965fb1751dd6ac82ab5 

    Android/Trojan.Dropper.Agent.DBW
    Plays_com.android.eo.plays.apk
    432feebad71938963100e4571be0a6ed

    Nathan

  8. Hi @Concerned_Citizen,

    Sounds like you've done some deep research on this.  Which model was the phone?  I assume you had the UMX (Unimax)?

    Yes, that sounds like the same behavior I observed for "CleanMaster" myself.  Base64 and emulator/VM aware is also common among Android/Trojan.HiddenAds variants.  These are also HiddenAds:

    com.concreteroom.thenorthpole-1.apk
    26333a6d48deddd3305c07b5ee00bb6e  

    com.democratizing.casualness-1.apk
    82ecf170914d360992e230e0929fc0b8

    com.spidmes.peaus-1.apk
    fde7346273d4561b306828615412899d 

    There are many, many variants of HiddenAds being cycled and downloaded/installed by pre-installed malware.  These are just a few samples you listed.

    This appears to be Android/Trojan.Dropper.Agent.hfn:

    com.bird.aa01.apk
    3f9cb3284cfb560ea59f6a4d895ee0a5 

    I have also observed com.android.gallery3d infected with pre-installed malware.  In fact, I'm seeing two other variants of com.android.gallery3d using the same teleepoch digital certificate infected with malware similar to Android/Trojan.Downloader.Wotby.SEK found in the com.android.settings I wrote about.  I'll look deeper into this.  Keep in mind though that not everything signed with teleepoch is necessarily pre-installed malware.  They make/sign many legitimate system apps as well. 

    You are also correct on com.tesla.eo.xsdfa.  It appears we've been detecting it as Android/Trojan.Agent.AXW for nearly a year.

    I hear your frustrations along with all the other Lifeline customers.  Luckily there are patrons like you that are tech savvy enough to grasp what's going on here more thoroughly.  Our hope is that through our writings we can advocate change in these companies.  We were successful in doing so with UMX (Unimax) on the U683CL.  We are hoping ANS/TeleEpoch will do the same.

    Nathan
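    The two posts above list detection names together with the MD5 of each sample. The Python below is an added example, not code from the posts or from Malwarebytes, showing how a responder would turn that list into a local check: hash every file under a directory (for example APKs pulled off a suspect device) and report any whose MD5 matches one of the listed samples. The hashes and detection names are copied from the posts; the three samples the second post only describes as "also HiddenAds" are tagged with the family name alone rather than an invented variant suffix.

```python
"""Match file MD5s against the detections listed in the two posts above."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# (detection name, sample file name) keyed by lowercase MD5, as listed in the posts.
KNOWN_MD5: Dict[str, Tuple[str, str]] = {
    "a7ad96619ff91426b04088d3ca75de24": ("Android/Trojan.HiddenAds.ForeSpot", "com.journalism.newspaper-1.apk"),
    "c6985f3e451912f1b0bafe0078587f79": ("Android/Trojan.HiddenAds.POT", "com.hinedey.empoy-1"),
    "aa87825bfc905965fb1751dd6ac82ab5": ("Android/Trojan.HiddenAds.CIT", "com.abbreviation.civilization-1"),
    "432feebad71938963100e4571be0a6ed": ("Android/Trojan.Dropper.Agent.DBW", "Plays_com.android.eo.plays.apk"),
    "26333a6d48deddd3305c07b5ee00bb6e": ("Android/Trojan.HiddenAds", "com.concreteroom.thenorthpole-1.apk"),
    "82ecf170914d360992e230e0929fc0b8": ("Android/Trojan.HiddenAds", "com.democratizing.casualness-1.apk"),
    "fde7346273d4561b306828615412899d": ("Android/Trojan.HiddenAds", "com.spidmes.peaus-1.apk"),
    "3f9cb3284cfb560ea59f6a4d895ee0a5": ("Android/Trojan.Dropper.Agent.hfn", "com.bird.aa01.apk"),
}


def lookup_md5(digest: str) -> Optional[Tuple[str, str]]:
    """Case- and whitespace-insensitive lookup, since hashes get pasted from posts."""
    return KNOWN_MD5.get(digest.strip().lower())


def md5_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large APKs are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_bytes(data: bytes) -> Optional[Tuple[str, str]]:
    """Same check for an in-memory blob (e.g. an APK already read from a device)."""
    return lookup_md5(hashlib.md5(data).hexdigest())


def scan_directory(root: str) -> List[Tuple[str, str, str]]:
    """Return (path, detection, listed sample name) for every file whose MD5 is listed."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            match = lookup_md5(md5_of_file(path))
            if match is not None:
                hits.append((path, match[0], match[1]))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, detection, sample in scan_directory(target):
        print(f"{detection}\t{path}\t(listed as {sample})")
```

    Exact-hash matching only catches the specific samples listed; the posts make clear that HiddenAds is cycled through many variants, so a hit confirms a known sample while a miss says nothing about an unlisted one, which is why the posts also ask for the Apps Report.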

  9. Hi @cfowler,

    If you could send an Apps Report, I can look further into this issue.

    To send an Apps Report with Malwarebytes for Android use the following instructions.

    1. Open the Malwarebytes for Android app.

    2. Tap the Menu icon.

    3. Tap Your apps.

    4. Tap the three-lines icon in the upper right corner.

    5. Tap Send to support.

    Choose an email app to send Apps Report.

    Your email app will open with the Apps Report included.

    At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

    By sending the Apps Report, you will create a ticket in our support system.

    Private Message (PM) me the email used and/or the ticket number assigned.

    Nathan

  10. Hi @gero242000,

    Android/Trojan.Rootnik.sno is a variant of Rootnik which has the ability to root mobile devices without the user's permission. If you'd like to send an Apps Report, we can see if your device was rooted and look more into the exact app causing this.

    To send an Apps Report with Malwarebytes for Android use the following instructions.

    1. Open the Malwarebytes for Android app.

    2. Tap the Menu icon.

    3. Tap Your apps.

    4. Tap the three-lines icon in the upper right corner.

    5. Tap Send to support.

    Choose an email app to send Apps Report.

    Your email app will open with the Apps Report included.

    At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

    By sending the Apps Report, you will create a ticket in our support system.

    Private Message (PM) me the email used and/or the ticket number assigned.

    Nathan

  11. Hi @MitKit,

    You can force the malware database to update in Malwarebytes for Android by doing the following:

    1. In the upper-left corner of your screen, tap the Menu icon.
    2. Scroll down and tap Settings.
    3. Tap Other.
    4. Tap Force update.

    You can then check the malware database by:

    1. In the upper-left corner of your screen, tap the Menu icon.
    2. Scroll down and tap About.
    3. Tap the down arrow by App version.

    Nathan
