khambrecht

After flashing the phone in February, I have use the phone now last week during holidays. Looks fine so far. The phone has a very bad performance (e.g. GPS navigation via Google Maps is quite unusable). But no nags, no pupups, no unwanted software.

I have updated firmware some weeks ago. But honestly, I do not use the phone at all, exept from some rare occasions when I need to check something with an android phone. So far, I did not recognize an unusual behaviour.

Cubot has released an updated ROM: http://forum.cubot.net/viewtopic.php?f=21&t=1562 Didn't installed this yet on the phone, but downloaded the ROM and "diffed" this with the previously release ROM from 2017-05-26 (the one with that "surprising" com.android.telephone app). Most of the .apk and .odex files do binary-differ. However, it look like the app packages are just re-packed. At least they are packaged now with a JVM 1.7.0_121 (compared to 1.7.0_79). But the real change is, that the newer ROM now has some apps missing. In the /priv-app directory this is the malicious com.android.telephone.apk, and in the /app directory these are com.sherlock.news.apk and webcore.apk (not sure what the first one is, but the latter one looks like just an opera-mini downloader/launcher). The new ROM does not include any new apps (just lots of more linux cmdline tools which are actually all symlinks to " toybox" utility) So, the known malicious app com.android.telephone has gone. But who knows? Is the next round of malware now just hidden elsewhere?

<ironic> sure. with an even more sophisticated malware </ironic> @Olivia: joking aside, some more information would be appreciated. Also why and how this could happen in the past.To be honest, I lost confidence a little bit.

@gradinaruvasile: great job! Thanks. I have uninstalled the malicious app from user 0 (did not have user 10 or any other). Do I have any chance to prove if the phone now behaves as desired?

they just requested some detailed informations about the phone and told me that this will be analysed by their engineering. But no comment about why and how this could happen (but to be honest, I also did not really expect any explanations or apology). And a couple of days later, I got a message about the OTA update.

@jaimepn I assume, they fixed only the Rainbow firmware. I had an email conversation with Cubot about the infected Rainbow firmware and they fixed this upon my request. So it would be worth a try for you to also complain about your phone. Send me a PM so I will forward my conversation with Cubot to you, as a reference.

I also did update the phone and extracted the SystemUI app from the phone via adb for checking with desktop AV scanners. Previously both scanners (ClamAV and Sophos) did report SystemUI (the known infected one) as Virus. Now, both did not find an issue anymore. However, McAfee Mobile Security on the phone still reports SystemUI as suspicious app (like before). So not sure if should care about this ....

right now, Malwarebytes does not detect the infected SystemUI.apk anymore, as it did a couple of days before. However, it's still the same phone software, and other tools like McAfee Mobile still detect this. Malwarebytes DB Version 2017.05.19.01 Malicious URL DB Version 2017.05.21.02 Last positive scan was 20/May/2017 - 00:21:32

meanwhile this is found by Malwarebytes. However, there is less hope for getting a "clean" ROM image from vendor. See this post about malware found in another device from Cubot: http://forum.cubot.net/viewtopic.php?f=30&t=567&start=20