Malware found: Android Trojan Dropper - can't be removed

[Gibbo]

Hello All,

 

Just updated my mobile Malwarebytes today and it instantly flagged up that it found 1 malware.  I selected it to be deleted and the message said that the removal was unsuccessful.

 

I have found that the App sits under settings 'About Phone' and is the Wireless update. I'm not sure if it's a false positive or embedded malware.  If it's malware, what options are available to me?

 

Details:

 

Malwarebytes Version: 1.04.3.5

 

Malware found:  Android/Trojan.Dropper.Agent.w

 

File:  /system/app/AdupsFota.apk

 

App name:  Wireless update

 

 

About Phone info

'Wireless update' details:    Current: CUBOT S108_4600K0P2_CQ10_4031C_V005

Phone manufacturer / make:   Cubot S108

Android version:   4.2.2

 

Phone isn't rooted

 

Thank you for any feedback / help

 

Regards,

 

Gibbo

[a_Mbam]

Hi Gibbo,

 

This has become a big problem with cheaper priced Devices coming from China, they come preinstalled with malicious apps and the apps cannot be removed using Android's uninstaller.

 

These apps on your device should not be trusted, there are a few things you can do.

 

- Disable the app – Can be done via Android Settings -> Apps -> bad app -> Force stop/disable

        This will prevent the app and any associated services from running.

 

- Root your device and uninstall the malicious apps. Usually reserved for advanced users, please do at your own risk.

 

- Install different, trusted, ROM to replace infected one. Usually reserved for advanced users, please do at your won risk.

 

- Return device where purchased.

 

I wish there were more options but where Android's openness and built in security collide; openness, anyone can flash a device with a custom ROM, security, you can't uninatll system apps.

 

Regards,

 

-Armando

[usalyn827]

_{Last week I had the same problem as Gibbo !!!  I also had the same Malwarebytes Version: 1.04.3.5.   I have a Landvo L900 phone and I've had it for over a year.  It has been an extremely reliable phone and I have never had any problems with it.  I've also had from the start Malwarebytes and a variety of other paid anti-malware and anti virus software installed so I had a good layer of security, none of those picked anything up.   This was the first time ever.}   

 

_{I unistalled Malwarebytes and reinstalled the lastest version 1.05.1.1000 after nothing else seemed out of place.  After the new version of Malwarebytes  was reinstalled I then shut off my phone and rebooted.  I ran the Malwarebytes and it picked up nothing!!!  I ran all my other security features and picked up nothing.   The next couple of days I ran everything again and again and whatever the Version 1.04.3.5 was showing is now gone.  A false positive?? don't know but whatever it was picking up is not there.  I have 4.2.2 Jelly Bean OS on the phone.}

 

_Lyn

[a_Mbam]

Hi Usalyn827,

 

Thanks for the updated information, yes that was an FP. We did make changes to that definition, so it wasn't so aggressive, and should not detect all versions of Fota. No detection on the legitimate Fota app is what you should be seeing.

 

Regards,

 

-Armando

[Gibbo]

Hi Armando,

 

Following Usalyn827 post above, I too deleted version 1.04.3.5 and installed version 1.05.1.1000 and the scan doesn't pick up Fota as a problem anymore. The scan came back clean.

 

Thank you for your help and feedback,

 

Gibbo

[smundye]

Hello folks, I too am getting this problem.

 

Scan results in "Android/Trojan.Dropper.Agent". Says it is in "/system/app/hx6_ld_filemanager_20141008.apk"

 

Removal doesn't work.

 

Am running MB Ver v1.05.1.1000 (151) with Android version 4.4.2 on a SWEES X534 phone.

 

Any advice appreciated.

 

Regards

 

Stuart.

[a_Mbam]

Hi Smundye,

 

Are you able to find out the package name for this app? There are few detections that match this scan result and I am unable to track down any SWEES roms or files to check against.

 

If you are unable to locate with tools available on your phone you can download an app like https://play.google.com/store/apps/details?id=com.gijoon.pkgnameviewerwhich provides more info about an app.

 

Regards,

 

-Armando

[smundye]

Hello Armando and thanks for reply.

 

You asked me for the package name of this app and said "If you are unable to locate with tools available on your phone ..."

 

I admit to being a total newbe to Android. What tools should I have available to help me?

 

Regards,

 

Stuart.

[a_Mbam]

Hi Stuart,

 

Have you recently scanned with MBAM Mobile to see if the app is still being detected? Does that detection name have a ".letter" at the end or look like it might be cut off, eg. Trojan.Dropper.Agent.d

 

You can use a third party tool from the Play Store to find package names of apps.

 

    Package Name Viewer:   https://play.google.com/store/apps/details?id=com.gijoon.pkgnameviewer

 

-Armando

[smundye]

Hello Armando.

 

MBAM rescan still detecting the app. No letter after Trojan.Dropper.Agent

 

Have installed the Package Name Viewer. However, when I run it I cannot find any app name that resembles the problem one.

 

What should I be looking for?

 

Regards

 

Stuart.

 

 

[a_Mbam]

Hi Stuart,

 

I made a change to database, hopefully this resolves your issue. I think this was the result of an aggressive signature.

 

Let me know if your app is still being detected.

 

-Armando

[smundye]

Hello Armando.

 

Yes, it is still being detected.

 

Regards

 

Stuart.

 

[Mouaad]

 

Hi Gibbo,

 

This has become a big problem with cheaper priced Devices coming from China, they come preinstalled with malicious apps and the apps cannot be removed using Android's uninstaller.

 

These apps on your device should not be trusted, there are a few things you can do.

 

- Disable the app – Can be done via Android Settings -> Apps -> bad app -> Force stop/disable

        This will prevent the app and any associated services from running.

 

- Root your device and uninstall the malicious apps. Usually reserved for advanced users, please do at your own risk.

 

- Install different, trusted, ROM to replace infected one. Usually reserved for advanced users, please do at your won risk.

 

- Return device where purchased.

 

I wish there were more options but where Android's openness and built in security collide; openness, anyone can flash a device with a custom ROM, security, you can't uninatll system apps.

 

Regards,

 

-Armando

 

yes you are totally Right, that's exactly what i found, i bought an cheap tablet named ; z7i from ZYNC from morocco, and it come with pre installed trojan, i found that before i read your comment, here it is the trojan and the installation date shows that we are saying the truth 

 

 

Thank's to malwarebyte i finally found this trojan ( i was seing it connectign to servers using wireshark, the server is (rstep.xbkptek.com ).  i installed a lot of security programs before ( eset, avast ..) and none of them found this

i think now i need to root the device, i'm afraid of losing it if something went wrong ....

[Mouaad]

analyze : https://www.virustotal.com/en/file/543e9c4746cf6690f42c376d084278dc528a5175485d374ebc6ea20d898e2ab7/analysis/1450527296/

[Mouaad]

aaaaaaand i removed it, by rooting the device using iroot(kingroot)  

[buddha1313]

I recently experienced similar issues with a BLU 6 HD phone from amazon. I guess the allure of the "cheap" phones from china now comes home to roost. Problem is even the expensive phones are made in China. Whomever is benefiting from the hijacking of my phone - the affiliates or manufactures via relationships with the software app install firms is the culprit here. Let the fury of hell rain down upon them for such pathetic behavior.

 

Steps I have taken to resolve is download and run Malware-bytes mobile app...

 

Found 14 pups and other infections - ALL non removable by the software. (The software is great - would be even better if it provided a step by step guide on what to do to remove these... - hint hint for more raving fans and millions (billions perhaps) of paper reserve notes...

 

Installed again AVG - which also can see these infections (not as many however) - but tells me they are hard written and cannot be removed.

 

I am currently out of the country where the phone was purchased so cannot just walk in to amazon and return it.

 

I have rooted the phone.

 

Can someone please provide a step by step procedure to get the device cleaned?

 

It is in essence a paper weight at this point as every time I pick it up to use it - it hijacks whatever I'm doing and begins installing more apps, porn, etc.

 

I must say the Chinese or CIA operatives who arranged this little plot need to be commended and perhaps be given a pinata... if that is what these types respond to these days...

 

Peace to you while we still have some shreds remaining

[Mrczrc]

On 28/05/2015 at 9:46 PM, a_Mbam said:

Hi Gibbo,

 

 

 

 

This has become a big problem with cheaper priced Devices coming from China, they come preinstalled with malicious apps and the apps cannot be removed using Android's uninstaller.

 

 

 

 

 

These apps on your device should not be trusted, there are a few things you can do.

 

 

 

 

 

- Disable the app – Can be done via Android Settings -> Apps -> bad app -> Force stop/disable

 

 

        This will prevent the app and any associated services from running.

 

 

 

 

 

- Root your device and uninstall the malicious apps. Usually reserved for advanced users, please do at your own risk.

 

 

 

 

 

- Install different, trusted, ROM to replace infected one. Usually reserved for advanced users, please do at your won risk.

 

 

 

 

 

- Return device where purchased.

 

 

 

 

 

I wish there were more options but where Android's openness and built in security collide; openness, anyone can flash a device with a custom ROM, security, you can't uninatll system apps.

 

 

 

 

 

Regards,

 

 

 

 

 

-Armando

 

This helped me so much thank you very very much for this info. Keep us safe arma

[HaveBlue]

Just had the v version come up on hungry shark base.apk that was installed from Google play. False positive maybe?

[DBol]

 I got a Trojan Malware file on my phone and it imbedded itself in my voice-mail app. I tried to use King Root to root my phone, but it said it was great unable to. I have a BlackBerry PRIV. 

 

 My question is this: I disabled the voice-mail app. Will this at least make it so my personal information is safe, or is it time to throw out the phone and get a replacement? 

[HaveBlue]

Go into settings - apps and find the voicemail app (same screen where you disabled it) and try to uninstall any updates 

[saidshow]

Hi Guys,

I had the same issue. I used 'package name viewer' to identify a second name for the package. I then used the steps below to remove:

 

mobile@ubuntu:~/android/sdk/platform-tools$ adb shell

shell@klte:/ $ su

root@klte:/ # mount -o rw,remount /system

root@klte:/ # rm -rf /system/priv-apps/com.android.push.alarm.apk

root@klte:/ # rm -rf /system/priv-apps/com.android.dserw.ds.apk               

root@klte:/ # rm -rf /data/data/com.android.push.alarm                        

root@klte:/ # rm -rf /data/data/com.android.dserw.ds                          

root@klte:/ # mount -o ro,remount /system

root@klte:/ # exit

shell@klte:/ $ exit

[bobthebuilder181]

Android K100 Pad from China ?? 
Anyone who has a pad Model number (K1001) Android version 4.4.2
Baseband version MOLY.WR8.W1315.MD.WG.MP.V39,2016/02/2519:45
Kernel version 3.4.67 
Build number K1001_170104
You should be aware that it has a Trojan embedded into the system.
(Android/ TrojanDropper.Agent.APW) 
The pad is almost un-useable with the Trojan.
After much ado bricking the pad two days on I discovered an amazing easy fix. 
The pad has to be rooted. The only root that worked for me is iroot. 
http://www.iroot.com/
Once rooted go to systems settings apps. View all you will find two (2)⃣️ SETTING icons. 
One is the gray cog the other is a green droid. 

I disabled the green droid this stops the (Android/ TrojanDropper.Agent.APW) from working. 
I also tried to freze it, delete , rename all bad ideas all bricked the pad. 
The only thing that worked for me was DISABLED IT. 
Try at own risk I'm so pleased the problem (Android/ TrojanDropper.Agent.APW)  is stopped. 
The other thing I discovered while turning to unbrick the pad is: 
Power button ? and volume down brings up the recovery in chinese and only one way out. 
That's the pin hole off. 
With the power button ? and volume up the recovery is in english. 
Now working great after several reboots no further problems. I installed adaway and lucky patcher as added security. Malwarebites still finds (Android/ TrojanDropper.Agent.APW) So I white listed it in malwarebites only. 
I hope sharing my findings will help others. I found that since I've prevented (Android/ TrojanDropper.Agent.APW) from working the phone ? pad is very good value for $119 au$

[Rozapk]

Glad to know it

[MAM]

Hello, be carefull:

I would say now a great WARNING, until everything is told in this matter!

MAM

[moo4x]

I've had a Blu Xl8 for a little less than 2 years. Mbam just found this Malware today. How dangerous is it? Mbam can't kill it, & the solutions I've found online are over my head. I don't do any financial transactions on the phone. Do I need to throw the phone away? Or............?