
Trojan.Triada



Alexfr, I also have an MTT Ideal, and also this nasty triada.EU and its offspring for 1 week now, which always come back despite Malwarebytes, Kaspersky, Avast etc... I have also notified MTT/Adar after-sales support and I am waiting... same regarding sending the device back: if the system is rotten from the start, there is no point wasting time... Aromino, I may contact you just in case... I am giving Adar/MTT/Nomu a little time, but without a reply or a solution I will be really disappointed... catching nasty stuff when you take risks, that's life; but in this case it would really mean that, despite their apparent qualities in the first weeks, these devices are to be avoided (especially in a professional setting!).

To be continued...


Dear all,

Sorry but my French writing is not that great so I reply in English.

I did buy an Evolveo StrongPhone G4 a while ago and have the same problem. I have F-Secure Safe and this AV does not or did not detect the malware. Settings is safe, he said. Malwarebytes detects it and asks to remove these files. Once they are reinstalled.

I had contact with the support, but for a new firmware I have to send my phone to their support center in the Czech Republic. They say that this was not installed on the firmware coming out of the factory; not sure if this is true …

I also cannot find anything to root this device. For now Malwarebytes does the trick but I am not sure if my cell is 100% safe now.

Factory reset did not help.

If somebody has a def. solution please share.

Kind regards,

Hans


Bouby,

The phone I have is an Evolveo StrongPhone G4. It is rebranded, but I don't know what the exact model of phone with the same firmware is that should work.

I created a ticket at Evolveo and they say they will provide a new firmware but don't know when. Just great ...


From what I know so far, the malware first creates a folder ".SDAndroid"; Malwarebytes scanner does not recognize that. In that folder, there seem to be different spy files, like contacts, Facebook stuff etc... If you delete it, it will come back after ~12 hrs. If you do not delete it, a 2nd folder is created, ".jm"; once that happened, Malwarebytes recognizes the trojan as displayed in the initial post, disguised as the "Settings" app for me.

 

I hope I can find a stock ROM for the S20, and then I have to get into flashing my phone. I hope I can get this working; I don't feel like fighting Nomu or the reseller Gearbest for a working phone without spyware.

 

 

 


Hi I'm having exactly the same issue.
Contacted reseller but unsure if they are willing to do anything.
Having some trouble flashing the ROM of my phone, as I'm on a Mac and don't have SP-flash available to me.

Is there anyone willing to point me in the direction of a good ROM flashing tutorial for an entry-level Android user? (Noob)

Or perhaps someone would make a walkthrough themselves? 

Many thanks;
-Ned


The same at Evolveo.

The support person says it will be solved at the next update. But these are rebranded smartphones: Evolveo, MTT, ADAR, ... they are coming from the same Chinese factory. So they have to ask the Chinese kindly: Please send us a new firmware with no malware.

If the Chinese are willing to do that, then they will remove the Triada malware and put a new one in, that is what I think.

Not sure how we can do this but we should try to unite and put some pressure on these rebranded companies.

This is a major security issue and they are doing nothing.


What can we realistically do at this point?
Can flashing guarantee that the phone is cleared of the malware?

I'm a Mac user (shun me) and cannot find a Mac alternative for SP fastboot.
Tried downloading Android SDK, but tutorials are outdated and nothing is working.
Also, whilst trying with fastboot and Android adb, my device was not found.

Really unsure what's going on in this space.
Will see if I can borrow a PC to try getting through this flashing process. 

Helllllpppppp!!!


On 08/05/2017 at 1:38 PM, HansSunn said:

If the Chinese are willing to do that, then they will remove the Triada malware and put a new one in, that is what I think.

Not sure how we can do this but we should try to unite and put some pressure on these rebranded companies.

This is a major security issue and they are doing nothing.

Sure!

That's why I use a firmware from a French phone.

Nomu doesn't care about us. Maybe journalists or a consumer organisation will be interested in that global problem.


I had the mentioned malware on a rebranded Chinese Gotron/Ulefone smartphone, don't know exactly what model if any. What I did this Monday was to delete the .SDAndroid and .jm hidden folders altogether after the malware was uninstalled from Settings, and set the update settings to disallow automatic download over Wi-Fi network (of course the updates via Wi-Fi only is on). Two days passed with no malware detection and regular app updates. Hope it lasts, or that the problem was addressed by the manufacturer.


The malware changed for me now. The .jm folder is no longer created and Malwarebytes won't find the trojan anymore. Ads still pop up.

I installed "addon detector", which displays the "settings" app installed as an addon. From there you can uninstall or deactivate it. As it reinstalls, I just stopped the app for now. No more ads for 3 days. No final solution, but at least a temporary one.

 

Edited by NomuS20-victim

Hi NomuS20-victim, that was the same for me after some app update. I will try addon detector as you say, thanks.

1 hour ago, NomuS20-victim said:

The malware changed for me now. The .jm folder is no longer created and Malwarebytes won't find the trojan anymore. Ads still pop up.

I installed "addon detector", which displays the "settings" app installed as an addon. From there you can uninstall or deactivate it. As it reinstalls, I just stopped the app for now. No more ads for 3 days. No final solution, but at least a temporary one.

 


On 12.5.2017 at 8:17 AM, NomuS20-victim said:

The malware changed for me now. The .jm folder is no longer created and Malwarebytes won't find the trojan anymore. Ads still pop up.

I installed "addon detector", which displays the "settings" app installed as an addon. From there you can uninstall or deactivate it. As it reinstalls, I just stopped the app for now. No more ads for 3 days. No final solution, but at least a temporary one.

 

This usually works until a reboot, but we really need a more permanent fix. Could someone create a small walkthrough on how to flash the Saphire ROM?

My bootloader menu is in Chinese and I have no way of reading it!


  • 2 weeks later...

FYI, on my MTT IDEAL (rebranded NOMU S20) the infection has changed its name: it is no longer com.petsfamily-1 but now com.chunmei.calculator-1 that the trojan tries to get through, still by running the base.apk app that poses as the system's Settings app!

The Malwarebytes tool does intercept it (see screenshots) but it is still impossible to remove it permanently!

 

 

capture_base.apk.jpg

Blocage appli settings.png

MT IDEAL.png
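
The indicators posters in this thread report (the hidden .SDAndroid and .jm folders, and the com.petsfamily-1 and com.chunmei.calculator-1 install directories) can be checked from a computer over adb. The script below is an added example, not part of any post; the function names, file names and sample data are constructed, and since the thread shows the names changing, a clean result does not prove the firmware is clean.

```shell
#!/bin/sh
# Triage of saved adb output for the indicators named in this thread.
# Collect the two input files first with standard adb commands:
#   adb shell ls -a /sdcard       > sdcard.txt
#   adb shell pm list packages -f > packages.txt

# Hidden folders and /data/app directory names reported by posters.
TRIADA_DIRS=".SDAndroid .jm"
TRIADA_APPS="com.petsfamily-1 com.chunmei.calculator-1"

# triada_triage SDCARD_LISTING PACKAGE_LISTING
# Prints one "HIT <type> <value>" line per indicator; returns 1 on any hit.
triada_triage() {
    hits=0
    for d in $TRIADA_DIRS; do
        # adb output may carry CRLF endings: strip \r, then match the whole line
        if tr -d '\r' < "$1" | grep -qxF -- "$d"; then
            echo "HIT folder $d"; hits=$((hits + 1))
        fi
    done
    for a in $TRIADA_APPS; do
        # pm -f lines look like: package:/data/app/<dir>/base.apk=<package>
        if tr -d '\r' < "$2" | grep -qF -- "/data/app/$a/base.apk="; then
            echo "HIT app $a"; hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample listings (not captured from a real device).
triada_demo() {
    tmp=$(mktemp -d)
    printf '%s\r\n' . .. .SDAndroid DCIM Download > "$tmp/sdcard.txt"
    printf '%s\n' \
        'package:/system/priv-app/Settings/Settings.apk=com.android.settings' \
        'package:/data/app/com.chunmei.calculator-1/base.apk=com.chunmei.calculator' \
        > "$tmp/packages.txt"
    rc=0
    triada_triage "$tmp/sdcard.txt" "$tmp/packages.txt" || rc=$?
    rm -rf "$tmp"
    return $rc
}

triada_demo || true
```

A hit on a `/data/app` path matters here because the genuine Settings app lives on the system partition, so a user-installed `base.apk` presenting itself as Settings matches what the posts describe.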


News on my case (MTT Ideal): I sent it back to after-sales support (very fast).

Once I got the phone back on build 1.08, after inserting the SIM and letting it sit, the ads are back! And the Settings application and the hidden folders etc. However, Malwarebytes no longer detects it, so I was treated to an update of the firmware AND of the trojan, classy ;)

Anyway, I am waiting for an explanation from MTT. I will post if I have news.


Thanks for this info Totorico!

For my part, I still have not sent my MTT IDEAL (NOMU S20) to after-sales support because, given their answers to our requests, I doubted their ability to fix this problem by themselves... they seem to be completely dependent on NOMU, because otherwise they would already have reacted technically by offering an OTA update that solves these problems of malware and trojans built into the system, all the more so since the report of the security flaw and the compromise of personal data is now widely circulated on the forums when someone looks to buy a model from the manufacturer (NOMU S10 or NOMU S20) or any model "rebranded" through a distributor (MTT IDEAL, EVOLVEO STRONGPHONE etc.). Their behaviour of staying silent and burying their heads in the sand confirms that they are trapped and will be unable to take responsibility when it comes to answering the complaints that are starting to be filed...

To be continued....

 

 

Edited by AlexFr
