Gajendra Posted January 13, 2018 ID:1199401

I managed to grab the apk file of the beautymake malware from the /system/priv-app location on my Android phone. When I scanned using Google Play Protect, it showed that one harmful app was detected. After this, I uploaded the apk file to VirusTotal and 25 antivirus engines detect it as a malicious app. Please find a way to remove it from the mobile. It can't be removed directly because it is a system app. The password is infected. Thanks

Makeup.zip

Gajendra Posted January 13, 2018 Author ID:1199455

Sorry, I wrote the wrong name. The real name is BeautyMakeup.

MAM Posted January 13, 2018 ID:1199504

Hello, you mean this https://www.virustotal.com/#/file/4e9bb0eed19f606ed262e8c3359262d2caffe7dd2c013d1cce2a9b88677636b0/detection crap here? If this is right, I guess your sample is too old. The example should not be older than 3 months, otherwise it will not be included in the updates by Malwarebytes for Mobile. Sorry. And please read this too, I hope that helps you.

MAM

mbam_mtbr Posted January 15, 2018 ID:1200080

Hi @Gajendra, Thanks for bringing this to our attention. This is already detected as Android/Adware.Xinyinhe.

Nathan

MAM Posted January 15, 2018 ID:1200200

@mbam_mtbr Hello, sorry, I cannot believe that. I have also installed this app, and Malwarebytes for Mobile cannot recognize this nasty on my smartphone. Well, that is odd to me.

MAM

MAM Posted January 15, 2018 ID:1200280

Hello, well well well, hours later, pictures say more than a thousand words. Please have a deeper look at these pictures, I cannot find this nasty on my smartphone. Sorry, I don't know what's going on here.

MAM

MAM Posted January 15, 2018 ID:1200302

Hello, for all: on the first screenshot, you can see the supposed app Makeup.apk. ----> https://www.virustotal.com/#/file/4e9bb0eed19f606ed262e8c3359262d2caffe7dd2c013d1cce2a9b88677636b0/detection

MAM

mbam_mtbr Posted January 15, 2018 ID:1200303

@MAM, I checked again, and for sha256 4e9bb0eed19f606ed262e8c3359262d2caffe7dd2c013d1cce2a9b88677636b0, it is detected. You may have another version installed that is not detected.

Nathan

MAM Posted January 15, 2018 ID:1200305

Wait, I'll upload it to the other section...

MAM

MAM Posted January 15, 2018 ID:1200309

@mbam_mtbr I have uploaded this sample here: https://forums.malwarebytes.com/forum/133-newest-mobile-threats/ You mean that it is different from the thread starter's? Or what?

MAM

Gajendra Posted January 16, 2018 Author ID:1200385

The package name of this BeautyMakeup is com.gangyun.makeup. I think you installed beauty makeup.apk from the Google Play Store, because the screenshot you uploaded has the same icon as in the Play Store. Please check this link https://www.apkmonk.com/app/com.gangyun.makeup.thailand/ it has the same package name but it contains thailand (com.gangyun.makeup.thailand) at the end. The original apk I posted has this icon.

Edited January 16, 2018 by Gajendra

mbam_mtbr Posted January 16, 2018 ID:1200484

@Gajendra You are correct. @MAM was mistakenly referencing package name com.tudasoft.android.BeMakeup found on Google Play, which is clean: https://www.virustotal.com/#/file/ef2ee63b1c9f130c4ee0505fe59b348121966da383daf22958e8995fd3c1a24a/detection

As stated before, we detect the sample you provided in the first post. However, I added detection for com.gangyun.makeup.thailand found on apkmonk as Android/Adware.Boyad in future database versions.

This may be helpful on why you didn’t see a Malwarebytes mobile detection in VirusTotal in the first post -> Malwarebytes VirusTotal Results Does NOT Reflect Mobile Detections

Nathan

Gajendra Posted January 16, 2018 Author ID:1200492

@mbam_mtbr I can't use an Android emulator. What should I do to remove this adware?

mbam_mtbr Posted January 16, 2018 ID:1200495

Hi @Gajendra, You mean com.gangyun.makeup.thailand? It will be in our database this afternoon for detection and removal.

Nathan

Gajendra Posted January 16, 2018 Author ID:1200496

It would be great if you add this to the database. I want to remove com.gangyun.makeup from my Android phone.

mbam_mtbr Posted January 16, 2018 ID:1200498

Hi @Gajendra, Sorry, I forgot you mentioned it was located in /system/priv-app. This is preinstalled malware, which is becoming more of an issue -> Mobile Menace Monday: Preinstalled adware and sometimes worse

Preinstalled malware cannot be removed, only disabled. Instructions to disable are in the blog post linked above.

Nathan

Gajendra Posted January 16, 2018 Author ID:1200501

Thank you. Will rooting the phone or a factory reset remove it?

mbam_mtbr Posted January 16, 2018 ID:1200549

Hi @Gajendra, If it's a system app, it will most likely still be there after a factory reset. Yes, rooting would work to remove it, but that is a risky endeavor just to remove a simple adware app. I suggest just disabling it and whitelisting it in Malwarebytes for Android so the detection doesn't keep popping up.

Nathan

Gajendra Posted January 16, 2018 Author ID:1200551

Thanks once again

MAM Posted January 16, 2018 ID:1200736

Hello, that was my fault, sorry for the confusion in this matter. I probably confused two "avoidable" apps, I apologize for that, doho waho.

MAM

Patrick007 Posted February 19, 2019 ID:1299360

I also have BeautyMakeup present. As stated above, it appears to have become a system app. It was not there when I got my phone earlier in January. About the same time that BeautyMakeup appeared, I also got infected by www.aiboo.cc. Most of the sites advise us to use Malwarebytes to remove it, but it does not work. So, what can we do?

mbam_mtbr Posted February 19, 2019 ID:1299413

Hi @Patrick007, Well, the good news is that since this original post, we have discovered a workaround. You can use this method to uninstall for the current user (details in link below): https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

Warning: Make sure to read "Restoring apps onto the device (without factory reset)" in the rare case you need to revert/restore the app.

First thing is to see which version of BeautyMakeup you have installed. Run the following command and look for com.gangyun.makeup or com.gangyun.makeup.thailand:

    adb shell pm list packages -f

Use one of these command(s) during step 7 under "Uninstalling Adups via ADB command line" to remove:

    adb shell pm uninstall -k --user 0 com.gangyun.makeup.thailand

OR

    adb shell pm uninstall -k --user 0 com.gangyun.makeup

Also, it may be a good idea to send me an Apps Report so I can check for any other infections on your device. To send an Apps Report with Malwarebytes for Android, use the following instructions.

1. Open the Malwarebytes for Android app.
2. Tap the Menu icon.
3. Tap Your apps.
4. Tap the three lines icon in the upper right corner.
5. Tap Send to support.

Choose an email app to send the Apps Report. Your email app will open with the Apps Report included. Send the Apps Report to create a ticket. PM me the email used and/or the ticket number assigned.

Nathan

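The list-then-remove check from the post above, as an added example that is not part of the original thread or of Malwarebytes' instructions: it matches the two package names from the thread exactly in `pm list packages -f` output and picks the removal command by install location. The function names, the sample listing, and the list of read-only partition prefixes are assumptions made for illustration.

```shell
#!/bin/sh
# Package names taken from the thread.
TARGETS="com.gangyun.makeup com.gangyun.makeup.thailand"

# Constructed sample of `adb shell pm list packages -f` output (paths are made up).
SAMPLE_LISTING='package:/system/priv-app/BeautyMakeup/BeautyMakeup.apk=com.gangyun.makeup
package:/data/app/~~Qx1==/com.tudasoft.android.BeMakeup-1==/base.apk=com.tudasoft.android.BeMakeup
package:/system/app/Calculator/Calculator.apk=com.android.calculator2'

# find_targets: reads a listing on stdin and prints "<name> <system|user> <apk path>"
# for every package whose name is an exact match for one of TARGETS.
find_targets() {
    tr -d '\r' | while IFS= read -r line; do   # some adb builds emit CRLF
        line=${line#package:}
        name=${line##*=}   # name follows the LAST '='; newer paths contain '='
        path=${line%=*}
        for t in $TARGETS; do
            [ "$name" = "$t" ] || continue     # exact match, not substring
            case $path in
                # Assumed list of read-only partitions holding preinstalled apps.
                /system/*|/vendor/*|/product/*) kind=system ;;
                *) kind=user ;;
            esac
            printf '%s %s %s\n' "$name" "$kind" "$path"
        done
    done
}

# removal_commands: turns find_targets output into one adb command per hit.
# System apps get the per-user uninstall from the post; user apps a plain uninstall.
removal_commands() {
    while read -r name kind path; do
        if [ "$kind" = system ]; then
            echo "adb shell pm uninstall -k --user 0 $name"
        else
            echo "adb uninstall $name"
        fi
    done
}

# Demo on the constructed listing. With a device attached, replace the printf with:
#   adb shell pm list packages -f
printf '%s\n' "$SAMPLE_LISTING" | find_targets | removal_commands
```

The exact-name comparison is what keeps the clean com.tudasoft.android.BeMakeup app, which was confused with the adware earlier in the thread, out of the results.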