Jump to content

Trojan reinstalls after factory reset on phone.

Recommended Posts

I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. Its still not! Because I checked with several apps off the playstore to confirm this. Long story short:

It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/

And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.

The file running on the phone as a system app is called "ad_surface"

I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytea, Kaspers, stubborn rootkit remover, a lot of antivirus programs but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:

Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)

Cores: 4 1300MHz
Kernal Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)

That's about it. If there's anything anybody who could recommend how to go about this I would greatly appreciate the help. Thank you...

Link to post
Share on other sites


well, you can try this also:

V3 Mobile Security, ----> https://play.google.com/store/apps/details?id=com.ahnlab.v3mobilesecurity.soda

Zemana Antivirus & Security, -----> https://play.google.com/store/apps/details?id=com.zemana.msecurity

And you have also tried Malwarebytes for mobile? Results? ----> https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware

And you can also try Line Antivirus, ----> https://play.google.com/store/apps/details?id=jp.naver.lineantivirus.android

Emsisoft Mobile Security, ------> https://play.google.com/store/apps/details?id=com.emsisoft.security

Zoner Antivirus, -----> https://play.google.com/store/apps/details?id=com.zoner.android.security

pay version, you can also use a free version of it.

You can also try this, https://support.virustotal.com/hc/en-us/articles/115002146549-Mobile-apps

Well, maybe it helps you.

Good Luck!



Edited by MAM
Link to post
Share on other sites

  • Staff

Hi @SecretSociety68,

It sound like preinstalled malware, which is becoming more of an issue -> Mobile Menace Monday: Preinstalled adware and sometimes worse

Preinstalled malware cannot be removed, only disabled.  Instructions to disable are in the blog post linked above.

However, we can take a deeper look if you send an Apps Report.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1.Open the Malwarebytes for Android app.

2.Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included. Send the Apps Report to create a ticket.


Link to post
Share on other sites

Thanks MAM and mbam_mtbr. I sent a report using the mbam mobile app. You will see the culprit is ad_surface. mbam you mentioned it might be preinstalled malware. I  was thinking the same thing, but it has a later date than all the other files in the root folders. All the other files in the system folder are dated 10-10-17 while the two files ads_popup-release.apk  and 8e710bb7.0  are dated 3-12-18. But then again, I don't see how it installed itself like that as a super user. That means it would have had to root then unroot to work its magic. The report I sent is under the  name secretsociety68. Again, thanks for the help. 

Link to post
Share on other sites

On 21.3.2018 at 12:04 AM, SecretSociety68 said:

Yes. But nothing was found. Do antivirus programs have access to root areas as super user? 


Hello, sorry for this issue have I not an idea. I do not know if that's what you mean.



Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.