SecretSociety68

Trojan reinstalls after factory reset on phone.


Hi,
I'm new to XDA. I think I'm in the right forum for my issue. My phone was infected with what I think is a type of auto-rooting trojan. I was looking for info on an app I'm using called Duraspeed. I came across this website that started throwing popups at me saying my phone had tons of viruses, which was a lie. By the time I could break free from the drive-by attacks, it was too late. I started getting sluggish performance on my phone and popup ads randomly. Even though it somehow gained root access, my phone is not rooted. Never was. It's still not! Because I checked with several apps off the Play Store to confirm this. Long story short:

It put a file called "ads_popup-release.apk"
in my root folder /system/priv-app/

And modified a file called "8e710bb7.0"
in root folder /system/etc/security/cacerts/
or put (installed) the file there I'm not sure.

The file running on the phone as a system app is called "ad_surface"

I can only force stop and disable ad_surface without the ability to uninstall. I have to repeat this process every time I reboot. This stops the ads from popping up. Funny thing is, even though the force stop button in app settings is greyed out, meaning it was stopped and disabled, my OS Monitor app that shows running processes shows ad_surface is still running. Yet, it does stop the random popup ads by doing it this way. I've tried 360 AV, Avast, AVG, Malwarebytes, Kaspersky, Stubborn Rootkit Remover, a lot of antivirus programs, but nothing detects it. I'm using Total Commander File Manager to view the device system partitions. I even copied the two trojan files to a folder on the user partition to see if any of the antivirus programs could check them there away from the root areas. But nothing. My guess is that I need to root my phone so I can gain access to the apk file and delete it. I've never rooted a phone before, but I have Kingroot installed. I downloaded it from XDA. I just don't have the guts to use it in fear of bricking. Do you think it would work with my phone? Does it abort the root procedure if it can't do it? Here are my phone specs:

Vortex Beat 8
Software build: 8_V1.5_20171011
Chipset: MT6580M Cortex-A7
CPU Architecture: ARMv7 Processor Rev 3(V71)

Cores: 4 1300MHz
Kernel Version: 3.18.19
Total Ram: 459MB
Internal ROM: 8GB (4GB for user)

That's about it. If anybody could recommend how to go about this, I would greatly appreciate the help. Thank you...
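
The file dates the poster compares (everything stamped with the firmware build date except the two March 2018 files) are a usable triage signal on their own. The following is an added example, not code from this thread or from Malwarebytes: it takes a constructed "date path" listing (the line format, the sample APK paths and the cert names other than 8e710bb7.0 are assumptions) and reports every /system file written long after the build, with a note on why each location matters to a defender.

```python
# Triage a /system file listing for post-build writes. Added example, not from the thread.
# Assumed input format: one "YYYY-MM-DD /absolute/path" line per file (e.g. from a file manager).
from collections import Counter
from datetime import date

# Constructed sample listing mirroring the thread: build files dated 2017-10-10,
# the two dropped files dated 2018-03-12. Cert names other than 8e710bb7.0 are made up.
SAMPLE_LISTING = """\
2017-10-10 /system/priv-app/Settings/Settings.apk
2017-10-10 /system/priv-app/SystemUI/SystemUI.apk
2017-10-10 /system/etc/security/cacerts/3ad48a91.0
2017-10-10 /system/etc/security/cacerts/5ad8a5d6.0
2018-03-12 /system/priv-app/ads_popup-release.apk
2018-03-12 /system/etc/security/cacerts/8e710bb7.0
"""

# Why a post-build write in each location matters to a defender.
SENSITIVE_DIRS = {
    "/system/priv-app/": "privileged system app; not uninstallable without root, survives factory reset",
    "/system/etc/security/cacerts/": "system-trusted root CA; lets its holder intercept TLS traffic",
    "/system/app/": "system app; survives factory reset",
}

def parse_listing(text):
    """Turn listing lines into (date, path) tuples; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            stamp, path = line.split(" ", 1)
            entries.append((date.fromisoformat(stamp), path))
    return entries

def build_date(entries):
    """Flashing stamps the whole partition at once, so the modal date is the build date."""
    return Counter(d for d, _ in entries).most_common(1)[0][0]

def find_outliers(entries, min_gap_days=30):
    """Map each path written more than min_gap_days after the build date to the
    reason its location matters (generic note when the directory is not listed)."""
    base = build_date(entries)
    flagged = {}
    for d, path in entries:
        if (d - base).days > min_gap_days:
            flagged[path] = next((why for prefix, why in SENSITIVE_DIRS.items()
                                  if path.startswith(prefix)), "unexpected post-build write")
    return flagged

if __name__ == "__main__":
    for path, why in find_outliers(parse_listing(SAMPLE_LISTING)).items():
        print(f"{path}: {why}")
```

A factory reset only wipes the user data partition, which is why entries flagged under /system explain the "reinstalls after reset" symptom in the thread title.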

Hello,

well, you can try this also:

V3 Mobile Security, ----> https://play.google.com/store/apps/details?id=com.ahnlab.v3mobilesecurity.soda

Zemana Antivirus & Security, -----> https://play.google.com/store/apps/details?id=com.zemana.msecurity

And you have also tried Malwarebytes for mobile? Results? ----> https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware

And you can also try Line Antivirus, ----> https://play.google.com/store/apps/details?id=jp.naver.lineantivirus.android

Emsisoft Mobile Security, ------> https://play.google.com/store/apps/details?id=com.emsisoft.security

Zoner Antivirus, -----> https://play.google.com/store/apps/details?id=com.zoner.android.security

Paid version; you can also use a free version of it.

You can also try this, https://support.virustotal.com/hc/en-us/articles/115002146549-Mobile-apps

Well, maybe it helps you.

Good Luck!

MAM


Edited by MAM


Hi @SecretSociety68,

It sounds like preinstalled malware, which is becoming more of an issue -> Mobile Menace Monday: Preinstalled adware and sometimes worse

Preinstalled malware cannot be removed, only disabled. Instructions to disable are in the blog post linked above.

However, we can take a deeper look if you send an Apps Report.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap the three-lines icon in the upper right corner.

5. Tap Send to support.

6. Choose an email app to send the Apps Report.

Your email app will open with the Apps Report included. Send the Apps Report to create a ticket.

Nathan


Thanks MAM and mbam_mtbr. I sent a report using the mbam mobile app. You will see the culprit is ad_surface. mbam, you mentioned it might be preinstalled malware. I was thinking the same thing, but it has a later date than all the other files in the root folders. All the other files in the system folder are dated 10-10-17 while the two files ads_popup-release.apk and 8e710bb7.0 are dated 3-12-18. But then again, I don't see how it installed itself like that as a super user. That means it would have had to root then unroot to work its magic. The report I sent is under the name secretsociety68. Again, thanks for the help.


Hello, have you tried any AV programs for Android that I suggested to you? Have they found nothing!?

MAM

1 hour ago, MAM said:

Hello, have you tried any AV programs for Android that I suggested to you? Have they found nothing!?

MAM

Yes. But nothing was found. Do antivirus programs have access to root areas as super user?


Hello, give him your e-mail over a PM (Personal Message), not publicly here in the forum.

MAM

On 21.3.2018 at 12:04 AM, SecretSociety68 said:

Yes. But nothing was found. Do antivirus programs have access to root areas as super user?

Hello, sorry, I have no idea about this issue. I do not know if that's what you mean.

MAM

17 minutes ago, MAM said:

Hello, sorry, I have no idea about this issue. I do not know if that's what you mean.

MAM

That's ok. Thanks for the help...

21 hours ago, SecretSociety68 said:

Hi, it's:

<REDACTED>

Please remove your email here.

MAM

Edited by dcollins
