cjvmoore Posted October 20, 2018 ID:1276562
I have a THL T9 Pro Android telephone. One of the following malware apps keeps getting reinstalled automatically: Devices, Coordinator, Moosteel, Quotecite, com.android.security, HotKnotBean. The name changes, but all have the same symptoms: they lock themselves in the foreground on screen and consume a lot of data. I think the origin of the problem is in the stock system ROM. Malwarebytes detects a problem (PUP.Riskware.Autoins.Fota.INS) but does not eradicate it. Your "real time protection" does not prevent the malware apps being reinstalled. Malware support ticket 2439765 was opened and it was requested that I post in this forum. Any suggestions you have would be most helpful.
MAM Posted October 20, 2018 ID:1276723
Hello, a step you can do, or read this. I hope that helps you. Good luck! MAM
MAM Posted October 20, 2018 ID:1276729 (edited)
Hello, you can read and try this carefully: https://www.getdroidtips.com/stock-rom-on-thl-t9-pro/ Please be careful what you do. Or wait here for the experts. MAM Censored by myself! Edited October 20, 2018 by MAM
mbam_mtbr Posted October 22, 2018 ID:1276942 (edited)
Hi @cjvmoore, As far as PUP.Riskware.Autoins.Fota.INS goes, @MAM is correct that the method to remove it is via the provided link. In regards to the reinstalled apps, if you could send me an Apps Report, that would be very helpful! To send an Apps Report with Malwarebytes for Android, use the following instructions.
1. Open the Malwarebytes for Android app.
2. Tap the Menu icon.
3. Tap Your apps.
4. Tap the three-lines icon in the upper right corner.
5. Tap Send to support.
Choose an email app to send the Apps Report. Your email app will open with the Apps Report included. Send the Apps Report to create a ticket. PM me the email used and/or the ticket number assigned. Nathan Edited October 23, 2018 by mbam_mtbr
Akos Posted October 26, 2018 ID:1277780
I have the same issue. I followed these steps too and sent you a PM with the ticket info.
cjvmoore Posted October 27, 2018 Author ID:1277917
Thank you very much for your help. I successfully uninstalled com.adups.fota and com.adups.fota.sysoper using the procedure described above. However, Malwarebytes still detects a problem (PUP.Riskware.Autoins.Fota.INS), apparently while analysing com.android.systemui. Is it safe to uninstall com.android.systemui, or will I brick my telephone? In the meantime I shall wait and see whether my problem has been solved.
cjvmoore Posted October 27, 2018 Author ID:1277919
Just to underline that this is exactly the same problem as in my original post. (Sorry, I haven't found out how to edit my post.)
cjvmoore Posted October 28, 2018 Author ID:1277993
Unfortunately Coordinator was installed overnight. It seems to be in the com.peony.mochi package. I have sent the Apps Report you requested and I received the ticket 2457510. If you wish I could also send a screenshot and even possibly the apk. So uninstalling com.adups.fota and com.adups.fota.sysoper is not sufficient. Is it safe to uninstall com.android.systemui, or will I brick my telephone?
Akos Posted October 28, 2018 ID:1277999
I got the same infected app: com.android.systemui, named System UI. I also tried to reinstall with a custom ROM from https://www.needrom.com/, but this new ROM contains this infection too.
cjvmoore Posted October 28, 2018 Author ID:1278005
1 hour ago, Akos said: "I got the same infected app: com.android.systemui, named System UI. I also tried to reinstall with a custom ROM from https://www.needrom.com/, but this new ROM contains this infection too."
The download on the THL website has the same version as that on my telephone. So I guess it also has the malware.
cjvmoore Posted October 28, 2018 Author ID:1278006
3 hours ago, cjvmoore said: "Unfortunately Coordinator was installed overnight."
Actually there does seem to be an improvement: Coordinator was installed but seems to be dormant. It no longer locks itself full screen in the foreground and hasn't yet consumed any data. Malwarebytes detects it as malware (Android/Trojan.HiddenAds.Moo). In that case, shouldn't Malwarebytes have prevented its installation?
mbam_mtbr Posted October 29, 2018 ID:1278072
@cjvmoore & @Akos, PM sent to both of you. Nathan
cjvmoore Posted October 29, 2018 Author ID:1278082
Thank you for your PM. The situation is much better after uninstalling com.adups.fota and com.adups.fota.sysoper. I watched Coordinator for a while and it did start using a small quantity of data, so I uninstalled it yesterday. Since then no new malware has been installed. I shall avoid messing with com.android.systemui unless the situation deteriorates. I notice that "pm uninstall -k --user 0" doesn't actually uninstall the package but just seems to disable its use, I suppose by user 0 (I guess 0 is system or root). There is also a "pm disable" command. What is the difference? (Sorry, I am not very familiar with the Android SDK.) Thank you very much for your help.
mbam_mtbr Posted October 29, 2018 ID:1278088
Hi @cjvmoore, Great question! We used to use pm hide originally, which is similar to pm disable. The difference is that pm hide doesn't allow the app to be loaded into memory again, thus re-enabling. However, many users were getting this error with the command pm hide:
Error: java.lang.SecurityException: Neither user 2000 nor current process has android.permission.MANAGE_USERS
It was brought to my attention that there was another method: https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/ I first attempted using "adb shell pm hide -k --user 0", but that produced the same error. Instead, by using "adb shell pm uninstall -k --user 0", I was able to successfully remove apps from the app information list on a BLU Studio XL. As noted in the article, --user 0 is the current user. So technically yes, it's only uninstalling for the current user, and not all the users. Thus, it still resides on the device. I found the APKs on my test device using Android Device Monitor, another tool provided by Android Studio, via its File Explorer. Interesting that it only shows up as just disabled on your device instead. Nathan
cjvmoore Posted October 29, 2018 Author ID:1278091
9 minutes ago, mbam_mtbr said: "Interesting that it only shows up as just disabled on your device instead."
Actually they show up as "Not installed for this user". (Translated from French.) Thank you for your detailed explanation.
mbam_mtbr Posted October 29, 2018 ID:1278098
Thanks for letting me know @cjvmoore!
cjvmoore Posted October 29, 2018 Author ID:1278213
Bad news: TelephonyDev (com.conterx.umora) was automatically installed today. It locks itself full screen in the foreground, so I am back to square one. Also, unlike Coordinator, it isn't detected as malware by Malwarebytes. I have sent an Apps Report and I received the ticket 2458794. So it looks as though I must attack com.android.systemui. Googling seems to indicate that without it the system won't boot completely. I guess systemui is System User Interface, so there will probably be no touchscreen. If this is the case, do you think that adb will still work? I was thinking of trying a "pm disable", hoping that if this is catastrophic I shall be able to recover with a "pm enable". Also, will a "pm install -k --user 0" (or "pm install --user 0") undo a "pm uninstall -k --user 0"?
mbam_mtbr Posted October 30, 2018 ID:1278272
Hi @cjvmoore, To start, com.conterx.umora and other variants similar to it will be detected as Android/Trojan.HiddenAds.RL in future database versions. As far as com.android.systemui, I would start with seeing its type/location. There are two types/locations of system apps:
/system/app/
/system/priv-app/
The system apps located in /system/app/, like Adups, are less critical. The system apps found in /system/priv-app/ are apps more critical to the device functioning. I would run "adb shell pm list packages -f" first to see where com.android.systemui resides. I'm pretty sure it will be in /system/priv-app/ though. However, that doesn't mean these can't be uninstalled, but there is an extra risk. I tried testing using pm disable and pm hide with System UI, but didn't have any luck. I also pulled the trigger and uninstalled System UI on my device, which is a legitimate system app on it. I'm not convinced your version is doing everything it claims to be doing, and everything my version actually does. The result was a missing wallpaper and home/back buttons. It still booted up just fine after a restart, so it doesn't appear to have any risk of "bricking". Afterwards, I was able to successfully reinstall using -r:
adb shell pm install -r --user 0 /system/priv-app/SystemUI/SystemUI.apk
Once again, I'll leave the decision up to you. Nathan
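The per-user removal and restore procedure discussed in the two posts above (list packages with their APK paths via "pm list packages -f", remove a package for user 0 with "pm uninstall -k --user 0", put it back with "pm install -r --user 0 <apk>"), gathered into one script as an added example. This is not code from Malwarebytes or from any post in this thread. It never runs adb itself: it takes the text of a package listing and prints the commands, so they can be checked before being pasted into a shell. The listing it works on here is constructed; only the SystemUI path comes from the thread, the APK paths for the Adups and com.peony.mochi packages are assumed.

```shell
#!/bin/sh
# Added example, not code from any post in this thread. Input is the text of
# `adb shell pm list packages -f`, whose lines look like
#   package:<apk path>=<package name>
# The script classifies each package by where its APK lives and generates
# the per-user commands discussed above. SAMPLE_LISTING is constructed for
# offline use: package names are those named in the thread, the Adups and
# com.peony.mochi paths are assumed, the SystemUI path is from the thread.

SAMPLE_LISTING='package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/app/Adups/Adups.apk=com.adups.fota
package:/system/app/AdupsSysoper/AdupsSysoper.apk=com.adups.fota.sysoper
package:/data/app/com.peony.mochi-1/base.apk=com.peony.mochi'

# classify_listing LISTING: prints "<package> <apk path> <tier>" per line.
# Tiers are the two system locations named above, plus /data/app for apps
# installed after the fact (where the reinstalled adware tends to land).
classify_listing() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;          # skip anything that is not a package line
        esac
        entry=${line#package:}
        apk=${entry%=*}             # everything before the last '='
        pkg=${entry##*=}            # everything after the last '='
        case "$apk" in
            /system/priv-app/*) tier=priv-app ;;
            /system/app/*)      tier=system-app ;;
            /data/app/*)        tier=user-app ;;
            *)                  tier=other ;;
        esac
        printf '%s %s %s\n' "$pkg" "$apk" "$tier"
    done
}

# field_of PKG LISTING FIELD: FIELD is 2 (apk path) or 3 (tier); prints
# nothing when PKG is not in the listing.
field_of() {
    classify_listing "$2" | while read -r pkg apk tier; do
        if [ "$pkg" = "$1" ]; then
            if [ "$3" = 2 ]; then printf '%s\n' "$apk"; else printf '%s\n' "$tier"; fi
        fi
    done
}
tier_of() { field_of "$1" "$2" 3; }
apk_of()  { field_of "$1" "$2" 2; }

# removal_command PKG: the per-user removal that worked over an unrooted
# adb shell in this thread (pm disable and pm hide were refused there).
# -k keeps the app's data and cache so the package can be restored later.
removal_command() {
    printf 'adb shell pm uninstall -k --user 0 %s\n' "$1"
}

# restore_command PKG LISTING: undo removal_command. This only works while
# the APK is still on the device, which is why the path is taken from a
# listing captured *before* the removal.
restore_command() {
    apk=$(apk_of "$1" "$2")
    [ -n "$apk" ] || { echo "no APK path known for $1" >&2; return 1; }
    printf 'adb shell pm install -r --user 0 %s\n' "$apk"
}

# plan_removal LISTING PKG...: emit removal commands, but refuse privileged
# apps: removing System UI for user 0 cost the navigation bar and pull-down
# menu in this thread, so those get a commented-out warning instead.
plan_removal() {
    listing=$1; shift
    for p in "$@"; do
        tier=$(tier_of "$p" "$listing")
        case "$tier" in
            priv-app) printf '# refusing %s: privileged app, review by hand\n' "$p" ;;
            "")       printf '# %s is not in the listing\n' "$p" ;;
            *)        removal_command "$p" ;;
        esac
    done
}

# Usage with the constructed listing: three removals and one refusal,
# then the command that would restore System UI.
plan_removal "$SAMPLE_LISTING" com.adups.fota com.adups.fota.sysoper com.peony.mochi com.android.systemui
restore_command com.android.systemui "$SAMPLE_LISTING"
```

On a real device the listing comes from "adb shell pm list packages -f" captured before anything is removed; since "pm uninstall --user 0" leaves the APK on disk, that captured listing is the record of the path that "pm install -r --user 0" later needs. The guard on /system/priv-app/ packages is there because, as reported above, System UI can be removed this way but the phone is barely usable until it is reinstalled.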
Akos Posted October 30, 2018 ID:1278280
@mbam_mtbr: In this case we will be unable to reinstall SystemUI, because I think the "original" /system/priv-app/SystemUI/SystemUI.apk file also contains the bloatware built in. So we will have to flash the ROM again, which already contains the bloatware.
mbam_mtbr Posted October 30, 2018 ID:1278285
@Akos, Are you having similar issues with malware being installed on the device? Nathan
cjvmoore Posted October 30, 2018 Author ID:1278288
SystemUI is indeed in /system/priv-app/. (Initially I thought "priv" was for private, but I guess it must be for privileged.) I bit the bullet and attacked com.android.systemui. I first tried "pm disable" but I got a "Permission Denial". (I suppose this is because my telephone isn't rooted.) So I tried "pm uninstall -k --user 0". I got the repeated message "Unfortunately System UI has stopped." and was unable even to reboot via the telephone, so I rebooted via adb. On rebooting, luckily there were icons on screen, but I lost the top pull-down menu and the bottom pull-up software keys (last apps, home and back, IIRC). I started Malwarebytes: it no longer detected any malware, which is logical, as the principal malware was in System UI. However, it was *very* slow and took 10 minutes to scan. Unfortunately, in this state my telephone was unusable, as I wasn't even able to exit Malwarebytes. So I tried "pm install -r --user 0 /system/priv-app/SystemUI/SystemUI.apk" and rebooted via adb. Luckily my telephone was back to normal. (I say normal, but it still has the System UI malware.) I repeated a Malwarebytes scan and this time it took 1 minute instead of 10. To be continued... @Akos, is your telephone rooted? If so, what procedure did you use?
cjvmoore Posted October 30, 2018 Author ID:1278289
50 minutes ago, Akos said: "@mbam_mtbr: In this case we will be unable to reinstall SystemUI, because I think the "original" /system/priv-app/SystemUI/SystemUI.apk file also contains the bloatware built in. So we will have to flash the ROM again, which already contains the bloatware."
On the 4pda.ru site there is a THL T9 Pro forum topic with a link to what is claimed to be virus-free firmware. I haven't tried it, but it may be worth a try. Unfortunately I can't read Russian and the Google translation is often unintelligible.
Akos Posted October 30, 2018 ID:1278303
@mbam_mtbr: Yes, same issue there. @cjvmoore: I flashed a new ROM on it (from needrom.com), but it didn't help. I don't know the site you mentioned and it seems hard to find the right one.
mbam_mtbr Posted November 22, 2018 ID:1282590
Hey @cjvmoore & @Akos, Any updates on your situations? I've been thinking about solutions to your problem, and trying to see if there is a way to replace com.android.systemui with a clean version. I'll keep you two updated. Nathan
Akos Posted November 22, 2018 ID:1282591
@mbam_mtbr: I tried to search for a new ROM which is maybe "clean", but didn't find any suitable one. I don't have any other ideas.