
Recommended Posts

I have a THL T9 Pro Android telephone.
One of the following malware apps keeps getting reinstalled automatically:
Devices, Coordinator, Moosteel, Quotecite, com.android.security, HotKnotBean
The name changes but all have the symptoms that they lock themselves in the foreground on screen and consume a lot of data.
I think the origin of the problem is in the stock system ROM.

Malwarebytes detects a problem (PUP.Riskware.Autoins.Fota.INS) but does not eradicate it.
Your "real time protection" does not prevent the malware apps being reinstalled.

Malware support ticket 2439765 was opened and it was requested that I post in this forum.
Any suggestions you have would be most helpful.


Hello,

A step you can do, or read this.

I hope that helps you.

Good Luck!

MAM


Hi @cjvmoore,

As far as PUP.Riskware.Autoins.Fota.INS, @MAM is correct that the method to remove it is via the provided link.

In regards to reinstalled apps, if you could send me an apps report, that would be very helpful!

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap the three lines icon in the upper right corner.

5. Tap Send to support.

Choose an email app to send the Apps Report.

Your email app will open with the Apps Report included. Send the Apps Report to create a ticket.

PM me the email used and/or the ticket number assigned.

Nathan

Edited by mbam_mtbr


Thank you very much for your help.

I successfully uninstalled com.adups.fota and com.adups.fota.sysoper using the procedure described above.

However Malwarebytes still detects a problem (PUP.Riskware.Autoins.Fota.INS) apparently while analysing com.android.systemui.
Is it safe to uninstall com.android.systemui or will I brick my telephone?

In the meantime I shall wait and see whether my problem has been solved.

Just to underline that this is exactly the same problem as in my original post.
(Sorry, I haven't found out how to edit my post.)

Unfortunately Coordinator was installed overnight :(
It seems to be in the com.peony.mochi package.
I have sent the Apps Report you requested and I received the ticket 2457510.
If you wish I could also send a screenshot and even possibly the apk.

So uninstalling com.adups.fota and com.adups.fota.sysoper is not sufficient.
Is it safe to uninstall com.android.systemui or will I brick my telephone?

1 hour ago, Akos said:

I got the same infected app: com.android.systemui, named System UI. I also tried to reinstall with a custom ROM from https://www.needrom.com/, but this new ROM contains this infection too.

The download on the THL website has the same version as that on my telephone.

So I guess it also has the malware :(

3 hours ago, cjvmoore said:

Unfortunately Coordinator was installed overnight :(

Actually there does seem to be an improvement:
Coordinator was installed but seems to be dormant.
It no longer locks itself full screen in the foreground and hasn't yet consumed any data :)

Malwarebytes detects it as malware (Android/Trojan.HiddenAds.Moo).
In that case shouldn't Malwarebytes have prevented its installation?


Thank you for your PM.

The situation is much better after uninstalling com.adups.fota and com.adups.fota.sysoper :)
I watched Coordinator for a while and it did start using a small quantity of data :(
So I uninstalled it yesterday.
Since then no new malware has been installed :)

I shall avoid messing with com.android.systemui unless the situation deteriorates.

I notice that "pm uninstall -k --user 0" doesn't actually uninstall the package but just seems to disable its use, I suppose by user 0 (I guess 0 is system or root).
There is also a "pm disable" command.
What is the difference?
(Sorry, I am not very familiar with the Android SDK.)

Thank you very much for your help.


Hi @cjvmoore,

Great question!  We used to use pm hide originally, which is similar to pm disable.  The difference is pm hide doesn't allow the app to be loaded into memory again, thus re-enabling.

However, many users were getting this error with the command pm hide:

Error: java.lang.SecurityException: Neither user 2000 nor current process has android.permission.MANAGE_USERS

It was brought to my attention there was another method:

https://www.xda-developers.com/uninstall-carrier-oem-bloatware-without-root-access/

I first attempted using adb shell pm hide -k --user 0, but that produced the same error.

Instead, by using adb shell pm uninstall -k --user 0, I was able to successfully remove apps from the app information list on a BLU Studio XL.  As noted in the article, --user 0 is the current user.  So technically yes, it's only uninstalling for the current user, and not all the users.  Thus, it still resides on the device.  I found the APKs on my test device using Android Device Monitor, another tool provided by Android Studio, via its File Explorer.   Interesting that it only shows up as just disabled on your device instead.

Nathan

9 minutes ago, mbam_mtbr said:

Interesting that it only shows up as just disabled on your device instead.

Actually they show up as "Not installed for this user". (Translated from French.)

Thank you for your detailed explanation.


Bad news:
TelephonyDev (com.conterx.umora) was automatically installed today.
It locks itself full screen in the foreground :(
So I am back to square one :(
Also, unlike Coordinator, it isn't detected as malware by Malwarebytes :(
I have sent an Apps Report and I received the ticket 2458794.

So it looks as though I must attack com.android.systemui :(
Googling seems to indicate that without it the system won't boot completely.
I guess systemui is System User Interface so there will probably be no touchscreen.
If this is the case do you think that adb will still work?

I was thinking of trying a "pm disable", hoping that if this is catastrophic I shall be able to recover with a "pm enable".
Also will a "pm install -k --user 0" (or "pm install --user 0") undo a "pm uninstall -k --user 0"?

Hi @cjvmoore,

To start, com.conterx.umora and other variants similar to it will be detected as Android/Trojan.HiddenAds.RL in future database versions.

As far as com.android.systemui, I would start with seeing its type/location. There are two types/locations of system apps:

/system/app/
/system/priv-app/

The system apps located in /system/app/, like Adups, are less critical.  The system apps found in /system/priv-app/ are apps more critical to the device functioning.  I would run adb shell pm list packages -f first to see where com.android.systemui resides.  I'm pretty sure it will be in /system/priv-app/ though.  However, that doesn't mean these can't be uninstalled, but there is an extra risk.

I tried testing using pm disable and pm hide with System UI, but didn't have any luck. I also pulled the trigger and uninstalled System UI on my device, which is a legitimate system app on it. I'm not convinced your version is doing everything it claims to be doing, and everything my version actually does. The result was a missing wallpaper and home/back buttons. It still booted up just fine after a restart, so it doesn't appear to have any risk of "bricking".

Afterwards, I was able to successfully reinstall using -r:

adb shell pm install -r --user 0 /system/priv-app/SystemUI/SystemUI.apk

Once again, I'll leave the decision up to you.

Nathan

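As an added illustration of the location check Nathan describes above (example code added here, not from the original post or from Malwarebytes): a small shell helper that parses the "package:<apk path>=<package name>" lines printed by "pm list packages -f", classifies where the APK lives, and summarizes the risk before a "pm uninstall -k --user 0". The listing below is constructed; on a real phone it would come from "adb shell pm list packages -f".

```shell
#!/bin/sh
# Added example: classify a package by where its APK lives, using the
# "package:<apk path>=<package name>" lines that `pm list packages -f` prints.
# Constructed sample listing (not captured from a real device); on a phone
# you would feed in the output of `adb shell pm list packages -f` instead.
SAMPLE_LISTING='package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/app/Fota/Fota.apk=com.adups.fota
package:/data/app/com.peony.mochi-1/base.apk=com.peony.mochi'

# apk_path_for <listing> <package>: print the APK path for a package, nothing if absent
apk_path_for() {
    printf '%s\n' "$1" | sed -n "s/^package:\(.*\)=$2\$/\1/p"
}

# classify_location <apk path>: priv-app (critical system app), system-app
# (less critical system app), user-app (installed under /data), or unknown
classify_location() {
    case "$1" in
        /system/priv-app/*) echo priv-app ;;
        /system/app/*)      echo system-app ;;
        /data/app/*)        echo user-app ;;
        *)                  echo unknown ;;
    esac
}

# advise <listing> <package>: one-line risk summary before deciding on
# `pm uninstall -k --user 0`, which only removes the app for user 0 and
# leaves the APK on /system so it can be put back with `pm install -r --user 0`.
advise() {
    path=$(apk_path_for "$1" "$2")
    [ -n "$path" ] || { echo "$2: not installed"; return 1; }
    kind=$(classify_location "$path")
    case "$kind" in
        priv-app)   echo "$2: $kind at $path; removing for user 0 may break core UI, note the path for pm install -r --user 0" ;;
        system-app) echo "$2: $kind at $path; removing for user 0 is lower risk, APK stays in /system" ;;
        user-app)   echo "$2: $kind at $path; a normal uninstall removes it fully" ;;
        *)          echo "$2: unknown location $path" ;;
    esac
}

# Example run over the constructed listing
advise "$SAMPLE_LISTING" com.android.systemui
advise "$SAMPLE_LISTING" com.adups.fota
```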

@mbam_mtbr : In this case we will be unable to reinstall SystemUI, because I think the "original" /system/priv-app/SystemUI/SystemUI.apk file also contains the bloatware built in. So we will have to flash the ROM again, which already contains the bloatware.


SystemUI is indeed in /system/priv-app/ :(
(Initially I thought "priv" was for private but I guess it must be for privileged.)

I bit the bullet and attacked com.android.systemui.
I first tried "pm disable" but I got a "Permission Denial".
(I suppose this is because my telephone isn't rooted.)
So I tried "pm uninstall -k --user 0".
I got the repeated message "Unfortunately System UI has stopped." and was unable even to reboot via the telephone.
So I rebooted via adb.

On rebooting luckily there were icons on screen but I lost the top pull down menu and the bottom pull up software keys (last apps, home and back IIRC).
I started Malwarebytes: it no longer detected any malware which is logical as the principal malware was in System UI.
However it was *very* slow and took 10 minutes to scan.
Unfortunately in this state my telephone was unusable as I wasn't even able to exit Malwarebytes :(

So I tried "pm install -r --user 0 /system/priv-app/SystemUI/SystemUI.apk" and rebooted via adb.
Luckily my telephone was back to normal.
(I say normal but it still has the System UI malware.)
I repeated a Malwarebytes scan and this time it took 1 minute instead of 10.

To be continued...

@Akos is your telephone rooted?
If so what procedure did you use?
50 minutes ago, Akos said:

@mbam_mtbr : In this case we will be unable to reinstall SystemUI, because I think the "original" /system/priv-app/SystemUI/SystemUI.apk file also contains the bloatware built in. So we will have to flash the ROM again, which already contains the bloatware.

On the 4pda.ru site there is a THL T9 Pro forum topic with a link to what is claimed to be virus-free firmware.

I haven't tried it but it may be worth a try.
Unfortunately I can't read Russian and the Google translation is often unintelligible :(

Hey @cjvmoore & @Akos,

Any updates on your situations? I've been thinking about solutions to your problem, and trying to see if there is a way to replace com.android.systemui with a clean version. I'll keep you two updated.

Nathan
