Persistent Adware on DOOGEE X5 Pro.

[DeathWitch]

I purchased a DOOGEE X5 Pro phone a while back, and while I thought the phone would be good, that wasn't the case at all. But there's a problem that I've been putting off seriously tackling until now: This phone (or the one I got at least) has a major adware problem. 

After a while of some use, the phone would:

• Randomly be redirected to malicious ad content within the default browser.
• Randomly display popup ads that are difficult to take off because they have a timer delay on the close/X button to close the ad, or would even temporarily disable the touch functionality of the phone.
• Persistent notifications labelled "[GameCenter] ...."
• These highly annoying ads appear within minutes of using the phone.

 

And what about resetting the phone? It works for a while, and then goes back to doing the same thing.

At first I thought it was malicious apps causing trouble, so I avoided certain apps and factory resetted it if an app turned out to be malicious. But it would seem that isn't the case as even after installing more major apps like Reddit resulted in the adware suddenly showing up. 

As you can see the first screenshot below, the app that brings up the adware has a chinese name that I can't recognise. In the notification bar, I circled the icon of the '[GameCenter]..." notification. As for the other screenshot, I suspect that it's the adware/malware in question,  but it's installed as a system application so I can't uninstall it.

For now I have Malwarebytes (Premium Trial) and Norton Mobile Security to see if it can be stopped. So far nothing has occurred, but it's only been two days (I'll probably try reinstalling other apps to see if it's triggered).

After reading about the 'xhelper' malware that sounded very similar to what was happening on my phone, I thought it would be worth asking about this in forums to see if I can get some help.

[mbam_mtbr]

Hi @DeathWitch,

Sounds like you may have preinstalled.  If that's the case, we may have a solution.  If you don't mind sending, lets start with an Apps Report.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1.Open the Malwarebytes for Android app.

2.Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwareybtes forum.  This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

From there, we can find out what app could be the issue, and move forward removing via this method:

You can use this method to uninstall for current user (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app.

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 <package name>

Nathan

 

 

[DeathWitch]

Thank you!  Sent the message and app report

[IanH2]

I had exactly the same problem today, I have an x5 max pro (with factory  rom 3.18.19+ doogee info@doogee.cc 20180319), and the  the chinese virus app  as above was present and not removable. the full screen  ads " 'interesting for you' by mgid" could not be closed, and locked even the power button.  So i removed the battery and installed a backup with twrp.  Is  this malware preinstalled, and coming to life on a timer, or does it come via recently installed apps as a sideload?, the only app I installed recently was 'scanner pro' from the play store, I doubt it was responsible.  I have malwarebytes on my phone, and it didnt see it, I also tried avg to no effect.   After installing the backup the chinese character app is gone  - but will it return?.

[mbam_mtbr]

Hi @IanH2,

If you could send me an Apps Report, that would be very helpful.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1.Open the Malwarebytes for Android app.

2.Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwareybtes forum.  This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

You also might try this method for any pre-installed malware:

You can use this method to uninstall for current user (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

Warning: Make sure to read Restoring apps onto the device (without factory reset) in the rare case you need to revert/restore app.

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 <package name>

Nathan

[IanH2]

After restoring from a twrp backup it has happened again today!, this time I noticed some funny business with super su being woken up and fake button presses by an app calling itself mtk factory tools or some such, (which isnt installed), when I look at the supersu log it has no record of the activity, at the moment the only problem is the browser being unusable due to ads, it hasnt got to the stage of locking the screen with ads, yet...   I think this thing is in the factory rom and is on a time delay. Thanks Doogee!. 

Malwarebytes doesnt see a problem.

I have emailed an apps report to malware bytes, and will send twrp backup images, if needed. 

Ian

 

[IanH2]

Backed up the active malware  phone with TWRP (and verified that when I restore the latest (active malwared) backup the nastiness returns).

With malware running rampant both eset and malwarebytes are unable to see a problem,  presumably because the malware got root permissions.

I re-installed an earlier backup with the presumed sleeping, latent malware, malwarebytes gave it a clean bill of health -  initially eset reports the following problems:

android/agent,BOA

android/agent.AZS

android/triada.JA

trojandropper.agent.dzf

android.Hiddad.AEV

Android/Agent.bnh

trojandropper.agent.DKI (multiple times?)

trojandropper.agent.der

android.agent.blb

Oddly enough, when I re-installed the same  backup again with presumed sleeping malware, and ran eset againit saw    .... nothing!.  Should have been the exact same set of issues as it was exactly the same rom/data , but none showed up the second time?.  Very odd.

 

This time round the new chinese app( mentioned in the original post of this thread) in the apps list has not appeared.

Time for a new non-factory rom.

However I can re-install the Doogee malware with it running/latent  with twrp whenever needed.

 

 

 

 

 

[IanH2]

.. and one more note, when using twrp to back up the phone with malware active , it could not back up the first system entity because of corruption.  Did the malware modify it?.  

 

[mbam_mtbr]

Hi @IanH2,

Since you reset your device, it appears Adups is once again active.  You'll need to remove them again: Uninstalling Adups and other preinstalled malware via ADB command line tool

Also, are you seeing the same odd App with Chinese characters in your Apps list?

Nathan

[IanH2]

Hi Nathan,

no,  I didnt spot that app with the chinese character this time,  perhaps I should reinstall the image with the running malware and see if it appears again - perhaps I didnt give it time to install.  I have reflashed the pre malware breakout rom, and run the commands to remove com.adups.fota.sysoper and com.adups.fota as explained .  (they were present), and verified that they have been removed.  ( I also removed mtklogger for good measure, as it is alleged to be another malware*, and I remember mtk something messing with the su root app) Hopefully the phone will be OK now.

The mystery is what the mechanism is for the malware to become active,  I wondered if I could fool it into waking up be installing an image with an old date on the phone, and then letting it wake up and discover months have passed and its time to release the demons. Tried that and it didnt summon them.  Anyway. 

Thanks.    

Ian

*https://www.blackhat.com/docs/us-17/wednesday/us-17-Johnson-All-Your-SMS-&-Contacts-Belong-To-Adups-&-Others.pdf