
I'm having an issue with my UMX android phone with some sort of adware virus I believe. I use Google Chrome as my main browser and for the last few months, when I click on Google Chrome and even when I'm not using Google Chrome it redirects me to weird websites like hastopic.com and weekhot.codeblogbt.com and random apps like ThemeLightBlue or YourTube that hijack my phone screen with some sort of Tarot game. This also makes my phone run really slow. I've cleared all chrome history and data and factory reset my phone 3 times. Each time I factory reset it, it starts doing the same thing ranging from between 3 days to a few hours. After the most recent factory reset it changed my home tab on android to something like gdd news. I've had Malwarebytes installed, it doesn't even detect YourTube as malware and says it's safe even though I didn't install it and it's not listed in the app store. These apps also try and disguise themselves as system apps. As I'm typing this an app on my phone popped up called Jungle Treasure which is actually on the Google Play app store but I did not confirm installation for. 

Link to post

Hi @ScciVcci,

If you could send me an Apps Report, I can look further into this for you.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

Link to post

I'm also having this issue (also on a UMX phone)- Android keeps installing Yourtube even after a factory reset and then I end up with popups to tarot card games.  Malwarebytes scans the app and finds no problems. 

I did have these issues before after initially receiving the phone and I suspected the malware was embedded in the firmware itself, but a firmware update seemed to remove the malware and fix the issue (I've gone months without the problem).  There was a firmware update relatively recently, I can't think of any other reason for it to suddenly start up again. 

Link to post

  • 3 weeks later...

My phone also became an unusable brick after a week or so, it constantly locked up and failed to respond. 

The solution I've found for now is to do a factory reset, then keep wifi and data off as much as possible and avoid updating anything just in case.  No malware has become active yet and I can use the phone for SMS messages and calls at least.  It seems like it's the wifi in particular that is important to keep off, I've left data on for a few hours at a time for things like my driving app and nothing bad has happened yet. 

Link to post

Hi @Chipperbad,

If you could send me an Apps Report as well (instructions in my post above) that would be super helpful!  It sounds like UMX and the Settings app is at it again: https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/

I have been looking into this for awhile now, and even have a UMX test phone.  Unfortunately, I haven't been able to reproduce what everyone is seeing myself.  However, if I have enough proof that the Settings app is indeed causing issues again, I'll go ahead and add a detection.

Nathan

Link to post

Same exact issue as everyone else, since September/October 2020. Factory resets, system updates, nor security patches helped me.

My solution. AVG detects it and disabling Google Play Store keeps it off. Every time I enable GPS, [they] come back.

Assurance phone, the rest is in the screenshot. Best of luck.

[screenshot]

Link to post

Hi @mbam_mtbr

I have been experiencing the same issues as the others, also using a UMX phone. Had the device for appr. 2 yrs., no issues. This started about a month or 2 ago. Beginning with the device running super slow, then strange little characters running across any screen I was on. Really weird. Finally I decided to try Malwarebytes; I wasn't aware there was a version for Android, but have used the software on Windows PCs for years. Found the same as mentioned above, the tarot card thing, some other game site, YourTube kept installing itself (after being uninstalled); now it's either the 'connect app' (all lower case) or most often, 'Android/Trojan.HiddenAds.OBJS'.

Very troubling indeed, particularly when I'm away from home and / or need to use my GPS app. All I get is a frozen phone, restart (sometimes after having to remove the battery to power off!) and MBytes finds & deletes the shenanigans, only to have it reinstall & the device is frozen again, etc. etc. etc. Thanks a bunch, Assurance Wireless! A**holes! Here's hoping you can help eliminate this mess! Thanks for your time.

Link to post

Seeing exactly the same thing here. Started with 80+ tabs open, pointing to various ad websites, can’t remember what most of them were, then hastopic.com opening every time I launched Chrome.

 

Saw a bunch of apps get installed (not all at the same time, some reoccurred, some did not):

  • YourTube
  • sinc
  • signa
  • connect tool (com.blufish.work.took)
  • Music Media (com.android.views.widgets)
  • Agent Killer (com.loi.agentkiller)

Saw the Tarot popup one time. Noticed that last app I saw installed (Agent Killer) seemed to be a game (which I never installed, nor opened) but it says it was open in the foreground for 1.5 hours. They must be infecting phones with this app to fake download/usage time stats.

Here are some screenshots: [4 screenshots]

Link to post

Hi @fkali25, @GeekyRedhead, & @gadgetboyj,

Thank you for chiming in! Hopefully with all your help we can pinpoint what exactly is going on, and get this resolved. First of all, could all of you send me a screenshot of the current Wireless Update system version? This is how you get there:

Settings > System > About Phone > System Update > System Update

The screen will look something like this: 

[screenshot]

 

In some cases, it's Wireless Update itself that causes the auto installs. Because it's a pre-installed app, you cannot remove it using traditional methods.

However, we can use the method below to uninstall Wireless Update (com.dtinfo.tools) for current user (details in link below):

https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/

Use this/these command(s) during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.dtinfo.tools

At this point, after removing the installed HiddenAds malware again, check to see if this stops it from re-installing. If it's still happening, then the culprit may be the Settings app like it was last time. In which case, we are dependent on UMX to fix again. (once again see https://blog.malwarebytes.com/android/2020/01/united-states-government-funded-phones-come-pre-installed-with-unremovable-malware/)

At some point in the future (like when/if UMX fixes this), you will need to reinstall Wireless Update to perform a system update. You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/SystemFota/SystemFota.apk

Lastly, if all of you could send an Apps Report, that would be very helpful.

To send an Apps Report with Malwarebytes for Android use the following instructions.

1. Open the Malwarebytes for Android app.

2. Tap the Menu icon.

3. Tap Your apps.

4. Tap three lines icon in upper right corner.

5. Tap Send to support

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Nathan

Link to post

On 12/3/2020 at 7:55 AM, mbam_mtbr said:

Thank you Nathan, I will definitely be getting back to you with this information tonight. It has now come to my attention that one of the applications is placing the phone on Do Not Disturb and turning the volume all the way down, so that it can open up YouTube videos, presumably to farm views, some of the videos in question are pictured below. Unbelievable that they are so brazen, putting the phone into do not disturb causing missed calls, texts, and other notifications, and then using people’s Google accounts to put views on videos.  
 

[3 screenshots]

Link to post

I just started having the same issue.

Phone brand: Assurance Wireless

Hardware: AN03-V1.0

Phone: L51

Android 8.1.0

getting android/TrojanDropperAgent.UMXrv on my settings app.

phone keeps opening Play Store and downloading apps without my permission

changes wallpaper

turns on do not disturb

opens chrome @ hastopic

Link to post

On 11/20/2020 at 1:53 PM, Chipperbad said:

I am having the exact same problem with the exact same phone through Assurance Wireless. Came after the last firmware update. Phone is basically unusable at this point, and they could care less. I also have a friend with same phone through Assurance, exact same problem. So much for Lifeline...

***UPDATE*** Assurance Wireless has agreed to replace both phones free of charge even though neither had met their year required maturity date for free replacement. (After some detailed explanation. I think they know more than they admit)

Link to post

Hey Everyone,

Anyone have luck with uninstalling Wireless Update (com.dtinfo.tools)? Did it stop HiddenAds from installing?  We went ahead and added detection Android/TrojanDropperAgent.UMXrv which is the Settings app per everyone's request (99% sure this is what is dropping HiddenAds).  Since you can't remove the Settings app due to it being needed for the phone to function, there isn't much we can do other than flag it so people are aware.  It's up to UMX to resolve as they did last time.

However, here are some things you can do if you are not getting HiddenAds installed to make the UMX more tolerable.

An annoyance on UMX phones is the default browser's (Chrome) default homepage. The default homepage is usually g22news.com, g21news.com, or another annoying URL. The culprit causing this to be set as the default homepage is Customizations. Customizations is also responsible for occasionally putting ads in notifications. You can disable Customizations in Apps info. Make sure to have Show system selected in App info (click the three dots in upper right to find).

If for some reason you choose not to disable Customizations but don't want g21news.com to be the default homepage, here's how to change the homepage on Chrome:

  • Settings > Homepage
  • Change the Open this page to Chrome's homepage or change the g21news.com link to whatever URL you like


Next up is Online Plus.  It is responsible for the news pop up on the lock screen. Once again, you can just disable in App info.


Unfortunately, this still isn't a fix if you are experiencing apps being installed on your device, but hopefully this makes the UMX experience more tolerable for everyone.

Nathan

Edited by mbam_mtbr
Link to post

I uninstalled Wireless Update last year during the first round of Adups and it did work, but my phone operating system and apps never updated after that.  It was fine since I only used my phone for basic services.  When I read that UMX removed the PUPS, I reset my phone and it was fine.  Thank you for your work on that! 

It looks like they are back at it though.  A week or so ago I replaced the g21news in the homepage section and haven't noticed any abnormal behavior.

Link to post

Temporary work-around to at least make the phone usable, I've disabled Chrome (no longer launches hastopic websites). Also any other apps I've either uninstalled or disabled if they are system apps. ie. YouTube, Online Plus. But phone is still somehow putting itself into "Do Not Disturb". Which is very frustrating.

Link to post

On 12/16/2020 at 6:36 PM, stvvv said:

I uninstalled Wireless Update last year during the first round of Adups and it did work, but my phone operating system and apps never updated after that.  It was fine since I only used my phone for basic services.  When I read that UMX removed the PUPS, I reset my phone and it was fine.  Thank you for your work on that! 

It looks like they are back at it though.  A week or so ago I replaced the g21news in the homepage section and haven't noticed any abnormal behavior.

Great to hear the workarounds are working for you! I would periodically reenable Wireless Update (com.dtinfo.tools) to check for updates. You can re-install using this command:

adb shell pm install -r --user 0 /system/priv-app/SystemFota/SystemFota.apk

Nathan

Link to post

On 12/21/2020 at 8:38 PM, cckid said:

Temporary work-around to at least make the phone usable, I've disabled Chrome (no longer launches hastopic websites). Also any other apps I've either uninstalled or disabled if they are system apps. ie. YouTube, Online Plus. But phone is still somehow putting itself into "Do Not Disturb". Which is very frustrating.

I'm also still having the phone put itself into Do Not Disturb mode on its own, causing missed messages and calls. Makes it borderline unusable as a phone.

 

@mbam_mtbr I uninstalled Wireless Update (com.dtinfo.tools) and I also uninstalled Customizations (com.android.partnerbrowsercustomizations), Facebook App Manager (com.facebook.appmanager), and Facebook App Installer (com.facebook.system). I removed those 3 in addition because I noticed that all of them, despite being disabled, continued to run in the background, no matter how many times I force stopped them.

 

Before I did this, I was completely unable to use the phone unless it was in Airplane Mode. If it was connected to data at all (Wi-Fi or Cellular), it would completely lock up after 3-4 minutes of use, getting slower and slower. Eventually it would just lock up completely (time frozen in the corner, can't even lock the screen, etc.). It would also become very hot during this. Who knows, maybe they're using the things to mine Bitcoin or something.

 

After removing those 4 items with adb, and uninstalling any other apps that were force installed, the phone now appears to be stable and working, no more force installed apps (so far, it's only been a bit over an hour, so I'll have to take another look at it after it sits overnight). The phone also immediately became much cooler, and while occasionally locking up for 30 or so seconds, I seem to recall that it always did that during resource-intensive tasks (i.e. updating apps in Play Store). As mentioned above, I've already seen the phone put itself in Do Not Disturb mode again, so something is probably still messing around with things in the background, but I'll keep an eye on it, and update soon.

 

Here are some more screenshots of Customizations and Facebook App Installer running, despite being disabled, as well as another of the force installed apps which I removed, com.syarila.parstnes:

[3 screenshots]

Link to post
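One way to check what state the packages named in this thread are in after the `pm uninstall -k --user 0` and disable steps, as an added example that is not part of any post and not Malwarebytes' own tooling. The function names, state labels and sample files are assumptions made for illustration; the package names are the ones posted above.

```shell
#!/bin/sh
# Added example: classify packages named in the thread from saved
# `pm list packages` output. Capture the three inputs on a device with:
#   adb shell pm list packages -u --user 0 > all.txt        # includes packages uninstalled for the user
#   adb shell pm list packages --user 0    > installed.txt
#   adb shell pm list packages -d --user 0 > disabled.txt

# Package names exactly as posted in the thread.
WATCHLIST="com.dtinfo.tools
com.android.partnerbrowsercustomizations
com.facebook.appmanager
com.facebook.system
com.blufish.work.took
com.android.views.widgets
com.loi.agentkiller
com.syarila.parstnes"

# has_pkg FILE PKG: true if FILE holds the exact line "package:PKG".
# adb output can carry CR line endings, so strip them before matching.
has_pkg() {
    tr -d '\r' < "$1" | grep -Fxq "package:$2"
}

# pkg_state PKG ALL INSTALLED DISABLED prints one of:
#   absent            not on the device at all
#   removed-for-user  still in the system image, uninstalled for user 0
#   disabled          installed for user 0 but disabled
#   enabled           installed and enabled
pkg_state() {
    if ! has_pkg "$2" "$1"; then echo absent
    elif ! has_pkg "$3" "$1"; then echo removed-for-user
    elif has_pkg "$4" "$1"; then echo disabled
    else echo enabled
    fi
}

# audit ALL INSTALLED DISABLED: one "state<TAB>package" line per watchlist entry.
audit() {
    for pkg in $WATCHLIST; do
        printf '%s\t%s\n' "$(pkg_state "$pkg" "$1" "$2" "$3")" "$pkg"
    done
}

# Constructed sample data (not taken from a real device), written with CRLF
# endings to exercise the stripping in has_pkg.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
printf 'package:%s\r\n' com.android.settings com.android.chrome com.dtinfo.tools \
    com.android.partnerbrowsercustomizations com.facebook.appmanager \
    com.facebook.system com.blufish.work.took > "$SAMPLE/all.txt"
printf 'package:%s\r\n' com.android.settings com.android.chrome \
    com.android.partnerbrowsercustomizations com.facebook.appmanager \
    com.facebook.system com.blufish.work.took > "$SAMPLE/installed.txt"
printf 'package:%s\r\n' com.android.partnerbrowsercustomizations \
    com.facebook.system > "$SAMPLE/disabled.txt"

audit "$SAMPLE/all.txt" "$SAMPLE/installed.txt" "$SAMPLE/disabled.txt"
```

Re-running the capture after a reboot or after Wi-Fi has been on shows whether a package moved back from `removed-for-user` or `absent` to `enabled`, which is the reinstall behaviour posters describe.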

A quick update:

 

Woke up this morning to a phone call, but was unable to answer it, as the screen was off the entire time. Phone was frozen for a good 2-3 minutes, and then when I finally got it unlocked, Chrome was open with 3 Hastopic tabs open.

 

Haven’t had any force installations, but clearly something still going on in the background. Going to have to trash this phone soon if we don’t get a fix from Assurance/UMX. Turned off email sync because if they’re already abusing what they are, I’m worried they’d use their access to the phone for other nefarious purposes.

Link to post

After a reboot because it locked up again, Do Not Disturb mode was back on, and ‘connect tool’ was once again force installed. Might try to give Assurance a call after the holidays and see if they’ll send me something that’s not made by UMX, though I’ve been holding out because of the impending switch to T-Mobile. I’d rather they send me something that’ll work well on T-Mobile’s 4G.

Link to post

The problems I had with the factory installed viruses on my Assurance UMX phone were less extensive than what you have been describing so you may have some other malware on your phone. A year ago I had Adups that was factory installed in Wireless Update that launched Chrome toward ad websites, six months later UMX cleaned it up with an update and the phone was malware free for a period of time. Recently there is another, less aggressive version installed in Customizations and all it does is change the Chrome homepage to g21news.com which seems to be negated by adding my own choice of custom homepage in the space provided.

I haven't experienced any other abnormal behaviors or malfunctioning with my Assurance, UMX phone.

Link to post

2 minutes ago, stvvv said:

The problems I had with the factory installed viruses on my Assurance UMX phone were less extensive than what you have been describing so you may have some other malware on your phone. A year ago I had Adups that was factory installed in Wireless Update that launched Chrome toward ad websites, six months later UMX cleaned it up with an update and the phone was malware free for a period of time. Recently there is another, less aggressive version installed in Customizations and all it does is change the Chrome homepage to g21news.com which seems to be negated by adding my own choice of custom homepage in the space provided.

I haven't experienced any other abnormal behaviors or malfunctioning with my Assurance, UMX phone.

I also got the g21news.com homepage set initially and fixed that by resetting data for Chrome. If there is another malware, it was installed by one of the malwares bundled with the phone, as the only other apps I have installed are few, and are installed on other devices without issue. They are also all trustworthy apps, from the Play Store (Zoiper, NetMonitor, etc.). The issue also started after installing the latest system software update from UMX, no other changes.

 

I’ve tried a couple more things to see if it makes a difference:

1. Uninstalled the Settings app (I know, not advisable, but want to verify the culprit), I’ve since reinstalled it to try something else first:

2. I noticed that I’ve been seeing the Sprint “Carrier Hub” app on the notification bar saying processing requests and I don’t recall ever seeing that in the past, prior to this latest system update, so I’ve uninstalled that and will keep an eye on things. It still also seems that the Wi-Fi activity on the phone never seems to stop (though it seems to have slowed significantly, the indicator is no longer solid on), so I’ve installed Glasswire to see if I can identify what’s communicating, though if it’s a hidden system app, I have doubts of it showing up there.

 

Will update after another day or two.

Link to post

Back again,

I let the phone sit for most of today while with family, and came back to find:

1. I must have removed the Settings app again after removing Carrier Hub, as it was not installed

2. Despite the Settings app being uninstalled, still saw the phone enter Do Not Disturb, and it had opened 2 Hastopic tabs in Chrome, opened YouTube, and opened Amazon. I checked my YouTube and Amazon History and didn't find anything, so no idea what it was doing.

 

I then proceeded to accidentally bootloop the phone by accidentally trying to reinstall the wrong package for the Settings app (I know, I likely shouldn't have been messing with that due to the importance of the Settings app, but at this point I'm willing to try anything to get this resolved, and I can always reset, which I now have).

So now I reset the phone, re-installed my apps, updated everything, and once again removed Wireless Update, Customizations, and the two preinstalled Facebook apps. I suppose we'll see if the Factory Reset gets things back in order.

 

Happy holidays everyone!

Link to post

I am not an expert whatsoever, but I noticed my phone (same as LifelineUser above) had a new lock screen with an alien in his spaceship. I started looking on google images, and found a guy that had the same lock screen that shouldn't be there: https://support.google.com/android/thread/57229932?hl=en

I read the replies, and according to an expert he said the problem "is a vulnerability within the MediaTek chip itself that allows root access to the device." Another person offered a link to the exploit: https://www.xda-developers.com/mediatek-su-rootkit-exploit/

The manufacturer of my phone has used a compromised MediaTek chipset in older versions of the same model as my phone. For the life of me I can't find a spec sheet showing what chipset is used in my phone. I'm convinced I'm dealing with the same exploit given the lock screen, unwanted ads, battery getting hot doing stuff it shouldn't, phone vibrating, and making dings all the time. So, what I am saying is that maybe all our phones have one of the listed vulnerable chipsets in the link, and all our phones have all been exploited (root access) by one person or another.

Link to post