noticing this on my umx phone as well - scan revealed android/TrojanDropperAgent.UMXrv in settings app, and a second scan found HiddenAds in a "phone" app.  Earlier today I noticed I had 2 phone apps, which seemed odd.  I was checking through installed apps because my browser kept opening up to ads by itself.  So when the scan showed  HiddenAds in one of them (it had an android icon instead of the phone icon), I just remove that app.  I always have trouble with carrierhub - every time I restart my phone I have to force it to stop many times, before it finally sticks - no option to uninstall.  A few weeks ago I was noticing some odd "notifications", which I tracked to "customization", so I disabled that app, and the notifications stopped. 

I think these all started with a wireless update a month ago or so (maybe a little longer).  I usually keep wifi and data turned off, so that slows things down.  As soon as I turn on either, I start getting notifications or browser opening.  Also, never sure if it's just getting opened by accident or not, but I very often find my camera open when I come back to my phone.  I rarely use my camera, so that is odd.  Could just be user error, but it keeps happening, so I'm a little suspicious.

On 12/27/2020 at 12:31 AM, vspin said:

I am not an expert whatsoever, but I noticed my phone (same as LifelineUser above) had a new lock screen with an alien in his spaceship. I started looking on google images, and found a guy that had the same lock screen that shouldn't be there: https://support.google.com/android/thread/57229932?hl=en

I read the replies, and according to an expert he said the problem "is a vulnerability within the MediaTek chip itself that allows root access to the device." Another person offered a link to the exploit: https://www.xda-developers.com/mediatek-su-rootkit-exploit/

The manufacturer of my phone has used a compromised MediaTek chipset in older versions of the same model as my phone. For the life of me I can't find a spec sheet showing what chipset is used in my phone. I'm convinced I'm dealing with the same exploit given the lock screen, unwanted ads, battery getting hot doing stuff it shouldn't, phone vibrating, and making dings all the time. So, what I am saying is that maybe all our phones have one of the listed vulnerable chipsets in the link, and all our phones have all been exploited (root access) by one per or another.

I replaced my UMX phone a few months ago and it's the same model, but a slightly newer version.  I'm looking at the "Device Info" app that I got from Play Store and it says that the CPU hardware is Qualcomm Technologies, Inc:  QM215.  Nothing says Mediatek anywhere.

  • Staff
On 12/24/2020 at 1:49 PM, stvvv said:

The problems I had with the factory installed viruses on my Assurance UMX phone were less extensive than what you have been describing so you may have some other malware on your phone.  A year ago I had Adups that was factory installed in Wireless Update that launched Chrome toward ad websites, six months later UMX cleaned it up with an update and the phone was malware free for a period of time.  Recently there is another, less aggressive version installed in Customizations and all it does is change the Chrome homepage to g21news.com which seems to be negated by adding my own choice of custom homepage in the space provided.

I haven't experienced any other abnormal behaviors or malfunctioning with my Assurance UMX phone.

@stvvv, that's exactly what I'm experiencing on my test UMX.  Thanks for sharing this so I know that I got all the bases covered.

@gadgetboyj, make sure to update the phone to the latest version before disabling Wireless Update.  We know the default version has the dropper malware we saw last year.

Nathan


Trojan.Dropper.Agent.UMXrv on cheap "obamaphones" like Assurance Wireless L51 seems to be back with the latest "wireless updates." It was fine for a few months, but my phone is usually a frozen, unusable mess now. Any time I try to do anything, random Chrome ad windows begin popping up and usually freeze or crash the phone. Disabling Chrome seems to be the only workaround for me right now. Even malwarebytes can't fix the infected settings app which immediately reinstalls all the HiddenAds apps.

On 12/28/2020 at 8:21 AM, mbam_mtbr said:

 

@gadgetboyj, make sure to update the phone to the latest version before disabling Wireless Update.  We know the default version has the dropper malware we saw last year.

Nathan

I just wiped user data partition from recovery, so I'm still on the latest firmware version from October.

 

So far, after having done that factory reset, and disabling Wireless Update, Customizations, and the two preinstalled Facebook apps, the phone has remained malware-free (at least nothing user-facing as of yet). All problems have been alleviated, no more random tabs in Chrome, no more popups, no more apps opening on their own (i.e. YouTube, Amazon, Chrome), no more of the phone entering Do Not Disturb mode on its own, and the phone is very responsive now, and not heating up like crazy.

 

Let's hope it stays this way, but I don't have very high hopes, considering it did take some time after the initial system update before everything started to surface. Worst case if the issue returns, I may just need to keep factory resetting the phone until it can be replaced.


Just a follow up. I contacted my phone company, Assurance Wireless, explained the situation, and they sent me a new phone for $5 shipping. I have not seen any solution to this problem other than junking your phone. I hope that changes before too many people are affected.

13 minutes ago, LifelineUser said:

Just a follow up. I contacted my phone company, Assurance Wireless, explained the situation, and they sent me a new phone for $5 shipping. I have not seen any solution to this problem other than junking your phone. I hope that changes before too many people are affected.

In 2019 when the lifeline phones had Adups malware factory installed I called them a week after I got my phone and told them that it had a factory installed virus.  They didn't say anything about it and tried routine troubleshooting like a factory reset which I told them already didn't work.  So they volunteered to send me a new phone and it had the exact same viruses preinstalled on it.

  • 2 weeks later...

There was a firmware update last week and I tried it thinking that it couldn't make the phone any worse.  After the update malwarebytes no longer flags the settings app, but I did notice an odd blank notification from an app called essqz, which I had never seen before.  It could have been installed already, but if so I never noticed it when going through the apps lists over and over the past few months trying to clear out malware.  It certainly never gave a notification before... a google search didn't turn up any results for it. 

I also seem to be unable to update any apps in the google play store; they get stuck at "pending" and never go forward from there.  Again, only since the firmware update. 

To reiterate, I've had luck avoiding pretty much all of the popups and malware after resetting my phone and keeping wifi completely off, so from that last reset up until now I still hadn't seen anything suspicious.  I'm not sure if anyone else has gotten the update and noticed anything different

Screenshot_20210114-224733.jpg


I had my own experience with that virus. It all started when I bought one of the cheap phones (a bmobile), and I always got a notification from an app called "wifi-settings" that was running in the background. Then one day it simply disappeared and I could use my phone without problems. But it wasn't until a few months ago, when I formatted my phone, that certain apps started showing up, such as one called "xunity", "espacio fantástico", "themeblulight", "settings" (which obviously was not the phone's default app), among many others already mentioned in this forum, not to mention hastopic, which showed up in the browser. Xunity could send messages from my phone to various numbers from the phone's messaging app (they were just something like random letters, but I feel they carried some message). Later, without the apps even being installed, they got into my WhatsApp and sent spam to unknown numbers until WhatsApp banned my account.


The best thing is to get rid of the device, log out of all sessions on all your accounts, and change your passwords from another device, because apparently they have access to everything. Today, many days after getting rid of my phone, someone just got into my Facebook account and posted spam on my profile, so keep an eye on the activity in your accounts; they only use the infected accounts for that, posting spam. Another thing would be to delete, from another device and another Google account, all the activity stored in your infected account so that it doesn't infect other devices, and also not to use that account as your main one, only as a secondary account if it holds data that is important to you. Delete your banking details and keep them well away from that device so you don't get a surprise one of these days, because this virus is very dangerous.

Regards

11 minutes ago, Hammu said:

I had my own experience with that virus. It all started when I bought one of the cheap phones (a bmobile), and I always got a notification from an app called "wifi-settings" that was running in the background. Then one day it simply disappeared and I could use my phone without problems. But it wasn't until a few months ago, when I formatted my phone, that certain apps started showing up, such as one called "xunity", "espacio fantástico", "themeblulight", "settings" (which obviously was not the phone's default app), among many others already mentioned in this forum, not to mention hastopic, which showed up in the browser. Xunity could send messages from my phone to various numbers from the phone's messaging app (they were just something like random letters, but I feel they carried some message). Later, without the apps even being installed, they got into my WhatsApp and sent spam to unknown numbers until WhatsApp banned my account.

I forgot to mention things like my phone switching itself to alarms-only mode, a pack of photos being downloaded to my gallery when the virus installed itself (the photos were wallpaper-type images), and games being installed from the Play Store, such as agentkiller and all the others made by the same "games" developer; they ran in the background and made everything hard to use because the phone would freeze. There was also the app with the interface of the little alien in the spaceship, not to mention apps like alibaba, tiktok and like that got installed on my phone.

Another thing is that some antivirus apps detected the virus in the phone's default settings app and it could not be removed (which in fact has already been mentioned here in the forum).


I'm wondering if anyone else has tried the new "wireless update"?  It is showing up on my phone too, but I have the malware at least manageable right now.  If I update, might fix it, or might introduce new problems?  So I'm waiting to hear back if anyone else has experience.   Another app that was added when I wasn't looking was a new "bluetooth" app.  I realized it wasn't the real one and removed it.

  • Staff
On 1/24/2021 at 2:38 PM, iBeleave said:

I'm wondering if anyone else has tried the new "wireless update"?  It is showing up on my phone too, but I have the malware at least manageable right now.  If I update, might fix it, or might introduce new problems?  So I'm waiting to hear back if anyone else has experience.   Another app that was added when I wasn't looking was a new "bluetooth" app.  I realized it wasn't the real one and removed it.

I updated to newer version on my test UMX, and the Settings app no longer contains Trojan.Dropper capabilities.  I would do the update.

Nathan

  • 3 weeks later...

An app called "alarm" installed and started spamming this fake lock screen on my phone this morning, I'm curious if anyone else has had something similar happen?  If so, getting rid of the alarm app immediately fixed it. It seems like they're just shotgun blasting junk apps onto the phone today all of the sudden

Screenshot_20210216-111958.jpg

On 2/16/2021 at 4:20 PM, NathanYT said:

An app called "alarm" installed and started spamming this fake lock screen on my phone this morning, I'm curious if anyone else has had something similar happen?  If so, getting rid of the alarm app immediately fixed it. It seems like they're just shotgun blasting junk apps onto the phone today all of the sudden

I've had that for a month or two.

I finally decided to clean up all this crapware again and I uninstalled a bunch of apps, but now data doesn't work.  I think Wifi does but I have it disabled so it doesn't come back.  All this time I thought it was a drive by download due to an old Android version, and it was coming back because I missed a malicious app.  Never would have thought the malicious app was built-in until I found this thread.

On 1/27/2021 at 12:00 PM, mbam_mtbr said:

I updated to newer version on my test UMX, and the Settings app no longer contains Trojan.Dropper capabilities.  I would do the update.

Nathan

Thank you.  I did the wireless update a couple of weeks ago, and so far no malware, and no new apps, so this seems good.  I'm able to leave my wireless on now, if I want, without having stuff added.

  • 2 weeks later...
Via Assurance Wireless, I'm having the exact same issue with the exact same cell. 
It appeared after the most recent firmware update. 
They don't seem to mind that the phone is virtually unusable at this point. 
I also have a friend who has the same phone and is having the same issue with Assurance. 
So that's the end of Lifeline...
Edited by AdvancedSetup
corrected font issue

malware is back!  a new "wireless update" notification appeared about a week ago, which I ignored.  Normally I have to actually choose to update, however, even without updating, the "wireless update" app itself now has confirmed malware, which it did not have after the last update in January.  Whenever I am online it installs new apps.  I cannot actually disable wireless update, but I did "force stop", which seems to be holding, at least until I restart my phone.  Guess I'll be looking into how to remove it, but last time I tried to use the Android SDK it was very confusing and difficult to figure out, so not really looking forward to that.  What a bother!

  • Staff

Hi @miamaelia & @iBeleave,

First step is sending an Apps Report so we can see what has been installed on your mobile device.

To send an Apps Report with Malwarebytes for Android use the following instructions.

  1. Open the Malwarebytes for Android app.
  2. Tap the Menu icon.
  3. Tap Your apps.
  4. Tap the three lines icon in the upper right corner.
  5. Tap Send to support.

Choose an email app to send Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum.  This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Next step, in order to build a case against UMX, we need to track down exactly what is installing apps.  We can do this by using My Google Activity.  Google tracks activity on your mobile device that we can leverage in our favor.  On your UMX, go here: https://myactivity.google.com/  You can see if an app is installed, and what installed it.

Finally, I suggest a firewall that can block/track apps internet traffic.  I personally use NoRoot Firewall: https://play.google.com/store/apps/details?id=app.greyshirts.firewall&hl=en

With the firewall on you can see what apps are accessing the internet and block them.  Warning though, NoRoot Firewall is very chatty!  Therefore, you are going to need to allow a lot of things, especially when first using.

Nathan

PS Sorry @iBeleave that adb process is so complex.  Trust me, I would love to see a simpler method, but it's all we have for now.

Edited by AdvancedSetup
corrected font issue
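
An added example, not part of the post above and not Malwarebytes code: one way to answer "what is installing apps" from a computer is to diff two snapshots of `adb shell pm list packages -i`, which lists each package with the package that installed it. The package names and sample snapshots below are constructed, and the function names are illustrative.

```python
"""Diff two `pm list packages -i` snapshots to see which apps appeared and
which package installed them. All package names below are constructed."""

# Capture a snapshot from a computer with adb and USB debugging enabled:
#   adb shell pm list packages -i > snapshot.txt
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

# Constructed sample output (hypothetical package names, not from the thread).
BEFORE = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.settings  installer=null
package:com.example.wirelessupdate  installer=null
"""
AFTER = BEFORE + """\
package:com.example.alarm  installer=com.example.wirelessupdate
package:com.example.bluetooth2  installer=com.example.wirelessupdate
package:org.example.notes  installer=com.android.vending
"""


def parse_snapshot(text):
    """Return {package: installer or None} from `pm list packages -i` output."""
    apps = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("package:"):
            continue  # skip blank lines and adb warnings
        package = fields[0][len("package:"):]
        installer = None  # preinstalled and sideloaded apps report "null"
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value in ("", "null") else value
        apps[package] = installer
    return apps


def new_installs(before, after):
    """Group packages present only in `after` by the package that installed them."""
    by_installer = {}
    for package, installer in sorted(after.items()):
        if package not in before:
            by_installer.setdefault(installer, []).append(package)
    return by_installer


def untrusted_installs(by_installer, trusted=TRUSTED_INSTALLERS):
    """Keep only new packages that did not come from a trusted store."""
    return {i: pkgs for i, pkgs in by_installer.items() if i not in trusted}


if __name__ == "__main__":
    added = new_installs(parse_snapshot(BEFORE), parse_snapshot(AFTER))
    for installer, packages in untrusted_installs(added).items():
        print(f"installed by {installer or 'unknown (null)'}: {', '.join(packages)}")
```

Take one snapshot right after a reset or update and another after the phone has been online for a while; a preinstalled package showing up as the installer of new apps is the evidence worth attaching to a support ticket.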
On 2/16/2021 at 1:20 PM, NathanYT said:

An app called "alarm" installed and started spamming this fake lock screen on my phone this morning, I'm curious if anyone else has had something similar happen?  If so, getting rid of the alarm app immediately fixed it. It seems like they're just shotgun blasting junk apps onto the phone today all of the sudden

Screenshot_20210216-111958.jpg

That's the exact fake lock screen I have. You'll find the same image in the link I provided in my earlier reply. Malwarebytes found 3 issues, 2 of which were infected system files, and I couldn't do anything about it. Today, assurance wireless had me do a factory reset, and luckily for me the phone kept restarting after the reset, and so she decided it was best to send me a better phone ($5.30 to ship to me) with all the restarts, given that I had the phone for a year. I hope the new phone doesn't have any issues. I wish everyone the best.

  • 5 weeks later...

I recently updated from the previously mentioned umx phone to an updated U693CL and I am getting a pop-up in Chrome, it always opens a new tab for g21news.com after a set random time. Malwarebytes doesn't detect anything and I suspect it's changed or the app is hidden behind admin commands. Also there is a modified home screen that will not allow me to remove Google search bar on the home screen. If Assurance Wireless was looking into it they ain't doing crap about it as they probably know and are getting paid by the manufacturer.
