
Malware in system partition?


  • Phone carrier: E-Plus (Alditalk)
  • Phone brand and model (i.e. Samsung Galaxy S8+): Siemens GS270
  • Which Android operating system you are running: 8.1.0, ScUpD: 05 Okt 2019, kernel 3.18.79+ (gcc version 6.3.1.20170109), update run today
  • If your phone is rooted: I don't know
  • If you are running any other security software: No


It seems I caught malware that Malwarebytes cannot find. What does it do, and why do I think I have it, even if Malwarebytes says "you are clean"?

It started with a hijacking of my WhatsApp. I noticed because I was blocked for spamming. After re-verifying my number I saw that several people from Singapore, whom I don't know, had replied to a message I did not send.

Also, every 3 to 4 hours my browsers (first BBQ, now Firefox) were hijacked: new tabs are automatically opened and lead me to game websites.

Also, my "SMS receive" function was deactivated. This may have been the reason why WhatsApp at first did not accept my phone number for verification.

I ran 3 different free antivirus programs, which were all uninstalled afterwards. All of them found malware and removed it. However, every 3 to 4 hours the malware is installed and found again. 2 of these programs told me that a piece of software called "Update" (with a version number) was found inside my system partition that cannot be removed. They recommended deactivating it with the Android system function, which I tried. However, it cannot be deactivated; the button was grey. Later I found a way inside Malwarebytes to deactivate it. I also removed some games and some Chinese software that I cannot remember having installed and that I found suspicious. The situation did not change: still, after a few hours my browser pops up and shows websites for curious games. Of course I never click there and close the tab asap.

Also, Malwarebytes keeps finding apps like xiaoan, gem, Tayase, and it shows for example an app com.yhn4621.ujm0317 that I find suspicious but cannot find to remove (neither in my settings nor in Malwarebytes).

I cleared the cache of the browser, with no success in getting rid of this.

I cleaned my data storage.

Of course I could install some Firefox add-on to block these websites; however, my system is already very slow and I am afraid that this would slow down my system even more.

Maybe I should remove this "Update" software (it has a white cloud on a blue background as its icon) with Malwarebytes? Does anyone know it?

In other reports I read that I will have to change the libc.so file. However, I don't know how, and I don't know if this advice is valid for my system.


Hi @Mark-Herzog,

If you can send an Apps Report, I can check to see what's going on here.

To send an Apps Report with Malwarebytes for Android use the following instructions.

  1. Open the Malwarebytes for Android app.
  2. Tap the Menu icon.
  3. Tap Your apps.
  4. Tap the three lines icon in the upper right corner.
  5. Tap Send to support.

Choose an email app to send the Apps Report.

Your email app will open with the Apps Report included.

At this point, it would be very helpful to mention you are submitting via recommendation from the Malwarebytes forum. This allows our support staff to know where to direct it.

By sending the Apps Report, you will create a ticket in our support system.

Private Message (PM) me the email used and/or the ticket number assigned.

Next, even though I know you already cleared the browser's cache, make sure you clear both history and cache in the browser.

In addition, clear the Storage & Cache within the browser's App Info:

  1. Go to Settings > App Info
  2. Go to your browser app icon in App info list (such as Chrome) and click on it
  3. Once in your browser’s App info, go to Storage & cache
    1. Click Clear Storage
    2. Click Clear cache

Nathan


Hello, my telephone is infected by the same.

My phone is a Siemens GS160.

I have blocked and blocked, my phone was reset to factory, but this comes back. What must I do?

I have 2 identical phones, both infected. WhatsApp is blocked....

I don't know what I must do...

I also have a Siemens GS270, but this one is not infected.

Is it like it comes with a Google account?

 

The first 2 telephones share the same Google account.

The 3rd telephone does not, and this one has no problem and is not infected.

Can you help me?



Also, Malwarebytes was now able to detect some malware in the "Update" app. As before, I manually deactivated this app in Malwarebytes and decided to choose "forcibly stop app". However, as soon as the phone is booted, because for example the battery was empty, this "Update" app is started again. Because Malwarebytes also automatically starts scanning after a restart of the phone, it directly finds again one of the malware apps that had already been deleted. So it is obvious that this "Update" app is downloading them again and again. Therefore I think clearing Storage & Cache again will not help. I very much want to avoid this too, because it also means that I have to renew all credentials on all portals I am using, and this takes a very long time because the phone is so slow. What I need is a tool to replace this "Update" app with what it was before.


Hi @Mark-Herzog & @HendrikusE,

On some devices, the Update app causes malware apps known as HiddenAds to be auto-installed. Because Update is a pre-installed app, you cannot remove it using traditional methods.

However, we can use the method below to uninstall Update (com.redstone.ota.ui) for the current user (details in link below):

 

Use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining HiddenAds malware apps.

To periodically check for system updates, you will need to reinstall Update. You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

Let me know if this method works or not.

Nathan
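A small helper script around the two adb commands above, added here as an example and not part of Nathan's post or of Malwarebytes' tooling. It checks whether com.redstone.ota.ui is still installed for user 0, removes it with the same `pm uninstall -k --user 0` command, re-checks the package list instead of trusting the "Success" line, and confirms the stock APK path from the reinstall command still exists. It assumes adb is installed, USB debugging is enabled and exactly one device is attached; the sample package list at the bottom is constructed for an offline dry run.

```shell
#!/bin/sh
# Added example (not from the forum thread): wrapper around the adb commands
# in Nathan's post. Removes the Redstone "Update" app for user 0, verifies the
# removal, and checks the stock APK is still on the system partition.
# Assumes adb is installed, USB debugging is on and one device is attached.
set -eu
PKG="com.redstone.ota.ui"
STOCK_APK="/system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk"

# pkg_listed LIST PKG: succeed if LIST (output of `pm list packages`) names PKG.
pkg_listed() {
    printf '%s\n' "$1" | grep -qxF "package:$2"
}

# user0_packages: package list as seen by user 0 (the copy we remove).
user0_packages() {
    adb shell pm list packages --user 0 | tr -d '\r'
}

# remove_update: uninstall for user 0 only. -k keeps data, and the copy on the
# system partition stays, which is why the reinstall command later works.
remove_update() {
    if ! pkg_listed "$(user0_packages)" "$PKG"; then
        echo "$PKG is not installed for user 0; nothing to do"
        return 0
    fi
    adb shell pm uninstall -k --user 0 "$PKG"
    # Re-check rather than trusting the "Success" line.
    if pkg_listed "$(user0_packages)" "$PKG"; then
        echo "ERROR: $PKG still listed for user 0" >&2
        return 1
    fi
    echo "$PKG removed for user 0"
    if adb shell "test -f $STOCK_APK"; then
        echo "stock APK present at $STOCK_APK (reinstall with pm install -r --user 0)"
    else
        echo "WARNING: $STOCK_APK not found; the reinstall path differs on this ROM" >&2
    fi
}

# Constructed sample output of `pm list packages --user 0` for the offline check.
SAMPLE_LIST="package:com.android.chrome
package:com.redstone.ota.ui
package:org.mozilla.firefox"

# Only touch a device when invoked with --run; otherwise run the offline check.
if [ "${1:-}" = "--run" ]; then
    remove_update
else
    pkg_listed "$SAMPLE_LIST" "$PKG" && echo "sample list contains $PKG"
fi
```

Run it as `sh remove_update.sh --run` with the phone attached; without `--run` it only exercises the check against the constructed sample list.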


14 hours ago, mbam_mtbr said:

Hi @Mark-Herzog & @HendrikusE,

On some devices, the Update app causes malware apps known as HiddenAds to be auto-installed. Because Update is a pre-installed app, you cannot remove it using traditional methods.

However, we can use the method below to uninstall Update (com.redstone.ota.ui) for the current user (details in link below):

 

Use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining HiddenAds malware apps.

To periodically check for system updates, you will need to reinstall Update. You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

Let me know if this method works or not.

Nathan

This seems VERY complicated. I found this: https://www.borncity.com/blog/2021/04/04/neues-zum-gigaset-android-smartphone-malware-befall/ Please check if, after reading it (German), you still stick to this advice...


Hi @Mark-Herzog,

For the specific variant Android/PUP.Riskware.Autoins.Redstone, you will need to run this command:

adb shell pm uninstall -k --user 0 com.redstone.ota.ui

It is slightly different from the command listed in step 7 under Uninstalling Adups via ADB command line in the tutorial I linked, since it's a slightly different variant of Auto Installer.

I apologize that this is a complicated method. Unfortunately, it's the best we have at the time.

And yes, it appears it is the same malware as found in the article you linked.

Nathan


20 hours ago, mbam_mtbr said:

Hi @Mark-Herzog & @HendrikusE,

On some devices, the Update app causes malware apps known as HiddenAds to be auto-installed. Because Update is a pre-installed app, you cannot remove it using traditional methods.

However, we can use the method below to uninstall Update (com.redstone.ota.ui) for the current user (details in link below):

 

I cannot install this tool on my Ubuntu. I need a simpler solution. Siemens says they are aware of the problem and will soon deliver a new update. Will this help?
