Nasty malware that reinstalls after factory reset but not Xhelper, help pls



Hi, maybe you can help me with my malware problem on my Gigaset GS270 plus. So basically I have a malware that installs three separate apps at once. Shortly after that Google Chrome Browser opens a commercial site for gaming apps. If I delete those three apps via settings or with Malwarebytes, they are reinstalled within a few hours. Factory reset brings no relief since the apps are installed again shortly after, similar to Xhelper but not quite. I cannot find any APK files typical for Xhelper (com.mufc) as described in your blog. So I assume it's not XHelper. I hope someone in this forum can help me to find the underlying malware that re-infects my mobile phone and can help me with the steps to get there.

The APKs for the three malware apps mentioned above:

com.wagd.smarter
com.wagd.xiaoan
com.wagd.gem
 
All three of them are detected as Android/Trojan.Downloader.Agent.WAGD by Malwarebytes.
 
I already sent an Apps Report to the support staff, but maybe we can find a quick solution here. The ticket is 3423249. I unfortunately sent it twice (3423156). I hope this is not confusing.
 
Thanks in advance for any help.
 
Moritz
 
 
10 minutes ago, Report12 said:

Probably the malware is on the firmware of the phone; it's pretty common on those kinds of unknown low-end brands.

 

In that case factory reset is useless.

 

Best wishes.

It definitely wasn't delivered with malware, but the firmware is nevertheless infected now. I just hope someone knows a way to identify the infected system apps similar to xHelper.

Just now, moritz said:

It definitely wasn't delivered with malware, but the firmware is nevertheless infected now. I just hope someone knows a way to identify the infected system apps similar to xHelper.

Did you receive a recent firmware update? Anyway, if the firmware has been infected the only way to clean it is flashing the phone and installing a clean ROM.

 

Best wishes.

17 hours ago, Report12 said:

Did you receive a recent firmware update? Anyway, if the firmware has been infected the only way to clean it is flashing the phone and installing a clean ROM.

 

Best wishes.

It seems to be a pretty recent problem and the update servers of the manufacturer are probably hacked. I will try the solution described in this blog tonight.

https://borncity.com/win/2021/04/03/gigaset-gehackt-android-update-server-liefern-wohl-malware-aus/


I've got the same issue on a maisun virgin telly tablet for a day now.

I removed them all last night, and woke up to a lovely message from Malwarebytes telling me it was safe to install the zip again, so they're back.

I've had no firmware updates (it's an older tablet).

 

 

 

 

  • Staff

Hi @moritz,

I looked at the ticket, and it appears you have a pre-installed Auto Installer.

On some devices, the Update app causes malware apps known as HiddenAds to be auto installed. Because Update is a pre-installed app, you cannot remove it using traditional methods.

However, we can use the method below to uninstall Update (com.redstone.ota.ui) for the current user (details in link below):

 

Use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining HiddenAds malware apps.  

To periodically check for system updates, you will need to re-install Update.  You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

Nathan

4 hours ago, mbam_mtbr said:

Hi @moritz,

I looked at the ticket, and it appears you have a pre-installed Auto Installer.

On some devices, the Update app causes malware apps known as HiddenAds to be auto installed. Because Update is a pre-installed app, you cannot remove it using traditional methods.

However, we can use the method below to uninstall Update (com.redstone.ota.ui) for the current user (details in link below):

 

Use this command during step 7 under Uninstalling Adups via ADB command line to remove:

adb shell pm uninstall -k --user 0 com.redstone.ota.ui

At this point, run a Malwarebytes for Android scan to remove any remaining HiddenAds malware apps.  

To periodically check for system updates, you will need to re-install Update.  You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk

Nathan

Hi Nathan,

I followed the instructions and it was successful, so far no re-infection. I hope it stays like this. Thanks for your help.

Regards Moritz


Hello Nathan,

I successfully uninstalled Update, thank you. I'll see if no more infection occurs.

Could you please explain this:

" To periodically check for system updates, you will need to re-install Update.  You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk "

I got this error: failed to write; /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk (No such file or directory)

Since the package path on my device was "/system/app/Rsota/Rsota.apk=com.redstone.ota.ui", I tried the following:

adb shell pm install -r --user 0 /system/app/Rsota/Rsota.apk
Failure [INSTALL_FAILED_INVALID_APK: Package couldn't be installed in /data/app/com.redstone.ota.ui-1: Package /data/app/com.redstone.ota.ui-1/base.apk code is missing]

I also tried:

C:\Users\Philippe\AppData\Local\Android\Sdk\platform-tools>adb shell pm install -r --user 0 /system/app/Rsota/Rsota.apk=com.redstone.ota.ui
Error: failed to write; /system/app/Rsota/Rsota.apk=com.redstone.ota.ui (No such file or directory)

So, how do you re-install Update? And what are the potential issues if it never gets re-installed?

Many thanks for your help :-)

  • Staff
2 hours ago, Feurtel said:

Hello Nathan,

I successfully uninstalled Update, thank you. I'll see if no more infection occurs.

Could you please explain this:

" To periodically check for system updates, you will need to re-install Update.  You can reinstall with this command:

adb shell pm install -r --user 0 /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk "

I got this error: failed to write; /system/priv-app/ThirdPartyRSOTA/ThirdPartyRSOTA.apk (No such file or directory)

Since the package path on my device was "/system/app/Rsota/Rsota.apk=com.redstone.ota.ui", I tried the following:

adb shell pm install -r --user 0 /system/app/Rsota/Rsota.apk
Failure [INSTALL_FAILED_INVALID_APK: Package couldn't be installed in /data/app/com.redstone.ota.ui-1: Package /data/app/com.redstone.ota.ui-1/base.apk code is missing]

I also tried:

C:\Users\Philippe\AppData\Local\Android\Sdk\platform-tools>adb shell pm install -r --user 0 /system/app/Rsota/Rsota.apk=com.redstone.ota.ui
Error: failed to write; /system/app/Rsota/Rsota.apk=com.redstone.ota.ui (No such file or directory)

So, how do you re-install Update? And what are the potential issues if it never gets re-installed?

Many thanks for your help :-)

Hi @Feurtel,

The re-install is so you can check for updates, since the same app that is an Auto Installer is also the system updater. You must have a slightly different path than the one I posted. No worries though, since this is easy to track down.

Run this command: adb shell pm list packages -f -u

You can copy/paste the output into a text editor like Notepad and search for com.redstone.ota.ui for the correct path.

Just make sure to uninstall for current user again after checking for updates.

Nathan


Hi Nathan,

I did as you said; the path on my device is indeed /system/app/Rsota/Rsota.apk=com.redstone.ota.ui.

And when I try to re-install using that path, I get the error below:

adb shell pm install -r --user 0 /system/app/Rsota/Rsota.apk
Failure [INSTALL_FAILED_INVALID_APK: Package couldn't be installed in /data/app/com.redstone.ota.ui-1: Package /data/app/com.redstone.ota.ui-1/base.apk code is missing]

Philippe

  • Staff

Hi @Feurtel,

Try this:

adb shell pm install -r --user 0 /system/app/Rsota/Rsota.apk

There could have been an extra space in the last command.  Also, try doing this command:

adb shell pm list packages -f

Notice that this is without the -u which is used to show uninstalled apps.  If com.redstone.ota.ui is still in the list of the output then it's installed.

Nathan
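The two listings Nathan refers to above (with -u to include packages uninstalled for the current user, without -u to show only what is currently installed) are easy to misread by hand, and the thread shows the classic slip of pasting the whole "path=package" token into pm install. The script below is an added example, not Nathan's or Malwarebytes' code: it parses the `package:<apk path>=<package name>` line format shown earlier in the thread, reports whether a package is installed, uninstalled-for-user or absent, recovers the bare APK path, and builds the exact uninstall/reinstall commands Nathan posted as argv lists. The two listings embedded in it are constructed sample output, not captured from a real device.

```python
"""Parse the output of `adb shell pm list packages -f` (with and without -u)
and work out a package's install state for user 0.

Assumed line format (taken from the thread's own example line):
    package:<apk path>=<package name>
"""
from typing import Dict, List, Optional

# Constructed sample output of `adb shell pm list packages -f` (no -u):
# only packages currently installed for the user.
INSTALLED_OUT = """\
package:/system/app/Chrome/Chrome.apk=com.android.chrome
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

# Constructed sample output of the same command with -u, which also lists
# packages uninstalled for the current user but still present under /system.
WITH_UNINSTALLED_OUT = INSTALLED_OUT + (
    "package:/system/app/Rsota/Rsota.apk=com.redstone.ota.ui\r\n"  # CRLF, as adb on Windows may emit
)


def parse_package_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path.

    Splits on the LAST '=' because the APK path comes first and could itself
    contain '='. Passing the whole 'path=package' token to pm install gives
    'No such file or directory', which is the error seen in the thread.
    """
    packages: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()            # also drops the \r of CRLF captures
        if not line.startswith("package:"):
            continue
        path, sep, name = line[len("package:"):].rpartition("=")
        if not sep or not path or not name:
            continue                  # malformed line: skip rather than guess
        packages[name] = path
    return packages


def install_state(installed_out: str, with_uninstalled_out: str, package: str) -> str:
    """'installed' if listed without -u, 'uninstalled-for-user' if listed only
    with -u, otherwise 'unknown' (not present on the device at all)."""
    if package in parse_package_list(installed_out):
        return "installed"
    if package in parse_package_list(with_uninstalled_out):
        return "uninstalled-for-user"
    return "unknown"


def apk_path(with_uninstalled_out: str, package: str) -> Optional[str]:
    """Bare APK path for a package, taken from the -u listing."""
    return parse_package_list(with_uninstalled_out).get(package)


def uninstall_for_user_cmd(package: str) -> List[str]:
    """The uninstall-for-current-user command from the thread, as an argv list."""
    return ["adb", "shell", "pm", "uninstall", "-k", "--user", "0", package]


def reinstall_cmd(path: str) -> List[str]:
    """The reinstall command from the thread; takes the bare APK path only."""
    return ["adb", "shell", "pm", "install", "-r", "--user", "0", path]


if __name__ == "__main__":
    pkg = "com.redstone.ota.ui"
    print(pkg, "is", install_state(INSTALLED_OUT, WITH_UNINSTALLED_OUT, pkg))
    path = apk_path(WITH_UNINSTALLED_OUT, pkg)
    print("reinstall with:", " ".join(reinstall_cmd(path)))
    print("remove again with:", " ".join(uninstall_for_user_cmd(pkg)))
```

In practice you would feed the script the captured output of the two adb commands (for example via `subprocess.run` with `capture_output=True`); the state check is the same comparison Nathan describes, just done by the machine instead of by searching a Notepad window.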

  • Staff

Hi @Feurtel,

Well shoot.  That should work.  Maybe try typing it out manually just to make sure there are no issues with copy/pasting over weird formatting.

Well, at least you are safe from malware being installed. Worst case scenario, a factory reset will re-install com.redstone.ota.ui. Hopefully it doesn't come to that though.

Nathan


Hi Nathan,

Yes, I had also typed the line manually :-)

I have proceeded to a factory reset, and indeed com.redstone.ota.ui is reinstalled, and detected by Malwarebytes. Before uninstalling it again, I tried this:

adb shell pm disable-user --user 0 com.redstone.ota.ui

Could that be enough? Or am I at risk and should I really run an uninstall (which I'm OK with: I'd rather have no update app but be malware free :-))?

Many thanks for your answers and patience.

  • Staff

Hi @Feurtel,

With the command adb shell pm disable, there is a high probability of the app re-enabling itself. We have seen this in the past with other Auto Installers. I would strongly recommend the uninstall. However, you can check it after a couple of days to see if the disable stuck.

Nathan
