
recurring malware immediately after factory reset?


21 replies to this topic

#1 linuxchick


Posted 08 January 2016 - 03:10 PM

I have a friend's Asus Nexus 7 tablet (transformer TF101-android version 4.0.3) that is infected with malware. I can do a factory reset, but as soon as I connect the wifi, it starts re-downloading porn/malicious apps. I managed to install Malwarebytes from the Google Play Store; it finds 23 infections but can't delete any of them. I'm at a loss as to what else to try! Anyone have any ideas? "Edited to add: As far as I know this device has never been rooted"


Edited by linuxchick, 08 January 2016 - 03:49 PM.




#2 Oyugi


Posted 08 January 2016 - 03:44 PM

I think the malware/virus could be residing on the memory card. Have you tried formatting it? Or else you can do a hard reset by pressing the power button with one of the volume rockers simultaneously; in most cases use the volume up button + power button to boot. You will be taken to a unique interface and there you will have to use the volume buttons and power button to navigate. From there select formatting or clean swipe or something that has to do with complete formatting. Having done that, be careful when restoring the backup; avoid installation of apps you got from porn affiliated websites or apps that have a different name from what you want when downloading. Alternatively you can verify with Google when running the apks.

#3 linuxchick


Posted 08 January 2016 - 04:11 PM

In my original post, by factory reset, that's what I meant... a hard reset using the power/volume buttons.... it does reset and wipe the data.... but as soon as I connect the wifi (without entering a Google account or restoring any files), it fills up with junk. I need to figure out how to fix it, after a reset and before connecting to the internet.



#4 Oyugi


Posted 09 January 2016 - 04:18 PM

I think I now understand where the problem started. You might have installed a mobile synchronization software on your desk/lap top, hence by submitting your Google account for Play Store syncing the malware got a chance to auto update its apps or do unauthorised downloads. Some of these apps could be appcaster, mobogenie, bluestacks and the like. To save your device just do the following: uninstall all that desktop sync software, then format your device and lastly change your Google/Play Store account password (very important), then synchronize your phone with Google with the new password you changed. After that don't use desktop clients that request your account details if you are not certain they are 100% legit, of which many aren't. That should work.

#5 linuxchick


Posted 09 January 2016 - 05:32 PM

I don't think you're understanding me..... the malware installs immediately after a clean wipe of the device, BEFORE signing in to a Google account, BEFORE even entering a Google account at all. It's fine until you connect to wifi..... The malware has infected the system files.



#6 m4lw4r3


Posted 10 January 2016 - 05:31 AM

If you are still having this issue I would suggest trying a custom ROM on the device, as this could be a firmware modification which is allowing this to happen (bloatware installed by the seller). If after installing a custom ROM this stops then that's the case; if not then this may be a bootkit such as Obad or Oldboot.

 

Custom Firmware for Nexus 7 xda-devs

 

Removing Obad

 

Removing Oldboot may require you to completely flatten the device as formatting does not work (still resides in memory). I am still looking into this myself. Also try running antivirus on the device and post back results.



#7 Oyugi


Posted 10 January 2016 - 10:55 AM

Would you mind posting names of those malicious apps or any strange files? Sorry, I never understood your post well. Let me dig deeper and see if there is anything I can get.

#8 linuxchick


Posted 10 January 2016 - 11:18 AM

porn club

hot tube

swift wifi

clean doctor

badoo

piano tiles2

sexy girls

...every time it connects to wifi, there are more; that is just some of them. It's insane how much crap this is downloading and installing!

 

I'm working on rooting it and trying to uninstall... but it's pretty hard when it keeps rebooting all the time



#9 m4lw4r3


Posted 10 January 2016 - 03:25 PM

http://androidforums.com/threads/extraordinary-android-virus.942374/

It seems porn club may be the culprit as it's a downloader. Root and remove the unneeded apps from /system. Did he install these apps?

#10 linuxchick


Posted 10 January 2016 - 06:28 PM

As far as I know they didn't knowingly install anything, it may have been one of the kids though.. I've got it rooted and am working on deleting apps now. I'll post back with my results if I ever get it fixed!



#11 linuxchick


Posted 10 January 2016 - 08:32 PM

So as far as I can tell, I've deleted something I shouldn't have.... I did a power/volume wipe/reset, I get all the way through the set-up but then when the home screen should show up, it tells me "Set up has stopped", so I get a black screen, no menu, just the back, home and recent app buttons..... all I can get into is settings from the "swipe up" menu in the bottom right corner... good grief this thing is going to be the death of me! My only hope now is to connect it to a computer and see if I can install a custom ROM I guess...



#12 m4lw4r3


Posted 11 January 2016 - 02:19 AM

Now that you have got it rooted it's time to install a custom ROM; this way would be easier than deleting loads of apps which you need. Install a custom recovery:

https://twrp.me/devices/asusnexus72013wifi.html ~ recovery


http://download.cyanogenmod.org/?device=grouper ~ rom

https://s.basketbuild.com/filedl/gapps?dl=gapps-lp-20141109-signed.zip ~ gapps

Please follow a tutorial before just doing this

#13 PuReinSAniTY


Posted 21 January 2016 - 11:12 PM

If these apps are being installed from third party sources do this: in Settings, Security, Unknown Sources, uncheck allow installation of apps from unknown sources. If it's infecting you when you switch on your wifi, try resetting your router as your router may be infected, but I have never heard of a router infection installing apps.


they call me te java mayster


#14 c_robertson


Posted 07 February 2016 - 12:26 PM

I have the same infection. After doing a factory reset (hard reset) it starts displaying "updating 1 of 32". There is no SD card and I wiped the files before I did the factory restore and it still updated with infections. There is an android.os file that is a core service that installs. I'm attempting to install a new ROM for LG E970 but links lead and files are all dead. I got the LG updater but it won't run on Win 10. Trying again later. Trying to find a recent ROM/package for this att branded system.

#15 arana


Posted 12 February 2016 - 10:21 PM

That's exactly what I experienced today. The only way to get rid of it that I found was to flash stock ROM again (or whatever ROM, custom or stock). It is my belief that this thing replaces some system apps with its own and also adds some more apps to it so they reinstall themselves when you factory reset. I think it somehow gains its own root access and hides it from you. In my case it even turned wifi on by itself, and if it had no access points it used mobile data. Same thing: not even needed to register any email address or sync it with anything. I posted about it in XDA.

Seems like it's a new malware on the loose, coz I had never even heard about it and today I found 2 in 2 separate phones from unrelated people lol.

Here is the XDA posting (I hope I'm allowed to post link; if not then I'm sorry and please remove it)

http://forum.xda-developers.com/general/general/strange-case-recurring-malware-t3313955
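
Added example, not part of any post in this thread: a factory reset wipes `/data` but leaves the `/system` partition untouched, which is why apps planted there come back after every reset. The script below triages the output of `adb shell pm list packages -f` by install partition and compares it against a baseline; the sample output, the `com.example.*` package names and the `STOCK_BASELINE` set are constructed for illustration.

```python
import re

# Constructed sample of `adb shell pm list packages -f` output (not from a real device).
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings.apk=com.android.settings
package:/system/app/SystemUpdate.apk=com.example.sysupdate
package:/data/app/com.example.hottube-1.apk=com.example.hottube
package:/system/priv-app/Phonesky.apk=com.android.vending
package:/data/app/~~Qx1==/org.example.notes-Zk2==/base.apk=org.example.notes
WARNING: linker: unrelated noise line
"""

# Hypothetical baseline: package names taken from a clean stock image of the same build.
STOCK_BASELINE = {"com.android.settings", "com.android.vending"}

# The path may itself contain '=', so match greedily and anchor on the package name.
LINE_RE = re.compile(r"^package:(?P<path>/.+)=(?P<pkg>[A-Za-z0-9_.]+)$")

def parse_packages(pm_output):
    """Return {package_name: apk_path}, skipping lines that are not package records."""
    found = {}
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("path")
    return found

def triage(pm_output, baseline):
    """Group packages by whether a factory reset would remove them."""
    report = {"survives_reset_unexpected": [], "survives_reset_stock": [],
              "wiped_by_reset": []}
    for pkg, path in sorted(parse_packages(pm_output).items()):
        partition = path.split("/")[1]  # 'system', 'data', 'vendor', ...
        if partition == "data":
            report["wiped_by_reset"].append(pkg)
        elif pkg in baseline:
            report["survives_reset_stock"].append(pkg)
        else:
            # Lives outside /data and is not in the stock image: reflash candidate.
            report["survives_reset_unexpected"].append(pkg)
    return report

if __name__ == "__main__":
    for group, pkgs in triage(SAMPLE_PM_OUTPUT, STOCK_BASELINE).items():
        print(f"{group}: {', '.join(pkgs) or '-'}")
```

A name match against the baseline does not prove a system APK is unmodified, so a package in the stock group can still be a replaced copy; reflashing the system image, as the posters above ended up doing, removes both cases.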





