Nomu S20 - GPS problems, mic volume, no OTA or support, and Android Triada ROM virus

64 posts
By JVitor, Member on 29th May 2017, 12:46 AM
6th July 2017, 05:24 AM |#21  
Junior Member
Quote:
Originally Posted by the.mule.42

I deleted it with avira and created a file with the exact name and changed it to read only (rooted phone). It seems like it's worked. Yet.

---------- Post added at 08:03 PM ---------- Previous post was at 07:13 PM ----------

Btw for me the 1.0.6 zip is corrupted says the TWRP when I try to install. I successfully installed the chamelephone os.

Hi everybody,
Is there news of a clean ROM? I tried to delete triada with avira, Dr Web on chamelephone, then turned base.apk in com.chunmei.calculator and 8949-1005_1497342619861.xde to read only, but it didn't work.
Thanks for the help
 
 
6th July 2017, 01:57 PM |#22  
Junior Member
Quote:
Originally Posted by scoubidouille

Hi everybody,
Is there news of a clean ROM? I tried to delete triada with avira, Dr Web on chamelephone, then turned base.apk in com.chunmei.calculator and 8949-1005_1497342619861.xde to read only, but it didn't work.
Thanks for the help

Hi,
Yeah the triada came back after a while, but when I deleted the whole com.android.vending and created a new read-only text file with the exact name, it kinda looks like it's working. It's been 4 or 5 days and the triada is still nowhere.
6th July 2017, 09:10 PM |#23  
OP Member
Quote:
Originally Posted by LeonKillah

I've updated my phone to the latest ota firmware, rooted and deleted virus with demo license of Dr.Web.
No virus so far...

The virus will self-inject at random at some trigger events. Dr. Web cannot detect it. Read again posts #1, #11 and #14.

Quote:
Originally Posted by the.mule.42

Btw for me the 1.0.6 zip is corrupted says the TWRP when I try to install. I successfully installed the chamelephone os.

The .zip file is to be flashed with SP Flash tools. But you might lose your IMEI nvram in the process and have to re-write it with SN Write tool. Have a look here.

Quote:
Originally Posted by the.mule.42

Hi,
Yeah the triada came back after a while, but when I deleted the whole com.android.vending and created a new read-only text file with the exact name, it kinda looks like it's working. It's been 4 or 5 days and the triada is still nowhere.

It looks like a good solution. Which app are you using? Root Browser is not able to change permissions but I have created a fake file with the same name to see if it works. Note: just learned how to change permissions in TWRP File Manager (Post #26).
6th July 2017, 09:19 PM |#24  
OP Member
Quote:
Originally Posted by JVitor

Unfortunately the above fix doesn't work. Fake "Settings" came up again this morning after starting YouTube app. Hackers are not kidding.

For those who might be interested, attached is the installer of the fake "Settings" app, which is injected by some unknown process at /storage/emulated/0/.jm/com.android.vending/8949_1004_1495532446456.xde.apk (it looks like it's renamed or changed after install so that antivirus programs will not see it or detect it).

Attached are new filenames of the same installer, which are injected at /storage/emulated/0/.jm/com.android.vending. The files are renamed by removing the suffix .apk right after the execution/installation. Since the previous date I had posted on this thread I counted about 20 subsequent injections/installations (after uninstalling the fake Settings app and deleting the installer). I will try the workaround of post #23.
7th July 2017, 01:00 AM |#25  
OP Member
Quote:
Originally Posted by JVitor

I will try the workaround of post #23.

Besides creating a fake installer I have modified the permissions of the folder /storage/emulated/0/.jm/com.android.vending by applying the chmod 644 command in TWRP File Manager (see attachment). For permissions see this: https://www.linode.com/docs/tools-re...ons-with-chmod

Let's see if this works.
Attachment: Screenshot_2017-07-06-18-50-02.png
7th July 2017, 09:41 AM |#26  
Junior Member
Quote:
Originally Posted by JVitor

The virus will self-inject at random at some trigger events. Dr. Web cannot detect it. Read again posts #1, #11 and #14.

The .zip file is to be flashed with SP Flash tools. But you might lose your IMEI nvram in the process and have to re-write it with SN Write tool. Have a look here.

It looks like a good solution. Which app are you using? Root Browser is not able to change permissions but I have created a fake file with the same name to see if it works. Note: just learned how to change permissions in TWRP File Manager (Post #26).

Hi,

I used Total Commander, but when I set the permissions again it always returns to writable, so I guess it just didn't work even if TC tells me it did. Besides that, the triada is still nowhere, so it is enough to create a txt with the same name as the directory.
8th July 2017, 04:01 AM |#27  
OP Member
Quote:
Originally Posted by the.mule.42

I used Total Commander, but when I set the permissions again it always returns to writable, so I guess it just didn't work even if TC tells me it did. Besides that, the triada is still nowhere, so it is enough to create a txt with the same name as the directory.

I think the most logical approach would be to create a fake file with the same name and suffix of the installer, inside the .jm/com.android.vending. Nevertheless, the method of changing the folder permissions with TWRP File Manager does work (#26).

After changing the permissions of the folder to read and write only (no execution), I noticed a strange behavior of the Google Chrome app in the firewall, sort of making several attempts to initiate some process. So I suspect that the embedded Google Chrome app is the infected app/carrier. I have uninstalled the system Google Chrome, installed it again from Play Store and restored folder permissions just for the sake of testing this hypothesis. I tried also to inspect the kernel log with 3C Toolbox, but I am not so knowledgeable on Android system processes, services and structure.
8th July 2017, 07:09 PM |#28  
Junior Member
I deleted /system/priv-app/SecurityService and it seems it worked.
I've no more alert or com.chunmei.calculator installation, and my fake file 8949-1005_1497342619861.xde is still the same since 2 days. Avira and Dr Web don't detect anything. What should I do to check?
8th July 2017, 11:31 PM |#29  
OP Member
Quote:
Originally Posted by scoubidouille

I deleted /system/priv-app/SecurityService and it seems it worked.
I've no more alert or com.chunmei.calculator installation, and my fake file 8949-1005_1497342619861.xde is still the same since 2 days. Avira and Dr Web don't detect anything. What should I do to check?

com.chunmei.calculator is also a publicity spammer. If ads randomly pop up when you have an active data or Internet connection, then probably it is working in the underground. In order to check, you can go to Android Settings > Apps, select all apps and check if there are two "Settings" apps. One of them is the publicity spammer and/or triada spy. Another simple way is to delete the installer files in the .jm/com.android.vending sdcard folder (you can use Root Browser to view it). If the installer appears again, then the virus is still active. It seems to have a routine to check whether it has been uninstalled, and then it generates another installer and installs itself again.
8th July 2017, 11:37 PM |#30  
OP Member
Quote:
Originally Posted by JVitor

After changing the permissions of the folder to read and write only (no execution), I noticed a strange behavior of the Google Chrome app in the firewall, sort of making several attempts to initiate some process. So I suspect that the embedded Google Chrome app is the infected app/carrier. I have uninstalled the system Google Chrome, installed it again from Play Store and restored folder permissions just for the sake of testing this hypothesis.

Note: After a couple of days, today on July 11, the pest appeared again. So uninstalling and reinstalling Chrome is not enough.
8th July 2017, 11:56 PM |#31  
OP Member
For a definitive fix/clean ROM see posts #53 and #57.

Compilation of possible fixes. Root access and TWRP recovery manager will be required. If you don't have root access and TWRP recovery, see posts #23 and #33. See post #41 for tips on how to flash TWRP or update your ROM.

Note: the solution might depend on the ROM version of your smartphone.

1. Delete the following folders (ROM versions 1.0.2 and 1.0.3):

Code:
/system/priv-app/SecurityService
/system/app/AdupsFota
/system/app/AdupsFotaReboot

2. Uninstall the "Software Updates" app (ROM version 1.0.6). It looks like a fake software update app:

3. Delete files inside and change permissions of the following folder to read and write only (no execution):

.jm/com.android.vending. It's located in the sdcard/storage directory. You can change the folder permissions in TWRP File Manager. See posts #26 and #28. In post #23 it is also suggested to delete the folder com.android.vending and create a text file with the same name with no suffix/extension.
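As an added example (not from the thread or any of its posters), a small POSIX shell script that checks a pulled copy of the phone's filesystem for the indicators this compilation names and applies the fake-file workaround from post #23 to the staging folder. The layout (ROOT/system and ROOT/sdcard), the function names and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own procedure. Checks a copy of the phone's
# filesystem rooted at $1 (assumed layout: ROOT/system and ROOT/sdcard) for the
# indicators the posts above describe, and applies the fake-file workaround.

# System apps the thread names as carriers (posts #28 and #31).
ROM_IOC_DIRS="system/priv-app/SecurityService system/app/AdupsFota system/app/AdupsFotaReboot"
# Hidden staging folder on the sdcard where installers are dropped (posts #24, #29).
DROP_DIR=".jm/com.android.vending"

# triada_scan ROOT: print one line per finding; return 1 if anything was found, else 0.
triada_scan() {
    root="$1"; found=0
    for d in $ROM_IOC_DIRS; do
        if [ -e "$root/$d" ]; then
            echo "IOC: $d present"; found=1
        fi
    done
    drop="$root/sdcard/$DROP_DIR"
    if [ -d "$drop" ]; then
        echo "IOC: staging folder $DROP_DIR exists"; found=1
        # Installers arrive as *.xde.apk and lose the .apk suffix after install (post #24).
        for f in "$drop"/*.xde "$drop"/*.xde.apk; do
            [ -e "$f" ] || continue
            echo "IOC: dropped installer $(basename "$f")"
        done
    elif [ -f "$drop" ]; then
        echo "ok: $DROP_DIR is a plain file, the dropper cannot recreate the folder"
    fi
    return $found
}

# triada_block ROOT: workaround from posts #23 and #31: remove the staging folder and
# put a read-only, zero-length file of the same name in its place. Returns 0 on success.
triada_block() {
    drop="$1/sdcard/$DROP_DIR"
    [ -e "$drop" ] && rm -rf "$drop"
    mkdir -p "$(dirname "$drop")" || return 1
    : > "$drop" || return 1
    chmod 444 "$drop" || return 1
    # Check the mode string rather than -w, which always succeeds for root.
    case "$(ls -ld "$drop")" in
        -r--r--r--*) return 0 ;;
        *) echo "warning: mode did not stick (FAT/FUSE sdcards may ignore chmod, cf. post #26)"
           return 1 ;;
    esac
}
```

On a real device the staging path is /storage/emulated/0/.jm/com.android.vending, and as post #26 notes, permission changes on the sdcard may not persist, which is why the plain-file replacement is the part that matters.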

Tags
android triada virus, gps problems, microphone volume, no support, nomu s20