
Help removing android malware that rooted my phone

By e2048, Junior Member on 6th November 2018, 10:09 PM
My phone is a Gretel A7.
I got infected with malware through a dodgy website.
After rebooting, the phone was stuck on the startup logo for about 45 minutes, and when it finally started I started getting popups.
I believe the malware rooted my phone.
The malware installs additional apps that actually cause the popups. I can uninstall the apps, but I can't remove the "system" app that keeps reinstalling them.

I have had success in preventing the malware downloading and installing things by using the app NoRoot Firewall to deny network access to the infected system app.
I can also view its communication with a packet sniffer app.
All attempts to disable or uninstall the infected system app have failed because I don't have root.

I have tried a few antivirus apps from the play store but none of them can detect it.
I believe the infected system app is called CopyCustomFiles, as it's the only thing running in the developer mode process list.

I don't have the ability to connect the phone to a computer to run adb, and I'm afraid to use KingRoot in case it bricks the phone.
Is there a way to get a temp root so if something goes wrong I can just restart?

Will a system reset get rid of it? I am afraid to do it in case it breaks something.
If it rooted and flashed something then it will still be there after reset, right?

Screenshot from NoRoot Firewall showing the attempted connection.
Several apps are shown; I'm not sure which one is actually infected.
https://ibb.co/jAoJfA

Here is what it does when my phone boots: it downloads and installs an APK with malware.

POST /boot HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: statistics.flurrydata.com:10000
Accept-Encoding: gzip
Content-Length: 592


HTTP/1.1 200 OK
Server: openresty/1.11.2.5
Date: Mon, 05 Nov 2018 08:20:55 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close

M0shABY5XA4XUCR6ACMdDjofIwMnLF0GRx59Ylh5XVt4RWAGFi tQG0MLMwcFIgcMalNzW0xvBRQZSDoqGy4GDy1LeF8F

POST /v15_worker HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: analyze.flurrydata.com:10000
Accept-Encoding: gzip
Content-Length: 1956


HTTP/1.1 200 OK
Server: openresty/1.7.10.2
Date: Mon, 05 Nov 2018 08:21:14 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close


GET /001_20181101_67_01_20181101_1.apk HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: flare.facebook-3rd.com
Connection: Keep-Alive
Accept-Encoding: gzip
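The capture above shows a recognisable pattern: an opaque binary POST to a check-in host on a non-standard port, then a plain-HTTP APK fetch from a domain that borrows a well-known brand name. As an added example (not code from the thread), the script below walks a constructed copy of those headers and flags each request for those three traits; the brand-to-domain map is an assumption for illustration.

```python
import re

# Constructed sample: the request/response headers quoted in the thread, with the
# encoded bodies replaced by a placeholder line.
CAPTURE = """\
POST /boot HTTP/1.1
Content-Type: application/octet-stream
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: statistics.flurrydata.com:10000

<encoded body omitted>

HTTP/1.1 200 OK

GET /001_20181101_67_01_20181101_1.apk HTTP/1.1
Host: flare.facebook-3rd.com
"""

# Assumed brand -> legitimate registrable domain map (not from the thread).
BRANDS = {"facebook": "facebook.com", "flurry": "flurry.com"}
REQUEST_LINE = re.compile(r"^(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]$")


def triage(capture: str) -> list:
    """Return one dict per request in the capture, with flags for the dropper pattern."""
    findings = []
    for block in re.split(r"\n\s*\n", capture.strip()):
        lines = block.splitlines()
        m = REQUEST_LINE.match(lines[0])
        if not m:
            continue  # response headers or body block: nothing to extract
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (l.partition(":") for l in lines[1:])}
        host, _, port = headers.get("host", "").partition(":")
        f = {"method": m.group(1), "host": host, "port": int(port or 80),
             "path": m.group(2), "flags": []}
        # Opaque binary POST to a non-standard port: the boot-time check-in.
        if (f["method"] == "POST" and f["port"] not in (80, 443)
                and headers.get("content-type") == "application/octet-stream"):
            f["flags"].append("opaque-post-nonstandard-port")
        # Direct APK fetch over plain HTTP, outside any app store.
        if f["path"].lower().endswith(".apk"):
            f["flags"].append("apk-download")
        # Registrable domain borrows a brand name but is not the brand's own domain.
        registrable = ".".join(host.split(".")[-2:])
        if any(b in registrable and registrable != d for b, d in BRANDS.items()):
            f["flags"].append("lookalike-domain")
        findings.append(f)
    return findings
```

Feeding the firewall's connection log or a sniffer export through the same function gives a quick list of which hosts deserve a block rule.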
8th November 2018, 11:16 AM |#2  
Quote:
Originally Posted by e2048


I don't have the ability to connect the phone to a computer to run adb, and I'm afraid to use KingRoot in case it bricks the phone.
Is there a way to get a temp root so if something goes wrong I can just restart?

Will a system reset get rid of it? I am afraid to do it in case it breaks something.
If it rooted and flashed something then it will still be there after reset, right?

No, system reset will not get rid of it, as these malicious apps are installed as system apps, so they will not be affected by reset.

If you flash the latest stock ROM from your manufacturer (not some random download site, as this may be malicious also, unless you can check its digital signature against the official signature) the malicious app will be overwritten & removed (as stock ROM writes to all partitions, but note a custom ROM normally only changes part of system so the malicious app could survive).

There are some apps that you can use to flash new stock ROM but they all need root (I think), so not

You should be able to "freeze" the apps you mention which will stop them working, even though you can't uninstall them (there are a few threads on how to do that in this forum). But really you need to get access to a PC for either ADB or to reflash stock.
21st November 2018, 08:55 PM |#3  
OP Junior Member
After doing further research I discovered that the stock firmware for this phone is infected with malware from the factory.
There is an update that is not infected but I am not clear how to install it safely.
I can't find any official source for the stock ROM or install guide.
The only guide I found is unofficial and requires a PC and installing TWRP or SP flash.
The guide is here getdroidtips.com/stock-rom-gretel-a7/

My question is... The stock recovery menu on my phone has an option to install update from sdcard.
So can I skip the TWRP/SP flash step and just install the zip file from the above link using the recovery menu I already have?

I assume this update will overwrite/replace the OS and all system apps with the ones contained in the update, while leaving all my play store apps and settings/files intact?

Thanks.
4th April 2019, 01:34 AM |#4  
Junior Member
A little late, but were you able to resolve the issue on your device? I am researching the presence of pre-installed malware on the Gretel A7 and would like to know more about your experience.
Feel free to contact me directly or please respond here.

Quote:
Originally Posted by e2048

After doing further research I discovered that the stock firmware for this phone is infected with malware from the factory.
There is an update that is not infected but I am not clear how to install it safely.
I can't find any official source for the stock ROM or install guide.
The only guide I found is unofficial and requires a PC and installing TWRP or SP flash.
The guide is here getdroidtips.com/stock-rom-gretel-a7/

My question is... The stock recovery menu on my phone has an option to install update from sdcard.
So can I skip the TWRP/SP flash step and just install the zip file from the above link using the recovery menu I already have?

I assume this update will overwrite/replace the OS and all system apps with the ones contained in the update, while leaving all my play store apps and settings/files intact?

Thanks.
