
Cure for Chinese Notification Spam & Random App Installations

By Cevyn, Junior Member on 6th August 2013, 05:06 PM
I recently obtained a Star N9500, which is a Samsung Galaxy 4 clone. It's a very nice piece of hardware, with the exception of the pre-installed spamware apps. I'm going to detail how I discovered which system apps were the culprit so that you can follow a similar procedure on your Chinese Android device.

The symptoms are Chinese language spam notifications that when touched will immediately begin downloading some other app, most often a game or Chinese social networking/dating app. Other times, Chinese apps would just randomly install, or links to other Chinese sites would appear on the home screen. The problem is that there is no obvious app to uninstall to stop this from happening, AdAway doesn't prevent it, and none of the ad network / push detectors or blockers available in the Play Store found anything wrong. These apps are buried in the phone's firmware, and this must be solved with detective work.

The removal process requires your phone to be Rooted.

The first thing that I did was to Google the name of each and every .apk in the /system/apps folder. You'll have to use the Translate feature for most of the results. Only one app I Googled got a hit called “uuplay.apk”. Turns out that this is a known Chinese Adware app. I proceeded to rename it with a “.dis” extension with ES File Explorer and felt I solved the problem...but I didn't.

Sure enough the notification spam continued, so I knew there had to be more. None of the APKs in the system apps folder resulted in any Google hits, so I had to figure this out myself.

I proceeded to use ES File Explorer to copy every file in the “/system/apps” folder to my desktop computer. Next, I used 7-Zip to unzip every APK to my RAM drive. I started to look at the individual files with Notepad++ but found this quite tedious. Then I realized that Chinese apps probably access Chinese servers with a “.cn” domain.

I fired up Agent Ransack and did a search inside all of the decompressed app files for “.cn”. Sure enough, two hits on “GoogleUpdate[3738].apk” and “GoogleService[3738].apk”. I looked inside the “classes.dex” files and sure enough found links to Chinese sites located at “http://g.10086.cn”. I also found mention of “com.google.system.king”. Ahhhhh that makes sense, because I noticed that the SD Card ended up with a folder of the same name with Chinese looking files inside, such as “hziee”, and also “jrinfo.cfg”.

I Googled the king string and found a Chinese site that described the app as “Android application management, convenient and practical, Fool phone management experts.” Ah-ha!!! So I renamed both of those APKs in the system app folder with a “.dis” extension, rebooted my phone and voila – no more spam. They didn't fool me, and hopefully this post will help someone else out there with this infestation.

I attached the spamware app APKs from my phone to this thread for additional deconstruction by anyone interested. I'd be curious to know to what extent they would go in downloading spam.

~Cevyn L (FastMHz)
Attached Files: ChineseSpamware.7z (1.38 MB)
6th August 2013, 05:58 PM |#2  
Senior Member, Sofia
Yes, be careful with those Chinese phones.
Some of them have self-register apps that send expensive SMS messages to China. Some of them also have apps similar to those you mentioned.

Usually, you can delete the whole /system/vendor/app folder, full of Chinese crap.
Some of the apps are also located in the /system/app folder. Best way for non-experienced users is to search for apps description over the net if you're unsure of what a certain app does.

MTKDroidTools has some predefined apps list and can automatically remove Chinese stuff for you, but still there's a chance some new or differently named app is installed on the phone.

Of course, for any of these manipulations you need root access.
6th August 2013, 06:21 PM |#3  
Cevyn (OP, Junior Member), Hagerstown, MD
Yeah, I can imagine some of them have some nasty stuff loaded in, so definitely a good idea to scrutinize every app for anything suspicious. I think doing what I did above on any Chinese phone to search for any apps with links to .cn based domains isn't a bad idea, even if spamware isn't an issue. I also only use prepaid SIMs in these things for a reason.
9th August 2013, 05:47 PM |#4  
Cevyn (OP, Junior Member), Hagerstown, MD
UPDATE 08-09-2013:

Quick Fix: If your phone has the same rogue files as mine did, root your phone, and delete the following from /system/apps: UUPLAY.APK, GoogleUpdate[3738].apk, GoogleService[3738].apk, SystemThread[3738].apk, Backup_File[3738].i, projectmkmassags.apk, and smsreg.apk.

I completely decompiled the APKs to Java code and found these strings inside:

http://61.160.234.133:9090/date/getDate
http://g.10086.cn/gamecms/wap/game/w...nelId=12068000
http://www.ccinchina.com/blog/upload...A3NQ%3D%3D.jpg
http://117.135.133.9:8080/source/app...52520130058754
http://117.135.131.9:8080/push_4/push.action?imei=value
http://61.160.242.35:8080/pro_5/pro.action
/datang_gaohong/
SilentClient.apk
shurufa_01.apk
BaiduBrowser_Android_2-3-28-6_1000934d.apk

None of those other APKs were present, but a datang_gaohong folder was on my SD card, as well as a folder called LogicDownloads that referenced these types of filenames. I deleted all of them and haven’t had them come back. I deleted a bunch of other non-dangerous bloatware as well. The phone is now about as perfect as I could imagine one being. Battery seems to go forever now as well.
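Added example (not part of any post in this thread, and not the posters' code): the string search described in posts #1 and #4, done with a script instead of unpacking by hand. It opens an APK as a zip archive and reports embedded URLs whose host ends in ".cn" or is a raw IP address; the function names and the sample hosts in build_sample_apk() are constructed for illustration.

```python
import io, ipaddress, re, zipfile
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # ASCII text stored as UTF-16LE

def extract_urls(data):
    """Return http(s) URLs stored as ASCII (dex strings) or UTF-16LE (binary XML)."""
    views = [data] + [m.group()[::2] for m in UTF16_RUN.finditer(data)]
    return {m.group().decode("ascii") for v in views for m in URL_RE.finditer(v)}

def classify(url, tlds=(".cn",)):
    """Return 'raw-ip', 'tld' or None depending on the URL's host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "raw-ip"
    except ValueError:
        return "tld" if host.endswith(tuple(tlds)) else None

def scan_apk(apk, tlds=(".cn",)):
    """Map archive member -> sorted [(url, reason)] for flagged URLs in one APK."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            flagged = sorted((u, r) for u in extract_urls(zf.read(info))
                             if (r := classify(u, tlds)))
            if flagged:
                hits[info.filename] = flagged
    return hits

def build_sample_apk():
    """Constructed stand-in for a system APK (hosts are made-up sample values)."""
    dex = b"\x00".join([b"dex\n035", b"http://push.example.cn/p",
                        b"http://192.0.2.9:8080/pro.action?imei=value",
                        b"https://www.example.org/help"]) + b"\x00"
    arsc = ("http://cfg.example.cn/a".encode("utf-16le") + b"\x00\x00"
            + "https://www.example.com/".encode("utf-16le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("resources.arsc", arsc)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, urls in scan_apk(build_sample_apk()).items():
        for url, reason in urls:
            print(f"{member}: {reason}: {url}")
```

To use it on files copied off a device, pass each APK path to scan_apk() in place of the constructed sample; a hit is a lead to look into, not proof that the app is spamware.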
2nd September 2013, 07:47 PM |#5  
Junior Member
Mine all end like GoogleService[3774].
I didn't understand: should we delete all the apps you listed in the last message, or only the one in caps lock?

Sorry for my questions, I'm a bit of a newbie ;(
7th September 2013, 08:04 PM |#6  
Cevyn (OP, Junior Member), Hagerstown, MD
Delete them if you have them.

Also, zip up the "GoogleService[3774].apk" and any other 3774 apps you have and attach them to a message on this thread...I'll look inside for Chinese links. Interesting that you have a different set of numbers in brackets on yours; could be a version indicator or something.
8th September 2013, 03:23 PM |#7  
Junior Member
Thank You
Thank you for your reply. I haven't deleted them all, only uuplay, so here are the others; I hope this is what you wanted. So if I delete those ones, I won't have Chinese app news and auto-installs?
Attached Files: apk.rar (510.5 KB)
12th September 2013, 08:41 PM |#8  
Junior Member
Help, I can't remove them!!!!!
Hello all,
First of all, sorry for my bad English, it's not my first language, and thank you very much for helping us.

I have an N9500 with Chinese applications and I'll post all the applications in the app folder. I try to delete:
GoogleUpdate[3774].apk, GoogleService[3774].apk, SystemThread[3774].apk and smsreg.apk
But I can't delete or rename them, why? I'm root on the phone but I only get errors when I try it.
I'm using "ES FILE EXPLORER" for deleting them.
Again, thank you very much
14th September 2013, 12:00 AM |#9  
Junior Member
Quote:
Originally Posted by rodxyz

Hello all,
First of all, sorry for my bad English, it's not my first language, and thank you very much for helping us.

I have an N9500 with Chinese applications and I'll post all the applications in the app folder. I try to delete:
GoogleUpdate[3774].apk, GoogleService[3774].apk, SystemThread[3774].apk and smsreg.apk
But I can't delete or rename them, why? I'm root on the phone but I only get errors when I try it.
I'm using "ES FILE EXPLORER" for deleting them.
Again, thank you very much

Check if you are in r/o or r/w mode. You've got a small task on the right corner. If you are in r/w, change to r/w. Hope it will solve it.
14th September 2013, 04:50 AM |#10  
agzorig (Senior Member), UPLB
Thank you for this thread, I have been searching for a couple of days now for this!
I also have been wondering how I get these weird apps on my phone every time I wake up, and find them already installed.
I noticed the folders you said which I also deleted, hoping it would fix the problem.
Anyways, thanks a lot for sharing this.
By the way, I really don't know how I got this malware, not really sure if it was preinstalled in my Cherry Mobile Superion TV2, or got it somewhere else in the apks I recently downloaded and installed.

Sent from my Superion TV 2 using Tapatalk 4
17th June 2014, 10:28 AM |#11  
SUMM0NER (Member), London
Thanks guys, your thread helped me a lot.

Just removed uuplay.apk and uuairpush.apk.

Deleting/renaming them via ES Explorer didn't work for me, I had to use Root App Delete. Even that initially seemed to fail to remove the fake Google Play app, but then came up with a prompt to tap here to force removal, which worked.

Rebooted and did deep ESET scans yesterday and again today, looks like it is all gone.