The symptoms are Chinese-language spam notifications that, when touched, will immediately begin downloading some other app, most often a game or Chinese social networking/dating app. Other times, Chinese apps would just randomly install, or links to other Chinese sites would appear on the home screen. The problem is that there is no obvious app to uninstall to stop this from happening, AdAway doesn't prevent it, and none of the ad network / push detectors or blockers available in the Play Store found anything wrong. These apps are buried in the phone's firmware, and this must be solved with detective work.
The removal process requires your phone to be Rooted.
The first thing that I did was to Google the name of each and every .apk in the /system/apps folder. You'll have to use the Translate feature for most of the results. Only one app I Googled got a hit: “uuplay.apk”. Turns out that this is a known Chinese Adware app. I proceeded to rename it with a “.dis” extension with ES File Explorer and felt I had solved the problem... but I hadn't.
Sure enough the notification spam continued, so I knew there had to be more. None of the APKs in the system apps folder resulted in any Google hits, so I had to figure this out myself.
I proceeded to use ES File Explorer to copy every file in the “/system/apps” folder to my desktop computer. Next, I used 7-Zip to unzip every APK to my RAM drive. I started to look at the individual files with Notepad++ but found this quite tedious. Then I realized that Chinese apps probably access Chinese servers with a “.cn” domain.
I fired up Agent Ransack and did a search inside all of the decompressed app files for “.cn”. Sure enough, two hits on “GoogleUpdate.apk” and “GoogleService.apk”. I looked inside the “classes.dex” files and sure enough found links to Chinese sites located at “http://g.10086.cn”. I also found mention of “com.google.system.king”. Ahhhhh, that makes sense, because I noticed that the SD Card ended up with a folder of the same name with Chinese-looking files inside, such as “hziee”, and also “jrinfo.cfg”.
I Googled the king string and found a Chinese site that described the app as “Android application management, convenient and practical, Fool phone management experts.” Ah-ha!!! So I renamed both of those APKs in the system app folder with a “.dis” extension, rebooted my phone and voila – no more spam. They didn't fool me, and hopefully this post will help someone else out there with this infestation.
I attached the spamware app APKs from my phone to this thread for additional deconstruction by anyone interested. I'd be curious to know to what extent they would go in downloading spam.
~Cevyn L (FastMHz)
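The string search described in the post (unzip each APK, then look for “.cn” hosts) can be done in one pass without extracting anything to disk. This is an added example, not part of the original post; the function names and the sample archive built in `make_sample_apk` are constructed for illustration, and only the host and package strings in the sample come from the post.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

def host_regex(tld="cn"):
    """Match ASCII host names ending in .<tld>, as stored in DEX string data."""
    t = re.escape(tld.encode())
    return re.compile(rb"(?<![A-Za-z0-9.-])((?:[A-Za-z0-9-]+\.)+" + t +
                      rb")(?![A-Za-z0-9-]|\.[A-Za-z0-9])")

def scan_apk(apk, tld="cn"):
    """Return {zip entry: sorted hosts} for one APK (path or file-like object)."""
    rx, hits = host_regex(tld), {}
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            found = {m.group(1).decode().lower() for m in rx.finditer(zf.read(info))}
            if found:
                hits[info.filename] = sorted(found)
    return hits

def scan_folder(folder, tld="cn"):
    """Scan every *.apk in a folder copied off the phone; flag unreadable files."""
    report = {}
    for path in sorted(Path(folder).glob("*.apk")):
        try:
            hits = scan_apk(path, tld)
        except zipfile.BadZipFile:
            hits = {"<not a zip archive>": []}
        if hits:
            report[path.name] = hits
    return report

def make_sample_apk(dex_bytes):
    """Constructed stand-in for an APK: a zip holding one classes.dex entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", dex_bytes)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for apk, hits in scan_folder(sys.argv[1]).items():
            print(apk, hits)
    else:  # constructed sample using the strings quoted in the post
        sample = b"\x00\x11http://g.10086.cn\x00com.google.system.king\x00"
        print(scan_apk(make_sample_apk(sample)))
```

A hit is only a lead for manual review: legitimate apps can also reference `.cn` hosts, and a host assembled or decoded at runtime will not appear as a plain string.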