Cure for Chinese Notification Spam & Random App Installations

Cevyn

Member
Jan 7, 2011
31
15
0
Hagerstown, MD
www.cevyn.com
I recently obtained a Star N9500, which is a Samsung Galaxy 4 clone. It's a very nice piece of hardware, with the exception of the pre-installed spamware apps. I'm going to detail how I discovered which system apps were the culprit so that you can follow a similar procedure on your Chinese Android device.

The symptoms are Chinese-language spam notifications that, when touched, will immediately begin downloading some other app, most often a game or Chinese social networking/dating app. Other times, Chinese apps would just randomly install, or links to other Chinese sites would appear on the home screen. The problem is that there is no obvious app to uninstall to stop this from happening, AdAway doesn't prevent it, and none of the ad network / push detectors or blockers available in the Play Store found anything wrong. These apps are buried in the phone's firmware, and this must be solved with detective work.

The removal process requires your phone to be rooted.

The first thing that I did was to Google the name of each and every .apk in the /system/apps folder. You'll have to use the Translate feature for most of the results. Only one app I Googled got a hit: “uuplay.apk”. Turns out that this is a known Chinese adware app. I proceeded to rename it with a “.dis” extension with ES File Explorer and felt I had solved the problem... but I hadn't.

Sure enough the notification spam continued, so I knew there had to be more. None of the APKs in the system apps folder resulted in any Google hits, so I had to figure this out myself.

I proceeded to use ES File Explorer to copy every file in the “/system/apps” folder to my desktop computer. Next, I used 7-Zip to unzip every APK to my RAMDrive. I started to look at the individual files with Notepad++ but found this quite tedious. Then I realized that Chinese apps probably access Chinese servers with a “.cn” domain.

I fired up Agent Ransack and did a search inside all of the decompressed app files for “.cn”. Sure enough, two hits on “GoogleUpdate[3738].apk” and “GoogleService[3738].apk”. I looked inside the “classes.dex” files and sure enough found links to Chinese sites located at “http://g.10086.cn”. I also found mention of “com.google.system.king”. Ahhhhh, that makes sense, because I noticed that the SD card ended up with a folder of the same name with Chinese-looking files inside, such as “hziee”, and also “jrinfo.cfg”.

I Googled the king string and found a Chinese site that described the app as “Android application management, convenient and practical, Fool phone management experts.” Ah-ha!!! So I renamed both of those APKs in the system app folder with a “.dis” extension, rebooted my phone and voila – no more spam :) They didn't fool me, and hopefully this post will help someone else out there with this infestation.

I attached the spamware app APKs from my phone to this thread for additional deconstruction by anyone interested. I'd be curious to know to what extent they would go in downloading spam.

~Cevyn L (FastMHz)
 

I.nfraR.ed

Senior Member
May 9, 2013
234
275
0
Sofia
Yes, be careful with those Chinese phones.
Some of them have self-register apps that send expensive SMS messages to China. Some of them also have apps similar to those you mentioned.

Usually, you can delete the whole /system/vendor/app folder, full of Chinese crap.
Some of the apps are also located in the /system/app folder. The best way for non-experienced users is to search for an app's description on the net if you're unsure of what a certain app does.

MTKDroidTools has a predefined apps list and can automatically remove Chinese stuff for you, but there's still a chance some new or differently named app is installed on the phone.

Of course, for any of these manipulations you need root access.
 

Cevyn

Yeah I can imagine some of them have some nasty stuff loaded in, so definitely a good idea to scrutinize every app for anything suspicious. I think doing what I did above on any Chinese phone to search for any apps with links to .cn based domains isn't a bad idea, even if spamware isn't an issue. I also only use prepaid SIMs in these things for a reason ;)
 

Cevyn

UPDATE 08-09-2013:

Quick Fix: If your phone has the same rogue files as mine did, root your phone, and delete the following from /system/apps: UUPLAY.APK, GoogleUpdate[3738].apk, GoogleService[3738].apk, SystemThread[3738].apk, Backup_File[3738].i, projectmkmassags.apk, and smsreg.apk.

I completely decompiled the APKs to Java code and found these strings inside:

http://61.160.234.133:9090/date/getDate
http://g.10086.cn/gamecms/wap/game/wyinfo/700144311000?channelId=12068000
http://www.ccinchina.com/blog/uploa...111109151143_MzI0NzM3NjgwNjMxMTM3NzA3NQ==.jpg
http://117.135.133.9:8080/source/ap...id_2-3-28-6_1000934d.apk?imei=352520130058754
http://117.135.131.9:8080/push_4/push.action?imei=value
http://61.160.242.35:8080/pro_5/pro.action
/datang_gaohong/
SilentClient.apk
shurufa_01.apk
BaiduBrowser_Android_2-3-28-6_1000934d.apk

None of those other APKs were present, but a datang_gaohong folder was on my SD card, as well as a folder called LogicDownloads that referenced these types of filenames. I deleted all of them and haven’t had them come back. I deleted a bunch of other non-dangerous bloatware as well. The phone is now about as perfect as I could imagine one being. Battery seems to go forever now as well.
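Added example (not part of the thread and not any poster's code): the search described in the first post, automated in Python, extended to also flag the raw-IP URLs of the kind listed in the update above. It treats each APK as a zip, scans every `.dex` inside for URL strings, and reports hosts ending in `.cn` or given as bare IP addresses. The function names and the sample APK are constructed for illustration; the two flagged sample URLs are ones quoted in the thread.

```python
import io
import ipaddress
import re
import zipfile
from pathlib import Path
from urllib.parse import urlsplit

# URLs sit in classes.dex as plain ASCII, so a byte regex finds them without decompiling.
URL_RE = re.compile(rb"https?://[\w.\-:/?=&%]+")

def classify(url, tld=".cn"):
    """Return 'tld' for a host under `tld`, 'raw-ip' for an IP-literal host, else None."""
    host = urlsplit(url).hostname or ""
    if host.endswith(tld):
        return "tld"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return None
    return "raw-ip"

def suspicious_urls(apk_bytes, tld=".cn"):
    """Sorted (reason, url) pairs found in every .dex file inside one APK."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.endswith(".dex"):
                for m in URL_RE.finditer(apk.read(name)):
                    url = m.group().decode("ascii")
                    reason = classify(url, tld)
                    if reason:
                        hits.add((reason, url))
    return sorted(hits)

def scan_dir(folder):
    # iterdir() rather than glob(): names like GoogleUpdate[3738].apk contain glob metacharacters.
    return {p.name: suspicious_urls(p.read_bytes())
            for p in Path(folder).iterdir() if p.suffix.lower() == ".apk"}

def build_sample_apk():
    """Constructed sample: a zip whose fake classes.dex holds three URL strings."""
    urls = [b"http://g.10086.cn",                           # .cn host quoted in the thread
            b"http://61.160.242.35:8080/pro_5/pro.action",  # raw-IP URL quoted in the thread
            b"https://www.example.com/help"]                # constructed benign URL
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00".join(urls) + b"\x00")
    return buf.getvalue()
```

Point `scan_dir()` at the folder of APKs copied off the phone; a hit is a lead for manual review of that APK, not proof that it is adware.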
 

anticristian

Member
Sep 2, 2013
29
1
0
Mine all end like GoogleService[3774].
I didn't understand whether we should delete all those apps you listed in the last message, or only the one in caps lock?

Sorry for my questions, I'm a bit of a newbie ;(
 

Cevyn

Delete them if you have them.

Also, zip up the "GoogleService[3774].apk" and any other 3774 apps you have and attach them to a message on this thread... I'll look inside for Chinese links. Interesting that you have a different set of numbers in brackets on yours; could be a version indicator or something.
 

anticristian

Thank You

Thank you for your reply. I haven't deleted them all, only (uuplay), so here are the others; hope this is what you wanted. So if I delete those ones I won't have Chinese app news and auto-install?
 

rodxyz

New member
Sep 12, 2013
1
0
0
Help, I can't remove them!!!!!

Hello all,
First of all, sorry for my bad English, it's not my first language, and thank you very much for helping us.

I have an N9500 with Chinese applications and I'll post all the applications in the app folder. I try to delete:
GoogleUpdate[3774].apk, GoogleService[3774].apk, SystemThread[3774].apk and smsreg.apk
But I can't delete or rename them, why? I'm root on the phone but I only get errors when I try it.
I'm using "ES FILE EXPLORER" for deleting them.
Again, thank you very much.
 

anticristian

Check if you are in r/o or r/w mode. You have a small task on the right corner. If you are in r/w, change in r/w. Hope it will solve it.
 

agzorig

Senior Member
Jan 20, 2011
140
12
0
UPLB
Thank you for this thread, I have been searching for a couple of days now for this!
I have also been wondering how I get these weird apps on my phone every time I wake up and find them already installed.
I noticed the folders you said which I also deleted, hoping it would fix the problem.
Anyways, thanks a lot for sharing this.
By the way, I really don't know how I got this malware, not really sure if it was preinstalled in my Cherry Mobile Superion TV2, or got it somewhere else in the apks I recently downloaded and installed.

Sent from my Superion TV 2 using Tapatalk 4
 

SUMM0NER

Member
Jun 20, 2007
40
6
38
London
Thanks guys, your thread helped me a lot.

Just removed uuplay.apk and uuairpush.apk.

Deleting/renaming them via ES Explorer didn't work for me, I had to use Root App Delete. Even that initially seemed to fail to remove the fake Google Play app, but then came up with a prompt to tap here to force removal, which worked.

Rebooted and did deep ESET scans yesterday and again today, looks like it is all gone. :laugh:
 
Chandar78

New member
Jun 18, 2014
2
0
0
bangalore
SmsReg

Guys

Please help me....

In my apps list I can see SMSReg listed. To remove this... I cannot find UUPLAY.APK, GoogleUpdate[3738].apk, GoogleService[3738].apk, SystemThread[3738].apk, Backup_File[3738].i, projectmkmassags.apk, and smsreg.apk on my phone (Micromax A110Q).

Can anyone help me ASAP?
 

Chandar78

How to delete SmsReg

I don't know how to delete smsreg....

Can anyone explain each step to delete/rename the APKs (UUPLAY.APK, GoogleUpdate[3738].apk, GoogleService[3738].apk, SystemThread[3738].apk, Backup_File[3738].i, projectmkmassags.apk, and smsreg.apk)?
 

RASTAVIPER

Senior Member
May 2, 2011
3,702
815
253
Any faster way to find the culprit?
My Chinese phone Kolina 100+ always loads a spam website, whenever I try to open a link.
This happens with both stock and Dolphin browser.
Adaway and ad push detector only stopped ads in applications.
Not this annoying homepage.
 

RASTAVIPER

Yes, I don't see this application before I scan my phone with Kaspersky anti-virus (and force the program to analyze system applications). So you probably have the same problem.
You mean that this twitter app is hidden and only Kaspersky can reveal it?
I searched with Rootappdelete app and there is no twitter app in system apps.
 

sandeep josh

New member
Sep 4, 2015
2
0
0
Hi there,
I have a problem. I recently got a Huawei GX1s (Huawei SC-UL 10) phone from China. I have changed the language to English, but once I get inside any apps already there or installed from its app store, they open in Chinese. I tried to download Google Translator but it doesn't download; even the Google Play Store won't open.
How can I solve this problem of Chinese language in apps???