I need help with an apk that comes with a malware


ZIGS318

Member
Jan 23, 2022
9
2
Hi, everybody. So, I've downloaded an apk for a multiplatform emulator that I used to have installed on my phone but lost when rebooting, and which happens to have been removed from the Play Store. The thing is, said apk seems to come with malware. I've done a couple of tests to see if the malware was from somewhere else or if it comes from the phone's system, but it seems like it comes in the apk of the emulator.

This malware installs some bloatware apps and even if I uninstall them, the malware just installs them again by itself. It also starts to take control of the phone. The malware, however, disappears if I do a factory reset. I tried opening the apk file with a file explorer to see what's inside the apk file, to see if I could identify the malware files or whatever triggers it and erase them from the apk, but unfortunately I lack the knowledge to tell what belongs to the emulator and what is the malware.

I know it's a little bit silly of a help request, but I really like that emulator and I can't find a clean malware-free apk of it. If someone with knowledge on the subject has some spare time and is willing to help me with this silly request I would be really grateful to them.

Here's one of the few links to the apk. CAREFUL: don't install it, the malware seems to install itself in your phone's system and won't go even if you uninstall the emulator.


I have read the rules and I don't think I'm breaking them by asking for help with this, but if I'm doing something wrong or if this is not the place for asking for this kind of help, please let me know and I'll delete the post. Also, it would be nice if you could tell me what is a proper site for asking for help with this.

Thanks in advance, everybody.
 

blackhawk

Senior Member
Jun 23, 2020
8,862
3,561
Samsung Galaxy Note 10+
I wouldn't even attempt to download a known infected file🤣
Scan it with online VirusTotal and see what you get. You should have done this before sideloading it... not very clever.
If it's not the cause, a factory reset is in your future, and if you're running Android 8 or lower more may be required if it's a rootkit.
Find and ID the malware and uninstall/delete it... if you can.
 

xXx yYy

Senior Member
Feb 4, 2017
601
3
94
Hi, everybody. So, I've downloaded an apk for a multiplatform emulator that I used to have installed on my phone but lost when rebooting, and which happens to have been removed from the Play Store. The thing is, said apk seems to come with malware. I've done a couple of tests to see if the malware was from somewhere else or if it comes from the phone's system, but it seems like it comes in the apk of the emulator.

This malware installs itself again if I uninstall it and starts to take control of the phone. I tried opening the apk file with a file explorer to see what's inside the apk file, to see if I could identify the malware files or whatever triggers it and erase them from the apk, but unfortunately I lack the knowledge to tell what belongs to the emulator and what might not.
how does this malware manifest itself?

you can always run the apk through an online android-apk decompiler to get the source code and then look into it
 
  • Like
Reactions: ZIGS318

Austinredstoner

Senior Member
Feb 3, 2021
898
1
1,756
Moto G7
Hi, everybody. So, I've downloaded an apk for a multiplatform emulator that I used to have installed on my phone but lost when rebooting, and which happens to have been removed from the Play Store. The thing is, said apk seems to come with malware. I've done a couple of tests to see if the malware was from somewhere else or if it comes from the phone's system, but it seems like it comes in the apk of the emulator.

This malware installs itself again if I uninstall it and starts to take control of the phone. I tried opening the apk file with a file explorer to see what's inside the apk file, to see if I could identify the malware files or whatever triggers it and erase them from the apk, but unfortunately I lack the knowledge to tell what belongs to the emulator and what might not.

I know it's a little bit silly of a help request, but I really like that emulator and I can't find a clean malware-free apk of it. If someone with knowledge on the subject has some spare time and is willing to help me with this silly request I would be really grateful to them.

Here's one of the few links to the apk. CAREFUL: don't install it, the malware seems to install itself in your phone's system and won't go even if you uninstall the emulator.


I have read the rules and I don't think I'm breaking them by asking for help with this, but if I'm doing something wrong or if this is not the place for asking for this kind of help, please let me know and I'll delete the post. Also, it would be nice if you could tell me what is a proper site for asking for help with this.

Thanks in advance, everybody.
Did u just say the malware can't be uninstalled even after doing a factory reset? The malware is called xhelper; that's malware that can't be uninstalled once u get it.
 
  • Like
Reactions: blackhawk

ZIGS318

Member
Jan 23, 2022
9
2
I wouldn't even attempt to download a known infected file🤣
Scan it with online VirusTotal and see what you get. You should have done this before sideloading it... not very clever.
If it's not the cause, a factory reset is in your future, and if you're running Android 8 or lower more may be required if it's a rootkit.
Find and ID the malware and uninstall/delete it... if you can.
Thanks for the advice.
 
  • Like
Reactions: blackhawk

ZIGS318

Member
Jan 23, 2022
9
2
how does this malware manifest itself?

you can always run the apk through an online android-apk decompiler to get the source code and then look into it
Well, from what I've seen it's malware that hides in the system files (I don't know where). Once there, it starts installing bloatware and spyware on the phone and starts to take control of things like the browser (mostly to show pages of ads and bets) and calls and messages. I can uninstall the bloatware apps, but the malware installs them again after some time has passed. After a factory reset, the malware is gone; that's how I realized the malware comes from the emulator apk. But I like that emulator so I want to erase the malware from the apk. Also, thanks for the advice, I will try it. :"D
 

ZIGS318

Member
Jan 23, 2022
9
2
Did u just say the malware can't be uninstalled even after doing a factory reset? The malware is called xhelper; that's malware that can't be uninstalled once u get it.
No, I expressed myself wrong. The malware disappears after a factory reset. What I can't uninstall is the bloatware apps that the malware installs while it's in the phone. Once the malware is gone, so are the bloatware apps.
 
  • Like
Reactions: Austinredstoner

xdabookam

Member
Feb 8, 2015
14
2
Can't help with de-compiling, but when I was investigating a malware outbreak, I turned off the system settings apk.
It later turned out to be ES File Explorer and the apps were being installed via Google Play/mobile services.
Of course you can't change any settings, but at least I could use the phone and nothing got installed.
Use the terminal/adb commands to turn it off and back on when you're done:
pm disable com.android.settings / pm enable com.android.settings
 
  • Like
Reactions: ZIGS318

ZIGS318

Member
Jan 23, 2022
9
2
Can't help with de-compiling, but when I was investigating a malware outbreak, I turned off the system settings apk.
It later turned out to be ES File Explorer and the apps were being installed via Google Play/mobile services.
Of course you can't change any settings, but at least I could use the phone and nothing got installed.
Use the terminal/adb commands to turn it off and back on when you're done:
pm disable com.android.settings / pm enable com.android.settings
Emmm... I didn't get that well. How do I enter that command? Thanks for the answer, though.
 

Kenora_I

Senior Member
Jun 12, 2021
1,350
3
317
Ireland
Redmi 7A
Samsung Galaxy A21s
Emmm... I didn't get that well. How do I enter that command? Thanks for the answer, though.
He's talking about ADB, Android Debug Bridge.
That needs to be installed on your PC and run while your phone is connected to the PC.
I'll post a tutorial here.



NFO:
Code:
• Versions: Installer, Portable & ADBKit
• Android Debug Bridge & Fastboot updated to latest v1.0.41 (Version 32.0.0-8006631, January 2022)

Installer Features:
• Installation Folder choosable
• Creates Desktop & Start Menu Shortcut
• Toolkit & Desktop Shortcut
• Creates Commands Shortcut
• View Commands List
• Add to System Path Environment
• Universal ADB Driver Installation

ADBKit:
• Pure ADB (Android Debug Bridge)
• Open CMD.bat to easily open a CMD
• Only 5.81MB (compressed 2.74MB)


Requirements:
Code:
• Windows OS
• USB Driver for your Device or Universal ADB Driver (Included in the Installer)
• PowerShell for the Toolkit

Developer Options & USB Debugging:
Code:
01. Install the USB Driver for your Phone or Universal Adb Driver.
02. On your Phone, go to Settings > About Phone. Find the Build Number and tap on it 7 times to enable Developer Options.
03. Now enter System > Developer Options and find "USB debugging" and enable it.
04. Plug your Phone into the Computer and change it from "Charge only" to "File Transfer" Mode.
05. On your Computer, browse to the directory where you extracted the Portable Version or use Tiny ADB & Fastboot Shortcut.
07. Launch a Command Prompt with Open CMD.bat or use Tiny ADB & Fastboot Shortcut.
09. Once you’re in the Command Prompt, enter the following Command: adb devices
10. System is starting the ADB Daemon (If this is your first Time running ADB, you will see a Prompt on your Phone asking you to authorize a Connection with the Computer. Click OK.).
11. Successfully enabled USB Debugging.


Installer:
Code:
1. Download ADB_&_Fastboot++_vXXX.exe
2. Follow the Installer's Instructions and select where you would like to install ADB & Fastboot++
3. After the Installation Wizard has completed you can select to start ADB & Fastboot++
4. You should see a Command Window open, now you can use ADB and Fastboot Commands


Portable:
Code:
1. Download ADB_&_Fastboot++_vXXX_Portable.zip
2. Extract the Zip Archive
3. Double click on Open CMD.bat
4. You should see a Command Window open, now you can use ADB and Fastboot Commands


ADBKit:
Code:
1. Download ADBKit_vXXX.zip
2. Extract the Zip Archive
3. Double click on Open CMD.bat
4. You should see a Command Window open, now you can use ADB Commands



Toolkit Features:
• Uninstall Bloatware without Root Access
(This works because Applications truly aren't being fully uninstalled from the Device, they are just being uninstalled for the current User)
• Re-install uninstalled Apps
• Install Kernel (Popup Menu, reboots automatically to Bootloader)
• Install Recovery (Popup Menu, reboots automatically to Bootloader)
• Install APKs (Popup Menu)
• Push Files (Popup Menu)
• Check Firmware Version
• Check Android Version
• Check Kernel Version
• Check Firmware Build Date
• Check Kernel Build Date
• Check Security Patch Date
• Check IMEI
• Check IP Addresses
• Check App Packages
• Check Process Activity (Real Time)
• Take Screenshots (PNG Format)
• Video recording - 30 Seconds (Without Device Sound)
• Video recording - 60 Seconds (Without Device Sound)
• Video recording - 120 Seconds (Without Device Sound)
• Video recording - 180 Seconds (Without Device Sound)
• Reboot the Device
• Reboot to Bootloader
• Exit Bootloader to System
• Reboot to Recovery
• Create Logcat
• Exit (adb kill-server & close Toolkit)




 
  • Like
Reactions: ZIGS318

shivadow

Senior Member
Jan 26, 2012
2,628
483
The malware will be downloaded by a background process. You need to find the link to the website and break it.

The best place to start would be an app that can log DNS and IP calls, like AdGuard. It will also block any already known links.

If you can break the link to prevent the apps installing, it's a start. But as already suggested, you are better off using a more up-to-date app because RetroArch may not run correctly on newer tech.
 
  • Like
Reactions: ZIGS318

xdabookam

Member
Feb 8, 2015
14
2
He's talking about ADB, Android Debug Bridge.
That needs to be installed on your PC and run while your phone is connected to the PC.
I'll post a tutorial here.
Yes, the pm command was entered via adb from a PC via USB. A shell terminal on the device as a standard user never seems to have the right privileges to run the pm command, but su - (superuser root) will.
 
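An added example (not a script from any poster in this thread) that turns the adb/pm advice above into a small triage routine: snapshot the list of third-party packages right after a clean factory reset, snapshot again once apps start reappearing, diff the two to see exactly which packages came back and which app installed them, and disable a confirmed offender for user 0 without root. It assumes adb is on PATH and the phone is already authorised, as in the ADB tutorial posted above; the file names and package names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not a poster's script: baseline/diff triage for packages that keep
# reappearing, built on the adb `pm` commands discussed in this thread.
# Assumes: adb on PATH, USB debugging enabled, device already authorised.

# Snapshot third-party (non-system) package names into file $1, one per line, sorted.
# `pm list packages -3` prints "package:<name>"; adb output uses CRLF, hence the tr.
snapshot_packages() {
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' | sort > "$1"
}

# Packages present in snapshot $2 but not in baseline $1 (what came back or got added).
# Both files must be sorted, which snapshot_packages guarantees.
new_packages() {
    comm -13 "$1" "$2"
}

# Packages present in baseline $1 but missing from snapshot $2 (what was removed).
removed_packages() {
    comm -23 "$1" "$2"
}

# Parse `pm list packages -3 -i` output from stdin into "<package> <installer>" lines.
# The installer field names the app that performed the install (com.android.vending
# for Play, or a sideloaded app itself), which is the lead for tracing the source.
# Lines that do not match the expected shape are dropped rather than guessed at.
installer_of() {
    tr -d '\r' | sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p'
}

# Disable package $1 for user 0 without root. Reversible with `pm enable`, keeps data.
# Only use on a package name you have confirmed from the diff above.
disable_for_user() {
    adb shell pm disable-user --user 0 "$1"
}

# Manual workflow (needs a connected device, so nothing below runs automatically):
#   snapshot_packages baseline.txt        # right after factory reset, before sideloading
#   snapshot_packages later.txt           # once the bloatware starts reappearing
#   new_packages baseline.txt later.txt   # the packages the malware dropped
#   adb shell pm list packages -3 -i | installer_of
```

If the diff keeps showing the same packages with the same installer after you remove them, that installer is the process to look at, which is what the "turn off the settings apk" and "log the DNS calls" suggestions above are both aiming at.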

ZIGS318

Member
Jan 23, 2022
9
2
The malware will be downloaded by a background process. You need to find the link to the website and break it.

The best place to start would be an app that can log DNS and IP calls, like AdGuard. It will also block any already known links.

If you can break the link to prevent the apps installing, it's a start. But as already suggested, you are better off using a more up-to-date app because RetroArch may not run correctly on newer tech.
Thanks for the advice! I'll see what I can do!
 

Top Liked Posts
2
You could try firewall blocking the app or maybe running under VMOS.
Personally I just ditch it...
There are decompiler apps that might enable you to defang it.
Or there are perfectly "virus-free" emulators on the internet.