[Nougat] What is "zdemo" app? Could it be malware?

[UglyStuff]

Hi Everyone,

Long time no see, but I'm back with a quick question: I've noticed an unknown (to me) application on my Leagoo T5c running Android 7.0 called "zdemo".

It doesn't appear in my app drawer (I use a launcher called Rootless Pixel that I like a lot, because it's extremely light and easy on the eye), only in the Application list in Parameters, and I've uninstalled it, but I suspect it could have been malware, because all of a sudden, I've started to get unwanted popups in a few application, Blue Mail among them, so I suspect it could come back.

Do any of you know of this app? I Googled it and got nowhere.

 

[Jadensito]

It happens to me too. I have another one named media provider or something like that, it has a fake Android logo and it can be desistaled.

 

[UglyStuff]

Yeah, I managed to uninstall it... Twice, which means it's coming back at more or less regular intervals. I suspect it's a malware, but MalwareBytes didn't find anything wrong on my phone, so I'm a bit stumped.

 

[UglyStuff]

I suspect those malware were bundled with Rootless Pixel Launcher, because since I've uninstalled it, they're gone and haven't returned...

 

[Donna B.]

Zdemo appears in conjunction with System Input Method. I think the former is a trojan and the latter adware. I keep stopping and uninstalling the apps just to have them return. I think the gallery app is the culprit but haven't figured out how to clean it yet because its a system file.

 

[UglyStuff]

Hi Donna,

Do you own a Leagoo phone too? I've had issues with rotten ROM from that brand before, but I thought that was a thing of the past.

If the Gallery app is indeed the culprit, then there must be a bad picture or video in it that you imported, maybe a cover from a music album you downloaded?

I for one know that all the music on my phone doesn't come from CDs I ripped...

The funny thing is, before I installed those two launchers I mentioned, I had no issues whatsoever. The Rootless Pixel Launcher contacted me via Play Store and defended himself from injecting any bad code into his launcher, and says that CPL Launcher is based on his own Rootless Pixel launcher, so it could be that the repository where the APK is stored has been compromised, and the malware is added to the files before it's made available to the Google Play store, but I can't be sure.

 

[UglyStuff]

For reasons unknown, my first reply got lost somewhere, and I don't feel like rewriting it word for word. Do you have a Leagoo phone too? If so, which ROM do you have installed on it (mine was released in March 2018)?

I suspect those two malware come bundled with the launchers I mentioned, but the dev for Rootless Pixel launcher assured me his code is clean, and I tend to believe him. I think the repo where his code is stored could have been hacked, but I have no way to prove it, of course.

EDIT: my first reply finally made it to the thread. Sorry for the double post...

 

[UglyStuff]

UPDATE: I finally did a factory reset, reinstalled all my apps (minus a couple I never used anyway) from the Play Store, put my music back on the device (not my pictures though, because I want to sieve through them first), installed Rootless Pixel Launcher again, and so far, so good, no malware in the applications list.

I'll give it a day or two, just to be on the safe side, then I'll modify my incendiary comment on the Play Store about Rootless Pixel Launcher...

 

[Jimfilt]

Somebody created this code to bug people, had probably nothing to do uses your ip to track and install his popup window.
If I disconnect my wifi and use my phone without an internet connection zdemo and system input method don't come back. I should try on another wifi or in another country. Wonder if it could be tracked and maybe interesting to see where it leads. Could it be stashed on google play store? It seems curious that there is little info on the web about this problem as if somebody in a key position really f...-up

 

[UglyStuff]

Yeah, I too find it hard to believe that those two malware aren't better documented on the Web. However, if you scan your device with MalwareBytes and look up the entire name of both, you find ***partial*** references, stating that they aren't "real" malware, just PUPs, which I find intriguing too.

On my phone, I've noted unwanted popups that were hard to close when they were installed, but nothing untoward once I got rid of them, so they're definitely adware, either separately, or working jointly, I don't know.