[Nougat] What is "zdemo" app? Could it be malware?

UglyStuff

Senior Member
Feb 4, 2018
120
7
Hi Everyone,

Long time no see, but I'm back with a quick question: I've noticed an unknown (to me) application on my Leagoo T5c running Android 7.0 called "zdemo".

It doesn't appear in my app drawer (I use a launcher called Rootless Pixel that I like a lot, because it's extremely light and easy on the eye), only in the Application list in Parameters, and I've uninstalled it, but I suspect it could have been malware, because all of a sudden, I've started to get unwanted popups in a few applications, Blue Mail among them, so I suspect it could come back.

Do any of you know of this app? I Googled it and got nowhere.
 

UglyStuff

Senior Member
Feb 4, 2018
120
7
Yeah, I managed to uninstall it... Twice, which means it's coming back at more or less regular intervals. I suspect it's malware, but MalwareBytes didn't find anything wrong on my phone, so I'm a bit stumped.
 

Donna B.

New member
Oct 26, 2018
1
0
Zdemo appears in conjunction with System Input Method. I think the former is a trojan and the latter adware. I keep stopping and uninstalling the apps just to have them return. I think the gallery app is the culprit but haven't figured out how to clean it yet because it's a system file.
 

UglyStuff

Senior Member
Feb 4, 2018
120
7
Hi Donna,

Do you own a Leagoo phone too? I've had issues with rotten ROM from that brand before, but I thought that was a thing of the past.

If the Gallery app is indeed the culprit, then there must be a bad picture or video in it that you imported, maybe a cover from a music album you downloaded?

I for one know that all the music on my phone doesn't come from CDs I ripped...

The funny thing is, before I installed those two launchers I mentioned, I had no issues whatsoever. The Rootless Pixel Launcher contacted me via Play Store and defended himself from injecting any bad code into his launcher, and says that CPL Launcher is based on his own Rootless Pixel launcher, so it could be that the repository where the APK is stored has been compromised, and the malware is added to the files before it's made available to the Google Play store, but I can't be sure.
 

UglyStuff

Senior Member
Feb 4, 2018
120
7
For reasons unknown, my first reply got lost somewhere, and I don't feel like rewriting it word for word. Do you have a Leagoo phone too? If so, which ROM do you have installed on it (mine was released in March 2018)?

I suspect those two malware come bundled with the launchers I mentioned, but the dev for Rootless Pixel launcher assured me his code is clean, and I tend to believe him. I think the repo where his code is stored could have been hacked, but I have no way to prove it, of course.

EDIT: my first reply finally made it to the thread. Sorry for the double post...
 

UglyStuff

Senior Member
Feb 4, 2018
120
7
UPDATE: I finally did a factory reset, reinstalled all my apps (minus a couple I never used anyway) from the Play Store, put my music back on the device (not my pictures though, because I want to sieve through them first), installed Rootless Pixel Launcher again, and so far, so good, no malware in the applications list.

I'll give it a day or two, just to be on the safe side, then I'll modify my incendiary comment on the Play Store about Rootless Pixel Launcher...
 

Jimfilt

New member
Oct 28, 2018
1
0
Somebody created this code to bug people, probably had nothing to do, and uses your IP to track and install his popup window.
If I disconnect my Wi-Fi and use my phone without an internet connection, zdemo and System Input Method don't come back. I should try on another Wi-Fi or in another country. Wonder if it could be tracked and maybe interesting to see where it leads. Could it be stashed on the Google Play Store? It seems curious that there is little info on the web about this problem, as if somebody in a key position really f...-up.
 
UglyStuff

Senior Member
Feb 4, 2018
120
7
Yeah, I too find it hard to believe that those two malware aren't better documented on the Web. However, if you scan your device with MalwareBytes and look up the entire name of both, you find ***partial*** references, stating that they aren't "real" malware, just PUPs, which I find intriguing too.

On my phone, I've noted unwanted popups that were hard to close when they were installed, but nothing untoward once I got rid of them, so they're definitely adware, either separately, or working jointly, I don't know.