Zygote and Whatsapp requesting root??

gogglebot

Member
Jan 15, 2016
Hello, I have a Redmi Note 3 Pro running sMiUI (based on the Xiaomi.eu ROM) but this seems to be irrelevant.

While this strange behaviour doesn't seem to be limited to this device, being noted here and here, it does seem that the symptoms are the same.

In the SuperSU logs I found that firstly WhatsApp tried to gain root and was denied, followed by zygote requesting 3 times over the following few hours. The log for each is blank.

I have just rebooted my device and, after unlocking, WhatsApp immediately requested root. Yet to see zygote request root again but I'll update you should it appear.
UPDATE: WhatsApp has again requested root.
UPDATE2: WhatsApp continues to request, however zygote has not. It appears to be happening every half-hour (ish).
U3: Uninstalled WhatsApp, will see what happens at the half-hour mark.
Anyone know what's going on?

Also some probably irrelevant weirdness but I'll write it anyway given this only started appearing after this happened:
My phone did something weird earlier. I restarted, and normally on my ROM it just has a spinning little loading thingy in the middle of an otherwise blank screen, then goes off and reboots, showing the Mi logo. This time, however, it randomly showed a kinda-pulsating Android logo shortly after the usual "spinning loading icon" and then continued to the usual Mi logo. Given I'm running sMiUI, I've never seen it display a large Android logo like this before. I just rebooted again and this behaviour was not repeated.

gogglebot

Member
Jan 15, 2016
Try xiaomi.eu ROM, or stock ROM. Or it might be that you've just installed a modified WhatsApp and zygote APK from an untrusted source. I don't use sMIUI.
The struggle I went through to get off of the vendor ROM, I'm not going back to stock. sMiUI was based on the Xiaomi.eu ROM, so the zygote is probably straight out of that.
I have installed WhatsApp from Google Play so I assume it doesn't get more secure than that. I've made no attempt to replace zygote, I don't really know what it does, something about starting apps.
The ROM I'm using doesn't seem to be remotely relevant to this, given it's happened on 3 different devices from different brands as I can see from the links I provided.
 

immns

Senior Member
Nov 12, 2016
Yogyakarta
It doesn't make any sense. WhatsApp is used to not request any root permission unless it's infected by malware. You can try to use xiaomi.eu ROM alongside 3rd party mods instead of using a pre-modded ROM from sMIUI.
 

gogglebot

Member
Jan 15, 2016
It doesn't make any sense. WhatsApp is used to not request any root permission unless it's infected by malware. You can try to use xiaomi.eu ROM alongside 3rd party mods instead of using a pre-modded ROM from sMIUI.
Indeed, last WhatsApp update was 13th December, so I would have seen this happening before today if it was in normal WhatsApp. This is nothing to do with sMiUI, I've had this ROM installed for many months now with no issues.
And as previously stated it is based on Xiaomi.eu ROM.

But yes, my suspicion is malware, however it's not specific to MIUI or any variants as this was also occurring on a Galaxy S5 and another device.


Everyone: Please read the entire thread before replying so I don't have to keep restating facts.
 

fabiyo

New member
Nov 6, 2016
Hey, I have the same problem too. I'm using a Redmi Note 2. Today I got a notification that WhatsApp needs root access, and after several minutes zygote needed root access too. Now I deny that access in SuperSU.
 

MTMC

Member
Jun 6, 2013
First time root/custom ROM/kernel etc.

I've had the same thing happen. The first time I thought it was strange, though, and denied permission was with the zygote thing asking permission. I've granted WhatsApp and WhatsApp extensions permission, for example, 'cause I thought that was just the way it worked. I've granted LMT permission and a couple more apps.

Thought it was more of a Windows-type "do you trust this program to do things" type thing.

Thing is, my installation is pretty fresh, and I don't get where I should've gotten malware from.
htcm8/Viperrom/elementalx kernel

A bunch of file explorers (sdmaid/totalcommander) and terminals, all from the Play Store. Xposed installer and a couple of modules that all seemed reputable, with ongoing XDA threads, and downloaded from the original source: amplify/bootmanager (something with that maybe?)/chromepie/secure settings for a Tasker profile/minminguard.

You see something we have in common on the phone?

Phone is running fine, nothing strange. The zygote I got for the first time today and I denied and hopped on Google. WhatsApp is in my root log constantly. I see the grey box popping up every once in a while that root was granted. Never thought anything of it.

Today I installed the Termux terminal from the Play Store... maybe that's where the zygote su request comes from?

---------- Post added at 10:05 PM ---------- Previous post was at 09:39 PM ----------

From what I see elsewhere, the WhatsApp extension module in Xposed, which is a root app, might have something to do with the WhatsApp requests. I don't exactly know how these things work, but the altering might explain apps doing things they normally don't do.

Don't know about zygote... got it one time and it has not been back.
 

mawvius

New member
Jul 20, 2016
Same here.

I'm on a fresh install and this zygote su request wasn't appearing until I reinstalled all my apps.

Another forum states that zygote is run at such a raw level that it simply would never request root.

I am for now denying su requests with little to no adverse effects.

Can anyone confirm for certain that zygote should never need to request root? Is there any way to dig out the rogue source/APK when AV apps are showing nil?

As I have nothing WhatsApp on my phone, thinking it may be an Xposed mod. Might be a good idea for us to list our Xposed mods so we can cross-reference. Not sure?

samsung i9505 | resurrection remix | android 6