Vortex Beat 8 has adware apps that keep installing themselves - Android Q&A, Help & Troubleshooting

I have a Vortex Beat 8. It's a cheap Chinese phone and doesn't have its own forum here. I have adware apps that keep installing themselves, and I think that some process built into the rom, from the factory, is causing it. Does anyone have any tips on what I can do to stop this process?
The biggest problem, with the adware, is that I'm using the phone as a security camera using the Alfred app, and once the ad pops up on the phone, the camera shuts off. I can't turn off the wifi, because I need it enabled for Alfred.
I've factory reset the phone, and disabled or uninstalled all the apps I thought looked suspicious, and yet somehow, occasionally, it will reinstall the apps. Every time I clear, uninstall and disable things, I think I've finally got the problem permanently solved, but then out of nowhere the apps are suddenly back. The last time, the phone lasted several weeks before reinstalling the apps. The previous time, it lasted about a day or two.
I believe at least one of the system apps I disabled somehow re-enabled itself, so that may be the culprit. It's called "Wireless Update". There is also a potentially suspicious system app called "Update Service Core", but I can't disable or uninstall that. I've been using "Data usage" to try to see which apps have been active, but it's hard to tell; it's not clear from the user interface when the activity took place.
Some of the adware apps are called "Shortcuts" and "Movies-TV". As far as I can tell they're fairly simple apps that use Android System WebView or something similar to display a website, and then pop up ads occasionally.
I tried several virus/adware apps and none of them have been able to detect anything.
At some point there was an update from the manufacturer, and afterwards the problem became worse. In hindsight, I should have rejected it. As far as I know, there are no alternative roms, on the internet, for this device.

I factory reset again and this time I disabled:
Adtime
News and rewards
(System)
Duraspeed
Mobile services
wireless update
Internet
Shortly afterward, the adware app/game Red Block installed itself.
I uninstalled Red Block and installed a firewall app called NoRoot Firewall. Through the firewall I gave internet access to Alfred, Google Play, and some other Google related things. Update Service Core was requesting access and I denied it. Here's hoping that denying Update Service Core was enough to stop this madness.

I'm still struggling with this. I followed the directions at https://forums.malwarebytes.com/topic/216616-removal-instructions-for-adups/ to uninstall adups for the current user. You can also find more info here:
https://blog.malwarebytes.com/andro...-come-pre-installed-with-unremovable-malware/
I used
Code:
adb shell pm list packages -f
to get the full list of packages and uninstalled adups and also a lock screen using:
Code:
adb shell pm uninstall -k --user 0 com.adups.fota
adb shell pm uninstall -k --user 0 com.adups.fota.sysoper
adb shell pm uninstall -k --user 0 io.appservice.lockappblack
However, the lock app uninstalled itself later as well as:
Movies-TV
Red Block
Shortcuts
and a new one called:
CraigsList
I had the firewall disabled at the time thinking that I had finally solved the problem. I don't know if the firewall being enabled could have prevented the reinstallation. Sometimes it crashes, and that might coincide with the apps being reinstalled. Also, the lock app renamed itself to io.appservice.lockappblack6. I also noticed that the built-in browser is called "Liberty-Browser", which makes me wonder if it's related to the lock app which has an apk called "lockAppLiberty.apk".
I noticed an app in my pm list that I didn't notice last time: package:/system/priv-app/Ignite-Sliide_3.1.025-1405_releaseProduction/Ignite-Sliide_3.1.025-1405_releaseProduction.apk=com.dti.sliide It's not in the normal apps list and it looks sketchy af. I think it's DT Ignite, which is a known bloatware app that installs bloatware/adware without your permission. I've uninstalled DT Ignite, as well as the lock screen using the adb method above. I also uninstalled the other apps via normal means.
Here's hoping it sticks this time.
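
One way to see exactly what came back after a clean-up, as an added example that is not part of the original posts: save the `pm list packages -f` output before and after, then diff the two and check whether any removed package returned under a suffixed name. The file names, the `com.example.*` packages and every sample path except the `com.dti.sliide` one are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Inputs are saved copies of:
#   adb shell pm list packages -f > baseline.txt   # right after the clean-up
#   adb shell pm list packages -f > later.txt      # once the adware is back

# Emit "package<TAB>origin<TAB>apk-path" per snapshot line. The package name
# is taken after the LAST '=' because newer /data/app paths contain '='.
parse_snapshot() {
  tr -d '\r' < "$1" | awk '
    /^package:/ {
      line = substr($0, 9)
      if (!match(line, /=[^=]*$/)) next
      path = substr(line, 1, RSTART - 1)
      pkg = substr(line, RSTART + 1)
      origin = "other"
      if (path ~ /^\/data\//) origin = "user"
      else if (path ~ /\/priv-app\//) origin = "priv-system"
      else if (path ~ /^\/(system|vendor|product)\//) origin = "system"
      print pkg "\t" origin "\t" path
    }' | LC_ALL=C sort
}

# Packages present in the later snapshot but absent from the baseline.
new_packages() {
  {
    parse_snapshot "$1" | awk '{ print "B\t" $0 }'
    parse_snapshot "$2" | awk '{ print "A\t" $0 }'
  } | awk -F '\t' '
    $1 == "B" { seen[$2] = 1; next }
    !($2 in seen) { print $2 "\t" $3 "\t" $4 }'
}

# Removed packages that are back under the same name or the name plus digits
# (the thread saw lockappblack return as lockappblack6).
# $1 = snapshot file, remaining arguments = package names that were removed.
respawned() {
  snap=$1; shift
  for removed in "$@"; do
    parse_snapshot "$snap" | awk -F '\t' -v r="$removed" '
      index($1, r) == 1 && substr($1, length(r) + 1) ~ /^[0-9]*$/ {
        print r " -> " $1
      }'
  done
}

# Constructed sample data; com.example.* names and all paths except the
# com.dti.sliide one are placeholders.
write_samples() {
  cat > "$1/baseline.txt" <<'EOF'
package:/system/priv-app/Ignite-Sliide_3.1.025-1405_releaseProduction/Ignite-Sliide_3.1.025-1405_releaseProduction.apk=com.dti.sliide
package:/data/app/com.example.camera-1/base.apk=com.example.camera
EOF
  cat "$1/baseline.txt" - > "$1/later.txt" <<'EOF'
package:/data/app/io.appservice.lockappblack6-1/base.apk=io.appservice.lockappblack6
package:/data/app/~~Zm9v==/com.example.redblock-YmFy==/base.apk=com.example.redblock
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "New since baseline:"
new_packages "$dir/baseline.txt" "$dir/later.txt"
echo "Back after removal:"
respawned "$dir/later.txt" io.appservice.lockappblack com.adups.fota
rm -rf "$dir"
```

A package reported with origin `user` was installed into /data after the baseline, while `priv-system` entries ship in the ROM and survive a factory reset.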

Related

[Q] Uninstall multiple apps, without confirmations.

I like to try apps. I think most of you do, too.
The problem is it's really difficult to uninstall an app in Android. I have an iPod Touch, and I can't say uninstallation on iPod Touch is that easy, but Android is worse.
Is there any app (with root privilege), that can uninstall multiple apps without confirming at each app? I tried many apps on the market, but none of them worked like that. One app could remove multiple system apps without confirmations, but it couldn't do that for user apps.
Please tell me if there is a way to achieve this.
And, Google should provide an option to turn off the uninstall confirmation + the useless "uninstalled" message boxes. Or add a way to uninstall multiple apps with only one confirmation (not at each app).
Titanium Backup - you can do batch installs and uninstalls of apk files.
Did not work
I tried the trial version of Titanium Backup. It did have a menu for that, but executing it did not work. It just hung at 0% and did not progress.

[Q] AcerOOBE and Shell on Acer Liquid Z200?

Hello, I was checking my phone with CCleaner and AVG and I found two unknown apps, one is called AcerOOBE [com.acer.android.oobe], I found it on the Disabled Apps on CCleaner but it doesn't appear in my settings. The other one is Shell [com.android.shell], and AVG tells me it's malware but it can't be deleted 'cause it's a system app (I rooted my device one hour ago), I'd like to know if Shell is really malware because I saw in my settings that it has permission for everything, phone calls, SMS, status bar, etc.
Also I'd like to know what is OOBE, I looked over the internet but I found nothing, Idk if I should uninstall both apps, enable OOBE, keep Shell active, what should I do?
Please, if anyone can help me it'll be great
how to slow AcerOOBE problem in acerE39

[Leagoo T5c - Nougat] How to get rid of System Input Method and Zdemo malware?!

Hi Everyone,
I've already posted a question about zdemo.app and what it did, only to discover that MalwareBytes considers it malware, and managed to uninstall it.
Problem is, it's coming back with a vengeance every day or so, and it brought a friend called System Input Method with it.
Both are treated as threats by MalwareBytes (strangely enough, Avast doesn't do anything about it...), and can be uninstalled, but they'll come back the next day.
At this point, I must add that my phone is dual-SIM and I have to manually switch from one to the other at least once a day due to network coverage issues in different locations I must go to, and I've noticed that both malware show up again in my Applications list right after I've switched SIM cards.
I doubt any of my cellular carriers would push malware onto my phone whenever I connect to their network, and I've had to deal with malware preinstalled in a former Leagoo baseband before (I've chosen to bypass the built-in Leagoo App Store because of that, and only install from Google Play Store), but I haven't found any new (and free...) firmware since March 2018, so there's a good chance my phone isn't really secure in the first place.
Still, I'd like to be rid of those two pesky applications once and for all, so if you have any advice, I'll take it!
A little heads-up: I think (I'm not sure, but I think) those two malware come bundled with both Pie Launcher and Rootless Pixel Launcher, because I've uninstalled both, reverted to Nova Launcher, and the malware is gone.
Is there a way to download .apk packages for both launchers and test them for malware before installing them? I can find the .apk packages easily enough, but I don't know if the content can be examined by an anti-malware program without installing them first.
Where did you download the Rootless Pixel Launcher?
I'm pretty sure there are 0 malwares/virus in the Rootless Pixel Launcher
Also you can get Rootless Pixel Launcher on Google Play Store now if you do not trust .apk installation
Peak.Krittin said:
Where did you download the Rootless Pixel Launcher?
I'm pretty sure there are 0 malwares/virus in the Rootless Pixel Launcher
Also you can get Rootless Pixel Launcher on Google Play Store now if you do not trust .apk installation
I only download apps from the Play Store. Both malware seem to download their .apk onto a hidden directory called ".meteor" on my device, because that's where either Avast or MalwareBytes have rooted (no pun intended) them out of in all the instances I've had to uninstall them.
What worries me is that both install as regular applications, they don't even try to hide or anything, since they appear/reappear in the Applications list, same as, say, Twitter or Dropbox. There seems to be a hidden conduit through which both malware land on my device, and I sure hope it's not via Google Play...
UglyStuff said:
I only download apps from the Play Store. Both malware seem to download their .apk onto a hidden directory called ".meteor" on my device, because that's where either Avast or MalwareBytes have rooted (no pun intended) them out of in all the instances I've had to uninstall them.
What worries me is that both install as regular applications, they don't even try to hide or anything, since they appear/reappear in the Applications list, same as, say, Twitter or Dropbox. There seems to be a hidden conduit through which both malware land on my device, and I sure hope it's not via Google Play...
My dubious friends are back: I had installed Nova Launcher, then Evie, but wasn't satisfied with the user experience, so I went back to the Play Store and installed a Pixel-inspired launcher called CPL.
After an hour or so, Avast notified me that the two malware were back and would I like to uninstall them. I said yes, as you can imagine.
Now, when I take a look in the "About CPL" info in the launcher settings, I notice that one of the contributors is Amir Zaidi, who's also behind Rootless Pixel Launcher. I posted about this on the Play Store, because I don't believe in coincidences...
I'm also using Leagoo T5c. In Nov 2018, I discovered system messages warning me of battery drain by "System Input method" (with path containing: "com.ss.android.cleanmaster").
But I did not install zdemo or nova launcher. But System Input Method coincided with IReader apk which I did not install. Both programmed by Zhangyue (.zhangyue.com/products/iReader)
Whenever Ireader reinstalled, System Input Method came back after many uninstallations.
---------- Post added at 11:08 AM ---------- Previous post was at 11:04 AM ----------
Malwarebytes classed "System Input Method" as Android/PUP.Riskware.HiddenAds.cma
I don't remember ever installing IReader, but I may have installed this app or that from this developer, though I can't be sure. I know that both zdemo and System Input Method are classified as "riskware", or PUP, and not as malware per se; still, I don't like the idea of having such software on my phone.
FWIW, I've done a factory reset twice since I posted my OP here, and reinstalled all my apps, including Rootless Pixel Launcher, and the "riskware" haven't returned.
My apologies to Rootless Pixel Launcher's dev, unless, maybe, he cleaned his repo of any malware that may have been hiding there.
1) Install Android SDK in order to use the ADB program.
2) Go to the Android SDK folder on the computer and open a command prompt.
3) You need to enable Developer Options in your phone first and then enable USB debugging. Set USB connection type to MTP Transfer.
4) Connect your phone to computer and set USB connection type to MTP Transfer.
5) Type "adb devices" to confirm that your phone is connected.
6) Type "adb shell"
7) Type "pm uninstall -k --user 0 com.ss.android.secure.cleanmaster"
---------- Post added at 04:22 PM ---------- Previous post was at 04:21 PM ----------
SniperAlert2046 said:
1) Install Android SDK in order to use the ADB program.
2) Go to the Android SDK folder on the computer and open a command prompt.
3) You need to enable Developer Options in your phone first and then enable USB debugging. Set USB connection type to MTP Transfer.
4) Connect your phone to computer and set USB connection type to MTP Transfer.
5) Type "adb devices" to confirm that your phone is connected.
6) Type "adb shell"
7) Type "pm uninstall -k --user 0 com.ss.android.secure.cleanmaster"
You can also use ADB to uninstall Leagoo Default Launcher. But you need to install another launcher first.
I once did that shortly after getting my phone, to uninstall Sujet.app, Leagoo's default launcher that came with an embedded malware, but the subsequent ROM I installed was devoid of any unwanted surprise, so I left it as is.
In my case, and after two factory resets, zdemo and System Input Method haven't come back. Fingers crossed, but I'll keep your solution handy, just in case.
Thanks for your Input (pun intended)...!
UglyStuff said:
I once did that shortly after getting my phone, to uninstall Sujet.app, Leagoo's default launcher that came with an embedded malware, but the subsequent ROM I installed was devoid of any unwanted surprise, so I left it as is.
In my case, and after two factory resets, zdemo and System Input Method haven't come back. Fingers crossed, but I'll keep your solution handy, just in case.
Thanks for your Input (pun intended)...!
After a few days of uninstalling Leagoo Default Launcher ("Default Home") and System InputMethod ("com.ss.android.ssecure.cleanmaster"), my phone battery usage increased significantly.
Seems like someone / some program trying to hack my phone.
Today, I discovered 2 new apps installed (by themselves) on my phone - "HAIKE NEWS" ("com.lcworld.haiwainet") and H5Plugin ("com.ss.android.h5plugin"). Their permissions include full network access, connect and disconnect wifi, change network connectivity, request install packages.
And some more: SystemInputMethod returned.
Checked the log of Malwarebytes and found that all 3 apps (Haike News, H5plugin, SystemInputMethod) installed at the same time. Seems like systeminputmethod is riskware created and used by China state agencies. Services used by Haike News included services with the words "Tencent" and "Baidu".
The services used by Haike News are DaemonService ("cn.jpush.android.service"), DownLoadAppService ("com.lcworld.haiwainet.ui.update"), DownloadService and PushService (both named "cn.jpush.android.service"), TinkerResultService ("com.tencent.bugly.beta.tinker"), f ("com.baidu.location").
---------- Post added at 06:01 AM ---------- Previous post was at 06:00 AM ----------
Haike News is "comprehensive news application built by People's Daily Overseas Edition. Inheriting the idea of 'promoting China's voice, serving overseas'"
so most likely controlled by China state media authority.
Seems heavy, man!
I think a possible (probable) culprit is Leagoo's own AppStore, which I have deactivated right after the second factory reset I did. It's laden with ads, and probably discreetly pushes some adware and assorted PUPs onto Leagoo phones every time you use it: case in point, even if you haven't allowed app installation from unknown sources, Leagoo's AppStore will install .apk files anyway, every time you install or update an app through it.
I only install apps through the Google Play Store now, and I haven't noticed anything untoward of late.
Finally found System Input Method's Play Store link
Application Process: System Input Method (Process Name: com.ss.android.secure.cleanmaster)
[Playstore link: https://play.google.com/store/apps/details?id=com.ss.android.secure.cleanmaster&hl=en_GB]
Installed APK: /data/user/0/com.ss.android.secure.cleanmaster-1/base.apk
/data path: /data/user/0/com.ss.android.secure.cleanmaster
Version: 1.05
Target SDK: 22
Permissions:
Have full network access.
View WiFi connections.
View network connections.
Download files without notification.
Read phone status and identity
Modify or delete the contents of your usb storage.
Read contents of your Usb storage
Prevent phone from sleeping
Retrieve running apps
Draw over other apps
MainService: ime.mobile.ime.main
NOTE: This app is written for an older Android OS. So if installed in newer Android versions, all permissions will be allowed even if you blocked it.
OK, so I know where that comes from: in the CPL launcher I mentioned earlier (or was it in my other thread?), there's a one-click cleaning icon on the desktop, that supposedly cleans caches and whatnot. I used it on occasion, then uninstalled the launcher for other reasons, and went back to Rootless Pixel Launcher after factory reset.
Ergo, CPL is the one that packs the malware, not Rootless Pixel Launcher. The latter serves as code base for CPL, according to Rootless's dev, so what they roll into their launcher is anybody's guess, at this point....
Thanks a bunch!
From what I observed... it seems that System Input Method installs itself individually or with another random app (eg Ireader around Nov'18 period - this may change to escape suspicion from users) or another news app (eg Haike News) with H5plugin app - on a rotational basis. Check the installation date / time stamp of the apps.
This is to confuse the phone owners from tracing the source of the riskware / malware.
So I suspected that the malwares / riskwares came from Leagoo itself. Culprits might be Leagoo App Store (default launcher), Leagoo's Updater app (com.redstone.ota.ui) and System Update (com.sprd.systemupdate).
So I rooted the phone and then installed AFWall+ firewall. But the firewall stealthily disables internet filtering at odd hours. (or maybe the firewall is bugged or the phone hacked from phone HQ server).
So decided to deactivate Updater app (linked to redstone) and the OTAupdater... system app since phone already rooted and that the Leagoo company does not provide OS updates more than once or twice. (Seems like updater only pushes nuisance apps like Haike News, System Input Method and H5plugins riskwares to the phone on a rotational basis to avoid suspicion or confuse users).
Well, although AFWall+ firewall did not work, thereby exposing my phone to the internet without filtering IP traffic, the riskwares did not return. So uninstalling Updater (the one with the com.redstone.ota.ui pathname) and the System Update (com.sprd.systemupdate) works for me. The riskwares / malwares did not return, and the phone no longer resets and randomly asks for SIM card PIN number inputs.
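
The install-timestamp check suggested in this thread, as an added example that is not part of the original posts: it reads a saved `adb shell dumpsys package` dump, groups packages first installed in the same minute, and prints the installer recorded for each. The timestamps, the `com.example.*` names and the `com.example.updater` installer are constructed placeholders; only the three `com.lcworld`/`com.ss` package names are the ones named above.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Input is a saved copy of:
#   adb shell dumpsys package > dumpsys.txt
# Only three kinds of line are read: the "Package [name] (id):" header,
# firstInstallTime= and installerPackageName=.

# Emit "install-minute<TAB>package<TAB>installer", one line per package.
install_records() {
  tr -d '\r' < "$1" | awk '
    function emit() {
      if (pkg != "" && t != "") print substr(t, 1, 16) "\t" pkg "\t" inst
    }
    /^ *Package \[/ {
      emit()
      pkg = $0; sub(/^ *Package \[/, "", pkg); sub(/\].*$/, "", pkg)
      t = ""; inst = "unknown"
    }
    /^ *firstInstallTime=/ { t = $0; sub(/^ *firstInstallTime=/, "", t) }
    /^ *installerPackageName=/ {
      inst = $0; sub(/^ *installerPackageName=/, "", inst)
    }
    END { emit() }' | LC_ALL=C sort
}

# Print every minute at or after $2 (optional, "YYYY-MM-DD HH:MM") in which two
# or more packages were first installed, with each package and its installer.
# Preinstalled apps usually share one timestamp, hence the cut-off argument.
install_bursts() {
  install_records "$1" | awk -F '\t' -v since="${2:-}" '
    $1 >= since {
      n[$1]++
      members[$1] = members[$1] "  " $2 "  installer=" $3 "\n"
    }
    END { for (m in n) if (n[m] > 1) printf "%s\n%s", m, members[m] }'
}

# Constructed sample: timestamps and com.example.* names are placeholders;
# the three com.lcworld/com.ss names are the packages named in the thread.
write_sample() {
  cat > "$1" <<'EOF'
Packages:
  Package [com.example.notes] (aa11bb0):
    firstInstallTime=2019-02-12 18:40:02
    installerPackageName=com.android.vending
  Package [com.lcworld.haiwainet] (4d5e6f1):
    firstInstallTime=2019-02-10 03:12:41
    installerPackageName=com.example.updater
  Package [com.ss.android.h5plugin] (7a8b9c2):
    firstInstallTime=2019-02-10 03:12:44
    installerPackageName=com.example.updater
  Package [com.ss.android.secure.cleanmaster] (0d1e2f3):
    firstInstallTime=2019-02-10 03:12:47
EOF
}

sample=$(mktemp)
write_sample "$sample"
install_bursts "$sample" "2019-01-01"
rm -f "$sample"
```

An installer other than `com.android.vending` on a burst of unrequested apps points at the component to disable or firewall; `unknown` means the dump recorded no installer for that package.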

Oppo Reno 10x Not Allowing Launcher to be Uninstalled

This is talking about the Chinese version of the device, PCCM00.
I remember using ADB and debug mode when the phone first came out to uninstall the ColorOS since it kept me from using Nova Launcher, but now, when I attempt to uninstall the launcher using ADB Shell and the command "pm uninstall -k --user 0 com.oppo.launcher", it says DELETE_FAILED_INTERNAL_ERROR. I can still uninstall other system apps and see them erased. There are a couple that tell me the same error, but this is the one I'm concerned about. Has anyone had any problems uninstalling that one? Is there a work-around? Or a specific reason this is happening? Is there a solution?
I have the same version and haven't made it yet. Would also like to have the Nova Launcher.
Prometheus80 said:
This is talking about the Chinese version of the device, PCCM00.
I remember using ADB and debug mode when the phone first came out to uninstall the ColorOS since it kept me from using Nova Launcher, but now, when I attempt to uninstall the launcher using ADB Shell and the command "pm uninstall -k --user 0 com.oppo.launcher", it says DELETE_FAILED_INTERNAL_ERROR. I can still uninstall other system apps and see them erased. There are a couple that tell me the same error, but this is the one I'm concerned about. Has anyone had any problems uninstalling that one? Is there a work-around? Or a specific reason this is happening? Is there a solution?
Yes, due to their integrated work among their apps, they have made it hard to get some components removed. I too expect companies to have modular behaviour in their software!
Even if you make another launcher your default launcher, for example Nova Launcher, then there are some flickering and animation issues (specifically when swiping to go to homescreen) which is a problem created by OPPO and Nova can't do anything more to solve it.
The default launcher also runs in the background continuously, despite trying to shut off all its integrated services like search, widgets, Lockscreen magazine, etc.
Because of which at the end, I'm using its stock apps
messages
launcher
phone

Question READ_PHONE_STATE

I have just bought a Realme GT 5G and wonder if I should send it back.
First I had to discover that some preinstalled apps not only can't be uninstalled, but also can't be disabled (without root): YouTube, Netflix, Google. The last I had to disable on previous phones because it became active out of itself.
The second problem is that the Camera app asks for rather strange permissions and exits when I don't give them. Why should I give a Camera app permission to read my phone's state?
From: https://developer.android.com/reference/android/Manifest.permission#READ_PHONE_STATE
"Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device."
Not something you need to make a picture.
They claim that they need it to know if it is functioning properly.
Sounds like nonsense. What do they use it for?
I can see one valid use case for READ_PHONE_STATE, if you are in a call and go to take a picture, generally the camera is full screen so it makes it hard to end the call, dial, or other phone functions.
Very weak argument but that is all I have.
If you really want to disable the apps you can use Device Owner to disable them. If you don't trust an app you can use the Google Test DPC app.
RRiVEN said:
.. .If you really want to disable the apps you can use Device Owner to disable them. If you don't trust an app you can use the Google Test DPC app....
I found that you can do something like
adb shell pm disable-user --user 0 com.google.android.apps.googleassistant
Only for disabling a component of an app, root seems to be required.
