Monday, 29 December 2014

M-HORSE N9000W

Edit: look here http://sesionesfrikis.blogspot.com.es/2015/02/n9000w-malware-finally-found.html

I received this new phone, and everything seemed OK.
Rooted with Romaster SU v2.0.8
http://www.mgyun.com/romastersu

After that, I restored my Titanium Backup from the previous phone (WhatsApp, Telegram, ...),
and everything was OK.

With the Titanium Backup app I removed unwanted apps: Facebook, MSN, Yahoo, ...
Du Speed Booster, APUS Launcher, PlayApp


I see "Cooee Launcher S4" and I am not sure whether it is malware.

I installed Nova Launcher and Security Lock Screen, but I want to be sure I can remove this launcher without side effects: on my previous phone there were some situations where the previous launcher was started...
After several days, I see some apps installed automatically... MALWARE!!!
Some of them (I think some of the removed ones too, like Du Speed Booster or something similar about battery, see http://forums.androidcentral.com/general-help-how/365217-random-apps-keep-installing-themselves.html ):
ShareIt: cc.taosha.toolbox.shareit (/data/app/cc.taosha.toolbox.shareit-1.apk)
Baidu Browser: com.baidu.browser.inter (/data/app/com.baidu.browser.inter-1.apk)

Avast detects ShareIt as a trojan, and KingUser (com.kingroot.kinguser) as potentially unwanted.

There are two possibilities for me: "Cooee Launcher S4" or maybe KingRoot.
I see /system/app/cooee_note3_20131218.apk
Googling it, some people suggest doing a factory reset... but it won't work, as it comes by default...
http://answers.informer.com/variations/663134/how-to-uninstall-cooee-launcher-s4/

http://www.techsupportquestions.com/2411/uninstall-launcher-malware-internal-storage-android-phone

But which one? Cooee Launcher is a system app, and removing it seems dangerous (after installing Nova I can make a backup with Titanium Backup, and there is a /system/app mover app on F-Droid, but making it a user app instead of a system app may not work). On the other hand, KingUser is started at startup (it can be seen with SD Maid), and so it could be the one doing it.
I am going to remove KingRoot, and after that watch for some time. KingRoot can be installed again with Romaster SU if I need it...

One of the unwanted apps is in Chinese, like Romaster SU...
https://play.google.com/store/apps/details?id=cc.taosha.toolbox.shareit

The other one:
https://play.google.com/store/apps/details?id=com.baidu.browser.inter


One of the worst things: these unwanted apps are not only installed but also downloaded (?) at any time, I think, consuming bandwidth and data... but I am not able to identify anything in Android's traffic usage, as the apps are small.

Update: after one day without KingUser, no more unwanted apps. I decided to install iRoot (iRoot2_2.0.6_141122_1811_1000_r.apk), which also installs KingUser, and with an app remover I noticed this:

root@android:/storage/sdcard0/mgyun/root/app # ls
co.mc.tools.batterybooster_1_542038_ad65a2f81e50808a9aec27affde98caa.apk
com.beagleboys.nfceveryday_4_522889_337d05b29a5e8a160825133213ede2ba.apk
com.beardcocoon.castcountdown.android_6_522890_9a9577e294a10e628320e77888a9d6bb.apk
com.btakoss.flashlightcompass_2_523078_d6299309474702d11f36cdbb24578a0d.apk
com.salyangoz.automessage_6_471851_6d32d80f002752c9ad71ceb96d14dcfe.apk

So the Chinese root tool includes APKs... and maybe the APKs are not downloaded, but installed when KingUser, which starts automatically with the phone, decides so.
These APKs are associated with the main menu.

I made another test and installed RomasterSu_2.0.9_141226_1816_1000_r.apk (I deleted the 2.0.8 version), and it did not put APKs in the same folder.
I installed iRoot2_2.0.6_141122_1811_1000_r.apk again and noticed the same folder is initially empty, so maybe it downloads them later and installs them... I can confirm the apps are installed without any prompt or user confirmation.
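A small triage helper for the two things described above: comparing a package listing taken before and after the phone has been left alone (to catch packages that appeared under /data/app without a user-confirmed install, as ShareIt and Baidu Browser did), and pulling apart the file names of the APKs staged in the mgyun/root/app folder. This is an added example, not code from this post or from any of the root tools it names. It runs offline on constructed snapshots in the format of `adb shell pm list packages -f` (the package names are the ones mentioned above plus Nova Launcher), and it assumes that the 32 hex characters at the end of the staged file names are the MD5 of the APK; the post does not establish that, so the helper only checks whether the bytes you give it match.

```python
"""Triage helper: packages that appeared on their own, and staged APK names.

Added example, not code from the original post or from the root tools it
mentions. Input is constructed: two `pm list packages -f` style snapshots
(`package:<apk path>=<package name>` per line) and file names in the style
of the mgyun/root/app listing. Assumption: the trailing 32 hex characters of
a staged name are the APK's MD5 (not established by the post, only checked).
"""
import hashlib
import re
from dataclasses import dataclass

PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")
# <package>_<version>_<id>_<32 hex>.apk ; the role of <id> is assumed
STAGED_NAME = re.compile(
    r"^(?P<pkg>[\w.]+)_(?P<ver>\d+)_(?P<id>\d+)_(?P<md5>[0-9a-f]{32})\.apk$"
)

# Constructed snapshots: KingUser, ShareIt and Baidu Browser are the package
# names from the post, Nova Launcher is com.teslacoilsw.launcher; the paths
# follow the /data/app/<pkg>-1.apk pattern seen above.
BASELINE = """\
package:/data/app/com.kingroot.kinguser-1.apk=com.kingroot.kinguser
package:/data/app/com.teslacoilsw.launcher-1.apk=com.teslacoilsw.launcher
"""
LATER = BASELINE + """\
package:/data/app/cc.taosha.toolbox.shareit-1.apk=cc.taosha.toolbox.shareit
package:/data/app/com.baidu.browser.inter-1.apk=com.baidu.browser.inter
"""


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def new_packages(before_text, after_text):
    """Packages in the later snapshot that were not in the baseline.

    Returns a sorted list of (package, path, user_install). user_install is
    True for APKs under /data/app, i.e. installed on the running system
    rather than shipped in /system/app with the firmware; on a phone nobody
    touched, those should not appear at all.
    """
    before = parse_pm_list(before_text)
    after = parse_pm_list(after_text)
    found = []
    for pkg, path in after.items():
        if pkg not in before:
            found.append((pkg, path, path.startswith("/data/app/")))
    return sorted(found)


@dataclass(frozen=True)
class StagedApk:
    package: str
    version: int
    file_id: int
    md5: str


def parse_staged_name(name):
    """Split a staged file name into its parts, or None if it does not fit."""
    m = STAGED_NAME.match(name)
    if not m:
        return None
    return StagedApk(m.group("pkg"), int(m.group("ver")),
                     int(m.group("id")), m.group("md5"))


def staged_hash_matches(name, data):
    """True if `data` hashes to the MD5 embedded in the name (assumed meaning),
    False if it does not, None if the name is not in the staged format."""
    staged = parse_staged_name(name)
    if staged is None:
        return None
    return hashlib.md5(data).hexdigest() == staged.md5


def staged_name_for(package, version, file_id, data):
    """Build a name in the staged format for constructed test data."""
    return f"{package}_{version}_{file_id}_{hashlib.md5(data).hexdigest()}.apk"


if __name__ == "__main__":
    for pkg, path, user in new_packages(BASELINE, LATER):
        kind = "user install" if user else "system"
        print(f"NEW {pkg} at {path} ({kind})")
    for n in ("co.mc.tools.batterybooster_1_542038_ad65a2f81e50808a9aec27affde98caa.apk",
              "com.salyangoz.automessage_6_471851_6d32d80f002752c9ad71ceb96d14dcfe.apk"):
        print(parse_staged_name(n))
```

On a real device the two snapshots would come from `adb shell pm list packages -f` before and after leaving the phone idle, and the bytes for `staged_hash_matches` from `adb pull` of the files in that folder; if the embedded hash does not match the pulled file, the assumption about the name is simply wrong, which is worth knowing before drawing any conclusion from it.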

I should try to replace KingUser with another su utility like SuperSU, but it does not seem trivial: downloading it from Google Play, it does not install properly; it says the su binary has to be updated and it is unable to update it, so in the end SuperSU does not work.