I recently wanted to install a metronome app, so I downloaded one from the Play Store, but in the "install" step nothing happened. The app just wasn't there. I installed another one and forgot about that strange issue.
Yesterday though, something started to happen. Every now and then (and it's getting more and more frequently), I get a notification that some app tried to install itself (!) but was blocked because it's from "unknown sources", and it's prompting me to disable the "block install from unknown sources" check from Settings.
It looks like there are more than one apps trying to install themselves: "Superb Cleaner". "com.android.helper.patch[...]" and some more.
At first I though these might be system updates and was tempted to disable the "unknown source" block, but now I am worried I might have some malware on my phone.
I do have some sensitive information (browser logins, credit card data), and I also don't want to factory reset my phone.
Where should I search for the APK that is trying to install itself (or the APKs)?
EDIT: It's this application: https://play.google.com/store/apps/details?id=com.andymstone.metronome. I'm not entire sure the app is the cause, but it's strange that I don't have it installed, but in my google play account it appears as "Installed"...
My phone is an Allview X2 Soul Style with Android 5.1.
After I have unchecked the "block apps from unknown sources", now I keep getting prompted the install screen for these apps. I keep pressing "Cancel" but they come again every half an hour or so. :(
EDIT2: Here are the adb logs requested: Windows and Activities
EDIT3: Dumpsys log for the suspicious package: Dumpsys
Answer
Every now and then (and it's getting more and more frequently), I get a notification that some app tried to install itself (!) but was blocked because it's from "unknown sources", and it's prompting me to disable the "block install from unknown sources" check from Settings.
It's not a notification but a dialog and it looks like this:
(Click image to enlarge; image courtesy of Piyush)
At first I though these might be system updates and was tempted to disable the "unknown source" block, but now I am worried I might have some malware on my phone.
Yes, never enable that Unknown sources setting if you're in uncharted waters.
Where should I search for the APK that is trying to install itself (or the APKs)?
It's a bit difficult to find the app. I recommend finding the cause for the effect. In our case, the effect was the dialog hinting that the Unknown sources setting was blocked. That dialog is shown by Package Installer (a system-cum-core app). Package Installer is used by user or system apps which do not have the permission android.permission.INSTALL_PACKAGES to install an app. Since you did not attempt to side load an app, it stands to reason that an app called Package Installer without your consent. Our imminent goal is to find out that particular app.
The system service activity logs many important details. Among other things it shows the called package which in this case is Package Installer app with package name com.google.android.packageinstaller or com.android.packageinstaller. It also shows the calling package or the package which launched an another package.
Now, using adb in PC execute the command:
adb shell dumpsys activity activities # this command should be executed only when that dialog is in foreground
Demo output: notice the highlighted line:
In the highlighted line, the string after launchedFromPackage= and before userId is the package responsible for launching Package Installer app. In your case it would be a different package name. Note down that package name (henceforth denoted as
Now that we know the immediate cause we can hunt down the home or in other words, the apk. Execute the command:
Note: Finding the location of apk is required only for forensics. If you're not interested in that, I recommend you don't bother with this step and immediately jump to the heading Uninstall/Disable/Hide the app.
adb shell pm path
Demo output:
bash-4.2# adb shell pm path com.estrongs.android.pop
package:/data/app/com.estrongs.android.pop-1/base.apk
The string next to package: is the location of apk. You can also find the same information inter alia through the command:
adb shell dumpsys package
If you know the label of the package or can get to know it through any means (such as with AppXplore) then go into the application manager under Settings app which typically comes down Settings → Apps → All apps in stock Android, find the malware app and uninstall it.
Things to note
- If Uninstall button is grayed out and so as the Force stop button then your app must be a device administrator. In that case, go into the Security settings, choose Device administrators option and revoke the administrator privilege from the app. Come back and attempt to uninstall the app.
If you don't find the Uninstall option then your malware app is a system app. Whether your vendor shipped it or the app exploited your system or tricked you to install itself is another matter to deal with. For a system app, the button Uninstall is replaced by Disable.
- If both Force stop and Disable buttons are grayed out then the app may be a device administrator as well. In that case, revoke that privilege and then attempt to disable the app.
If the Disable button alone is grayed out, then:
For a rooted Android: use adb to disable the app through the commands:
adb shell
su
pm disableTo enable the app, replace disable with enable in aforesaid command.
You can alternatively use an app, such as Titanium Backup, to disable/freeze the malware app. You can also consider removing the apk using a file manager app.
For a non-rooted Android: provided that you're using Android 4.4.x or above, use the commands:
adb shell
pm block# for Android 4.4.x
pm hide# for Android 5.x and 6.x To unblock/unhide the package replace block by unblock and hide by unhide in appropriate aforesaid command. In this particular case, hiding the package would achieve the same result as disabling would.
The package would remain disabled or hidden until you revert the changes.
Note for readers
It has been confirmed by question's author that the malware app in their phone has the package name com.android.tools.callassistant. I found its label as Caller ID and it has been reported as a malware by AVG.
No comments:
Post a Comment