I have a Micromax phone and it's auto-installing some apps. I don't know whether these apps are installed from the Play Store or from the Micromax "App Center" (which I never used). This problem started about one week ago, although I don't remember doing anything which may have started this problem... Every day the same apps get installed and I uninstall them as quickly as possible to prevent them from spreading viruses on my phone. The apps include: Clean Master, UC News, Superb Cleaner etc. I suspect that these apps are getting installed by some inbuilt malware created by Micromax itself, because Clean Master was installed when I bought the phone, but at that time I had uninstalled it.
I saw a previous question which showed how to make a certain folder unwritable, but in my case I don't even know which folder I should block.
Please help me and tell me what steps I should take the next time I see these apps on my phone.
Further info: phone model: Micromax E481; Android version: 5.1 Lollipop.
Answer
The symptoms listed in the question indicate that the malware has infected the ROM (most likely the system partition) or it was already shipped with the ROM and has now begun to show its colors.
In your particular case, as your hunch proved to be correct, it appears to be the App Center app which was acting as the malware. Disabling it stopped those installations.
If anyone has identified such malware as a system app which cannot be uninstalled, see if you can disable it from the GUI. To disable it, go to Settings app → Apps → (three-dot menu, if it exists → Show System) All apps → your app → Disable.
If the Disable button is greyed out and you don't have root access, then you can block the app from being run. You would first have to identify the package name of that malware app. You can use an app such as AppXplore to find the package name. For example, in the screenshot here the package name of the app Android Live Wallpapers is com.android.wallpaper, which is listed below the title of the app. You can find the same for your malware too.
After that, set up adb on your PC, enable USB debugging and execute the commands:
adb shell pm hide PACKAGE # for Android Lollipop
adb shell pm uninstall --user 0 PACKAGE # for Android Marshmallow and Nougat. This is a bit tricky. Some report its result as positive, while others, negative.
adb shell pm disable-user PACKAGE # alternative to aforesaid second command for Android 5.0 and above
adb shell pm block PACKAGE # for Android Kitkat
adb shell reboot
PACKAGE should be substituted by the package name of the malware app.
Know that if you have issues identifying the malware app, you may have to try a few things, such as:
- monitoring the network using a firewall or a system monitor to single out that app, such as through the OS Monitor app, or
- identifying system apps whose signature doesn't match your OEM's or Google's and then analyzing which amongst the leftovers might be the malware, or
- perhaps scanning the phone with some anti-malware tool from the Play Store could help as well.
Lastly, if the malware app was stupid enough to leave the installer package name as its own package name, then, provided you still have at least one of the apps installed automatically by that malware (like Clean Master), you could do:
adb shell pm list packages -i PACKAGE
This would show some package name next to installer=. If it is null, then you have to try something else until you figure out the package name of the malware app.
If you have root access, you can choose to disable or remove the malware app. There are many apps in the Play Store, such as Titanium Backup, System App Remover, and the like, which can remove or disable a system app. Use any of them to remove that malware. Be very careful, since removing a system app may make your phone non-bootable, and that means taking a trip to the service center of your OEM or getting your hands more dirty.
At last, if you can install a custom ROM, or if you are sure your stock ROM was clean and you have access to it, then by all means get the device flashed, by yourself or by those who can do so for you. Running a system already compromised by malware is a risky business.
And keep Unknown sources under Settings → Security disabled, to remain on the safe side.
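The two adb steps in the answer above (picking the right `pm` subcommand for the device's Android version, and reading the `installer=` field from `pm list packages -i` output) as one added shell example. This is not code from the original answer; it assumes `adb` is on PATH only when run against a real device, and the package names `com.example.cleaner`, `com.example.appcenter` and `com.example.browser` in the sample listing are constructed placeholders, not real identifiers.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Helpers are pure (work on text) so they can be tried without a phone;
# the live path at the bottom only runs when adb exists and a package is given.

# Map an Android SDK level to the pm command the answer recommends for
# blocking a system app without root. Prints the full adb command line.
pick_block_cmd() {
    sdk="$1"; pkg="$2"
    if [ "$sdk" -ge 23 ]; then
        # Marshmallow (23) and Nougat (24/25): uninstall for user 0.
        # If this fails on a given device, `pm disable-user` is the fallback.
        echo "adb shell pm uninstall --user 0 $pkg"
    elif [ "$sdk" -ge 21 ]; then
        # Lollipop (21/22), e.g. the Micromax E481 on 5.1 in the question
        echo "adb shell pm hide $pkg"
    elif [ "$sdk" -ge 19 ]; then
        # KitKat (19/20)
        echo "adb shell pm block $pkg"
    else
        echo "no known pm command for SDK $sdk" >&2
        return 1
    fi
}

# Given a package name and the text of `pm list packages -i`, print the
# installer package recorded for it. Returns 1 (prints nothing) when the
# package is absent or its installer is null, which is the dead end the
# answer describes.
installer_of() {
    pkg="$1"; listing="$2"
    # escape dots so the package name is matched literally, not as a regex
    pat=$(printf '%s' "$pkg" | sed 's/\./\\./g')
    line=$(printf '%s\n' "$listing" | grep "^package:$pat[[:space:]]" || true)
    inst=$(printf '%s\n' "$line" | sed -n 's/.*installer=\([^[:space:]]*\).*/\1/p')
    case "$inst" in
        ""|null) return 1 ;;
        *) printf '%s\n' "$inst" ;;
    esac
}

# Constructed sample output in the format `pm list packages -i` prints.
# Package names are placeholders, not real apps.
SAMPLE_LISTING='package:com.example.cleaner  installer=com.example.appcenter
package:com.example.browser  installer=null'

# Stand-alone demonstration on the constructed data.
if inst=$(installer_of com.example.cleaner "$SAMPLE_LISTING"); then
    echo "installer of com.example.cleaner: $inst"
    echo "command for SDK 22: $(pick_block_cmd 22 "$inst")"
fi
installer_of com.example.browser "$SAMPLE_LISTING" || echo "com.example.browser: installer is null"

# Live path: ./block_app.sh <suspect-package> with a USB-debugging device attached.
if [ "$#" -gt 0 ] && command -v adb >/dev/null 2>&1; then
    suspect="$1"
    sdk=$(adb shell getprop ro.build.version.sdk | tr -d '\r')
    listing=$(adb shell pm list packages -i | tr -d '\r')
    # Prefer the recorded installer, as the answer suggests; else block the suspect itself.
    target=$(installer_of "$suspect" "$listing") || target="$suspect"
    cmd=$(pick_block_cmd "$sdk" "$target") || exit 1
    echo "running: $cmd"
    eval "$cmd" && adb shell reboot
fi
```

The `pick_block_cmd` branches follow the answer's per-version list exactly; `installer_of` treats both a missing line and `installer=null` as "no lead", so the caller can fall back to blocking the suspect package directly rather than acting on an empty string.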