
Help malware/spyware built into phone - help

little_green

Member
Apr 28, 2016
So I ordered a Chinese phone off eBay from a UK warehouse but a Chinese seller. The box was unsealed when it arrived, but the excuse for this could be that the original EU charger was removed and a UK adapter put in instead.
I did a Malwarebytes scan straight away and it came back clean, same with a 360 Security scan.
360 security and found something
BUT
I've browsed through the app list under settings and the only one I see which I'm not sure what it is is something called "Pandora's Box" and Pandora's Box Service, 3.6 MB and 86 KB respectively.
Under app permissions for the second it basically lists everything: phone calls, texts, camera, audio, GPS, contacts, set alarm, screen lock, add and move accounts, change system settings, change network connections, control flashlight.....

Neither can be uninstalled from the phone or disabled, just force stopped, which makes no difference.

I have googled Pandora's Box, which comes up as an actual real app, BUT this is NOT what is on my phone, as I can install it, which I wouldn't be able to do, and as I said nothing called Pandora's Box appears in my app tray; it only appears under Settings - Apps - All apps.

Can take a screenshot if needed.

Can anyone help at all and shed some light on this? I would just return the phone but I'd have to do it signed to make sure the seller couldn't just say they never got the return package, which would cost £10-20, and it's probably not worth the hassle for the cost of the phone.

It's a really nice phone with good specs and design build. I hope to be able to resolve this and keep it.
Hope someone out there can help.
 
Root and uninstall pandora's box maybe? Or at least block it from accessing internet.
How do I stop it from accessing the internet?
I've been browsing through the phone and it seems there are quite a few apps that have access to basically everything - another example is locationEM2.

Are my options to either
1 - root the phone and uninstall these strange apps
2 - try flashing a new stock ROM

If there is any easier process please let me know. Which of the above is easier? Are either guaranteed to get rid of these suspicious apps?
 
Upvote 0
Please give us more details -- the phone model and manufacturer, and which version of Android it's running.
As it sounds like the problem apps/processes are running as system apps, you'll need to root your phone to disable and remove them. Depending on what model phone the rooting process may be relatively quick and simple, or it could be a project that requires a lot of online searching with repeated attempts to find a procedure that finally works.
 
Upvote 0


Hi, thanks for a helpful response. It's an InFocus M560 (also known as M808 and V5); it's running Android version 5.1.
I've found a stock ROM for it. I could try flashing that, but that assumes they aren't part of the original and that the 3rd party seller I got the phone from put those malware apps on.
I've never rooted or flashed before, so I'm a noob, but willing to try anything that'll work and make the phone safe to use.
 
Upvote 0
I don't see much online about rooting your M560, hopefully someone will reply to this with better info and knowledge. It's not something you want to do without having everything thoroughly researched first.
In the meantime give NetGuard some thought, a software firewall is a nice way to filter a lot of things, not just troublesome things like your Pandora's Box.
 
Upvote 0
Thanks, I'll probably give NetGuard a shot.
I read it only stops the app connecting to the internet though, and my biggest concern is the apps recording audio by activating the microphone when they shouldn't be, and same with the camera and recording when they shouldn't be.... How will disabling these apps' access to the internet affect either of the above (or their app permissions for anything else)?
- Sorry, as I say I'm a noob.

Also, if it helps, the stock ROM I found for the device is listed here:
https://androidmtk.com/download-infocus-stock-rom
So maybe someone can comment about how trusty that source is?
There seem to be step by step instructions of how to flash it, but again that's only going to help if the issue isn't built into the stock ROM... I guess there's no way of checking that beforehand?

Thanks for being so helpful
 
Upvote 0
A firewall app will block incoming/outgoing network traffic, typically apps/processes that you pick and choose to allow or block. So even though that Pandora's Box app will still be trying to do things on your phone, once you've blocked it from any online access its ability to communicate is cut off, it won't be able to send out any of your data it's collected. NetGuard is just a suggestion pertaining to your specific issue, ideally it would be best to delete that Pandora's problem (although I think a firewall app is a pretty useful utility to have on your phone in any case).

As for that firmware site you linked, at the bottom of the page there are footnotes that state those are from InFocus. As the problem apps appear to be installed by InFocus I'm guessing that they're part of the firmware images, but again, that's just an assumption. Their instructions on flashing the firmware appear to be well-illustrated and thorough, and using their indicated utility doesn't indicate the need for rooting your phone.
If you feel up to it try and flash the firmware and if Pandora's Box is still there just block it with NetGuard. Don't forget to back up all your personal data first.
 
Upvote 0
Thanks, I'll have a look at NetGuard properly tonight after work.
Just wondering why you think the problem is from InFocus themselves. As I said, I did get it from a third party seller who I've had no response from since telling them it's full of spyware/malware I want to return (not that I do, but they don't know that), and it's convenient the box was unsealed to remove the original plug and put in a UK one..... But I could just be clutching at straws hoping the phone will become safe to use lol
 
Upvote 0

Right, OK, so I've put NetGuard on the phone. In the list Pandora's Box is light orange and Pandora's Box Service is full orange.
It lets me check both of them off for wifi & data, but on doing so the following also then get a score through the wifi & data signs:
phone (I have 2 listed, one remains enabled, the other gets the score through)
android system
apps cleaner
atci_service
backuptoolutil
battery protect
bluetoothle
caivs
cdasys
com.mediatek
com.mediatek.voiceextension
common data service
date & time set up
default app configure
device monitor control
fqc
fused location
g sensor calibration
input devices
keychain
lockscreen settings
mobile assistant
mtk thermal manager
mtkmd receiver
package installer
settings
settings storage
setting utils
setup wizard
smartcard service
stability monitor
system protection
voice unlock

Why would this be happening? They must all somehow be linked?
 
Upvote 0
Infocus is a Chinese manufacturer of primarily DLP projectors, hence the name, and in fact they don't even list phones on their website.
www.infocus.com.cn

So this is likely a phone from some unknown OEM, and pre-installed malware can be a distinct possibility with things like this.

http://www.infocusphone.com/index.html Isn't this the same company?
From what I know they are owned by American Foxconn.
 
Upvote 0
As you say, removing these strange apps would be best. What would be my options for doing so?
Removing them requires you to root your phone. Whether the third-party reseller or InFocus installed Pandora's Box those two problems are running with privileges that you don't currently have. Even if you install some antivirus/anti-malware app to try and clean out Pandora's Box you'd be installing that utility as a general user so it won't be able to take care of your problem either.

Right, OK, so I've put NetGuard on the phone. In the list Pandora's Box is light orange and Pandora's Box Service is full orange.
It lets me check both of them off for wifi & data, but on doing so the following also then get a score through the wifi & data signs:
You don't want to block everything, just those two items.
 
Upvote 0
Yeah I know, I only want to check off those two, but what I'm saying is when I check off those 2 it AUTOMATICALLY checks off everything I listed above... I have no control over it. I can't uncheck them but still have Pandora's Box checked.
 
Upvote 0
Ahh, my mistake. Now I understand what you were originally stating. Those PB processes are definitely running as system apps (with root privileges). You could try that firmware re-flash option as it could be possible that the reseller is responsible for the bloatware and not InFocus, but again be sure to back up any personal data before trying it. Otherwise it appears as if rooting your phone is the only way to kill off your problem.
So far the references I've run across doing a quick search online relative to your specific model point to some dodgy methods (rooting your phone will add their own bloatware), hopefully someone with more knowledge on this will chime in.
 
Upvote 0
Thanks for being so helpful, really appreciate it. The seller messaged me back asking for photos to prove my claim it was infected...
Would it be possible to use NetGuard to stop PB accessing the web and just accept the other processes it also automatically restricts?
I'll probably try and reflash the stock ROM, but if that fails, and assuming I don't brick the device, I'd prefer to rely on NetGuard than attempt a root
....
 
Upvote 0
Part of the problem dealing with that seller might be they don't consider what they've added to be an 'infection' but more as an 'enhancement'. What's good for them isn't necessarily what's good for you.

For user-installed apps you should be able to block/unblock individual apps, but system apps (generally Android OS) are what should be considered essential for the phone to function. As NetGuard is running with non-root privileges there are some things it can't do, as opposed to if it was running with root privileges. In this case that PB crap is running as a system process so it's essentially safe from non-rooted apps.
 
Upvote 0
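Why checking off the two Pandora's Box entries also scored through Settings, Android System and the rest, as an added example that is not part of the original thread: Android attributes network traffic to a UID, so packages that share one UID cannot be filtered separately by a per-app firewall. The sketch groups packages by UID from text shaped like `adb shell dumpsys package` output; the sample dump and the `com.example.pandorabox*` names are constructed placeholders, the field layout varies between Android versions, and that the apps listed in the thread share a UID with Pandora's Box is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on `adb shell dumpsys package` output. The
# pandorabox names are placeholders, not the real package names on that phone.
SAMPLE_DUMP = """\
  Package [com.android.settings] (1a2b3c):
    userId=1000 gids=[1028, 1015, 3003]
    sharedUser=SharedUserSetting{aa11 android.uid.system/1000}
    pkgFlags=[ SYSTEM HAS_CODE ]
  Package [com.example.pandorabox] (4d5e6f):
    userId=1000 gids=[1028, 1015, 3003]
    sharedUser=SharedUserSetting{aa11 android.uid.system/1000}
    pkgFlags=[ SYSTEM HAS_CODE ]
  Package [com.example.pandorabox.service] (778899):
    userId=1000 gids=[1028, 1015, 3003]
    sharedUser=SharedUserSetting{aa11 android.uid.system/1000}
    pkgFlags=[ SYSTEM HAS_CODE ]
  Package [com.android.phone] (0f0e0d):
    userId=1001 gids=[3002, 3001, 3003]
    sharedUser=SharedUserSetting{bb22 android.uid.phone/1001}
    pkgFlags=[ SYSTEM HAS_CODE PERSISTENT ]
  Package [eu.faircode.netguard] (abcdef):
    userId=10093 gids=[3003]
    pkgFlags=[ HAS_CODE ALLOW_BACKUP ]
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
UID_RE = re.compile(r"^\s*userId=(\d+)")
FLAGS_RE = re.compile(r"^\s*pkgFlags=\[(.*)\]")

def parse_packages(dump):
    """Return {package: {"uid": int or None, "system": bool}}."""
    pkgs, current = {}, None
    for line in dump.splitlines():
        if m := PKG_RE.match(line):
            current = pkgs.setdefault(m.group(1), {"uid": None, "system": False})
        elif current is not None and (m := UID_RE.match(line)):
            current["uid"] = int(m.group(1))
        elif current is not None and (m := FLAGS_RE.match(line)):
            current["system"] = "SYSTEM" in m.group(1).split()
    return pkgs

def blocked_together(pkgs, suspects):
    """Map each suspect's UID to every package that shares that UID."""
    by_uid = defaultdict(list)
    for name, info in pkgs.items():
        by_uid[info["uid"]].append(name)
    uids = {pkgs[s]["uid"] for s in suspects if s in pkgs}
    return {uid: sorted(by_uid[uid]) for uid in uids if uid is not None}

if __name__ == "__main__":
    suspects = ["com.example.pandorabox", "com.example.pandorabox.service"]
    print(blocked_together(parse_packages(SAMPLE_DUMP), suspects))
```

In the constructed sample the suspects sit on UID 1000 alongside Settings, so a rule for one applies to all of them, while the phone package on UID 1001 stays separate.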
Ah OK, so basically NetGuard has no effect on PB even if I disabled its access to the web, as it runs with higher privileges than NetGuard so basically overrides it. Is this correct?
I'll try flashing the stock ROM tomorrow when I have time and see if that works; knowing my luck I'll probably end up bricking the device from that alone. By then the seller may have replied again.
I'm just not sure, as from what I can see on XDA people who've used the phone don't seem to have any malware/spyware. I've tried asking them over there for advice but not had any replies. Thanks again for being so helpful.
 
Upvote 0
http://www.infocusphone.com/index.html Isn't this the same company?
From what I know they are owned by American Foxconn.

Same logo, so likely is same company, different division. I've seen their projectors before, but not their phones. FYI Foxconn is actually a Taiwan company, also called Hon Hai Precision. One of the world's largest OEM manufacturers.

Pre-installed, baked-in spyware in Chinese phones does happen from time-to-time. Lenovo got caught installing spyware on their PCs.
 
Upvote 0

If it's the stock ROM or an official update (from a region that has the update and same phone specs and you haven't gotten it yet, or an update from your region) you should be able to flash it without root via the stock recovery. Flashing it would be considered updating it. But if you wanted a custom ROM/firmware like CM or Blisspop, then you would need TWRP (or another custom recovery) and/or root access.
 
Upvote 0
