• After 15+ years, we've made a big change: Android Forums is now Early Bird Club. Learn more here.

Spam publicity virus (hidden as Settings) com.chunmei.calculator

Jump to latest Follow Reply
Sort by date Sort by votes
jg2874

jg2874

Lurker
May 13, 2017
4
2
#1
Hello
Since this friday, I have some problems with my cell phone. Every 30 minutes I see a disturbing message, full screen, showing publicity, with a countdown... it is clear I have been infected by a spyware, the problem is I am unable to remove it.
I see there is a suspicious Settings application, that is different to the one coming with my device. I can uninstall this app, however, 30 minutes later, the app, magically, reinstall itself.
I did a virus scan, and it was detected a malware called com.chunmei.calculator
The thing is I cannot get rid off this "Settings" app, that reinstall, even if I uninstall it.
Should I have to reset to the factory settings the cell phone?
I have an Adroid 6.0 and I do not see any option to restart it as factory default?
Or should I clean this in anyway?
I tried Kaspersky, don't work, Malwarebytes, don't work... and now I tried AVG, it detects this "crap" sorry, but don't clean it.

Just to add: It was identified as: Android/AVT.RepMetagen
 
Last edited:
  • Like
Reactions: Max420
#5
Over the years we've seen many instances of off-brand or import phones come out of the box either with malware already installed as part of the system or rooted from day one, so root exploits can install to the system partition with impunity. Before Marshmallow, there were even apps that could take advantage of know root exploits to install their malicious components as part of the system, but that's not been an issue since.

On of the advantages of making rooting more difficult makes this sort of intrusion less likely.
 
  • Like
Reactions: Unforgiven
Upvote 0
#7
My phone was working fine and the maker did not install any kind of malware in it. I want to clarify this, because I was using the phone 7 months without problems. What Elijah_G said worry me, because he did a factory reset, and the malware problem continue.
I am going to do a factory reset this saturday, and if I continue with this, I think I will die.

Elijah_G? When was the first time you experienced this problem? Do you remember the exact day?

All Android phones are like laptops. The same as laptops, Android phones have a partition with the Operating System to restore it as it was by default, coming from the factory. This happen also with laptops. They have the Windows in a partition inside the hard disk, so you can restore the factory settings in case of virus, etc. Okay.

QUESTION: Could be possible a malware infect the phone, and also attack the factory partition with the operating system, to infect, also, the factory partition and make all the factory resets apply the publicity? In such case, what option could be possible, to download a clean firmware from the maker and install it from scratch?

And the second thing is... what the hell is (I am sorry) com.chunmei.calculator! The chunmei thing seems to come from a Chinesse restaurant or something like that.

The thing is, we have identified the virus: Android/AVT.RepMetagen

RepMetagen seems to explain the behaviour, you uninstall the app, it reinstalls again. RepMetagen, REPlicate.

How is it possible any single antivirus for Android be able to scan and clean a well identified virus, like this one?
Any antivirus is able to deal with the Android/AVT.RepMetagen?

Cheers

 
  • Like
Reactions: Max420
Upvote 0
#8
jg2874 said:
My phone was working fine and the maker did not install any kind of malware in it.
Click to expand...

This could be an instance of a recently installed app being infected with malware that was given permission to install apps as root. It's hard to tell without actually examining your phone. To make troubleshooting easier, what make and model is the phone? And, what version of Android is it running?

jg2874 said:
I am going to do a factory reset this saturday,
Click to expand...

If the offending app is installed in the system partition, then a factory reset won't help.

jg2874 said:
The same as laptops, Android phones have a partition with the Operating System to restore it as it was by default, coming from the factory.
Click to expand...

No, that's not quite the case. While it's true that the system partition is separate from the user data partition, and is protected (for the most part), what you are thinking of is a recovery partition on laptops/desktops where you can reimage a hard disk as if it were brand new. That is analogous to flashing the stock firmware on an android device. Factory resets simply wipe the user data from the device and allow you start fresh. And modifications to the system partition will remain, such as version updates, security patches and root apps.

jg2874 said:
And the second thing is... what the hell is (I am sorry) com.chunmei.calculator!
Click to expand...

As far as I can see it's a calculator app from China. It does have network access permissions, but that would make sense if it was ad supported. Now, if the app was downloaded from somewhere other than the play store, then it could have had malicious code inserted into it.

The only truly safe way to fix this is to get the original firmware from the phone manufacturer and flash it to the device, which is a complete wipe of everything currently on your phone.
 
  • Like
Reactions: Hadron and El Presidente
Upvote 0
#9
Let's pray I don't have to flash the device my God.
Is that very difficult to do?
My phone is a Leotec Titanium Print, is a Spanish brand, and the Android is 6.0
I really don't know how that stupid calculator entered inside my phone because I don't remember to have installed it.
 
Upvote 0
#10
jg2874 said:
Is that very difficult to do?
Click to expand...
Unfortunately most searches for your device are in Spanish (naturally) but it's one language I have never mastered.

While it can be tricky, flashing factory firmware is something a good shop should be able to do for you for a nominal fee, if you don't feel confident enough to try.
 
Upvote 0
#11
jg2874 said:
My phone was working fine and the maker did not install any kind of malware in it. I want to clarify this, because I was using the phone 7 months without problems. What Elijah_G said worry me, because he did a factory reset, and the malware problem continue.
I am going to do a factory reset this saturday, and if I continue with this, I think I will die.

Elijah_G? When was the first time you experienced this problem? Do you remember the exact day?

All Android phones are like laptops. The same as laptops, Android phones have a partition with the Operating System to restore it as it was by default, coming from the factory. This happen also with laptops. They have the Windows in a partition inside the hard disk, so you can restore the factory settings in case of virus, etc. Okay.

QUESTION: Could be possible a malware infect the phone, and also attack the factory partition with the operating system, to infect, also, the factory partition and make all the factory resets apply the publicity? In such case, what option could be possible, to download a clean firmware from the maker and install it from scratch?

And the second thing is... what the hell is (I am sorry) com.chunmei.calculator! The chunmei thing seems to come from a Chinesse restaurant or something like that.

The thing is, we have identified the virus: Android/AVT.RepMetagen

RepMetagen seems to explain the behaviour, you uninstall the app, it reinstalls again. RepMetagen, REPlicate.

How is it possible any single antivirus for Android be able to scan and clean a well identified virus, like this one?
Any antivirus is able to deal with the Android/AVT.RepMetagen?

Cheers
Click to expand...
I've been having having this issue since April the 25th
The malicious settings app was initially being installed from com.petsfamily what ever that is and last week it changed to com.chunmei.calculator and went from a medium threat to a high threat according to my McAfee phone security app.
I managed to find all the com.pets files and remove them but in 15 mins they were back.
I can force stop and remove all permissions but that only lasts a few hours before it's updated itself.

Maybe I need to ask Mrs Clinton for some advice on deleting files although she'll probably just blame the Russians.
 

Attachments

  • One_20170518_135452.png
    One_20170518_135452.png
    146.2 KB · Views: 441
Last edited:
  • Like
Reactions: Max420
Upvote 0
#12
Chunmei sounds to Chinesse more than Russian, but it's the same this is a nightmare.
Leotec allow to download the firmware in a ZIP file 909 MB
Is very difficult to flash the device? I mean, what do I need?
I download the firmware... I have the ZIP file and now what?
How do I make the phone get the firmware? should I connect the phone to the PC?
Probably the best solution for Elijah_G and me is to flash the device (I guess this is a hard reset).
So what's next please?
 
Upvote 0
#16
LV426
Looks like the ZTE guys have the right idea then, with locking down the Zmax Pro




That was a bad idea, but a job well done by them seeing as nobody broke into it, just yet. If not for the horrible UI, theming and CPU management programs running, I feel it wouldn't need root.

I feel the recent slew of 6/8 core CPU devices are as good as a marketing gimmick. Two different devices of mine (zmax pro and Kyocera Duraforce Pro) are octo-core and they are so bloody unstable right OTB because the manufacturer's CPU management programming pretty much cripple them and, compounded with Android's doze/optimization, makes them almost completely useless without root, which we CAN'T get at all.

I keep going back to my Nexus 5 because nothing I buy can outperform it.
 
Upvote 0
#17
Hi there.
I'm having the com.chunmei.calculator in Settings app problems with my NOMU S10 for a couple of days. The problem is detected by all major antyvir apps: NORTON, McAFFE, AVG and BitDeffender. They all uninstall it but it reinstalls itself somehow.
The phone wasn't rooted. I've installed only apps from the Google store. The funny fing is that before I delete the malware it (again) it is visible in my Google Store as chunmei.calculator installed on my device as I had downloaded it by myself (but never did).
The only thing I recollect suspicious is that a week or two ago the system of my android updated by firmware (S10) software (date of system safety updates: march 2017). My operating system is 6.0.1.
I wondered if restoring the factory settings could help but according to what Elijah_G claims it probably won't.
Could anyone suggest the most intrusive solution? Or any sensible at least.
 
  • Like
Reactions: Max420
Upvote 0
#18
Quite frankly I think this Nomu S10 might have actually come with chunmei baked into its firmware ROM. Nomu is only some trading company, and the actual device manufacturer is unknown.

Maybe worth trying to contact them about it, by email, webform or mobile phone numbers.
http://nomu.hk/contact

EDIT:

I suspect it's same problem with the "Spanish" Leotec phone, that also comes from an unknown Chinese manufacturer. Leotec are just some importer in Barcelona.
 
Last edited:
  • Like
Reactions: Piworzuop
Upvote 0
#20
Having the same problem with my Nomu S10...it got infected by a public WiFi portal in mid june. Same issue can't seem to remove it.

Elijah_G said:
I've been having having this issue since April the 25th
The malicious settings app was initially being installed from com.petsfamily what ever that is and last week it changed to com.chunmei.calculator and went from a medium threat to a high threat according to my McAfee phone security app.
I managed to find all the com.pets files and remove them but in 15 mins they were back.
I can force stop and remove all permissions but that only lasts a few hours before it's updated itself.

Maybe I need to ask Mrs Clinton for some advice on deleting files although she'll probably just blame the Russians.
Click to expand...
 
Upvote 0
#21
Did you ever find a solution?

jg2874 said:
My phone was working fine and the maker did not install any kind of malware in it. I want to clarify this, because I was using the phone 7 months without problems. What Elijah_G said worry me, because he did a factory reset, and the malware problem continue.
I am going to do a factory reset this saturday, and if I continue with this, I think I will die.

Elijah_G? When was the first time you experienced this problem? Do you remember the exact day?

All Android phones are like laptops. The same as laptops, Android phones have a partition with the Operating System to restore it as it was by default, coming from the factory. This happen also with laptops. They have the Windows in a partition inside the hard disk, so you can restore the factory settings in case of virus, etc. Okay.

QUESTION: Could be possible a malware infect the phone, and also attack the factory partition with the operating system, to infect, also, the factory partition and make all the factory resets apply the publicity? In such case, what option could be possible, to download a clean firmware from the maker and install it from scratch?

And the second thing is... what the hell is (I am sorry) com.chunmei.calculator! The chunmei thing seems to come from a Chinesse restaurant or something like that.

The thing is, we have identified the virus: Android/AVT.RepMetagen

RepMetagen seems to explain the behaviour, you uninstall the app, it reinstalls again. RepMetagen, REPlicate.

How is it possible any single antivirus for Android be able to scan and clean a well identified virus, like this one?
Any antivirus is able to deal with the Android/AVT.RepMetagen?

Cheers
Click to expand...
 
Upvote 0
#23
darkjoscha said:
i found a solution wich seems to work so far...

1. disable automated updates
2. freeze/disable the "com.chunmei.calculator" app
Click to expand...

I've tried it but doesn't seem to work for me. To clarify I've tried these solutions for my NOMU S10 so far:
1. I've flashed to the stock ROM.
2. I've rooted my phone to gain access to root folders.
3. I've disabled the com.chunmei.calculato app via "package disabler" app.
4. I've turned off the automatic google play updates (as well as the updates offered by NOMU).

After all of this it seems that after a few days at most and rebooting my phone the shitapp comes back over and over again.
I wonder if there is any tracking app, which could tell what on earth in my software installs it again and again.
As far I'm 100% convienced that the malware comes with the NOMU stock ROM.
I'm leaning towards installing some other's company ROM or some custom ROM.
Could anyone recomend some custom multipurpose ROM with Marshmallow? So far I've found a recommendation to install ARCOS 50 Saphire ROM but I would prefer installing some custom one if anybody could recommend something good...
 
Upvote 0
#24
The answer for S10 is to use that clean Arcos 50 ROM. The answer to S20 is more complicated as there is no easy alternative ROM and Over The Air (OTA) updates do not work with the settings and that above mentioned calulator app being infected. I contacted Nomu Tech support (got their email from their web page) and got a link for the updated ROM from them. Then I manually flashed it to the phone. That was just today, but so far it has stayed uninfected. I will keep on checking the situation. The manual flashing was not simple as ADB gave me pain as did fastboot so it is definitely not a every-man-job. I would suggest contacting your retailer and sending back the phone for them to fix as the best solution unless you can do the flashing yourself. A phone infected in factory with a trojan is not a valid product and is well within your rights to require the retailer to sort it out either with a clean replacement or sending it to manufacturer for fixing.
 
Upvote 0
#25
Well. I've installed the ARCHOS 50 ROM. It seems to work quite well, but still I can see some differences. To be honest I really think, that the orignal S10 ROM was much better (except the com.chunmei.calculator malware embeded). The phone seems to use battery about 25% faster and there are some important features missing like "double tap wake" (system setting). I wonder if they will ever update the software of NOMU S10 without the malware. If anyone knows, please let me know as I would gladly get back to the stock ROM. As for now I have to face quite a dramatic choice: to use the apparently worse ARCHOS rom or to use the stock one and live with the malware alongside...
 
Upvote 0
You must log in or register to reply here.

BEST TECH IN 2023

We've been tracking upcoming products and ranking the best tech since 2007. Thanks for trusting our opinion: we get rewarded through affiliate links that earn us a commission and we invite you to learn more about us.

Smartphones

Best Android Phones

See All
  1. Google Pixel 8 Pro Check Price
  2. Samsung Galaxy S23 Ultra Check Price
  3. Samsung Galaxy Z Fold5 Check Price
  4. Google Pixel 8 Check Price
  5. Samsung Galaxy S23 Check Price

Upcoming

See All
  1. Samsung Galaxy S24 Early Access

Best iPhones

See All
  1. Apple iPhone 15 Pro Max Check Price
  2. Apple iPhone 15 Pro Check Price
  3. Apple iPhone 15 Plus Check Price
  4. Apple iPhone 15 Check Price
  5. Apple iPhone SE (2022) Check Price

Upcoming

See All
  1. Apple iPhone 16 Early Access

Tablets

Best Tablets

See All
  1. Samsung Galaxy Tab S9 Ultra Check Price
  2. Apple iPad Pro (2022) Check Price
  3. Apple iPad Air (2022) Check Price
  4. Apple iPad Mini (2021) Check Price
  5. Microsoft Surface Pro 9 Check Price

Upcoming

See All
  1. Apple iPad Air 6 Early Access
  2. Apple iPad Fold Early Access

Laptops

Best Laptops

See All
  1. Apple Macbook Pro Check Price
  2. Apple Macbook Air (2023) Check Price
  3. Dell XPS 13 Check Price
  4. Acer Chromebook Spin 714 Check Price
  5. Dell Alienware m18 (2022) Check Price

Upcoming

See All
  1. Microsoft Surface Laptop 6 Early Access
  2. Microsoft Surface Pro 10 Early Access

Televisions

Best TVs

See All
  1. Samsung The Frame TV Check Price
  2. Samsung Neo QLED 4K QN90C Check Price
  3. LG G3 OLED Check Price
  4. LG A2 OLED Check Price
  5. ROKU Plus Series Check Price
  6. Samsung S90C OLED Check Price
  7. SunBriteTV Veranda 3 Check Price

Upcoming

See All
  1. Hisense 110UX ULED X TV Early Access

Game Consoles

Best Game Consoles

See All
  1. Nintendo Switch OLED Check Price
  2. Microsoft XBOX Series X Check Price
  3. Sony Playstation 5 Check Price
  4. Microsoft XBOX Series S Check Price
  5. Nintendo Switch Lite Check Price

Upcoming

See All
  1. Nintendo Switch 2 Early Access

Wearables

Best Wearables

See All
  1. Oura Ring 3 Check Price
  2. Apple Watch Series 9 Check Price
  3. Google Pixel Watch 2 Check Price
  4. Samsung Galaxy Watch 6 Classic Check Price
  5. Fitbit Inspire 3 Check Price
  6. Amazfit Amazfit Band 7 Check Price
  7. Apple Watch SE Check Price
  8. Apple Watch Ultra 2 Check Price

Upcoming

See All
  1. Samsung Galaxy Watch 7 Early Access

Smart Home

Smart Home Tech

See All
  1. Amazon Echo (4th Gen) Check Price
  2. Schlage Encode Smart Lock Check Price
  3. Amazon Blink Smart Cameras Check Price
  4. Google Nest Thermostat Check Price
  5. Phillips Hue Smart Lights Check Price

Upcoming

See All
  1. Apple Homepod Vision Early Access

Similar threads

S
Fast battery drain even with new bigger battery
Replies
10
Views
2K
Smartphones
svim
svim
RASelkirk
Help Migrating to new A54, q's!
Replies
32
Views
6K
Samsung
RASelkirk
RASelkirk
J
Can't uninstall Saphe app
Replies
4
Views
3K
Smartphones
Joe joe joe joe
J
Upvote 0
Samsung
  • Suggestion
Setting Boundaries Without Building Walls: Why Choice Means Stronger Security
Replies
0
Views
481
Breaking News
Samsung
Samsung
Upvote 0
Samsung
  • Suggestion
Samsung Introduces Latest Home Appliance Lineup Featuring Enhanced Connectivity and AI Capabilities at the ‘Welcome to BESPOKE AI’ Global Launch Event
Replies
0
Views
126
Breaking News
Samsung
Samsung
Top Bottom
Back
Jump to latest Follow Reply
Jump to latest Follow Reply