Support A malware called "Android Services"

Discussion in 'Android Help' started by Seulyoon, May 15, 2016.

  1. Seulyoon

    Seulyoon Lurker
    Thread Starter
    I was scanning my phone to see if there were any viruses, and the results were that a malware called "Android Services" is installed on my phone. At first, I decided to ignore it, but then my browser's homepage was set to a website called coolsite99.com. There are also sites showing up in my bookmarks (2048 and sexy storm); even if I keep deleting them, they always reappear. Thankfully though, there are no ads popping up. I tried scanning with other antivirus apps, and it is also recognized as a malware/ghost push trojan. I tried to uninstall it but it was grayed out. So, I decided to initiate action and researched how to remove it.

    First, I used factory data reset and erased the contents of my memory. Then, I rebooted my phone to safe mode and unchecked "Device Administrators" so that I would be able to uninstall built-in apps, but I was unsuccessful.

    Next, I installed "Stubborn Trojan Killer" and after scanning, it said that it was unable to uninstall it. It was said that I have no choice but to root my phone. I downloaded King Root and allowed STK. It said that the virus was successfully removed but I checked my app storage and it was still there! I decided to disable it (even though it will enable after rebooting) and repeated the process once again but to no avail.

    The browser problems are still there. I clicked 'default settings' in my browser's settings, which turned everything back to normal for a few days only.

    I installed MalwareBytes next and it said that I have 2 trojans (namely kinguser(?) and my file manager). Before, there were 3 of them (hopefully it's not just camouflaged). I scanned with STK but it said that my device is safe. I saw in my app storage that com.android.sycore (Android Services) is now gone (hopefully!). I just gave up and continued to use my phone like before, except that I changed all my important account passwords. And for sure, I'm not going to log in to my important accounts since I'm still paranoid it might steal info.

    Should I continue to use this phone and ignore it or are there any other options that I could do? Except for going to a store to get it checked up. (scammers are everywhere in here...)

    P.S. Sorry if I seem to be overreacting...I'm just 13 and English is my second language.
     

    scary alien likes this.
  2. chanchan05

    chanchan05 The Doctor
    Android Services is not necessarily malware. There is indeed an actual Android Services process that comes with the OS, the same as there is Windows Services on Windows. There is a possibility that some malware may rename itself to this to hide, though.

    The best way to ensure the phone is clean though is to flash a clean ROM from trusted sources. Just get the official stock ROM and you're good to go.
     
  3. Xavier Black

    Xavier Black Android Enthusiast
    Bro, I am sorry to hear what you are currently experiencing. I think one of the recommendations you will get here is to do a second factory reset and try to flash your ROM, to kill any living parasite still breathing on your device. If this doesn't help, hang in there. Someone will come through, they always do. The guys here are awesome, it's like a caring family.
     
  4. svim

    svim Android Expert
    From what you've described your phone does have some kind of exploit infecting it so I wouldn't say you're overreacting when you've stopped using it for some critical online tasks. Just to add some background info, the internal storage media inside your phone is divided into several partitions. Some of those are 'system' partitions reserved specifically for the Android operating system to function. The general user data partition is where your data, your apps, and your settings are stored. When doing a Factory Reset the general user partition gets wiped, but those protected system partitions are left as is. Most exploits and such affect only the user data partition but some are better written and much more problematic in that they are able to insert bad code into one of the protected system partitions. So when you did your Factory Reset in this instance it didn't clear up the situation because apparently the exploit is part of the operating system. The antivirus/anti-malware utilities you were initially using were installed as general user apps so while they could clean up your general user partition, the system partitions were protected by root privileges.

    Regarding Kingroot, it is likely that it added some background process of its own. The problem is that some models of phones are really difficult to root, and questionable rooting solutions like Kingroot are sometimes the only workable option. Here's a previous thread with some informative links in one of the postings:
    http://androidforums.com/threads/kingroot-opinions.1029311/#post-7294618

    As for cleaning up your problem completely, that will require getting a factory ROM and re-flashing it to wipe the infected ROM from your phone. That itself can be a problem, as finding the appropriate ROM for your phone might be difficult. ROMs are very, very specific and only apply to the model they've been built for; there is no 'generic' ROM that can be used on multiple models. But if you've got a major branded model it could also be quite easy to find the ROM for your phone.

    If you can't find your phone's factory ROM, you could just live with it as is. You've rooted it so you now have some options. Install 'Titanium Backup Pro' from Google Play. One of its really great functions is that you can 'freeze' and 'defrost' individual apps and background processes. Freezing disables the process from functioning, defrosting enables the process. As an example, if there's some process you don't think you need but aren't sure if removing it will mess up your phone somehow, by freezing it with Titanium Backup you can always just defrost it if necessary.
    Another option is to install a firewall app. Take a look at NetGuard or Droidwall. Both will allow you to block individual processes from online access using WiFi or cellular, or both.

    If you're really, really paranoid about personal data leaking out of your phone and you've got a computer/laptop that's using the same LAN as your phone, try the Wireshark program. Wireshark is a network packet sniffer. You install it, let it scan your network for several minutes, and then filter the results to just anything that applies to your phone.
    https://www.wireshark.org/
    http://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

    (Oh, and your summary was quite thorough and well-written. English may not be your native language but I know I'm impressed.)
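
    Added example, not part of svim's post: one way to do the "filter the results to just anything that applies to your phone" step on a saved capture, by exporting fields with tshark and summarizing what the phone sent and which hostnames it asked for. The phone's IP address, the capture file name and the sample rows are assumptions constructed for illustration; the watched domain is the one named in the first post, and the capture point is assumed to actually see the phone's traffic.

```python
import csv
import io
from collections import Counter

PHONE_IP = "192.168.1.50"        # assumption: the phone's address on the LAN
WATCHLIST = {"coolsite99.com"}   # the hijacked homepage named in the thread

# Constructed sample, in the shape produced by:
#   tshark -r capture.pcapng -T fields -E separator=, -e frame.time_epoch \
#     -e ip.src -e ip.dst -e dns.qry.name -e tls.handshake.extensions_server_name
SAMPLE = """\
1463300000.1,192.168.1.50,192.168.1.1,coolsite99.com,
1463300000.4,192.168.1.50,203.0.113.10,,
1463300001.0,192.168.1.50,192.168.1.1,play.googleapis.com,
1463300001.2,192.168.1.50,198.51.100.7,,play.googleapis.com
1463300002.0,192.168.1.23,192.168.1.1,example.org,
1463300003.5,192.168.1.50,192.168.1.1,ads.coolsite99.com,
1463300003.9,192.168.1.50,203.0.113.10,,
"""


def on_watchlist(name, watchlist):
    """True if name is a watched domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def summarize(text, phone_ip=PHONE_IP, watchlist=WATCHLIST):
    """Count destinations and hostnames for packets sent by the phone."""
    names, peers, hits = Counter(), Counter(), []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue                      # skip blank or truncated lines
        ts, src, dst, qname, sni = (f.strip() for f in row[:5])
        if src != phone_ip:
            continue                      # keep only traffic the phone sent
        peers[dst] += 1
        for name in filter(None, (qname, sni)):
            names[name.lower()] += 1
            if on_watchlist(name, watchlist):
                hits.append((float(ts), name.lower()))
    return {"names": names, "peers": peers, "watchlist_hits": hits}


if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("Top peers:", report["peers"].most_common(3))
    print("Hostnames:", dict(report["names"]))
    print("Watchlist hits:", report["watchlist_hits"])
```

    Hostnames only show up when the phone uses plain DNS or sends a TLS server name; the per-destination packet counts still work without them.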
     
  5. Kibaikasu

    Kibaikasu Well-Known Member
    Seulyoon,

    What you are describing sounds very similar to spyware. I've experimented with certain spyware apps as a part of my job, and this is what I can tell you about how they work:

    1) The majority of the publicly available spyware apps require physical access to the phone to install. The ones that can be installed remotely are obscenely expensive and are usually only available on the dark web.

    2) The majority of the publicly available spyware apps will usually disguise themselves as a system app of some kind to camouflage themselves from manual detection. You can usually find them sticking out like sore thumbs by going into Settings -> Security and checking the following: Unknown Sources is turned on, Verify Apps is turned off, and there are apps you do not recognize in Phone Administrators which have permission to access your device.

    If this is the case, then rooting your device would probably do nothing but make matters worse, as with most spyware apps, rooting the phone will allow it complete access to not only basic functions, but more detailed apps like social media, email, chats, etc.

    If you have tried to factory reset the phone and the spyware/malware is still there, I would recommend a complete re-flash of your device's stock ROM. This could usually be done via Odin.

    If the problem persists after that, then the issue goes beyond your phone.
     
  6. svim

    svim Android Expert
    Note that a) the OP already had an exploit that had installed itself into the system partition, then rooted the phone trying to remove it, and b) Odin only works with Samsung phones, as it's based off of a leaked Samsung utility. We don't know what phone the OP owns.
     
