
Help Malware survives factory reset

jusmee

Jan 26, 2011
I have a cheap phone, an Onix bought from an Aldi store, running Android 5.0. For a month or so, it was fine, but lately it has become unusable due to pop-up ads. After trying a few different virus checkers (Avast, AVG, Norton, Avira), finally one, Malwarebytes Anti-Malware, detected a problem in a system file, /system/app/OP_GoogleSearch/OP_GoogleSearch.apk.

This is found on a scan, and also by the real-time detection, every time an ad pops up. Trying to uninstall it fails (because it is a system file?). Anyway, nothing to lose, I did a full factory reset. After a reboot, I put my Google account in again, but told it to do a new setup, clean - i.e. no previous apps restored.

Very soon after, up pops a window claiming to be from airpush, and asking if I want to opt out. I say yes, but it comes back a few more times, and the other pop-up ads start again. I install Malwarebytes Anti-Malware, and it finds the same malware as before.

So, has the malware found a way to install itself in the factory image? I think, at this point, the phone is junk, because, being an unknown brand, I can't even root it, and/or install a custom ROM.
 
First rule: never respond to pop-ups like that. They lie, and the most likely result is that you will install something unwelcome rather than opt out.

As for this, there is malware that can install to system. But that might imply that one of the rooting apps may be able to root your phone, as they will be using the same exploits. So there is nothing to lose by trying a few, especially if you are going to ditch the phone if not.
 
You can confirm it's definitely not rooted? If it's not rooted, the only way the adware could have got into system is if it was in there in the first place from the factory, or it had an OTA firmware update that put it in. And it's survived a factory reset. Cheapo China phone, unknown manufacturer, anything is possible with these things, including adware in system. I think "Onix" is a house brand of Aldi they use for their budget tech products, one week specials or whatever.
 
You can confirm it's definitely not rooted? If it's not rooted, the only way the adware could have got into system is if it was in there in the first place from the factory, or it had an OTA firmware update that put it in. And it's survived a factory reset. Cheapo China phone, unknown manufacturer, anything is possible with these things, including adware in system. I think "Onix" is a house brand of Aldi they use for their budget tech products, one week specials or whatever.
That's not necessarily true anymore, Mike. :(

Malware has begun popping up that uses the same exploits that rooting apps do and installs itself to /system.

Example: http://androidforums.com/index.php?threads/942374/
 
If you've been installing apps from unknown sources you might have downloaded this inadvertently. There is malware out there that can install to system on unrooted phones using the same exploits that rooting apps use. That's why I suggested trying some of those (because if it succeeds then you can use root to uninstall the malware). If Kingo doesn't work, how about Towel Root?

Edit: ninja'd! :p

But yes, it is also possible that there is adware that was just baked into the ROM from the start if Aldi didn't check very carefully what they were selling.
 
It's a pretty long thread @Pugs1957, but I was able to find some pertinent snippets ...

bought one on the day of release & played with it for @ 4 weeks then I started (after visiting the play store) to have annoying little adverts pop up on the bottom right of the screen.
These ads do not respond to the 'shut down' "X" and in some apps they mask the controls.
After about 2 days in frustration I reformatted back to factory default & lost my settings (not much to lose).

I visited the play store last night to get "wikicamps" and now whenever I open the browser those annoying little ads are back.

After a day or so, DU Battery Saver mysteriously re-installed itself. I uninstalled it again, and today DU Speed Booster has also reappeared by itself – it's installed a later version than was previously installed, too, so these apps are indeed being downloaded rather than installing themselves from the ROM.

Also yesterday I got a popup warning that said:

Google recommends that you do NOT install this app: ShareIt
It has been modified to include potentially harmful code.

So it's pretty certain that either these Onix devices are carrying the malware in the rom from day 1 or they are easily exploited to elevate installed apps to system installs. ... or both.

My guess (the sneaky little b***ards) is that there is a fairly benign app included in the original rom that at some point updates itself from a hacked repository and from that point on you're infected. Technically the malware is not part of the rom, but the delivery vehicle is.

If you can't find a root exploit that works, and you can't find a clean rom to flash, I'd take it back to Aldi and raise a very loud stink.

That thread @Pugs1957 linked also says that Aldi tends to be pretty good with returns of this nature.

Mike ... how do you say "caveat emptor" in Chinese? ;)
 
买者自负 In fact I do treat sales as buyer beware here, and many stores do go out of their way to demonstrate a new product is working before the purchase is completed. And after that it's down to manufacturer warranty and service, if applicable.

I would definitely make loud noises at Aldi about it. Don't know where the OP is, but in the UK there's "Sales of Goods Act, 1979" rather than caveat emptor, which basically states, goods must be of satisfactory quality and fit for purpose, and if it infects itself with adware/malware, then I would say that it isn't. Aldi is an EU supermarket chain, HQ in Germany.

Lenovo got rumbled for pre-installing Superfish adware/malware on their laptops a while back.
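
The question the thread keeps returning to, whether the adware sits in the ROM or is pulled down again after the reset, can be checked over adb without root, because a factory reset wipes /data but leaves /system untouched. The script below is an added example, not part of any post; it assumes USB debugging is enabled, and apart from the OP_GoogleSearch path the sample lines and package names are constructed.

```shell
#!/bin/sh
# Added example: classify the output of
#   adb shell pm list packages -s -f
# (-s = packages flagged as system, -f = show the APK path).
# Line format: package:<apk path>=<package name>

# Reads pm output on stdin, prints "<verdict> <package> <path>" per line.
#   ROM      APK is on a read-only partition; a factory reset keeps it
#   UPDATED  system package now running from /data, i.e. a newer copy
#            was installed on top of the ROM version
classify_system_packages() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')   # adb may emit CRLF
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        rest=${line#package:}
        name=${rest##*=}        # split on the LAST '=': newer Android
        path=${rest%=*}         # releases put '=' inside /data paths
        case "$path" in
            /data/*) verdict=UPDATED ;;
            *)       verdict=ROM ;;
        esac
        printf '%s %s %s\n' "$verdict" "$name" "$path"
    done
}

# Constructed sample. Only the OP_GoogleSearch path comes from the thread;
# the package names attached to it and to the /data entry are placeholders.
sample_pm_output() {
    cat <<'EOF'
package:/system/app/OP_GoogleSearch/OP_GoogleSearch.apk=com.example.opsearch
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.booster-2/base.apk=com.example.booster
EOF
}

# Number of packages with the given verdict in the sample.
count_verdict() {
    sample_pm_output | classify_system_packages | grep -c "^$1 "
}

# On a real device:
#   adb shell pm list packages -s -f | classify_system_packages
sample_pm_output | classify_system_packages
```

A ROM verdict on the flagged APK means a factory reset cannot remove it; running `pm list packages -3` after a clean reset shows what has been installed since.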
 