
Spam publicity virus (hidden as Settings) com.chunmei.calculator

Discussion in 'Android Devices' started by jg2874, May 13, 2017.

  1. jg2874

    jg2874 New Member
    Thread Starter
    5

    May 13, 2017
    4
    0
    5
    Hello
    Since this Friday, I have had some problems with my cell phone. Every 30 minutes I see a disturbing full-screen message showing publicity, with a countdown... It is clear I have been infected by spyware; the problem is I am unable to remove it.
    I see there is a suspicious Settings application that is different from the one that came with my device. I can uninstall this app; however, 30 minutes later, the app magically reinstalls itself.
    I did a virus scan, and it detected malware called com.chunmei.calculator.
    The thing is I cannot get rid of this "Settings" app, which reinstalls even if I uninstall it.
    Should I reset the cell phone to the factory settings?
    I have Android 6.0 and I do not see any option to restart it as factory default.
    Or should I clean this in any way?
    I tried Kaspersky, it doesn't work; Malwarebytes, it doesn't work... and now I tried AVG; it detects this "crap" (sorry), but doesn't clean it.

    Just to add: It was identified as: Android/AVT.RepMetagen
     


    #1 jg2874, May 13, 2017
    Last edited: May 14, 2017
  2. Elijah_G

    Elijah_G New Member
    15

    May 17, 2017
    2
    0
    15
    Male
    I'm having exactly the same issue on my Nomu S10 that's running Android version 6.0.1.
    I did a factory reset but it didn't fix the issue, as the spam app just reinstalled itself.
     
  3. lunatic59

    lunatic59 Moderati ergo sum
    Moderator
    4,138

    Jun 12, 2010
    32,038
    26,233
    4,138
    Male
    IT
    Pennsylvania
    Unfortunately, if you have a device where the malware infection is part of the system, there's not a lot you can do, unless your device is rootable.
     
  4. LV426

    LV426 Illegitimi non carborundum
    Moderator
    738

    Oct 16, 2015
    3,834
    4,977
    738
    Male
    Software developer
    UK
    Just for my information, how would this malware have gotten on to the device, and what steps should be taken to prevent it?
    It does concern me, as my Nexus 5 is EOL now and doesn't receive any security updates.
     
  5. lunatic59

    lunatic59 Moderati ergo sum
    Moderator
    4,138

    Jun 12, 2010
    32,038
    26,233
    4,138
    Male
    IT
    Pennsylvania
    Over the years we've seen many instances of off-brand or import phones come out of the box either with malware already installed as part of the system or rooted from day one, so root exploits can install to the system partition with impunity. Before Marshmallow, there were even apps that could take advantage of known root exploits to install their malicious components as part of the system, but that's not been an issue since.

    One of the advantages of making rooting more difficult is that it makes this sort of intrusion less likely.
     
    Unforgiven likes this.
  6. LV426

    LV426 Illegitimi non carborundum
    Moderator
    738

    Oct 16, 2015
    3,834
    4,977
    738
    Male
    Software developer
    UK
    Looks like the ZTE guys have the right idea then, with locking down the Zmax Pro :)
     
  7. jg2874

    jg2874 New Member
    Thread Starter
    5

    May 13, 2017
    4
    0
    5
    My phone was working fine and the maker did not install any kind of malware in it. I want to clarify this, because I was using the phone for 7 months without problems. What Elijah_G said worries me, because he did a factory reset, and the malware problem continues.
    I am going to do a factory reset this Saturday, and if I continue with this, I think I will die.

    Elijah_G? When was the first time you experienced this problem? Do you remember the exact day?

    All Android phones are like laptops. The same as laptops, Android phones have a partition with the operating system to restore it as it was by default, coming from the factory. This happens also with laptops. They have Windows in a partition inside the hard disk, so you can restore the factory settings in case of a virus, etc. Okay.

    QUESTION: Could it be possible for malware to infect the phone and also attack the factory partition with the operating system, infecting the factory partition too, so that all the factory resets apply the publicity? In such a case, what option would be possible: to download a clean firmware from the maker and install it from scratch?

    And the second thing is... what the hell is (I am sorry) com.chunmei.calculator! The chunmei thing seems to come from a Chinese restaurant or something like that.

    The thing is, we have identified the virus: Android/AVT.RepMetagen

    RepMetagen seems to explain the behaviour: you uninstall the app, it reinstalls again. RepMetagen, REPlicate.

    How is it possible for any single antivirus for Android to be able to scan and clean a well-identified virus like this one?
    Is any antivirus able to deal with Android/AVT.RepMetagen?


    Cheers

     
  8. lunatic59

    lunatic59 Moderati ergo sum
    Moderator
    4,138

    Jun 12, 2010
    32,038
    26,233
    4,138
    Male
    IT
    Pennsylvania
    This could be an instance of a recently installed app being infected with malware that was given permission to install apps as root. It's hard to tell without actually examining your phone. To make troubleshooting easier, what make and model is the phone? And, what version of Android is it running?

    If the offending app is installed in the system partition, then a factory reset won't help.

    No, that's not quite the case. While it's true that the system partition is separate from the user data partition, and is protected (for the most part), what you are thinking of is a recovery partition on laptops/desktops where you can reimage a hard disk as if it were brand new. That is analogous to flashing the stock firmware on an Android device. Factory resets simply wipe the user data from the device and allow you to start fresh. Any modifications to the system partition will remain, such as version updates, security patches and root apps.

    As far as I can see it's a calculator app from China. It does have network access permissions, but that would make sense if it was ad supported. Now, if the app was downloaded from somewhere other than the Play Store, then it could have had malicious code inserted into it.

    The only truly safe way to fix this is to get the original firmware from the phone manufacturer and flash it to the device, which is a complete wipe of everything currently on your phone.
     
    Hadron and El Presidente like this.
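
Added example (not part of the thread or any poster's own code): a small triage script for the point made in the post above, that a factory reset only removes apps living in user data. It parses `pm list packages -f` output and reports whether each suspect package sits on a read-only partition or under `/data`; the sample listing, its paths and the function names are constructed for illustration, and only the two suspect package names come from the thread.

```python
"""Classify where suspect Android packages are installed (added example)."""

# Partitions a factory reset leaves untouched; it only wipes /data.
READ_ONLY_PREFIXES = ("/system/", "/vendor/", "/oem/", "/product/")

# Constructed sample of `adb shell pm list packages -f` output. The two suspect
# package names come from the thread; every path here is an assumption.
SAMPLE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SettingsUpdate/SettingsUpdate.apk=com.chunmei.calculator
package:/data/app/com.petsfamily-1/base.apk=com.petsfamily
package:/data/app/com.example.notes-2/base.apk=com.example.notes
"""


def parse_packages(listing):
    """Return {package_name: apk_path} parsed from `pm list packages -f` text."""
    packages = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip warnings or blank lines mixed into the output
        # Split on the last '=': newer Android releases put '=' inside /data/app paths.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            packages[name] = path
    return packages


def classify(path):
    """Map an APK path to the partition class that decides the remediation."""
    if path.startswith(READ_ONLY_PREFIXES):
        return "system"  # survives a factory reset; needs a stock firmware reflash
    if path.startswith("/data/"):
        return "user"  # wiped by a factory reset
    return "unknown"


def triage(listing, suspects):
    """Return {suspect: 'system' | 'user' | 'unknown' | 'absent'}."""
    installed = parse_packages(listing)
    return {s: classify(installed[s]) if s in installed else "absent" for s in suspects}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE, ["com.chunmei.calculator", "com.petsfamily"]).items():
        print(f"{name}: {verdict}")
```

On a real device the listing would come from `adb shell pm list packages -f` with USB debugging enabled. A suspect reported as `user` that still returns after a reset suggests that something on a read-only partition is reinstalling it.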
  9. jg2874

    jg2874 New Member
    Thread Starter
    5

    May 13, 2017
    4
    0
    5
    Let's pray I don't have to flash the device, my God.
    Is that very difficult to do?
    My phone is a Leotec Titanium Print, a Spanish brand, and the Android is 6.0.
    I really don't know how that stupid calculator got inside my phone because I don't remember having installed it.
     
  10. lunatic59

    lunatic59 Moderati ergo sum
    Moderator
    4,138

    Jun 12, 2010
    32,038
    26,233
    4,138
    Male
    IT
    Pennsylvania
    Unfortunately most searches for your device are in Spanish (naturally) but it's one language I have never mastered.

    While it can be tricky, flashing factory firmware is something a good shop should be able to do for you for a nominal fee, if you don't feel confident enough to try.
     
  11. Elijah_G

    Elijah_G New Member
    15

    May 17, 2017
    2
    0
    15
    Male
    I've been having this issue since April the 25th.
    The malicious settings app was initially being installed from com.petsfamily, whatever that is, and last week it changed to com.chunmei.calculator and went from a medium threat to a high threat according to my McAfee phone security app.
    I managed to find all the com.pets files and remove them but in 15 mins they were back.
    I can force stop and remove all permissions but that only lasts a few hours before it's updated itself.

    Maybe I need to ask Mrs Clinton for some advice on deleting files although she'll probably just blame the Russians.
     


    #11 Elijah_G, May 18, 2017
    Last edited: May 18, 2017
  12. jg2874

    jg2874 New Member
    Thread Starter
    5

    May 13, 2017
    4
    0
    5
    Chunmei sounds more Chinese than Russian, but it's the same; this is a nightmare.
    Leotec allows downloading the firmware in a ZIP file, 909 MB.
    Is it very difficult to flash the device? I mean, what do I need?
    I download the firmware... I have the ZIP file, and now what?
    How do I make the phone get the firmware? Should I connect the phone to the PC?
    Probably the best solution for Elijah_G and me is to flash the device (I guess this is a hard reset).
    So what's next please?
     
  13. lunatic59

    lunatic59 Moderati ergo sum
    Moderator
    4,138

    Jun 12, 2010
    32,038
    26,233
    4,138
    Male
    IT
    Pennsylvania
    Leotec would be the best place to get the proper method to reflash the firmware. Every device is going to be a little different and some require a specific tool to do it.

    What you will need is most likely a PC and the proper drivers to connect to it in download or fastboot mode.
     
    Hadron likes this.
  14. darkjoscha

    darkjoscha New Member
    5

    May 19, 2017
    1
    0
    5
    hi,

    i have the same problem with the "chunmei" app...

    i can freeze it, i can uninstall it... and it keeps on coming back.

    my nomu s20 is rooted... if that helps to find a fix..
     


  15. Spec2nirvash

    VIP Member
    233

    Jul 19, 2011
    1,596
    584
    233
    MA
    Being rooted is probably why it's in there to begin with.
     
  16. Spec2nirvash

    VIP Member
    233

    Jul 19, 2011
    1,596
    584
    233
    MA
    LV426 said:
    Looks like the ZTE guys have the right idea then, with locking down the Zmax Pro

    That was a bad idea, but a job well done by them seeing as nobody broke into it, just yet. If not for the horrible UI, theming and CPU management programs running, I feel it wouldn't need root.

    I feel the recent slew of 6/8 core CPU devices are as good as a marketing gimmick. Two different devices of mine (Zmax Pro and Kyocera Duraforce Pro) are octo-core and they are so bloody unstable right OTB because the manufacturer's CPU management programming pretty much cripples them and, compounded with Android's doze/optimization, makes them almost completely useless without root, which we CAN'T get at all.

    I keep going back to my Nexus 5 because nothing I buy can outperform it.
     
