Topic: Malware in Android Xiaomi

ameboide0 (Newbie, Posts: 6)
Malware in Android Xiaomi
« on: October 12, 2015, 12:15:33 AM »
Hi,

I am a new member here and I have been looking for my problem but haven't found any solution, so I am going to post a new post here.

Last week I bought a XIAOMI REDMI NOTE 2 (Lollipop 5.0.2) from China. It had been rooted by the shop I bought it from with KingRoot. Since the day I started using it, I downloaded Avast Mobile Security from the Play Store and it detected several pieces of malware that were resolved. However, there is one malware that still persists.

When I run the virus scanner, it detects one issue in classes.dex located in GoogleSearch.apk, whose directory is /system/priv-app/search. The Activity Log reports this issue:
*Problem in: /storage/emulated/0/Android/data/com.estrongs.android.pop/tmp/zip/GoogleSearch/classes.dex
  Android:Agent-HNN [Trj]
  Android:Agent-HNN [Trj]


This problem still persists because when I run the antivirus, Avast still notifies me of the issue, and I can't even delete that apk (neither GoogleSearch.apk nor classes.dex) or that folder because it belongs to the system (also I don't know if that apk is important for the smartphone).

Note: I have also run Kaspersky Internet Security and it detects this in GoogleSearch.apk:
*UDS:DangerousObject.Multi.Generic
*HEUR:Trojan-Spy.AndroidOS.Agent.el


I enclose one screenshot of the Activity Log. (I enclose the KIS log too in case it might be helpful.)

Additional: As Pondus told me, I scanned GoogleSearch.apk with www.virustotal.com and www.metascan-online.com and the results are at these links:

https://www.virustotal.com/es/file/7edea678cd63c5ef8186c1555b20bdc387213b4476af4bc16bbb54805b8b7f94/analysis/
https://www.metascan-online.com/#!/results/file/9d840b8ee57b4453b3f187da38973bee/regular

It clearly seems to be an issue there but I don't know what to do now. Can you help me please?  :'( :'(

So much thanks in advance!!  ;D ;D
« Last Edit: October 12, 2015, 12:33:25 AM by ameboide0 »

Filip Havlicek (Avast team, Massive Poster, Posts: 2637)
Re: Malware in Android Xiaomi
« Reply #1 on: October 12, 2015, 08:10:31 AM »
Hi,

You should be able to delete whatever you want from /storage/emulated/0/; at least I didn't see a file/folder you couldn't delete from there. If it's not possible from your device directly, try connecting it to your computer and deleting it from there. The folder belongs to ES File Manager; if nothing above works, the directory should disappear if you uninstall that app.

Filip

ameboide0 (Newbie, Posts: 6)
Re: Malware in Android Xiaomi
« Reply #2 on: October 12, 2015, 11:10:47 AM »
Hi, thanks for your quick response,

But do you know exactly what GoogleSearch.apk is for? I mean, it came preinstalled on the phone when I bought it, but since I don't have much knowledge about smartphones I am scared to remove files that could affect the performance of the phone.  :o  :'( :'(

So my question is whether it is safe for my XIAOMI to delete that file?

Thanks in advance!  ;) ;D ;D


Filip Havlicek (Avast team, Massive Poster, Posts: 2637)
Re: Malware in Android Xiaomi
« Reply #3 on: October 12, 2015, 12:58:32 PM »
Hi,

/storage/emulated/0 is the path to your SD card (storage or whatever you want to call it). All the apps and the system itself should be designed to survive deletion of everything there. /system/priv-app/search is another issue; you shouldn't be deleting anything from there. So I guess delete the infected files from /storage/emulated/0, then do a full rescan and see what changed.

Filip

ameboide0 (Newbie, Posts: 6)
Re: Malware in Android Xiaomi
« Reply #4 on: October 12, 2015, 04:17:50 PM »
Hi,

It is true that /storage/emulated/0 is the path to my SD card, but it is so weird, since I don't have any SD card in my smartphone.  :o

Besides, it is strange because the suspicious object isn't in the folder that Avast indicates. classes.dex is inside GoogleSearch.apk, which is located in system/priv-app/search (I enclose a screenshot of GoogleSearch.apk). Sometimes when I open GoogleSearch.apk (I just open it to verify whether Avast has removed the suspicious file), Avast keeps warning me that there is an Android:Agent-HNN [Trj] in classes.dex located in GoogleSearch.apk, but it seems to me that Avast does not delete that file.

So? What should I do? Maybe a false positive? Maybe a legitimate Trj?  :o :o

Thanks so much in advance!  :D
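An added illustration of the point this post raises (not code from the thread or from Avast): the classes.dex a scanner flags is an entry inside GoogleSearch.apk, and the copy a file manager unpacks under /storage/emulated/0/.../tmp/zip/ is only a copy, so removing it leaves the APK under /system/priv-app untouched. The script hashes an APK and its inner classes.dex and checks a loose classes.dex against it; the known-sample hash is the one from the VirusTotal link above, and the sample APK it builds is a constructed stand-in, not a real app.

```python
import hashlib
import io
import zipfile

# SHA-256 of GoogleSearch.apk as it appears in the VirusTotal link posted in this thread.
THREAD_APK_SHA256 = "7edea678cd63c5ef8186c1555b20bdc387213b4476af4bc16bbb54805b8b7f94"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_apk(apk_bytes: bytes, known_hashes=frozenset({THREAD_APK_SHA256})) -> dict:
    """Hash the whole APK and each classes*.dex entry inside it.

    An APK is a zip archive; the DEX bytecode that scanners flag lives inside it,
    so the APK hash (what VirusTotal reports) and the DEX hash are different values.
    """
    apk_hash = _sha256(apk_bytes)
    report = {"apk_sha256": apk_hash,
              "matches_known_sample": apk_hash in known_hashes,
              "dex": {}}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                report["dex"][name] = _sha256(zf.read(name))
    return report


def extracted_copy_matches(apk_bytes: bytes, extracted_dex: bytes) -> bool:
    """True if a loose classes.dex (e.g. one a file manager unpacked into its
    tmp/zip folder on /storage/emulated/0) is byte-identical to the APK's entry.
    Deleting such a copy does not change the APK under /system/priv-app."""
    inner = inspect_apk(apk_bytes)["dex"].get("classes.dex")
    return inner is not None and inner == _sha256(extracted_dex)


def build_sample_apk(dex_payload: bytes) -> bytes:
    """Constructed stand-in for an APK: a zip with a manifest and one classes.dex.
    It is not a real app and contains no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed placeholder manifest/>")
        zf.writestr("classes.dex", dex_payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_apk(b"dex\n035\x00 constructed payload")
    print(inspect_apk(sample))
```

To check a real device file, read GoogleSearch.apk from the phone (for example via adb pull) and pass its bytes to inspect_apk; a match on apk_sha256 confirms it is the same file the VirusTotal report describes.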

ameboide0 (Newbie, Posts: 6)
Re: Malware in Android Xiaomi
« Reply #5 on: October 13, 2015, 04:56:55 PM »
Hi,

Nobody can answer me??  :'( :'( :'( :'( :'(

Pleaseee!  :-[ :-[ :-[

Nikolaos Chrysaidos (Avast team, SEC.MALW/ANDROID, Posts: 15)
Re: Malware in Android Xiaomi
« Reply #6 on: October 14, 2015, 01:29:15 PM »
Hello ameboide0,

You can delete the application with your favorite file manager that can be granted superuser access.
Then you can navigate to the system/priv-app/search folder and delete GoogleSearch.apk.
Nikolaos Chrysaidos - avast! VirusLab | Android Malware Analyst