Built-in Malware in My OnePlus 2?

Mar 13, 2016
I only started using a smart phone about a month ago so have little experience of them or Android.
I have a OnePlus 2 and Dr.Web Security Space has found the following:

--------------------------------------------------------

not a virus Adware.Airpush.31.origin
com.aforapps.kazsportstv

Android.Downloader.171.origin
/system/app/KKBrowser/KKBrowser.apk

Android.Downloader.204.origin
Android.Downloader.205.origin
/system/app/MeiPai/MeiPai.apk

Android.Gmobi.1
/system/app/Go2ReachSvc-may1-v2/Go2ReachSvc-mayi-v2.1.apk

Android.Downloader.225
/system/priv-app/Processor/Processor.apk

Android.Downloader.290/origin
/system/priv-app/DCshare/DCshare.apk

--------------------------------------------------------------

According to Dr Web, this malware cannot be removed because it is in the system folder. I presume I must replace the O/S with a clean version (and "root" it) so I would like some links to articles on how to do this.

However, another app "360 Security" says No Threats Found. I find this worrying!

In "About phone" it says:

Android version
5.1.1

Oxygen version
2.0.2

Baseband version
MPSS.BO.2.5.c9-00006-M8994FAAAANAZM-1

Kernel version
3.10.49-perf-gc091731
OnePlus@ubuntu-21 #1
Fri Aug 21 18:23:06 CST 2015

Build number
ONE A2001_14_150821


Any help would be appreciated.
 

gearhead1703

New member
Mar 1, 2016
IMHO, this may be because of the way different antivirus software treat file behaviour.

I don't think it's really anything to worry about. You really don't need antivirus software for phones. For these reasons:

Android now has a toggle whether or not you can unlock the bootloader. Without access to an unlocked bootloader, malware can't do anything.

Linux based systems are more secure as well. (SELinux policies)

Actually, if you keep updating your phone, you're fine. That's because the OP2 gets reasonably regular updates which include the latest Google security updates.

You're on Oxygen 2.0.2, which you ideally should update at the earliest.

There may be people who would know differently, and please correct me if I'm wrong. However, these are my two cents to the best of my knowledge.
 
Mar 13, 2016
Thanks for your quick reply.

It's getting quite late here - after midnight - so what I would like to do tomorrow, or later, is list what other antivirus products report after scanning my phone. Most find the same 4 to 6 items of malware and report it. Some do not.

So thanks again and I'll do some more posting later.
 

fuzzylumpkin

Well-known member
Dec 7, 2012
First off, your phone is quite out of date, the current oxygen OS version is 2.2.1.

Now, where did you get your phone, has it been rooted, and have you been downloading apps from outside the play store?

Going from the "Dr web" report it looks like you or someone else has rooted and installed/flashed a bunch of stuff that doesn't belong in the system partition... A factory reset *should, probably* solve this, and allow you to update the device. Although a factory reset will wipe all your data.

If you're a novice user you do not want, and should not have, root access.

Posted via the Android Central App
 
Mar 13, 2016
> First off, your phone is quite out of date, the current oxygen OS version is 2.2.1.
>
> Now, where did you get your phone, has it been rooted, and have you been downloading apps from outside the play store?
>
> Going from the "Dr web" report it looks like you or someone else has rooted and installed/flashed a bunch of stuff that doesn't belong in the system partition... A factory reset *should, probably* solve this, and allow you to update the device. Although a factory reset will wipe all your data.
>
> If you're a novice user you do not want, and should not have, root access.
>
> Posted via the Android Central App

Thanks for your reply.

I received the phone about 5 weeks ago from Lazada.co.th. I live in Thailand and Lazada is a well known online "shopping mall". Of course, the stuff for sale on that site is provided by other companies. My OnePlus 2 came from a company called "My Novation".

As a "newbie" with less than 10 posts, I can't post links. I have uploaded 8 images to Imgur showing the scan results of 8 antivirus apps but can't post the links. I could write the details in a post, but for now I'll just answer as well as I can the questions you have asked.

All my apps have been downloaded from Playstore. Not many - just Drive, Dropbox, Antivirus, Line, Evernote, Timely, Firefox, Feedly, VLC..., stuff like that.

I don't believe my phone is currently rooted. A friend told me to download and run "Terminal Emulator" and enter the "date" command to check the Emulator was working, and then enter "su". But I didn't get a "#" prompt - just an error saying "su: not found".

I can quite believe that it was rooted, apps installed and then "unrooted". (Not sure of the terminology).

I don't mind doing a factory reset and losing all my data as I haven't even yet put my SIM card into the phone. My only concern is that I do it the correct way so I don't end up with an expensive door stop.

So if the consensus is that my "friend in China" has put some malware/adware in the system partition, I would like to know the procedure to follow to install a genuine version of Android and Oxygen. I hope there is already this procedure written somewhere, as I am both a newbie to Android, smart phones and this forum.

If only this phone was running Windows XP I'd be happy as Larry.

Thanks for any help you can give re. the rooting / re-installation procedure and I hope I can post some links soon.

Mike
a.k.a. Zaphod
 

fuzzylumpkin

Well-known member
Dec 7, 2012
Hi mike, no problem, I'm glad if I can help.

From your terminal emulator report it would seem you're not rooted, but you do need to get rid of that stuff in your system partition (even if it's not harmful, it will make system update fail). If there's nothing on the phone you care about that's good, you can just factory reset.

Open settings, go to "backup and reset" and the last option should be "factory data reset". Tap it.

This is completely safe, and won't hurt your phone (beyond wiping all your data) and it should return your device to a completely fresh state as if you'd just received it from the factory.

Once you've set your phone back up you should go to settings, about phone and tap system update to get it running the latest software from OnePlus.

Posted via the Android Central App
 

charleski

New member
Jul 20, 2012
The apps you list definitely should not be present in /system/app, and shouldn't be installed there even if you were rooted. Someone has flashed your phone with a malware ROM.

Doing a factory reset is the simplest thing to try first, but run the scan again afterwards to check. If you want to be absolutely sure (which might be a good idea), then you could download the latest image from the official site and manually flash it using the instructions given on that page. There's no need to install a custom recovery or root the phone. In fact, if you don't have a specific need for root access it's best not to even consider it.

Since I can't post links (/rolleyes) I can't give you the direct link, but just go to oneplus .net, click on support, then downloads, then on the link to OxygenOS 2.2.1 on the right side. This leads to a page that gives you instructions and a link to the official system image.
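
Added example, not part of any post in this thread: one way to see what sits in /system/app and /system/priv-app without relying on an antivirus app is to diff the package listing of the suspect phone against the listing of a known-clean phone of the same model, such as the friend's OnePlus 2 mentioned later in the thread. The listings are assumed to come from `adb shell pm list packages -f -s`; the sample data and the `com.example.*` package names are constructed.

```python
# Added example: diff system-partition APKs on a suspect phone against a
# listing from a known-clean device of the same model.
# Each listing is the text output of: adb shell pm list packages -f -s
import re

SYSTEM_DIRS = ("/system/app/", "/system/priv-app/")
LINE_RE = re.compile(r"^package:(?P<path>/.+\.apk)=(?P<pkg>[\w.]+)$")

def parse_listing(text):
    """Return {package_name: apk_path} for APKs stored on the system partition."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["path"].startswith(SYSTEM_DIRS):
            found[m["pkg"]] = m["path"]
    return found

def unexpected_system_apps(suspect_text, reference_text):
    """List (apk_path, package, privileged) present only on the suspect device."""
    suspect = parse_listing(suspect_text)
    reference = parse_listing(reference_text)
    extra = [
        (path, pkg, path.startswith("/system/priv-app/"))
        for pkg, path in suspect.items()
        if pkg not in reference
    ]
    return sorted(extra)

# Constructed sample data. APK paths are the ones named in the thread's scan
# report; the com.example.* package names are placeholders, not real ones.
REFERENCE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
"""
SUSPECT = REFERENCE + """\
package:/system/app/KKBrowser/KKBrowser.apk=com.example.kkbrowser
package:/system/app/MeiPai/MeiPai.apk=com.example.meipai
package:/system/priv-app/Processor/Processor.apk=com.example.processor
package:/system/priv-app/DCshare/DCshare.apk=com.example.dcshare
package:/data/app/com.example.updated-1/base.apk=com.example.updated
"""

if __name__ == "__main__":
    for path, pkg, privileged in unexpected_system_apps(SUSPECT, REFERENCE):
        tag = "priv-app" if privileged else "app"
        print(f"[{tag}] {pkg} -> {path}")
```

Entries under /system/priv-app deserve the closest look, since apps stored there can be granted privileged permissions that ordinary apps cannot.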
 

gearhead1703

New member
Mar 1, 2016
Hey, most welcome. But I think what fuzzylumpkin said is far more probable.

You should download the image from this link: https : //s3. amazonaws. com/oxygenos. oneplus. net/OnePlus2Oxygen_14_OTA_012_all_1602261837. zip

(Please copy and remove spaces before following the URL)

This is the official oneplus ROM from the boys in China themselves. Absolutely clean, what is actually supposed to be on there.

Charleski, isn't this the link you were talking about?
 
Mar 13, 2016
> Hi mike, no problem, I'm glad if I can help.
>
> From your terminal emulator report it would seem you're not rooted, but you do need to get rid of that stuff in your system partition (even if it's not harmful, it will make system update fail). If there's nothing on the phone you care about that's good, you can just factory reset.
>
> Open settings, go to "backup and reset" and the last option should be "factory data reset". Tap it.
>
> This is completely safe, and won't hurt your phone (beyond wiping all your data) and it should return your device to a completely fresh state as if you'd just received it from the factory.
>
> Once you've set your phone back up you should go to settings, about phone and tap system update to get it running the latest software from OnePlus.
>
> Posted via the Android Central App

Sorry to be a pain, but I have some more questions...

Does the "Factory Reset" operation reset both the Android and the Oxygen firmware to the "original factory" versions?

Is it possible that whoever added these malware-containing apps (e.g. KKbrowser, DCshare) also put them in the "original factory" version(s) or is that location not accessible to them?

In the "Backup & Reset" setting, I have "Back up my data" turned on. Do you know what data is backed up and will it be restored after I reset the phone by doing the "Factory data reset"?

Maybe the question should be: "What data is NOT backed up?" so I can save it myself.


Once again, thanks very much for any help you can give.

Mike

Edit:

> Once you've set your phone back up you should go to settings, about phone and tap system update to get it running the latest software from OnePlus.

Currently, I see no "System Update" in "About Phone".

First line is "Status", then "Legal Information", "Model Number" ... "Kernel Version" , "Build Number".

Mike
 

fuzzylumpkin

Well-known member
Dec 7, 2012
No problem, that's what the forums are for.

The android and oxygen OS software are actually the same thing... OnePlus takes android and modifies it, and it becomes oxygen OS. It's one piece of software, not two.

The data that's backed up is contacts, WiFi passwords and app data. To be honest it's not super reliable, that particular system doesn't back up your data like pictures or files you've downloaded.

It is technically possible that someone could have installed a modified version of the software, I really don't think that's what you're dealing with here.

System update not being available is another side effect of these modifications (iirc it was the same on my phone which I bought from a third party, it's actually quite possible my device had similar malware installed, but one of the first things I did was a factory reset) the option to update should appear once the wipe is complete.

Posted via the Android Central App
 
Mar 13, 2016
> No problem, that's what the forums are for.
>
> The android and oxygen OS software are actually the same thing... OnePlus takes android and modifies it, and it becomes oxygen OS. It's one piece of software, not two.

:D Thank you! Nobody has explained that to me before in such clear terms! (I feel such a newbie :-\ )

> The data that's backed up is contacts, WiFi passwords and app data. To be honest it's not super reliable, that particular system doesn't back up your data like pictures or files you've downloaded.

OK. I'll make sure I keep a copy of anything I think is important, even if it means photographing the screen.

Do you know if there is a "Backup" app that actually dumps/copies data from your phone to your PC, and can restore it?

I'm very used to copying my documents/files/data from my PC to an external drive as a backup, and I'm used to saving system images on an external drive for a later restore if something disastrous were to happen to my Windows.

I was wondering if there's anything equivalent for an Android/Oxygen O/S. Or can I just connect it to my PC and copy files?

> It is technically possible that someone could have installed a modified version of the software, I really don't think that's what you're dealing with here.
>
> System update not being available is another side effect of these modifications (iirc it was the same on my phone which I bought from a third party, it's actually quite possible my device had similar malware installed, but one of the first things I did was a factory reset) the option to update should appear once the wipe is complete.
>
> Posted via the Android Central App

Yes, my friend has an identical OnePlus 2 phone (bought from a different supplier) and has the "Update" option in "About Phone" and has updated his O/S to a newer version.

He also ran a full scan using "Dr Web Security Space" and it reported none of the malware that mine did.

So I'll be doing the factory reset probably after the weekend because I have a relative from Singapore staying and the only way we can keep in touch is by the "LINE" app!

Thanks very much again for all your help and I'll report back later what happens. :)
 

fuzzylumpkin

Well-known member
Dec 7, 2012
Yeah, if you plug into your computer you can copy everything (I'm pretty sure everything) in your data partition. I'm not really familiar with any non root catch all apps for backing up, sorry. But you can back most things up manually to a PC or the web.

Posted via the Android Central App
 
Mar 13, 2016
Current situation:

I tapped "Factory data reset" in "Backup & reset". As the name suggests, it is a DATA reset.

After rebooting, there is still no "Update" in "About Phone", and Malwarebytes still reports 5 malwares present.

So what to do?

Rooting?
Downloading a genuine version of Oxygen O/S?

Any step-by-step instructions or links to such would be appreciated.

- Mike
 
Mar 13, 2016
Hi FL,

I logged in to OpenPlus.net on my phone using Firefox and went to the link but got a "forbidden" message:

Again, I can't post a link to a picture, so here it is:

403 Forbidden
* Code: AccessDenied
* Message: Access Denied
* RequestId: 003F2AED4E5E5001
* HostId: ksDLunrr+AnmuRYihHtv2bDG...........and lots more

The link works fine on my PC and I have downloaded the file:

OnePlus2Oxygen_14_OTA_012_all_1602261837.zip
size: 969 MB (1,017,106,241 bytes)


Sorry for being such a newbie!

Mike.
 
Mar 13, 2016
UPDATE:

I have managed to update my phone to Oxygen 2.2.1!

Whoopee! :)

It was quite a brain-testing day, but it is done now.

I downloaded Oxygen 2.2.1 from OnePlus a few days ago, but their instructions on how to update were not very clear.

A link from a friend (not sure if I can post it, but will if you want) was much better, with links to other information.

I downloaded and installed the "Minimal ADB and Fastboot Drivers v1.3.1 setup". That allowed me to copy the Oxygen 2.2.1 zip file to my phone.

Initially, my phone got stuck on the "Fastboot" screen, until I discovered that some instructions were wrong - "volume up+power on" should've been "volume down+power on" - and wait a long, long time. Eventually, I got it to the "Recovery" screen and got it to update Oxygen.

So now I'm fully updated, there's "System update" as the first item in "About phone" (it was 'missing' before) and the two AV apps I tried now report no malware. Phew!

Thanks for all your help,

- Mike
 
