Question Trojan

MrSweck

New member
Aug 1, 2023
Hi All,

Today my wife's Galaxy S7 (with Android 8) started to behave strangely. It started to want her to install Google Pay (and ask for credit card number) and various things stopped working correctly. It also showed a second Chrome icon (looked a little bit different than the other one).
We suspected something malicious, so we tried to run through with different antivirus apps. Bitdefender picked up a 'Chrome.apk', that it got rid of, and 'Trojan.Banker.XO', which it cannot get rid of. We're not sure what it is or what it does, but we do trust Bitdefender's opinions to the fullest and would want to get rid of it before we use that phone for any more logins or bank stuff.

Anyone who can provide some help or further info about it (i.e. other than total factory reset)?
 

fuzzylumpkin

Well-known member
Dec 7, 2012
I understand not wanting to, but this is a factory reset situation. Did you run Google Play Protect's scan? Assuming Android 8 even has it, it's a system level app so should be more powerful than BitDefender.

Honestly, if finances allow I would highly recommend a phone upgrade. The S7 is very old at this point, and I dread to think what its security patch level is.
 

MrSweck

New member
Aug 1, 2023
mb7b64: The Chrome.apk was removed by Bitdefender, but the Trojan.Banker.XO issue remained when we ran it again.

fuzzylumpkin: She can't run Play Protect, since she cannot reach Play Store anymore (leads her straight to 'install Google Pay'). But the problem is solved now, in a both simpler and better way: I just stumbled on a refurbished Galaxy S9 at a very(!) good price, which I will buy for her.
I'm aware that it's not the newest Galaxy either, but I've got one myself and know that everything with it will be better than the S7... so the choice between factory restore the S7 and paying only $170 for a much better phone is very easy. ;)
 

MrSweck

New member
Aug 1, 2023
I continued to play with the S7 though and managed to get rid of that issue. I noticed that the phone, at boot, said that 2 apps were running in the background... Bitdefender and Chrome. The trojan blocked various things in settings, so I couldn't uninstall that Chrome from there.

But remembering that Bitdefender had been deactivated in Safe Mode (together with all the other apps that weren't preinstalled), I checked if maybe that false Chrome was blocked too... and it was. So in Safe Mode it didn't launch at boot and everything in settings was open to me again, so I could uninstall it from there. After that everything worked as it should...

(But I had to buy her the S9 anyway, since I had told her about it.)
 
