Why can't I delete trojans from Allwinner A23 tablet?

AC Question

My daughter has had this tablet for a year now and it's always had connection issues (keeps dropping the connection every few mins). I thought it was because it was a cheapy but I've just bought one for my son (diff brand) and it's absolutely fine. Over the last few months it's been doing weird things and the latest is a Facebook pop up on the main screen but she doesn't have Facebook installed. It has also downloaded DU booster and a battery saver by itself which I can't remove and is now saying it has high risk threat via McAfee mobile security trojan com.android.server which McAfee can't remove along with com.android.popup and com.android.configservice.plugin. Mobomarket has also installed itself.

I've done a factory reset but they've all just come back, and I'm sure they were not there when I first set the tablet up.

My daughter is really upset that all her photos and games are gone and I don't know what to do.

I read somewhere about root access, I tried to do this with Kingo but it wouldn't connect to the tablet.

Please help.....
 

B. Diddy

Senior Ambassador
Moderator
Mar 9, 2012

Welcome to Android Central! With these off-brand devices, hardware and/or firmware problems are much more common, but it doesn't mean that every single unit they make has them. It just means there's a higher chance of encountering them.

It's hard to know if those processes that McAfee is identifying as trojans are truly malware. Security apps can come up with false positives, sometimes frequently. Clearly, there's something unwanted on your device, but the point is to be cautious when a security app tells you that you have a virus, because it might not be.

Popup ads and automatically installing useless apps like DU Booster can all be due to adware that was installed along with some other app (usually a game), so the user always has to be cautious when installing something--even if it's on Google Play. Adware in itself isn't illegal, just annoying. It may be in your situation that after you did the factory reset, Google Play Store automatically started installing all of the previous apps (which is what happens if you have "Automatically Restore" checked in Settings>Backup & Reset.) So uncheck that setting, and do another factory reset. Once you're done with the Setup Wizard after the reset is complete, go immediately to Google Play Store and stop any automatic installations that might still be occurring. Now look in your apps--are Mobomarket, DU Booster, and those other apps still there? If so, then they were preinstalled, and you probably just weren't aware of them to begin with.
 

stj2015

New member
Mar 6, 2015
Thank you for your response :)

I unchecked "automatically restore" and did another reset but the apps are still there. When I swipe down on the downloads bit, the DU battery saver thing is in there like it's downloading straight away?

Mobomarket and the so called trojans are also still there and the internet still keeps dropping out.

What do you think? Did I buy a piece of rubbish lol
 

B. Diddy

Those apps were probably preinstalled bloatware--you may just not have noticed them before. An easy way to tell is by going to Settings>Apps>All, and selecting one of them. If there's no Uninstall button, and only a Disable button, then it's preinstalled bloatware.

Is Google Play Store preinstalled? If not, then the tablet isn't certified for Google Play (and the Play Store will likely be incompatible, even if you try to manually install it), and you're expected to use Mobomarket.

As for the wi-fi connection, does it have trouble only on your home network, or on any network? See this guide: http://forums.androidcentral.com/am...roubleshooting-wi-fi-connection-problems.html

I won't comment on whether or not your device is rubbish, but I will say that off-brand budget devices are much more likely to have hardware or software problems. Good luck!
 

stj2015

Haha, I understand!

Yes, there is no option to uninstall, only disable, but I am so sure they weren't there before, especially this DU thing, it's got a little circle on the side of the screen that was never there before.

Google Play Store is preinstalled, and that's the only place I've downloaded anything from. Urgh, it's gutting :-(

It's on any network we have problems but I will have a look at your link, thank you.

Oh, one more thing, would rooting this tablet be of any benefit to us?
 

B. Diddy

I don't think an app can install itself and have only a Disable option--that's for preinstalled software. One other thing is to go to Settings>Security>Device Administrators, and see if DU Battery Saver is listed there. If so, make sure it's unchecked, and then see if you can uninstall it.

You could try Greenify to see if it lets you freeze or hibernate those apps. I don't think it requires root.

Otherwise, rooting would allow you to freeze or uninstall preinstalled apps or system apps. I'm not sure if there is a reliable rooting process for your tablet, though, because it can be device specific. Yours may not be common enough for there to be an established root process. You could try something like TowelRoot. Be careful, though--deleting the wrong thing could irreversibly brick the device.
 

j_a_m_i_e

New member
Jul 13, 2015
I realise this is an old topic, but on the off chance you haven't given up on this tablet, I can answer these questions.

I've already replied about this here. Search the forum for 552863-why-can-t-i-uninstall-com-android-google-settings-app-where-saying-its-high-threat-risk (sorry, I can't post direct links, even to the same site!)

But here are more details I've since discovered, and a response to points raised here:

I have an Allwinner A23 too, after upgrading from an A13. My A23 also came with the same trojan, and it was mainly because of how reliable the A13 was that I suspected something suspicious was going on.

(I actually have 2 A23s so was able to double-check these results on an unused machine. I also have an A31 which has a slightly different (updated?) version of the same thing, but your description matches the version on my A23)

Anyway, the tablet does indeed come *preinstalled* with this. It goes by the name cloudsService.apk (note the plural 'clouds'), and Baidu browser, and a few others (details in my linked post above).

The reason you didn't notice it originally is that it sneakily lies dormant for a while - I'm not sure if its timer is based on total power-on time, or number of power-ons or something else, but there is a long delay before it does anything.

cloudsService is the main baby - it regularly connects to a Chinese registered server, passing along your tablet ID, your Google ID, and a few other things (that don't look too risky - probably just used as a way to uniquely identify your device).

Since I've been monitoring, the response is a list of apps to install and deinstall.

These are regularly downloaded/updated directly into the /system/app/ folder, which is why DU booster etc. appears preinstalled (it cannot be deleted) even though as you observe, it's a recent addition.

The A23 version is easy enough to be removed, and it improves the tablet tremendously.

(McAfee has correctly identified some of the malicious apps it's installed, but you must also delete cloudsserver, or they will just come back!)

So yeah, a factory reset won't help, because these are all stored on the 'system' disk rather than the 'user' disk, and yes, you need root access to delete them (you don't need to 'root' your device in a permanent sense).

I hope this has addressed all the points raised. Basically, you aren't going mad. 'Pre-installed' apps arrive from nowhere and get updated.

Now, my tablet gives root access via ADB. Assuming yours does too, the fix is easy (though as B Diddy warns, a mistake could be fateful, so don't try this whilst drunk!)

ADB is a method to get full access to the device from your computer via the connecting USB cable. Whilst running, you effectively (in this case) have "root" access, without needing to permanently root the device (when not connected to the computer, the tablet is still unrooted)

Now, this is 'old school' workings! Black text boxes with lots of typing, no mousey-mousey point and clicks!

First, download ADB for your computer from Google, and enable USB debugging on your tablet. Instructions here:
http://developer.android.com/tools/help/adb.html

Don't bother reading the usage instructions. Simply install the program, run it, connect the computer to the tablet and type:

adb shell

You should get some text back, saying something like :

polaris_u0#
 

lexxie1

New member
Jun 24, 2016
I am having the same problem. I got mine online from China, Android 4.4.2 V2.0, and when I complained they sent me a new one with the same problem. Why in the world would this come pre-installed with com.android.popup, googlecalenderplkugin & googlpluginservice? They also came rooted but I cannot delete, disable or anything. Please help!!
 

tqc16

New member
Jul 10, 2016
I have similar problems with my 10” tablets based on Allwinner Quad core A33 Android 4.4.2 Firmware 2.0 Kernel 3.4.39. I installed only one app (a clean one) and let it run for about 7 days or so, and ads just started popping up automatically in full screen. If you close it, it will come back shortly after. This adware runs under the app name Tasks version 1.0.0. There is no way to get rid of it as it’s self-installed.
I think it boils down to the malware called “Cloudsota” pre-installed in the tablet. If you search the net, you will see more people talking about it. The good news is if we can remove it, I think that would get rid of the problem. The not so good news is I have tried to remove it but no luck. I hope someone with software knowledge can help out with file permission and so on, as I am not a software guy. Below is what I have found out and done:
I use the ADB tool on my PC to talk to the tablet via the USB debugging port. I see the Cloudsota directory.
C:\adb>adb shell
root@astar-y3:/ # ls -l
ls -l
drwxr-xr-x root root 2016-07-09 22:48 acct
d--------- system system 2016-07-09 22:48 bootloader
drwxrwx--- system cache 2016-07-09 06:34 cache
-rwxr-x--- 400 401 280684 2015-12-28 02:33 charger
drwxr-xr-x 400 401 2015-12-28 02:33 cloudsota
…..
Under Cloudsota, I see:
root@astar-y3:/ # ls -l /cloudsota
ls -l /cloudsota
-rw-r--r-- 400 401 6757 2015-12-28 02:33 06ab80c8.0
-rw-r--r-- 400 401 113753 2015-12-28 02:33 CloudsService.apk
-rw-r--r-- 400 401 687 2015-12-28 02:33 checkota.sh
-rw-r--r-- 400 401 13524 2015-12-28 02:33 libshellcmd.so
-rw-r--r-- 400 401 17772 2015-12-28 02:33 shell_cmd_service
The script file “checkota.sh” is the one that keeps re-installing the adware. Its content below:
root@astar-y3:/ # cat /cloudsota/checkota.sh
cat /cloudsota/checkota.sh
#!/system/bin/sh
OTA_APK="/system/app/CloudsService.apk"
OTA_MD5="00a46780cb123dff97eb98cd080f5a0e"
mount -o remount,rw /system
if [ ! -f "$OTA_APK" ]; then
/system/bin/cp /cloudsota/CloudsService.apk /system/app/
/system/bin/chmod 644 /system/app/CloudsService.apk
else
echo "the same apk"
# /system/bin/mkdir /data/CloudsService
# TMP_MD5=`/system/bin/busybox md5sum /system/app/CloudsService.apk | /system/bin/busybox cut -d " " -f 1`
# if [ $OTA_MD5 = $TMP_MD5 ]; then
# echo "the same apk"
# else
# echo "not the same apk"
# /system/bin/cp /cloudsota/CloudsService.apk /system/app/
# /system/bin/chmod 644 /system/CloudsService.apk
# fi
fi
As someone mentioned earlier, the CloudsService looks like a server somewhere that the tablet automatically connects to and downloads stuff from. You can easily see all kinds of apks being added to the /system/app directory.
In case you want to know, I also rooted this tablet (at least Root Checker app says so anyway) using iRoot and then KingoRoot app. The process installed the su binary under /system/bin (not there before rooting). After rooting, I can use the Kingo Super User app to delete Tasks (system app) but it comes back again after reboot. So rooting looks like it is working OK.
When I try to remove or change the file permission of the checkota.sh script file, it always says failed.
root@astar-y3:/ # rm /cloudsota/checkota.sh
rm /cloudsota/checkota.sh
rm failed for /cloudsota/checkota.sh, Read-only file system
255|root@astar-y3:/ # /system/bin/chmod 644 /cloudsota/checkota.sh
/system/bin/chmod 644 /cloudsota/checkota.sh
Unable to chmod /cloudsota/checkota.sh: Read-only file system
From what I understand I have root but I guess I have to use super user (su command somehow) to trick it to change and remove file somehow. This is the wall I am hitting and I hope someone with Android/software knowledge can help. Thanks.
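An added example, not code from any poster in this thread: one way to check the observation that APKs keep appearing in /system/app is to save the output of `adb shell ls -l /system/app` and flag APKs whose timestamp is later than the firmware build. It parses the Android 4.4 `ls -l` layout shown in the post above (directories have no size column); the listing, the `Example*.apk` names and the build time are constructed sample values, and the function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# Android 4.4 toolbox `ls -l` line: mode, owner, group, [size], date, time, name.
# Directories carry no size column, so that group is optional.
LINE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxsStT]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<name>.+)$"
)

def parse_ls(text):
    """Return one dict per listed entry; prompts and echoed commands are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append({
            "name": m["name"],
            "owner": m["owner"],
            "size": int(m["size"]) if m["size"] else None,
            "mtime": stamp,
        })
    return entries

def added_after_build(entries, build_time, grace=timedelta(days=1)):
    """Names of .apk files written to the system partition after the firmware build."""
    return sorted(e["name"] for e in entries
                  if e["name"].endswith(".apk") and e["mtime"] > build_time + grace)

# Constructed sample: a saved `adb shell ls -l /system/app` session.
SAMPLE = """\
root@astar-y3:/ # ls -l /system/app
ls -l /system/app
-rw-r--r-- root     root       113753 2015-12-28 02:33 CloudsService.apk
-rw-r--r-- root     root      2412345 2015-12-28 02:31 Browser.apk
drwxr-xr-x root     root              2015-12-28 02:33 lib
-rw-r--r-- root     root      5123456 2016-07-02 14:10 ExampleBooster.apk
-rw-r--r-- root     root       734002 2016-07-08 09:45 ExampleTasks.apk
"""
# Assumed build time for the sample; on a real device supply the firmware's own.
BUILD_TIME = datetime(2015, 12, 28, 2, 33)

if __name__ == "__main__":
    for name in added_after_build(parse_ls(SAMPLE), BUILD_TIME):
        print("written after firmware build:", name)
```

File timestamps can be set by whatever writes the file, so an empty result does not show the partition is clean; a non-empty one is a reason to look closer at the listed packages.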
 

Clog

New member
Jul 23, 2016
tqc16

If not too late you will find commands for deleting files below; unfortunately best guess is this will not resolve the problem since files will return as soon as tablet is re-started (and/or re-booted). All evidence is that the Trojan is inbuilt and is extremely difficult to eradicate (without re-image or similar).

Based on two tablets which I have come across, the Trojan can go under the name 'GoogleCalendarPluginServices'. Malwarebytes finds the Trojan but is unable to kill it. The Stubborn Trojan app will find and kill the Trojan (and others that might be lurking) but will not prevent it from re-loading.

The only workaround I have found is to delete 'Preinstall' which is in the System/Bin directory. This does not prevent the Trojan from reloading but does seem to limit its capability. I have insufficient knowledge of Android/Trojans to be sure that the device is then 'safe' but have had an A33 running for two or three days now and can see no evidence that it is active (MBAM and Stubborn Trojan report clear but that may not be conclusive) (note I have seen some reports that the Trojan may be time locked so need to wait). I will continue to monitor and research to try and prove/find a conclusive result. I would be grateful if you can do the same.

Windows command prompt given ADB installed, rooted, device connected via USB, in safe mode.
Commands below should remove files, but as said above only temporary.

adb devices [check returns correct device ID]
adb shell [prompt should change to # indicating you have root]

su
mount -r -w -o remount /
cd cloudsota
rm checkota.sh
rm CloudsService.apk

Remove back up of checksota.sh: -

cd /
cd system
cd bin
rm checksota.sh

To repeat myself the above will only delete files on a temporary basis.

The next step is entirely up to you, that is removal of 'preinstall'. To be honest I haven't a clue what it's intended for, that is if it has a 'legitimate' purpose, but found by trial and error that if removed it affects behaviour of the Trojan; have not seen any detrimental effects but have not subjected machine to intensive functional checks, all major apps OK (Play, Google, Chrome, Gmail, virus checkers, updating, restart, reboot etc, no new unannounced arrivals!)

Given still in System/bin directory

rm preinstall

Device should now start and be fully active without evidence of the Trojan (note evidence it is still there but is it doing anything? Any expert comment welcome).

If you have any problems feel free to get back to me.

For completeness : -

(example machine - Chinese, low cost, many go under many different names)
A33-GA10H, quad core, Android 4.4.2, Firmware 2.0, Kernel 3.4.39.

Thank you to these guys who gave outline of how to deal with problem: -

Manual removal instructions of CloudSota - The world’s leading mobile tools provider

Sharp eyed will notice two things. First CMCM recommend installing a new CloudsService.apk, I've tried it and could see no difference, that is after removing 'preinstall', couldn't get it to install before removal but that may have been me! Second, idea for removal of 'preinstall' taken from post by Dorian Laurent.

Links give outline of what we are dealing with: -

Android Tablets Sold on Amazon Infected with Cloudsota Trojan - eSecurity Planet

[Q] Allwinner A23 with preinstalled Virus | Android Development and Hacking

For those that need to root the device, KingRoot worked for me; machine has to be in safe mode.

Good luck, any feedback welcome!
 
