1. AC Question's Avatar

    I'm afraid my phone might have malware. Hopefully it's a false alarm but I would appreciate any insight into the behavior:

    Last month I saw a notification with the EMUI icon (stylized red "UI") but when bringing up the notification panel all I saw was a green "down" arrow and no text. I've had apps with bugs creating broken notifications before so I tapped it to check. It sent me to a webpage flagged as a source of malware "d1.3gmimo.com/handpet/wallpaper/...<can't remember rest>". I closed the page and since Chrome showed the warning before loading the page I think it's safe to assume I didn't download anything.

    I don't know the origin of the notification though so I'm afraid there might be some malware already present. It had the EMUI icon but that can be faked or may be the default when no icon is configured (not sure how it works).. The notification appeared over mobile data so no router redirect infection. Searches gave me only one hit I could make sense of - a forum thread with the poster describing a similar event. They got not explanation but see here for their screenshots: Google Translate on thread-5858387-1-1.html on club.huawei.com/ (I can't post links)

    I am very careful with the apps I install and I only allow Google Play as a source. The phone was only ever used by me except briefly by a family member which I trust not to download anything sketchy. Still, I uninstalled the most recent 2 apps: Hashi and Nonogram Katana (has ads), though these had been installed a week before. The list of installed apps shows nothing new/strange. I also installed AVL, Bitdefender, and Avast but they found nothing.

    Any thoughts?
    Thank you in advance!

    Phone details:
    Huawei P7-L10
    Android 4.4.2
    EMUI 2.3 (V100R001C02B129)
    Branded by Vodafone and with their uninstallable apps - using it on different network though.
    02-04-2017 10:26 AM
  2. sigtstp's Avatar
    [OP here]

    After doing more digging and learning to use adb to look at the logcat, I think the notification might have been created by VLife, which is Huawei's wallpaper distribution service.
    On my phone I have VLife 2.23.3 installed (seems to be stock) as a system app. The title is in Chinese but the icon is the EMUI logo. (I figured out which app it is by the icon and version number, after I found the app hosted on aptoide.com while googling for "vlife".)

    I presume what happened is that VLife tried to download a new wallpaper (no idea why all of a sudden) and it went to 3gmimo.com, which might serve as a mirror for apps. The site is flagged as having malware. This might be a false alarm or the site might have been hijacked since my version of VLife came out.

    So the app might be ok. Though I'm still worried why the sudden update. Maybe there's a central message that was sent to the app to update? (The logcat below mentions a receiver.) The only suspicious thing about the app otherwise is that it has the permission to record sound along with changing sound settings. The latter isn't so surprising since it provides multimedia wallpapers. Maybe recording comes with the rest of the sound permissions. I've disabled the app and disabled its notifications for now. It can't be uninstalled since it's a system app.

    These lines come up quite often in my logcat:
    I/am_proc_start( 604): [0,18761,10089,com.vlife.huawei.wallpaper:main,broa dcast,com.vlife.huawei.wallpaper/com.vlife.receiver.PetMainReceiver] - the link I got referred to a "handpet"
    I/am_proc_start( 604): [0,18907,10089,com.vlife.huawei.wallpaper:main,broa dcast,com.vlife.huawei.wallpaper/com.vlife.receiver.InstallEventReceiver]

    Does anybody know more about this app or service?
    02-10-2017 02:36 PM

Similar Threads

  1. Replies: 1
    Last Post: 02-04-2017, 01:32 PM
  2. My screen keeps flashing black or the time screen
    By AC Question in forum Samsung Galaxy S6 edge
    Replies: 1
    Last Post: 02-04-2017, 09:52 AM
  3. Replies: 1
    Last Post: 02-04-2017, 09:42 AM
  4. Replies: 0
    Last Post: 02-04-2017, 08:56 AM
  5. Replies: 0
    Last Post: 02-04-2017, 08:20 AM