My first phone virus

Mustachio

Today I just finished making a call to one of the people in my contacts, when I suddenly was presented with the screen in the attached image.


I got my EVO 3D back in September and I've never set a lock code or anything like that. In fact, I usually use No Lock so I don't have to lock it.

This lock screen persisted through a hard boot, even through a battery pull and reboot. Because of the sudden nature of its appearance, the bad grammar (10 attempt remains), and the explicit threat to delete my data, I have to assume that this lock screen is the product of a virus, or some other form of bad-behaving malware. The techies at the Sprint store had never seen this lock screen before, which lends credence to my belief. I find it near impossible to believe that a legitimate app would threaten to "delete my device data" simply because of incorrect password entries.

I never thought I'd get bitten like this so of course I'd never installed Lookout, and of course I allowed app installation from sources other than the Android Market. I'm betting that an app I installed from some other source than the Market is the culprit.

Needless to say I didn't attempt to enter any passwords...I wouldn't trust such a malicious lock screen to allow me 10 attempts. I just took it to my local Sprint store and they wiped it for me (they insisted there was no other way to get by the lock screen).

Now I have to reinstall all of my apps, contacts, and messages...and this time I'll install Lookout or something similar, and limit my app installs to Market, Amazon, and GetJar.

Has anyone else seen this malicious lock screen? Do you know what causes it? If it truly is caused by a "legitimate" app, please let me know so I can direct my b*tching productively.
 

Stelv

I don't think it is a virus because Android is based on Linux. It may be malware. It would most likely be from something you download and/or accepted. Check permissions and reviews carefully. I would NOT use GetJar...only download apps from Android Market, Amazon or a trusted developer. Malware prolly will not damage phone but its object is to steal data. Most likely wanted to steal a password...probably would have unlocked with anything you typed in and assumed it was a password it could on one of your accts.

 

cgardnervt

That sucks! I hope you can figure out what it is. Wonder if it's something that lives on your SD card or just the space on the phone. May have to hard reset to find out!
 

vegeto999

Now, was this a remanufactured phone? If so, it could have been the other person's, who had thought their phone was lost or stolen and reported it to Sprint, and Sprint probably didn't take the block off. If you get the passwords wrong so many times, it automatically bricks the phone. It's a security issue Sprint feels is a customer satisfaction: if you can't use your phone, then they can't either. I only say this because my phone was stolen and I called it in, and they said that if I lock it up they will need to know my password. If they do it too many times, my info would be locked in the phone, never to be retrieved, literally forever locking the phone and erasing the SD card. That's what I was told by Sprint. That's all, I thought I'd let you know so you could find out if it was a remanufactured phone. You need to let them know so they can unlock the phone for you.
 

gonk24

You wouldn't use GetJar based on what? From everything I've found, it's a legitimate app market and should be perfectly safe. When Cut The Rope was released for Android it was an exclusive to GetJar for the first week. That wouldn't happen if it wasn't trusted. GetJar has been around for a long time.

From the GetJar site:

About GetJar

GetJar is the world's largest free app store with more than 1.5 billion downloads to date. The company distributes more than 150,000 mobile applications across a variety of operating systems including Android, Blackberry, Java, Symbian and Mobile Web. In 2010, GetJar was named a Technology Pioneer Award Winner by the World Economic Forum and listed by TIME magazine as One of the 10 companies that will change your life. GetJar is headquartered in Silicon Valley with offices in the UK and Lithuania. For more information, please visit GetJar | Mobile | and follow us @GetJar.


McAfee thinks it's fine:

getjar.com | McAfee SiteAdvisor Software



Here's a link to the Cut The Rope exclusive article on Engadget:

GetJar gets Cut the Rope exclusive, candy-craving monster makes Android debut -- Engadget
 

cgardnervt

I haven't installed any AV on my phone. I just download apps that I know. Then again I am looking into it to see if I really need it.

Plus I think the virus came from the Market apps. Google found a few apps that had the viruses in the app. So people did download them from a known source. So maybe I do need one lol. I dunno. I don't download a ton of apps but it only takes that ONE download sadly.
 

Mustachio

Story recap:

The malware took over my phone, and to fix it the Sprint tech had to reset it back to factory defaults, erasing all of my data. However, the reset did NOT touch my SD card. Everything there was intact, and I didn't make any changes to it. I then reinstalled all of my apps, both from Android Market and from Amazon Market. I did NOT reinstall any of the apps from GetJar.

Story Update:

Today the malware took over my phone again. SIGH. This time I decided to experiment with it.

First I entered a password that was imaginary but well-formatted: Hold58# (used a Capital letter, a number, a punctuation mark, and had more than 6 characters total). The malware said the password was wrong.

Next I entered garbage characters, whatever was beneath my fingers at the time. Again it said it was wrong. I quickly continued, and after the 5th rejection it told me I was entering them too fast and that I should wait 30 seconds. It wouldn't let me enter more passwords.

I pulled the battery, removed the SD card, waited, and then restarted it. When the desktop finally displayed, the malware prompted for a password. After the 10th rejection the malware cycled the power on the phone.

When the desktop returned following the reboot, the malware prompted me again for a password. The message saying I had 10 attempts left was still displayed.

Again it rejected my (fake) password, and again it cycled the power. But this time when the phone came back, all of my data was gone and the phone entered the first-usage configuration screens.

At least it saved me a trip to the Sprint store.

NEXT STEP:

This time I plan to format the SD card and reinstall only my Android Market apps.

I bet the culprit is something I downloaded from there, but I'm just guessing. Or it might be something dormant on my SD card. Which might be more likely? I dunno.

I'll keep you posted.
 

cgardnervt

Thanks for the update! Sorry it deleted all of your stuff. I know I would be pissed. Oh well, maybe it's best to just start over fresh. I hope it will fix your issue.

Are you gonna format via your PC or let the phone do it?

Good luck with the virus!
 

Mustachio

Another quick update. I forgot to mention earlier that I had installed Lookout after the factory reset, and even that didn't help because Lookout didn't stop the malware from taking over the second time.

Here's the weird thing: as I mentioned before I removed the SD card (so I could format it on my PC) and rebooted the phone without it. After the malware wiped my data, I rebooted into the HBOOT menu (had to turn off Fastboot before it would recognize the Down Volume+Power button combo) and there I performed a manual factory reset. (I didn't trust the malware's reset.)

When the phone booted back up and went through the new user configuration, I entered my Market ID and started resyncing the apps recorded in my Android Market app library. About a half hour later the malware TOOK OVER AGAIN! With no SD card in the phone, even!

I'm convinced that either this is some Sprint or HTC security app, or one of the apps in my Android Market library is a malware app.

Now I have to weed through the library...sigh. Lots of apps there and not much way to determine which is the culprit.

BBL folks.
 

Mustachio

Have you ever tried booting into safe mode?

Is there a safe mode on the HTC EVO 3G? Can I get into it on a non-rooted phone? How? Bad thing is, the malware doesn't let me access the HBOOT menu (VolDown+Power doesn't work), so if a safe menu is there, I can't get to it.
 

jsorryman

I installed the barcode scanner just called "Barcode Scanner" from the Android Market, and right after that, my Google account was accessed from Thailand.
 

jsorryman

Oh, and safe mode is vol up+power. You shouldn't have to be rooted to do it. You can't access non-factory apps in safe mode, tho, I don't think.
 

Mustachio

Oh...well "safe mode" is what I've always thought of as the HBOOT menu. That menu/mode doesn't support running any apps (that I know of). If there's a way to use it to get rid of the malware app I don't know about it.
 
