Autoinstalling APP...

[rewolff]

My tablet from "idea-usa" auto-installs an app that shows up in the "downloaded apps" list as "Tap black tile". Once that is installed and runs (auto-runs too) it sometimes pops up full-screen ads, it creates new tabs in my browser with an annoying "home page" etc etc.
It seems as if the auto-install is triggered by something on the system. Charging the tablet seems to be one of them. Another is "update of google-assistant".
I haven't figured out what triggers the auto-run.

The tablet is IMHO unusable when the app runs. The tablet remains usable by going to settings->apps every time I turn it on and then uninstalling "Tap black tile" from "downloaded".

Anyway, today I managed to get the tablet connected to adb and see a bit of what is going on.

When I uninstalled that app, the file " com.android.running-1.apk " disappeared from /data/app . So I think that's the apk that holds this app. The string "Tap black tile" occurs in this APK and in none of the others.

If anybody has tips on how to permanently solve this, it would be very much appreciated.
If you say: "just install an antivirus app", I will tell you: I tried that and things got worse by that. So at the minimum give me an exact pointer of the one you recommend because last time I picked one that was no good.

Searching for the APK name did not give any sensible results. (say others that have this APK auto-install).

Hardware: IdeaUSA 10" CT 1080
Android: 4.4.4

 

[treetopsranch]

It's malware. Look here for some help: https://www.geekzone.co.nz/forums.asp?forumid=97&topicid=223730
Also google 'tap black tile virus' to get more info.

 

[rewolff]

Your link tells me to uninstall the infected apps. I have done a full factory reset and the malicious tap-black-tile app keeps coming back.
I have done the google search. So I see listings of the <number game name removed because this forum marks it s name as spam> virus. In the past it used to install either <number-game> or tapblacktile but lately the <number game> remains absent.

I find several pages that recommend THEIR tool to clean my tablet from these malicious apps. I will get to install such an app grant them MANY MANY permissions and then I'll have to wait for it to work, right? Or it starts out with "YOU HAVE TO ROOT YOUR DEVICE".

As I said: I tried finding an antivirus thing before and after installing the whole tablet turned "slow as ****" all the time. Not helpful. (without that antivirus program when the tablet turns slow I can hurry to settings->apps and uninstall tap-black-tile to get it responsive again). So... I'm not good at selecting antivirus apps and I'm getting a bit hesitant to grant all sorts of permissions to apps that I don't think need them.

(e.g. I refuse the "weather" app on my phone permission to make phone calls. That makes it abort with: "you refused me a required permission, aborting").

 

[B. Diddy]

It certainly could be some shady or outright malicious app that the manufacturer or seller actually preinstalled on the device. It wouldn't be that surprising for these cheap no-name/off-brand devices.

Does the problem also happen in Safe Mode? If so, then this malware is installed to the system root. You'd either have to root the device and try to uninstall the app that way (not sure if there's a root exploit available for this device), or install a clean firmware for the device. Since I'm guessing the only firmware available for the device is from the manufacturer, it will probably still have that same malware.

 

[rewolff]

The thing is: it takes a few days for it to reappear. So debugging this takes a lot of time. About half a year ago suddenly it stopped auto-installing. But after something like two months it came back. It's keeping quiet right now. Or I've fixed it. I don't know.

I have installed that addon-checker that someone recommended. I browsed all the permissions and there was one permission that puzzled me a bit: "download without user confirmation". That certainly looks like the permission that is being mis-used.... This permission was granted to the app "Sheets". I installed that a long time ago because I needed to look at one of my google docs sheets. Thinking it was from Google, it was never on my suspicion list. I removed it. Lets wait-and-see if that fixes it.

 

[rewolff]

"its baaack!!!!"

So this time it decided to stay dormant for three weeks before reappearing. So I removed the permission-rich "sheets" app, but still the bad app reappears.

One of the things that I notice seems to trigger it is that I charge my tablet. I have the impression that someone is using the "notify me when charging starts" as a trigger to do the nasty stuff. Can someone point me to where that sort of stuff is documented.

Under plain Linux you'd have a directory and anyone wishing to be notified of an event puts a script in that directory. /etc/ppp/ip-up.d is an example. How does this work in Android? Then I might be able to find the hook that is being used.

 

[rewolff]

It certainly could be some shady or outright malicious app that the manufacturer or seller actually preinstalled on the device. It wouldn't be that surprising for these cheap no-name/off-brand devices.

Right. My first hunch was that I had picked it up during the first few weeks/months of use, but I later tried a factory reset and that didn't help. This enhances the theory that it's installed with the device.

Does the problem also happen in Safe Mode?

Not sure if my tablet does safe mode, but as "chrome" and "opensudoku" are close to the only apps that I use on this device and both are downloaded. That would mean that I'd have little use for the tablet and it would just lie idle. As I have the impression that it triggers on SOMETHING, I would expect that leaving it idle would not trigger the install anytime quick.

And going without the thing is also not attractive to me.

If so, then this malware is installed to the system root. You'd either have to root the device and try to uninstall the app that way

The app? The malicious app auto-installs. I can uninstall it from the settings-> apps menu quite easily. The problem is it keeps coming back. Something is triggering the auto-install of this app. And wether "whatever does that" is an app or not I don't know.

(not sure if there's a root exploit available for this device), or install a clean firmware for the device.

I asked "IDEAUSA" for the formware image for my device. They said they hadn't sold one of these tablets in over a year and no longer had the firmware.

Since I'm guessing the only firmware available for the device is from the manufacturer, it will probably still have that same malware.

Looks like it.

Update: Since my last message on the 25th, it has reinstalled twice.

 

[methodman89]

If you have the one pictured, loaded with adware running the latest jelly bean os, I think either put it in safe mode then dedicate it as a monitor or similar and buy something from a reputable company with current os. Are you really trusting this thing?

 

[B. Diddy]

The app? The malicious app auto-installs. I can uninstall it from the settings-> apps menu quite easily. The problem is it keeps coming back. Something is triggering the auto-install of this app. And wether "whatever does that" is an app or not I don't know.

I should rephrase what I said -- the malware or adware that's responsible for that app auto-installing is on the system root, so if you want to prevent the auto-installation, you'd have to identify the malware/adware that's causing the auto-installation. All of that can be challenging. You could try showing us a list of all apps in the Settings>Apps menu, including system apps (you may have to tap Menu>Show System for that), and we could see if any of those apps looks suspicious.

 

[rewolff]

You could try showing us a list of all apps in the Settings>Apps menu, including system apps, and we could see if any of those apps looks suspicious.

That, my friend, is an offer I can't refuse.

Downloaded:
addons detector
barcode scanner
calendar
chrome
google
google PDF viewer
google play services
google play store
google text-to-speech engine
hackers keyboard
juicessh
life reminders
maps
octodroid
opensudoku
puzzles

My menu shows "sort by size" and "reset app preferences", nothing more.
I have "disabled apps":
android live wallpapers
assistant
basic daydreams
black hole
browser
bubbles
cloud print
configupdater
email
face unlock
gmail
google partner setup
google pinyin input
google play music
idea apps
ideewelcome
magic smoke wallpapers
market feedback agent
music visualization wallpapers
musicfx
photo screensavers
talkback
videoplayer

--
Under "all" I'll list only the ones I cannot remember typing above:
android keyboard (AOSP)
android system
bluetooth share
calculator
calendar storage
camera
certificate installer
clock
com.android.backupconfirm
com.android.browser.provider
com.android.keyguard
com.android.providers.partnerbookmarks
com.android.provision
com.android.sharedstoragebackup
com.android.wallpaper.holospiral
com.android.wallpapercropper
contacts
contacts storage
dev tools
documents
download manager
downloads
exchange services
external storage
file manager
fused location
gallery
google (the one above is 162Mb, this one 181. Same name as far as I can tell).
google account manager
google backup transport
google contacts sync
google one time init
google services framework
html viewer
input devices
key chain
launcher
live wallpaper picker
media storage
mobile data
online update
package access helper
pacprocessor
phase beam
print spooler
proxy handler
settings
settings storage
shell
sound recorder
system ui
user dictionary
vpndialogs.

Way more than I expected....

While I'm at it, I have disabled "google backup transport". It too had the permission to download without asking.
I have disabled "google one time init". It was a) running b) had the "run at startup" permission. If it's one time, it should not require running all the time.

Apps like "mobile data" seem unnecessary to me. But although the app was running ("force stop" was available), the "disable" button is grayed out.

While we're at it, the biggest battery-drain is: "Cell Standby" any idea which app that would be?

Hey! It seems my tablet is rooted: When I type "id" in adb shell, I get uid=0. This should at least mean that I have the permissions to fix things if I ever find out what to fix.

I've done an "ls -lR / " and the resulting file is 3.4 million lines long. That of course includes virtual directories like /proc. Would that be of any use? Where should I look?

Is /system/xbin/cpueater suspicious?

 

[B. Diddy]

If the tablet doesn't have a SIM slot, then you're right, system apps like Mobile Data won't be useful. However, you probably can't uninstall it, or even disable it. I see the same thing on my daughter's Lenovo Tab 4 8" -- it's a wi-fi only device, but has a bunch of system apps related to phone and mobile data services. It's probably due to there being an LTE version, and the company didn't bother to get rid of the useless system stuff -- or it could also be that they just decided to port over the firmware from one of their phones, made a few modifications to make it work on a tablet, and didn't bother to get rid of the stuff that wasn't necessary.

Cell Standby on a phone often means that cell signal is poor (which can lead to more battery drain, as the device works harder to get signal). If your device is wi-fi only, then you might be able to get rid of the Cell Standby usage by turning on Airplane Mode. (After turning on Airplane Mode, you can simply turn wi-fi and/or Bluetooth back on.)

I can't help you with the rooting part, since I don't have experience with that.

Of the apps in that list, the ones that make me wonder are "idea apps" and "ideawelcome." Are either of those uninstallable, or can you disable them?

 

[rewolff]

As the tablet is from "idea", those are the vendor specific "stuffs" that come with the device. My "mi red 5" also has a bunch of mi-rebranded apps.

But you're right. If I claim that this auto-installing-app might have come with the tablet itself it might come from those apps. I'll disable and/or uninstall them when I can. Thanks for the tip.

My tablet doesn't have the "phone" option that I know of. So yeah, that part is "dead".
It can't be trying to reach cell towers as it doesn't have the hardware for that. I suspect that some "handle the phone" app is constantly getting errors when talking to the non-existant phone hardware and therefore not sleeping but spinning the CPU.

The trick by switching to airplane mode and then enabling wifi has been in-use for a couple of years now, without any change to the "cell standby" battery drain....

P.S. I'm not a regular user here. I remember to come and look if there are replies every now and then. This time after one-and-a-half weeks. If you quote me in your reply I get an Email. I can't find a "follow topic" button.

PPS: I have now found the subscribe button.