A few months ago I purchased a couple of Chinese phones online, which all came with malware installed 
Thankfully I was able to obtain the ROM, extract the system.img, remove all the malware, rebuild the system.img, then flash the phones.
However I noticed some suspicious activity in NoRoot Firewall last week where an app was trying to access the internet, but by the time I came to deny it, it was showing as "Uninstalled App".
Yesterday Sophos notified me that a recently downloaded file was "Low Popularity" and could potentially be a risk. This actually happened on ALL the phones, and in fact when I came to look there were several files all the similar filenames. They started with a minus symbol followed by a random number .jar. For example -1645982102.jar
I don't suppose anyone has seen these JARs before or know what they are?
I am going to extract the system.img again and scan everything though VirusTotal (again). However due to the extremely large number of files I don't think it's possible to scan everything in the system.img. I intent to scan all the APKs, and JARs. Is there anything else I need to consider?
My final question is, apart from the system.img could there be malware hidden elsewhere, such as boot.img, recovery.img, or the kernel?
Thankfully I was able to obtain the ROM, extract the system.img, remove all the malware, rebuild the system.img, then flash the phones.However I noticed some suspicious activity in NoRoot Firewall last week where an app was trying to access the internet, but by the time I came to deny it, it was showing as "Uninstalled App".
Yesterday Sophos notified me that a recently downloaded file was "Low Popularity" and could potentially be a risk. This actually happened on ALL the phones, and in fact when I came to look there were several files all the similar filenames. They started with a minus symbol followed by a random number .jar. For example -1645982102.jar
I don't suppose anyone has seen these JARs before or know what they are?
I am going to extract the system.img again and scan everything though VirusTotal (again). However due to the extremely large number of files I don't think it's possible to scan everything in the system.img. I intent to scan all the APKs, and JARs. Is there anything else I need to consider?
My final question is, apart from the system.img could there be malware hidden elsewhere, such as boot.img, recovery.img, or the kernel?
Facebook
Twitter
Instagram