Finding Malware Within A ROM

AC Question

A few months ago I purchased a couple of Chinese phones online, which all came with malware installed :( Thankfully I was able to obtain the ROM, extract the system.img, remove all the malware, rebuild the system.img, then flash the phones.

However I noticed some suspicious activity in NoRoot Firewall last week where an app was trying to access the internet, but by the time I came to deny it, it was showing as "Uninstalled App".

Yesterday Sophos notified me that a recently downloaded file was "Low Popularity" and could potentially be a risk. This actually happened on ALL the phones, and in fact when I came to look there were several files, all with similar filenames. They started with a minus symbol followed by a random number and .jar. For example -1645982102.jar

I don't suppose anyone has seen these JARs before or knows what they are?

I am going to extract the system.img again and scan everything through VirusTotal (again). However, due to the extremely large number of files I don't think it's possible to scan everything in the system.img. I intend to scan all the APKs and JARs. Is there anything else I need to consider?

My final question is, apart from the system.img could there be malware hidden elsewhere, such as boot.img, recovery.img, or the kernel?
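One way to make the APK/JAR sweep described in the question manageable, as an added example that is not part of the original post: walk the extracted system.img tree, record a SHA-256 per archive so hashes can be looked up on VirusTotal before uploading anything, and flag the "-<digits>.jar" naming pattern the poster observed. The directory layout and file names below are constructed for illustration.

```python
"""Inventory .apk/.jar files under an extracted system image (hypothetical helper)."""
import hashlib
import os
import re
import zipfile

ARCHIVE_EXTS = (".apk", ".jar")
# Pattern reported in the thread: a minus sign, a run of digits, then .jar
ODD_NAME_RE = re.compile(r"^-\d+\.jar$")


def sha256_of(path, chunk=1 << 20):
    """Stream the file so a large system image does not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_odd_jar_name(name):
    """True for names like -1645982102.jar, the pattern seen on the phones."""
    return bool(ODD_NAME_RE.match(name))


def inventory(root):
    """Return one record per .apk/.jar under root, sorted by relative path."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            records.append({
                "path": os.path.relpath(path, root),
                "sha256": sha256_of(path),
                # An .apk/.jar that is not a real zip deserves a closer look
                "valid_zip": zipfile.is_zipfile(path),
                "odd_name": is_odd_jar_name(name),
            })
    return sorted(records, key=lambda r: r["path"])


def flagged(records):
    """Records to open first: odd names or archives that are not valid zips."""
    return [r for r in records if r["odd_name"] or not r["valid_zip"]]
```

Feeding the SHA-256 column to VirusTotal's hash lookup avoids uploading every file; only hashes with no prior report need a full upload.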