At the end of 2017 I decided to reset my Android tablet. I used it as an auxiliary on-field device. There was no important data on it, but it could do with a clear down, a fresh start. The factory reset is a very easy task on Android devices.
I ran the reset task, it restored my device to a clean state and everything looked fine. I spotted McAfee anti-virus on it and ran it just for fun. It updated itself, started the scanning process and alerted me to a threat. I had a Trojan on the freshly factory-reset device.
What?! How? Are you kiddin’ me? This is a clean device… OK, calm down! Let me think.
Hunting for a Trojan
I found the name of the process (UpgradeSys) and did a search. It appears that Trojans bundled into factory reset images do exist! Aside from the fact that you probably don’t need many of the preinstalled applications on the device, they can also bring a virus or Trojan along with them.
To be sure, I downloaded Malwarebytes from the Google Store. I ran it and it flagged the same process as a Trojan. So, I confirmed that this is not a legitimate application.
Whenever you see that small green Android icon next to a process name, you naturally associate the application with the operating system. Plus, the name suggests that this is an auxiliary application for the upgrade process. As you can see, it’s very easy to be fooled by malware posing as a legitimate system application.
I left my tablet for a week. After the New Year, I decided to clean it and prepare it for the upcoming year. I opened the AV interface and selected the threat, to let the AV remove it.
I clicked on OK, expecting that the AV would remove it.
This is the Android OS (a Linux-based OS), and I was logged in under a regular user profile. The Trojan is installed at the OS level, so this account has no access to it. Removing it would require the level of access a root account has.
Know your enemy
As Master Sun said:
If you know the enemy and know yourself, you need not fear the result of a hundred battles.
Therefore, I began to learn about my “enemy”. I went to Apps > All applications and scrolled down until I found this process named UpgradeSys.
I tapped this process and opened its properties. At first glance it was clear that I couldn’t disable this application. Another thing is its list of permissions, which is very long.
This Trojan can do anything behind my back and I can’t stop it.
Fortunately, there is a tool that can help here: Debloater. It’s intended for experienced users who want to either block or completely remove unwanted applications from any Android device.
You will also want the Google USB drivers. There’s a good chance that you will not need them, but it’s better to have them on your computer. They are necessary only when your Android device is not recognized by a Windows PC. Unzip the archive onto your disk so the drivers are ready to use.
Install the Debloater tool on your PC. The installation process is simple.
I connected my Android tablet to the PC. If you use a laptop, I recommend plugging the laptop into a power source, as the tablet will start charging its battery over USB and eventually drain the laptop’s battery.
Additionally, you need to connect your Android device as a Mass Storage device. Also, don’t forget to turn on USB debugging mode.
Windows will recognize that there is a new device and will start installing the necessary drivers. This may take a few minutes.
When Windows completes the driver installation, you should see that your device is properly recognized.
We can also see this from the Device Manager console.
If you see a yellow exclamation mark, you need to install the Google USB drivers manually. Just start the Update Driver wizard, point it to the folder where you unpacked the drivers and let Windows install them.
If you didn’t enable USB debugging mode before you connected your Android device to the PC, let the rest of the device installation finish and then reconnect the device. Otherwise, Debloater will not be able to recognize it.
Now, you’re ready for the battle.
This is Sparta!
Before I explain this process, I need to warn you. I performed this process as I think it is safe. It may be officially unsupported by your device’s vendor or carrier. Therefore, if you proceed with the below steps you must accept all responsibility for any consequences; this author cannot be held accountable for any negative impacts.
I started the Debloater application. It searched for Android devices connected to my PC.
It may pop up a dialog saying that the device does not support block mode. Just confirm it.
My device is recognized and ready to be used.
I clicked on the button named Read Device Parameters. Its caption scrolls like a ticker, alternating with the Click here to begin caption.
After I clicked on this button, Debloater read all packages on the device and displayed them in a list.
There is no application named UpgradeSys. However, I found one named FWUpgradeProvider.apk. I already spotted that name in this post during my investigation.
I ticked the checkbox in front of the APK file name. The button in the top left corner of the application window is now renamed to [Apply]. Don’t touch any other package you don’t recognize, or you can completely lock up your device.
I clicked on the [Apply] button and Debloater started disabling the selected package.
If the device is not rooted, you can only block the .apk package, not remove it. Although it stays on the device, it is completely unusable.
That’s it! I just blocked the virus.
Check it again, McAfee!
I closed Debloater and detached my tablet. I started McAfee again and ran the scan. As this Trojan is now blocked, McAfee didn’t report any problem.
I re-opened the applications list. The Trojan is still there (remember, it can’t be removed from non-rooted devices), but it’s disabled and doesn’t have any permissions.
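The same block-and-verify workflow, driven directly over adb instead of through the Debloater GUI, as an added example that is not part of the original post: map the APK file name seen in the package list to its package name, disable it for the current user without root, and confirm it now appears in the disabled-package list. The `pm list packages -f` sample is constructed, and the package name paired with FWUpgradeProvider.apk is a placeholder, not the real one.

```python
import re
import subprocess

# Constructed sample of `adb shell pm list packages -f` output (path=package).
# The package name next to FWUpgradeProvider.apk is a placeholder.
SAMPLE_PACKAGE_LIST = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/FWUpgradeProvider/FWUpgradeProvider.apk=com.example.fwupgradeprovider
package:/data/app/com.example.notes-1/base.apk=com.example.notes
"""

PKG_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<name>[\w.]+)$")


def parse_package_list(output):
    """Map APK path -> package name from `pm list packages -f` output."""
    packages = {}
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            packages[m.group("path")] = m.group("name")
    return packages


def find_package_by_apk(output, apk_name):
    """Return the package whose APK file name matches, or None if absent."""
    for path, name in parse_package_list(output).items():
        if path.rsplit("/", 1)[-1] == apk_name:
            return name
    return None


def disable_command(package, user=0):
    """adb command that disables a package for one user; works without root."""
    return ["adb", "shell", "pm", "disable-user", "--user", str(user), package]


def is_disabled(disabled_list_output, package):
    """Check `pm list packages -d` output for the package."""
    disabled = {line.split(":", 1)[1].strip()
                for line in disabled_list_output.splitlines()
                if line.startswith("package:")}
    return package in disabled


def run(cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    listing = run(["adb", "shell", "pm", "list", "packages", "-f"])
    pkg = find_package_by_apk(listing, "FWUpgradeProvider.apk")
    if pkg:
        run(disable_command(pkg))
        disabled = run(["adb", "shell", "pm", "list", "packages", "-d"])
        print(pkg, "disabled:", is_disabled(disabled, pkg))
```

As on a non-rooted device the package stays installed, `pm list packages -d` is the check that it is actually blocked.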
My tablet is ready to be used in my upcoming projects. One more pest has been removed and another case has been successfully closed.