Trojan on my Android tablet after the factory data reset

At the end of 2017 I decided to reset my Android tablet. I used it as an auxiliary on-field device. There was no important data on it, but it could do with a clean-out, a fresh start. A factory reset is a very easy task on Android devices.

I ran the reset task, it restored my device to a clean state and everything looked fine. I spotted McAfee anti-virus on it and ran it just for fun. It updated itself, started scanning and alerted me to a threat. I had a Trojan on the freshly factory-reset device.


What?! How? Are you kiddin’ me? This is a clean device… OK, calm down! Let me think.

 

Hunting for a Trojan

I found the name of the process (UpgradeSys) and did a search. It appears that Trojans inside the factory reset software do exist! Aside from the fact that you probably don’t need many of the preinstalled applications on the device, you can also pick up a virus or Trojan along with them.


To be sure, I downloaded Malwarebytes from the Google Store. I ran it and it flagged the same process as a Trojan. So, I confirmed that this is not a legitimate application.

Whenever you see that small green Android icon next to a process name, you will associate that application with the operating system. Plus, the name suggests that this is an auxiliary application for the upgrade process. As you can see, it’s very easy to be tricked by malware pretending to be a legitimate application.

I left my tablet for a week. After the New Year, I decided to clean it and prepare it for the upcoming year. I opened the AV interface and selected the threat, to let the AV remove it.


I clicked on OK, expecting the AV to remove it.


Android is a Linux-based OS, and I am currently logged in as an ordinary user. The Trojan sits at the OS (system) level, so I have no access to it from this account. I would need to be logged in as root to have that level of access.

Know your enemy

As Master Sun said:

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Therefore, I began to learn about my “enemy”. I went to Apps > All applications and scrolled down until I found the process named UpgradeSys.


I tapped this process and opened its properties. At first glance it was clear that I can’t disable this application. The other thing that stood out was its list of permissions, which is very long.


This Trojan can do anything behind my back and I can’t stop it.

 

The tool

Fortunately, there is a tool that can help us here. It’s intended for experienced users to either block or completely remove unwanted applications from any Android device.

You can download the Debloater tool from this link. In addition, you should download the Google USB drivers.

There’s a good chance you will not need them, but it’s better to have them on your computer. The Google USB drivers are only necessary when your Android device is not recognized by a Windows PC. Unzip the archive to a folder on disk so the drivers are available when you need them.

Install the Debloater tool on your PC. The installation process is simple.


I connected my Android tablet to the PC. If you use a laptop, I recommend plugging it into a power source, as the tablet will start charging its battery from the laptop and will eventually drain the laptop’s battery.

Additionally, you need to connect your Android device in Mass Storage mode. Also, don’t forget to enable USB debugging mode on the device.


Windows will recognize that there is a new device and will start installing the necessary drivers. This may take a few minutes.


When Windows completes the driver installation, you should see that your device is properly recognized.


We can also see this from the Device Manager console.


In the event you see a yellow exclamation mark, you need to install the Google USB drivers manually. Just start the Update Driver wizard, point it to the folder where you unpacked the drivers and let Windows install them.

If you didn’t enable USB debugging mode before you connected your Android device to the PC, let the rest of the device installation finish and then reconnect the device. Otherwise, Debloater will not be able to recognize it.

Now, you’re ready for the battle.

This is Sparta!

Before I explain this process, I need to warn you. I performed this process because I believe it is safe. It may be officially unsupported by your device’s vendor or carrier. Therefore, if you proceed with the steps below you must accept all responsibility for any consequences; this author cannot be held accountable for any negative impacts.

I started the Debloater application. It searched for Android devices connected to my PC.

It may pop up a dialog saying that the device doesn’t support block mode. Just confirm it.


My device is recognized and ready to be used.

(Screenshot 13: Debloater found the device)

I clicked the button labelled Read Device Parameters. Its caption scrolls like a ticker, alternating with the caption Click here to begin.

After I clicked on this button, Debloater read all packages on the device and displayed them in a list.

(Screenshot 14: FWUpgradeProvider in the package list)

There is no application named UpgradeSys. However, I found one named FWUpgradeProvider.apk. I already spotted that name in this post during my investigation.

I ticked the checkbox in front of the APK file name. The button in the top left corner of the application window is now renamed to [Apply]. Don’t touch any other package you don’t recognize, or you can completely lock up your device.

I clicked the [Apply] button and Debloater started disabling the selected package.

(Screenshot 15: the app is hidden)

If the device is not rooted, you can only block the .apk package. Although it will still stay on the device, it’ll be completely unusable.

That’s it! I just blocked the virus.
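The same block that Debloater performed, done directly over ADB instead of through the GUI, as an added example that is not part of the original post or of the Debloater tool. It assumes adb is on the PATH with USB debugging enabled as set up above, and uses a constructed package name (com.example.fwupgradeprovider) because the post never names the real one.

```shell
#!/bin/sh
# Added example, not from the post or the Debloater project: the ADB commands
# behind a "block" of a package on a non-rooted device.
# "pm disable-user" needs no root (Android 5+); the package stays installed
# but cannot run or hold permissions, matching what the post shows.

# Print the package name whose APK path ends in the given file name, reading
# "pm list packages -f" output on stdin. Lines look like:
#   package:/system/app/Foo/Foo.apk=com.vendor.foo
pm_find_package() {
    apk="$1"
    sed -n "s|^package:.*/${apk}=\(.*\)\$|\1|p"
}

# Disable the package for user 0 (the owner profile) without uninstalling it.
disable_package() {
    adb shell pm disable-user --user 0 "$1"
}

# Constructed sample of "adb shell pm list packages -f" output; the package
# name for FWUpgradeProvider.apk is a placeholder, not the real one.
SAMPLE='package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/system/app/FWUpgradeProvider/FWUpgradeProvider.apk=com.example.fwupgradeprovider
package:/data/app/com.mcafee.vsm-1/base.apk=com.mcafee.vsm'

# Offline check of the lookup against the constructed sample.
demo_lookup() {
    printf '%s\n' "$SAMPLE" | pm_find_package "$1"
}

# Live run against a connected device only when asked for explicitly:
#   sh block_pkg.sh --live FWUpgradeProvider.apk
if [ "${1:-}" = "--live" ]; then
    # adb output carries CR LF line endings; strip the CR before matching
    pkg=$(adb shell pm list packages -f | tr -d '\r' | pm_find_package "$2")
    [ -n "$pkg" ] || { echo "no package owns $2" >&2; exit 1; }
    disable_package "$pkg"
    # "-d" lists only disabled packages, so this confirms the block took effect
    adb shell pm list packages -d | tr -d '\r' | grep -Fx "package:$pkg"
fi
```

Disabling is reversible with pm enable, and, as the post notes, a blocked system package is still on the device; a clean AV scan afterwards only shows it can no longer run, not that it is gone.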

 

Check it again, McAfee!

I closed Debloater and detached my tablet. I started McAfee again and ran a scan. Because the Trojan is now blocked, McAfee no longer reported any problem.


I re-opened the applications list. The Trojan is still there (remember, it can’t be removed from non-rooted devices), but it is disabled and no longer holds any permissions.


My tablet is ready to be used in my upcoming projects. One more pest has been removed and another case has been successfully closed.

Stay tuned.
