Apps installieren sich von selbst

Bei einigen China-Geräten ist Malware vom Werk aus drin, ich würde auf sowas tippen.

Doogee ist allgemein bekannt dafür Spyware mit zu liefern.
Hast jetzt halt ein halbes Jahr Ruhe gehabt. Da ist irgendwo in der Firmware diese Spyware versteckt welche jetzt aktiv geworden ist und weitere Apps nachinstalliert.
Hatte Mal so ein Teil von Doogee von einem Arbeitskollegen in die Hand bekommen der auch dieses Problem hatte.
Dort wurden laufend irgendwelche Apps nachinstalliert sobald es mit dem Internet verbunden war.
Einfach unbenutzbar am Ende.

Könntest höchsten Mal schauen ob es dafür eine Alternative Firmware gibt und falls ja diese zu flashen.
Wenn nicht dann halt ab in den Müll und etwas mehr Geld für ein etwas besseres Smartphone investieren.
Oder es halt vom Internet getrennt lassen und es nur zum telefonieren und SMS senden benutzen.

Sorry aber bessere Lösung kann ich dir nicht anbieten.

Lucky-Jack

Wie gesagt ist das Problem erst seit kurzem und auch seit kurzem werden diese installierten Apps aufgelistet deswegen kann es eigentlich ausgeschlossen werden, dass diese Malware-Apps von Anfang an mitinstalliert waren.

Nein, kannst du nicht ausschließen. Vorinstallierte malware wird oft nach einer bestimmten Zeit aktiv (habe ich selber miterlebt), damit der Verdacht eben nicht kommt. Mit ganz viel Glück gibt es eine saubere Firmware.
Ansonsten könntest du dich mit einer custom Rom anfreunden (findest du mit ein wenig Glück bei den xda devs)

— geändert am 04.11.2017, 18:03:55

Hallo Lucas, super dass noch jemand das Problem hat.

Ich besitze seit einem Monat ebenfalls ein Homtom HT 16 (bei ebay gekauft) und bei mir passieren seit einer Woche die selben Dinge. Apps versuchen sich von allein zu installieren. Wegklicken geht nicht, nur über den Taskmanager.
Die von dir aufgezählten Apps kann man zwar löschen, kommen nach einiger Zeit jedoch wieder und das Spiel beginnt von vorn.

Ich hab versucht, sämtliche Malware-Scanner durchlaufen zu lassen. Es nützt jedoch nichts.
Eine Lösung habe ich nun aber hoffentlich gefunden, mit der "Norton Clean" - App.

Versuche hiermit wie folgt fortzufahren:
Norton Clean öffnen -->
Apps verwalten -->
öffne com.android.losce2.fulls -->
"Zuletzt verwendet" -> Berechtigung erteilen -->
Häkchen bei "Google Play Store" und "Google Play Dienste" auf "Aus" stellen.

Das ganze bei den anderen Malware-Apps ebenfalls durchführen.

Bis jetzt lassen mich die Pop-Ups in Ruhe, hoffe das bleibt so.

Vermutlich kann man mit anderen Cleaner-Apps die selben Funktionen durchführen (Zugriff auf Play-Store verweigern).

viele Grüße und Danke für dein Problem, Homtom-Bro

Ich muss ehrlich sagen, wenn ihr das Handy ernsthaft benutzen wollt, solltet ihr durchaus saubere Roms finden.
Eine infizierte Rom ist nicht vertrauenswürdig. Es kann durchaus sein, dass es noch andere Dienste gibt, die sich nicht zeigen, aber dennoch Daten im Hintergrund sammeln.

Hi,
Same situation here. HomTom HT16Pro, firmware (1.1.7) from directly from homtom.cc
Timeline:

• Malwarebytes and ESET reported them as Gourrilla.AM variant trojans
• I contacted the Hungarian service: was not helpful: they can reinstall a new firmware (this is not a solution, but a workaround, maybe less)
• I contacted and reported this behaviour to Homtom (contact from their website, maybe the final destination is /dev/null). No answer until now.
• From yesterday, Malwarebytes did not recognise them as trojan (suspicious), ESET still found them
• Today, I tried AVIRA: it did not find them, only ESET

This morning I sent these packages to ESET for further investigation, I am waiting for their answer.

In general, I do not really trust in Android and its advertising based ecosystem, even in Apple (hell, no). There are no really user friendly platform, so, I stuck with Android.

I tried Lineageos 14.1, it was a disaster. It was slower, less functionality, gapps was not working (I use my phone with MY ecosystem and I needed some apps from google play and working google services). So, I spent almost two days to learn to hack the phone, flash it etc., but in the end, I am back to the beginning: working factory firmware with suspicious softwares. Sucks. On the bright side: I learned how to hack firmwares, how to restore IMEI etc.

So, I will try to report back here, when I get some answer from ESET.

Bye,
István

István Pongrácz

I tried Lineageos 14.1, it was a disaster. It was slower, less functionality, gapps was not working

LineageOS comes without GApps. You have to flash them seperately. Download the GApps from http://opengapps.org/

I contacted the Hungarian service: was not helpful: they can reinstall a new firmware (this is not a solution, but a workaround, maybe less)

Why is a clean flash only a workaround? If the new ROM is clean, it is a solution!
But smartphones like Homtom shows the described behaviour long years ago. Many chinese manufacturers installed malware after a while. Some of them delivered a clean ROM, some not.

— geändert am 04.11.2017, 23:26:22

Thank you for your answer, I tried from nano up to stock. Even from google services from apkmirror.
It seems (I also found other forum threads), 14.1 and gapps are not working together. It just does not work.
I spent a whole day just to try to get it work, but it definitely does not work.
Of course, there was internet connection, even I tried older gapps, same situation.
Anyway, the camera was almost dead, so, LineageOS was not a success story on this phone. For a limited usage it should be ok, but for me that way without google services just not ok (pushbullet, my paid carddav, caldav, torque etc.).

Why is a clean flash only a workaround? If the new ROM is clean, it is
a solution!

In my own specific case maybe a solution, if I will get a clean firmware and not a new firmware with new spyware. Even I pay for installing new spywares

In general it should be better to dig to the root and if HomTom put a spyware into their firmware, everybody must know it and avoid the company. So, I try to gather as many information I can and inform ESET with the new softwares packed.
So, I fight for the homtom user's (or victims) community ))))))

Meanwhile I zipped and sent the Print Spooler to ESET with some information, including the link to the firmware.
I hope they can analyze them and finally we will have some idea, what the heck is going on.

Hi,
Did you install ADGUARD into the phone?
Check you Running services under the Developer tools. You can see my example. It is in Hungarian, but do not worry, the important part is in bold text.
In the past I installed adguard to get rid of commercials. Interesting thing, after I reinstalled my phone, these apps come back. Sucks, how? Google install them automatically from a backup?

Simple Just uninstall DocsToGo, and after that stop and uninstall:
com.android.losce2.fulls
com.wdi.adnroid.ys.nw
Print Spooler

Problem should dissapear.

— geändert am 09.11.2017, 20:03:21

Thank you Adam!
How did you figure out, DocsToGo is the source of these applications?
Are these really trojans of just false positives?
Thanks again, I just uninstalled the docstogo, we will see.

I restored phone to default (checked running apps), and turn wifi on. Then again I checked running apps and see that
com.android.losce2.fulls
com.wdi.adnroid.ys.nw
Print Spooler
and NetworkLocation (which i know it shows Ads it should be stopped and uninstalled too) appeared.
The only app which wasn't right in stock rom was DocsToGo. I uninstalled it and other crap, turned wifi on and checked how it's work. Bang there it was.

I think these are trojans (malwarebytes shows in internal storage in hidden folder "core", that many .apk are being downloaded and should be deleted). Due to security reasons phone should be restored to defaults and DocsToGo should be deleted immediately!!!

— geändert am 09.11.2017, 20:04:23

Thank you Adam!
Meanwhile I contacted DataViz and they confirmed, the DocsToGo is their product, but losce2, wdi and print spooler are not parts of the DocsToGo.

Yes, Docs To Go is our product. Make sure it says Docs to Go by Dataviz. If it does, it's a legit app. However, if it was installed on your phone when you purchased it, it may not be ours and you should delete it.

They also wrote me:

Those aren't related to Docs to Go or Dataviz.

DataViz seems correct, I got the answer almost immediately. And the Docs To Go itself seems fine: reading and writing M$ office files on Android....

I also found that, the .core folder filled with apk-s, but it seems they never installed. I never found, which application downloaded these apks.

So, I also removed the preinstalled DocsToGo and these craps (losce2, wdi, print spooler, network location) and until now it is working (they did not come back). Anyway, regarding to NetworkLocation, I am not sure.

So, up to now it is ok

Apk's in core folder started to appearing in the same time when those "cr"apps showed up in applications. Malwarebytes scanning made me sure that something was wrong. One week earlier "cr"apps wasn't in applications and core folder was clean. Those core apk's could wait for trigger which was not activated yet.

— geändert am 09.11.2017, 19:42:35

so,
ich hatte mal ein Blackview BV5000 da war auch bekannt dass malware drauf vorhanden ist..
ich habe mit verschiedenen virenscannern eine apk gesehen die infiziert war ABER sie hängt im root drinnen.
Also Ganz einfach, Gerät rooten und Apk neu aus dem internet ziehen und neu installieren oder deinstallieren für immer (bei mir war es eine unnötige app) und seitdem war Ruhe..

Unfortunately no luck.
They come back.

I deleted the DocsToGo.
Disable the wireles update completly.

They are here again. Driving me crazy.

Thank you Randomboy2543, my personal problem, I have no idea, which application downloads them.

Check the fresh scan result below. Malwarebytes did not report losce2 and wdi, but confirmed Print spooler is safe to use (that message does not respond to "clicking" on it).
ESET mobil security reported losce2 and wdi.

Still sucks.

Hi,

Just a quick follow up.
As I was not able to remove permanently these apps, even using adb (adb shell -> pm uninstall -k --user 0 ...).
I was able to disable them (only via adb shell), disallow mms/email, after a short time (some hours) if internet was accessible, they come back again.

Finally I installed the Resurrection Remix for HT16Pro without gapps.
Only the gps is not working, otherwise it is working as expected.
I also changed from Pixel launcher to Trebuchet, due to that, Pixel launcher has a completely useless, unremovable Date widget on the home screen (how pointless, unbeliveable, and they -google- called it pure android experience). Otherwise pixel could be fine.

I downloaded the RR from needrom (google it, url not allowed for me yet - Home - DOOGEE - HomTom - T16 Pro).

Hints:
- I used total commander to save applications from the official firmware, like: waze, proprietary bank applications, etc.
- I use FDroid to maintenance supported packages.

Cons:
- GPS is not working, it seems a common problem (I did not care about it yet, maybe later)
- slow charging, comparing to the official firmware
- if there is no working gapps (google services), there is no Play or some applications cannot run without google service (youtube, pushbullet, waze - only login)

Pros:
- android 7.1.2
- there are no google services (for me it is an advantage)
- there are no unremovable google search bar on the home screen (for me it was a pain in the *ss)
- no malware/trojan
- almost everything customizable, really. I just gave up, too much choices, even I changed the clock font on the top-bar.

Unknown:
- I just forgot to install any gapps package and I will not use it, maybe never, so, no idea yet. Maybe later, maybe never.

Used applications:
- Barcode reader
- Brave browser
- Bank applications
- DAVdroid
- Exchange rates
- FDroid
- K-9 Mail
- Kodi
- Kore
- Labcoat
- LG TV Remote
- Linkedin
- Magic Home
- Messenger (facebook)
- ESET Mobile security (it was crying about google play, but it is working)
- MX Player
- Nextcloud
- OSmand (no gps)
- Pushbullet (cannot authenticate without google, sucks)
- Quickpic
- Skype lite
- Total commander
- TrackChecker
- Viber
- Waze
- Youtube - denied to run without google service - who cares

hello all, I also had the problem with the com.wdi.adnroid.ys.nw. so, I solved it. I installed the app NetGuard which act as a firewall and VPN, very nice app. Basically with the VPN the internet conectivity changed so the malware isnt able to download. Then I have monitored the net with DFNDR and seems solved. I hope this helps to all of you too.

Hey guys,
this is a german forum. We have a english forum on this Page https://www.nextpit.com