[Q] LightJBv1-2.ZIP contains 'SMSspy' Trojan - according to Ad-Aware - Galaxy S Advance I9070 Q&A, Help & Troubleshooting

Hi all,
A while ago I managed to install LightJB thanks to this forum; the phone became a lot snappier because that ROM had ditched a bunch of bloatware.
Just now, I ran a PC system scan with Ad-Aware which detects in the file "LightJBv1-2.zip", a trojan called "SMSspy". The ROM is too big to upload, but its size is reportedly 417 MB (437.476.670 bytes), and the size on disk is 417 MB (437.477.376 bytes). Unfortunately I have not written down from what mirror I downloaded the ZIP file, but it was a link listed here as I slavishly followed all suggested steps. I did a search for 'virus' and for 'LightJBv1-2' and did not find any report on this. This leads me to believe that more people have downloaded the file. Possibly the ROM has been used as a basis for other ROMs (I am quite a n00b, so perhaps this is a dumb remark).
I was wondering whether this might be a false positive, or perhaps whether someone who has the LightJB v1-2 installation file on his/her PC could try to verify if the Ad-Aware scan was correct or not?
I am using some government services that require an SMS verification system, which makes me worry a bit.
Kind regards and please do let me know if more info is required,
Wouter

What's the file name which the antivirus finds as a virus?

Thanks for the reply. I have made a screendump to prove my point about the ZIP (attached). I then unpacked and scanned the contents hoping Ad-Aware would pinpoint the file containing the SMSspy.GD trojan. However, it did not find anything. Does this mean it is a false positive? I don't know, but Ad-Aware does continue to find this Trojan in the ZIP file...
F-Secure has written about the SMSspy trojan and what the code does. Unfortunately I'm not allowed to post a link there, but searching DuckDuckGo with this "On Android threats Spyware:Android/SndApps.A and Trojan:Android/SmsSpy.D." does bring up the site immediately. I'm reckoning someone could change some values in that code to make a phone running the hacked app send data to himself. Perhaps someone on this forum recognizes where this code may be put and can help with this search. Anyone with the F-Secure virus scanner could also download the LightJBv1-2.ZIP file and go through the contents.
I have scanned several more times since then and no suspicious file was found... I downloaded the Avira scanner hoping that it would find SMSspy.GD too, but to no avail. Avira does find code of Rootor.RH (listed as a virus in their database) in the Superuser.apk files, but I'm guessing that is a false alarm that has to do with the function of the Superuser app.

My antivirus (G Data antivirus) also finds a virus in the harshjelly ROM, in MobileTrackerEngineTwo.apk, and the description said something like Android.Riskware.sms... I scanned the same APK from the system folder of the stock JB firmware with the same antivirus and it doesn't find any virus. So I don't know what to think or what to say...

I have it!! That is, Avira did find it this time:
--> system/app/DSMLawmo.apk
[5] Archieftype: ZIP
--> classes.dex
[DETECTIE] Bevat code van het virus ANDROID/SmsSpy.S.Gen
(Dutch version, reporting "[DETECTION] Contains code of the virus ANDROID/Smsspy.S.Gen")
Apparently, the classes.dex file in DSMLawmo.apk contains the Trojan code. What does this file do, and who can open the APK file and check whether the code from the SMSSpy trojan (see my previous post about the F-Secure forum message) is actually being misused?
Best regards, Wouter
Attached:
- screendump showing Avira found the virus in the DSMLawmo.apk file,
- the Avira log (also finding code of another virus in Superuser.APK - I am guessing this has to do with the fact that Superuser is root-related and therefore scares the virus scanner),
- and.. the infected APK file. I renamed this file to make sure people don't run it unintentionally. So please, only run the APK if you know what you're doing! I take no responsibility for any damages coming from running it (as a matter of fact, I might be a victim myself as I installed and am still running JBLightV1-2 on my Samsung Advance S). I do think the importance of uploading this file outweighs the risks, as developers may have unwillingly and unknowingly contributed to spreading malicious code through this great community. It may - after all - also be a false positive, but two scanners have now found the SMSSpy trojan independently.
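A way to answer "which file inside the ZIP triggers the detection" without running anything, as an added example that is not from this thread: a ROM zip contains APKs, and an APK is itself a zip, so the script walks the archive recursively, hashes every member so that a specific file such as system/app/DSMLawmo.apk!classes.dex can be reported or looked up by hash, and checks a downloaded file against the checksum the uploader published. The sample ROM is constructed in memory with dummy contents; only the file names mirror the thread.

```python
"""Enumerate nested archives (ROM zip -> .apk -> classes.dex) and hash every member.

Added example, not code from the thread. A scanner that only reads the outer
archive may report a detection without saying which inner file triggered it;
walking the archive recursively and hashing each member names the exact file
and gives hashes that can be compared with a vendor report or a published
checksum. The sample ROM built below is constructed: names mirror the thread,
contents are dummy bytes.
"""
import hashlib
import io
import zipfile
from typing import List, Tuple

# Member names treated as nested archives (an APK/JAR is a zip).
NESTED_SUFFIXES = (".zip", ".apk", ".jar")


def walk_archive(data: bytes, prefix: str = "") -> List[Tuple[str, str, int]]:
    """Return (path, sha256, size) for every member, recursing into nested zips.

    Paths use '!' to separate archive levels: 'system/app/X.apk!classes.dex'.
    A member with a zip-like suffix that is not a valid zip is hashed as a
    plain file instead of aborting the walk.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = zf.read(info)
            path = prefix + info.filename
            entries.append((path, hashlib.sha256(member).hexdigest(), len(member)))
            if info.filename.lower().endswith(NESTED_SUFFIXES) and zipfile.is_zipfile(io.BytesIO(member)):
                entries.extend(walk_archive(member, path + "!"))
    return entries


def find_members(entries, name: str):
    """Pick out members whose basename matches, e.g. every classes.dex in the ROM."""
    return [e for e in entries if e[0].rsplit("!", 1)[-1].rsplit("/", 1)[-1] == name]


def verify_checksum(data: bytes, published_hex: str, algo: str = "md5") -> bool:
    """Compare a downloaded file against the checksum the uploader published.

    A mismatch means the file you have is not the file that was published
    (a swapped or corrupted mirror copy), whatever a scanner says about it.
    """
    return hashlib.new(algo, data).hexdigest().lower() == published_hex.strip().lower()


def build_sample_rom() -> bytes:
    """Constructed sample: a ROM zip with two APKs, each a zip holding classes.dex."""
    def make_apk(dex_payload: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as apk:
            apk.writestr("AndroidManifest.xml", b"<manifest/>")
            apk.writestr("classes.dex", dex_payload)
        return buf.getvalue()

    rom = io.BytesIO()
    with zipfile.ZipFile(rom, "w") as zf:
        zf.writestr("META-INF/com/google/android/updater-script", b'ui_print("sample");')
        zf.writestr("system/app/DSMLawmo.apk", make_apk(b"dex\n035\x00dummy-dsmlawmo"))
        zf.writestr("system/app/Superuser.apk", make_apk(b"dex\n035\x00dummy-superuser"))
    return rom.getvalue()


if __name__ == "__main__":
    rom_bytes = build_sample_rom()
    for path, digest, size in walk_archive(rom_bytes):
        print(f"{digest}  {size:>8}  {path}")
    for path, digest, _ in find_members(walk_archive(rom_bytes), "classes.dex"):
        print("dex:", path, digest)
```

Run it against a real ROM by replacing `build_sample_rom()` with the bytes of the downloaded zip; the printed lines are what you would hand to someone with a different scanner.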

Please tell me how to remove G Data Internet Security. When I try to remove it from Google Play, it tells me that this application is an administrator on the device, and that I must deactivate it first and then try to remove it.
How do I deactivate it?

Try in Settings --> Security (on CM11, on Stock look for something similar)
Sent from my GT-I9070 using Tapatalk

XDADev Forum i9300 ROMs contain trojans
Just bumping this post as it appeared on google when I looked up the smsspy.s.gen virus. The Avira database had this to say:
The file is a malicious Android application that undermines the security of the device or the privacy of the user. Typically, Android malware attempts to steal personal or account information, gain access to device functions via backdoors, send text messages or dial premium numbers, and lock or encrypt the device so the user must pay to unlock the device.
Operating System: Android.
This piece of malware is able to steal sensitive information.
Aliases
AVG: Android/G2M.R.FB4923BB003A
Avast: Android:SmsSpy-KB
Dr. Web: Android.SmsBot.439.origin
ESET: Android/TrojanSMS.Agent.AAJ trojan
Kaspersky Lab: HEUR:Trojan-Spy.AndroidOS.SmsThief.es
So in general, this isn't some harmless adware, and what is more disturbing is that my anti-virus didn't detect the trojan when I downloaded the I9300XXUGNH4.LiteROM zip file. The trojan also appears to remain dormant for several weeks before activating. Its damage isn't limited to Android, since it was hijacking Java files on my PC and dropping a Bladabindi backdoor virus into them. I also found that another APK file called DSMLawmo contains the same virus. So in short, the xda-developers forum is a minefield of trojan software which the administrators really need to do something about, since it undermines the trust of its users.

Related

Extended ROM - Some CABs don't Execute

I'm trying to customize a few Extended ROMs here and I'm running into some stubborn CABs. When installed manually, everything works fine. No warnings, no errors. Just click the CAB, let it do its thing, then click OK.
Put these same ROMs into an Extended ROM and hilarity ensues. Some will work, others will not and I don't know why. Any suggestions on what I might be missing will be greatly appreciated.
Quick question?
Are the CABs signed? If not, are you installing the 'signed' unsign CAB first?
Edit: Thinking more about this (and realising that the first thing you do is disable signing in your ROMs), can you provide a little more info about the CABs (maybe an offending CAB if the content is not private?).
I managed to replicate this issue with a CAB that had a warm reset as part of its install process (seems to bork the autoexec batch process) and I have had a similar issue with a CAB that just contained some simple OMA in the _setup.xml.
John
yes, that's the point. But how to make any Unsigned CABs become Signed?
Without wanting to sound facetious, you sign them ;-)
You would use a private key to generate an Authenticode signature for the CAB (and maybe the apps inside if you need to); however, you would still need to install the ROOT certificate into the code stores on your device. Or get your app signed by a 3rd party with a certificate that has its ROOT already on the device (MS's MobileToMarket and things like that take care of this for ISVs that need it).
Once you have the ROOT cert on the device in the correct store, signing is trivial: you either use SignTool.exe from many of the MS SDKs or just use the GUI options if Visual Studio is your poison. All you need is an export of the PKF (private key) and the password to the certificate.
In enterprises, one of the first things people often do before giving Windows Mobile devices out to users is to install a ROOT certificate for the enterprise onto the device in both the code and transmission stores. This means from then on you can sign in-house apps and CABs and they behave as signed commercial apps, and you can use features like internally signed SSL for ActiveSync etc. etc.
Don't forget you can also do away with a lot of this by installing the HTC-signed "Disable Certificates" CAB first, and then the signatures are not checked on subsequent CABs, EXEs or anything code-related for that matter.
I am NOT a software developer, so most of your opinions sound enigmatic to me except the last one: put the HTC-signed "Disable Cert" in the first place of the ext-rom config.txt.
Thanks very much! I'll try later on.
gamescan said:
I'm trying to customize a few Extended ROMs here and I'm running into some stubborn CABs. When installed manually, everything works fine. No warnings, no errors. Just click the CAB, let it do its thing, then click OK.
Put these same ROMs into an Extended ROM and hilarity ensues. Some will work, others will not and I don't know why. Any suggestions on what I might be missing will be greatly appreciated.
Most probably you forgot to set some CAB file to read-only before saving the extended ROM. Check the CABs' attributes and the config.txt file while inside the program that you are using to edit the extended ROM. It's not because they are not signed, as long as you have the cert .cab set to be the first to be installed. Also, CAB files that require user input will not work. This is from experience, as posted above.
huangyz said:
I am NOT a software developer, so most of your opinions sound enigmatic to me except the last one: put the HTC-signed "Disable Cert" in the first place of the ext-rom config.txt.
Thanks very much! I'll try later on.
So, where did you find the signed Disable_Cert.cab?
faria said:
Most probably you forgot to set some CAB file to read-only before saving the extended ROM. Check the CABs' attributes and the config.txt file while inside the program that you are using to edit the extended ROM. It's not because they are not signed, as long as you have the cert .cab set to be the first to be installed. Also, CAB files that require user input will not work. This is from experience, as posted above.
Sorry to ping an old thread - flogging to proceed immediately after...
Being that this is a windows device, isn't there a flag that can be passed when executing the cab - like you can on a windows installer application? Similar to setup.exe -q or whatever you're trying to do. Some flags set the answers to yes, admin mode... you get the picture. Does the cab installer engine allow similar flags to get passed with the cab execution command?
In PPC, it calls wceload.exe to install and uninstall a cab.
As shown in http://msdn2.microsoft.com/en-us/library/ms926281.aspx , the only possible argument is to ask or not ask for destination, but no quiet mode.
How can you call wceload.exe manually at ExtROM installation may be a question.

ShellTool_bugfixed.zip is a Windows wrecker!

Hello there,
I wanted to use the ShellTool I found on the FTP. But, after executing the file, I get an error, followed by a profile from friendster.com opening. After that, my Symantec AV tries to search for the installation files and other strange stuff. When I reboot the computer, it tells me that NTLDR is missing. So, this file is some kind of Windows wrecker instead of a useful tool.
Not only the NTLDR was missing, also HAL.dll, ntoskrnl.exe and other files.
I tested it also on a virtual machine with Windows XP SP2, and the same thing happened. Please remove that kind of crap.
It's in the directory: Uploads/WIZARD/Unlocking/
I have had no problems at all... on Vista Ultimate and Windows XP on a virtual machine, and I flash with this tool... it works like a charm on my side... a charmmmmmmmm
I had the same thing happen to me. I had to re-install Windows on two different computers after it crashed them. Pretty weak, pretty weak.
Someone deleted the original file and changed it to a wrecker one.. Owner, please check whether the file is your original or one altered by someone..
I'm going to have to say that someone removed the original ShellTool file and replaced it with the current one.
I downloaded the original file and have used it without any problems to flash several devices. So, don't go blaming the developer of this tool. There have been SEVERAL corrupted/virus-laden files uploaded to that folder recently.
The general rule of thumb on downloading from the ftp is to wait until the files have been checked by the admins and mods and moved to the "safe haven" and to NOT download anything from the "Uploads" section. Downloading from the "Uploads" directory is done at YOUR OWN RISK. (There are SEVERAL threads on the forums about this.)
BTW -- if you had read the entire thread in the G4 forum about the ShellTool, you would have known ahead of time about the virus-infected file. That discussion starts with post #285 in the thread. http://forum.xda-developers.com/showthread.php?t=293480&page=29
We seem to be plagued by virii at the moment. :-(
If you look in the G4 forum (as I remember it) and find the original thread for ShellTool you will see later on virus warnings and some MD5 checksums for the original.
I'm going to write a thread this weekend on MD5ing files you publish and how users verify them.
Got it
OK. I've just deleted the Shelltool_bufixed.zip and replaced it with the uninfected Shelltool_bugfixed in a RAR archive. I know that I haven't posted before, but believe me that there is no virus on this one. At least, not at the time of me uploading it. (Don't know what people will do with it later.)
Unfortunately I read this thread too late... I had my NTLDR deleted by this proggy. Might be a virus, might not be one... What makes me suspect it's not is that it bypassed my corporate AV.
I recovered from the "virus" almost instantly (I don't know if it was posted or not, but I think it won't hurt anyone to read this):
1- Run the WinXP SP2 setup (if you have SP2 already installed) and AFTER you get to the license agreement, select REPAIR.
2- Use the recovery console; google it or go here =) http://www.webtree.ca/windowsxp/repair_xp.htm
So much for Norton Corporate AV with all the latest updates bells and whistles
Cheers!
Candanga said:
Unfortunately I read this thread too late... I had my NTLDR deleted by this proggy. Might be a virus, might not be one... What makes me suspect it's not is that it bypassed my corporate AV.
http://www.webtree.ca/windowsxp/repair_xp.htm
(...)
So much for Norton Corporate AV with all the latest updates bells and whistles
Cheers!
There is nothing an AV can do (even the most powerful and expensive) to avoid infection by a 'cooked-in-5-minutes' malicious file.
In order to detect the file, its signature/characteristics must be added to the scan engine, and that will only happen after someone gets 'infected' and reports the fact.
Anyone with a little skill can make an executable to delete system files and upload it to the FTP. That's why I prefer to post files in threads instead of on the FTP server; at least the former can't be changed except by the poster or by mods/admins.
Cheers
Wanna kill u'r XP..?? Ask me how...
ftp://[email protected]/Upload/ShellTool_VIRUSFREE_beaware.zip
TRULY IS A TOTAL XP KILLER!!!! I KNOW, AN EXPERIENCE IS UNADVISABLE (GRANDMA, U R ABSOLUTELY TRUE), THOUGH IF U DON'T BELIEVE AND WANNA TRY, JUST SAVE ALL YOUR DATA FROM THE SYSTEM DRIVE BEFORE U HIT IT.... (and as far as my experience goes, a huge amount of people keep their most important and intimate data on the system drive with no backup... and they cry)... AND GET READY AT LEAST EITHER FOR ANOTHER SYSTEM INNOVATION OR EVEN A NICE AND CLEAN INSTALLATION.
THATS ALL
I don't get it, why should you guys use ShellTools when you can already CID unlock your G4 using HardSPL?! That way you can flash your Wizard in about 6 minutes vs the 30 minutes with ShellTools!
In a technical sense, it is not a virus. The person who made this is lame enough to just make a BAT-to-EXE conversion which deletes stuff from your WINDOWS directory only. So, most of your stuff is generally safe (that's the common one that I've known to appear randomly on the FTP).
I have problems unzipping the file anyway, so I can't confirm this. If you are sure it is a fault, just delete it. Thanks.
dferreira said:
I don't get it, why should you guys use ShellTools when you can already CID unlock your G4 using HardSPL?! That way you can flash your Wizard in about 6 minutes vs the 30 minutes with ShellTools!
ShellTools is safer for the inexperienced. You can never brick the phone with it. You do not need to check the safety of the ROM (since ShellTool will never flash anything other than the OS).
Faking unlocking the CID by SoftSPL/HardSPL is quicker, but it enables flashing IPL/SPL, which is not a good idea (newbie eagerness or just a stupid oversight by somebody who flashes daily can lead to disaster).
There are cases of people who bricked their Wizards by using SoftSPL without reading properly (for example I remember one Polish guy not so long ago).
I use shelltools. It gives me peace of mind when flashing.
(Changing a genuine program for a malicious one can be done regardless of what program it is. So this has nothing to do with ShellTools. Just be careful what you run on your computer.)
Mirek

[SOLVED]Medscape App. Help needed!!

I'm a medical student and I really would love to be able to use the newly available Android Medscape app (free from the Market) on my phone.
Unfortunately, it says in the description of the app that it may have problems with "rooted" phones. I'm assuming it means our HD2s running Android on NAND as well, because after installing the app on my phone, I am unable to update/download the clinical reference data required for the app to work offline.
It gives the error "Internet connectivity was interrupted..Please try again"
Any help from the developers or anyone else would be very greatly appreciated
Looking at the description and the error you gave, have you tried disabling any ad-blocking software? It may be something cooked into the ROM - if so, try asking the dev how to disable it. DLing now - I'll post back what I find.
EDIT:
Ok, having found this question asked on the thread for the ROM I use, you can remove medscape from the adblock 'hosts' list. (find it in \system\etc).
Original Post URL: http://forum.xda-developers.com/showthread.php?p=11521445&highlight=block#post11521445
I had to copy the file to PC before editing and copied back again using droidexplorer.
Thanks for the reply. I forgot to mention the ROM I'm using. It's Core Droid DHD 1.5, and it seems you may be right. It says in the description of the ROM that the "Adds are Blocked (Host files modified)". Is there any way to reverse this hosts file change?
Fixed it with the help of the developer of the Core Droid ROM. Just opened the app "AdFree" and hit "revert". Restored the original hosts file. Medscape works now.
I'm having the same issue and clicking the "revert" button on AdFree did not fix it.
I have uninstalled AdFree and have the same problem all the time. Anybody fixed this?
I had the same problem!
After I reverted the hosts file in AdFree, Medscape did not update the reference!
So what I did:
I did not uninstall AdFree, but:
- I reverted the hosts file 3 times in a row;
- I stopped the access of AdFree from SuperUser (root access);
- and I restarted Medscape (I killed the process with Automatic Task Killer) and started it again;
- and voila, my HTC G1 is updating the reference while I text.
(I don't know which of the steps make Medscape update, but I guess it is the hosts file revert and the app restart, so that it starts without knowing that it can't access that host to update.)
I hope this helps you!
Good luck
It works for me: reverted the hosts file, stopped AdFree's access to Superuser, and voila!! Medscape is updating again. Thanx
How to correct the Medscape installation, please? Thx
SOLVED!
Just got an OTA update for my Flyer and the software got updated to version 2.27.1540.32
The Android version is 2.2.4 while Sense is 1.0
Just for the record, AdFree only works on ROOTED devices. I mentioned in another thread on xda that AdFree does not work for me. With this OTA update, my Medscape is finally installing as I type this - - -
Just kill the AdFree app and immediately run the Medscape app; it'll definitely take the update. I did the same and it worked.
I tried looking for the file in \system\etc
and used an editor to open the hosts file.. there are a lot of files,
and it makes me confused: where is the file "medscape from the adblock 'hosts' list"???
I have found the solution:
- copy the hosts file from \system\etc (on your device) to the PC
- open it using WordPad on the PC
- use search in WordPad and type medscape
- delete all entries which have the name medscape
- save!!
- move and replace the hosts file edited on the PC to \system\etc on your device (use ES File Explorer)
- install Medscape again
- and the update reference should work again.. done!!
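The manual hosts-file edit described in the steps above (copy, search for 'medscape', delete, copy back), as an added example that is not from this thread: it parses an Android adblock hosts file, reports which hostnames containing a keyword are actually mapped to a loopback address, removes only those, and resolves a name the way the device would. The sample hosts content is constructed; on a phone the file is /system/etc/hosts and you would run this on the copy pulled to the PC.

```python
"""Inspect and clean an Android adblock hosts file for a blocked app domain.

Added example, not code from the thread. Ad blocking on a rooted phone works
by pointing ad domains at 127.0.0.1 in /system/etc/hosts; if an app's update
server lands on that list, the app only sees a 'connection interrupted'
error. This script lists which entries block a keyword (here 'medscape'),
removes just those, and keeps everything else, including the mandatory
'127.0.0.1 localhost' line. SAMPLE_HOSTS is constructed test data.
"""

# Addresses that make a hosts entry a block rather than a real mapping.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost
# AdFree generated block list (constructed sample)
127.0.0.1 ads.example-adnetwork.com
127.0.0.1 tracking.example.net images.MEDSCAPE.com   # keyword in 2nd host
0.0.0.0 api.medscape.example
127.0.0.1 cdn.example.org
"""


def parse_hosts(text):
    """Yield (line_no, addr, hostnames, original_line); comment/blank lines give addr=None."""
    for no, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            yield no, None, [], line
            continue
        parts = body.split()
        yield no, parts[0], parts[1:], line


def blocked_hosts(text, keyword):
    """Hostnames containing keyword that are mapped to a loopback/null address (really blocked)."""
    kw = keyword.lower()
    return sorted(
        h
        for _, addr, hosts, _ in parse_hosts(text)
        if addr in LOCAL_ADDRS
        for h in hosts
        if kw in h.lower()
    )


def lookup(text, hostname):
    """Address the hosts file assigns to hostname (first match wins, case-insensitive), or None."""
    target = hostname.lower()
    for _, addr, hosts, _ in parse_hosts(text):
        if addr and target in (h.lower() for h in hosts):
            return addr
    return None


def unblock(text, keyword):
    """Return hosts text with matching blocked hostnames removed.

    Lines that only blocked the keyword are dropped; lines that also block
    other hosts keep those hosts (and their trailing comment). Real IP
    mappings, comments and localhost are never touched.
    """
    kw = keyword.lower()
    out = []
    for _, addr, hosts, line in parse_hosts(text):
        if addr not in LOCAL_ADDRS or not any(kw in h.lower() for h in hosts):
            out.append(line)
            continue
        keep = [h for h in hosts if kw not in h.lower()]
        if keep:
            comment = line.split("#", 1)[1] if "#" in line else ""
            out.append(f"{addr} {' '.join(keep)}" + (f"  #{comment}" if comment else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("blocked:", blocked_hosts(SAMPLE_HOSTS, "medscape"))
    cleaned = unblock(SAMPLE_HOSTS, "medscape")
    print(cleaned)
    print("after cleanup:", lookup(cleaned, "api.medscape.example"))
```

If `blocked_hosts` returns nothing for a file that holds only `127.0.0.1 localhost`, the hosts file is not what blocks the app and the cause lies elsewhere.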
not solved for me!
Hi everyone!
Well, I've experienced the same "connectivity error" as everyone with a rooted cellphone, after reinstalling the Medscape app on my cell. I never had AdFree, and even though I'm able to find the hosts file and take a look at it with my PC, it says absolutely nothing about medscape (only 127.0.0.1 localhost and emptiness after), so I guess I must be getting the wrong file or not accessing it correctly?
I've tried everything you said, but it is still not working.
I'm pretty new with Android, and I would really appreciate your help, given the fact that this is one of my favourite apps!
I just renamed the hosts file in /system/etc via Root Explorer.. then it works like a charm.
Note: you can rename it with any program that can mount and write the root folder and explore it (ES File Explorer, X-plore, etc.)
Rename?
I have got a file in /system/etc called "hosts", so what should I rename it to? I'm using Root Explorer.
Thanks
Thanks Ivaneris
I am on CM 7.2, LG P500. I had the same problems and your method really worked like a charm. I thought I had almost lost it, but thanks to you. BTW I renamed the hosts file as explorer

[Q] DataCreate.apk what is it?

In the \system\app directory, what is the functionality (purpose) of "DataCreate.apk"?
What does it do?
What is the result of removing it?
Before saying anything about searching, read the statement below:
I've searched on Google, XDA and other forums about this APK but none seemed to know what it is, so I am going to ask here.
Thanks in advance.
EDIT: Inside the APK there is a sound file in res/raw called mp3_1khz.mp3 which has a very annoying sound. Any idea why the app needs this?
EDIT2: link to the mp3 file I was talking about http://www.mediafire.com/?2zay7j6xrlfyjs1
WARNING: The file is really annoying
Request: if the file is important can someone delete that sound file from the apk and re-upload it (JVH deodexed )
Google is watching us? What the hell, and why is there such a sound file in this app.... I deleted it.... For me it is a Google spy...
I deleted it now and I am going to report if there are any negative consequences.
I don't think that it is used for spying on us.
Ok
On the first reboot (the phone rebooted itself)
On the second reboot (Email crashed)
EDIT: Doing some reboots and Dalvik cache cleaning to see what will happen.
EDIT2: It seems that it's needed for the phone; without it the phone will reboot itself.
I thought someone knew about this APK, so I posted here.
I found what I wanted to know so this thread is officially CLOSED.
Conclusion for future reference this file is necessary for EACH boot.
However, I could delete the annoying mp3 file, which is 1.8 MB, by using this method http://forum.xda-developers.com/showthread.php?t=681633
It's from Samsung. Have a look into classes.dex, there are lots of sample contacts (near the end of it). There are references to samsungtest. Maybe this app can be used to create demo or test data.

What is the function of the "/prism" directory in the system folder? (SM-A715F/DS)

Good day,
I recently discovered malware in the root directory under the /prism folder that installed an app called Yandex into my system and contained various hidden APKs (and files with .sogou at the end).
These manipulated my internet browser in some way and I was only able to remove them by flashing the stock rom.
Now I get the message from TWRP that the partition /prism could not be mounted. Even so, everything seems to be working fine on the device.
Now there is no more content in the /prism directory. What is usually stored there and what is its purpose?
Do I have to rework something?
I can't find an explanation anywhere else on the Internet ...
Thank you and best regards
According to https://github.com/PrismLibrary/Prism
Prism provides an implementation of a collection of design patterns that are helpful in writing well-structured and maintainable XAML applications, including MVVM, dependency injection, commands, EventAggregator, and others.
In short, Prism is a framework to build applications, which in turn is built on top of another framework called Xamarin (XAML for Android).
As for why it's in the root directory, I suspect it is part of AppCloud, Samsung's system app that basically does remote installation of APKs.
If it is correlated to AppCloud (big IF) then:
If you are rooted and on the stock OS and have that app enabled, it's not far-fetched to think that there is an exploit for it out there and basically anyone could remotely install any APK through root privileges and the backdoor that the AppCloud system app gives them.
It could be as easy as editing a file from within the malicious app, which could change the behaviour and the URL from which it fetches the needed APKs, whereas installing APKs from within the malicious app needs explicit OS permissions (which AppCloud has).
I too had apps installed post-upgrade by the AppCloud system app, but I don't have root to analyse this further so all the above are just speculations based on the two things you said and my previous observations.
In the end you could have contracted the malware in a million different ways. That's how it goes with root access on OS and careless root management.
I have to admit that I was too careless with root privileges and experimented with little knowledge.
Hope that helps others to deal with it more intensively beforehand.
Your explanation helped me. The problem is a bit more serious: it is probably about corrupt security certificates in the system that are administered from outside.
In this case, is it even possible to reset or delete the CA certificates? I guess I fell into a spoofing trap.
Maybe flash the stock ROM again through Odin?
Is that embarrassing :D
Sorry for the graveyard post but I don't see any other threads about this.
Prism is the name of the NSA surveillance program. I guess that this is exactly that.
It's hidden because you can only see that it exists with root and most people don't have root.
I have this folder too on my rooted Galaxy Fold 4. It was already in the stock ROM and I cannot remove it because the directory is mounted as read only.
I found the mounts file (which is also read-only) and it says:
Code:
/dev/block/platform/soc/1d84000.ufshc/by-name/prism /prism ext4 ro,seclabel,relatime,i_version 0 0
I tried to give me the permission to write / delete the folder but "permission denied" ... and yes I did that as root.
Did you ever find any more about this? I've found it on two of my phones, both Samsung. Can't find much online about it...
