Installation from unknown sources, riskware

Author: goldyau | Post time 2017-2-8 16:31:10

Post time 2017-1-27 07:48:17
Here I am again .. and I am more pissed than before, to say it honestly!
Yes, I know there is Chinese New Year, but soon after this we have to hear something positive.
Here is the latest analysis I did:

Got into the phone with adb shell when the phone was booted and found the spende.zip in an unencrypted version lying in
/data/data/com.android.systemui
.. copied it to the external SD card and this time I could open it .. it's an apk compressed with zip, as all apks are.
Uploaded it in this state to Virustotal.com again:
That's the result:
https://virustotal.com/en/file/c ... nalysis/1485473420/
29/57 scanners detect it as a Trojan now, not only one!
This file is not a false positive, it's a Trojan and it's no bug! That nasty little thing is knowingly packed into the SystemUI.apk by UMI, and that's a scandal!
Honestly, I don't care if they have holidays or if the Easter Bunny is mating with Bugs Bunny, that device is infected with a Trojan, and I don't believe by an error, that's knowingly done by Umi!
I will investigate deeper what it does and let anyone know if I know more!

Post time 2017-1-27 18:18:16
Ziggy replied at 2017-1-27 07:48
Here I am again .. and I am more pissed than before, to say it honestly!
Yes, I know there is Chinese  ...

Interesting find mate, thanks!

The developer sure made an effort to include this trojan. Maybe it's UMI, but I guess they bought the customized OS from another party that makes these custom OS files. There are a lot of cases known where Chinese low-budget devices contain malware.

Does anyone know if it's possible to edit the IMG file from the ROM and replace the system-ui.apk file with the system-ui file from another UMI model like Diamond X or Super? Or is it more complex than that?



Post time 2017-1-28 19:56:04
Ziggy replied at 2017-1-27 07:48
Here I am again .. and I am more pissed than before, to say it honestly!
Yes, I know there is Chinese  ...

  • That's what I wrote pages before: the presence of this malware is a shame.
  • I don't care if it wasn't a UMI engineer who compiled it into the official ROM or another one from a 3rd party; UMI was responsible in general for the quality of their products.
  • It may sound like a conspiracy theory, but the nasty behavior of the low-budget Chinese phones is well known. The worst is their reaction: first they try to understate the problem and give you some stupid answers. Later on they just keep silent.
  • All these make me believe that this issue is not a coincidence.

Post time 2017-1-28 22:48:23
Yep, I have seen that in the Umi London thread: first they tell lies about it not being their fault, then they say nothing more. The same Trojan is in the Umi Diamond X too; I had a look in the ROM just for fun.
I truly believe they compiled that in on purpose. I, for myself, will never buy anything from this company again, as what they do is fraud!

Herewith I give Umi a suitable period of time, until 15.02.2017, to deliver a Trojan/virus-free version of the ROM, or I will show that issue to any consumer magazine in Germany that I can find, TV and print, to warn other customers that Umi is a company that should not be trusted!

Post time 2017-1-29 09:55:11
Do you guys have a list of the apps which get installed? I know I got My Apps and Super Locker, but also a few others I can't remember anymore... Maybe it's a good idea to make a list and contact the developers, as these apps are available on the Play Store? Maybe they know something?

Post time 2017-1-31 03:15:32
There are some more weird things with this phone.
I turned off the OTA application when I realized that it contains malware.
After a week or so, the OTA app is allowed to run again.
I didn't turn it on, so not just the "unknown sources" switch lives a life of its own, but the OTA app too.
It's impossible to disable... What a shame...

Post time 2017-1-31 05:59:24
Edited by FilSan at 2017-2-13 03:06
I also have this problem. When I did the factory reset the APP wasn't there and, for the record, I didn't install anything outside of the Google Play Store. The APP appears as

BaBel Font - Free Font Manager

It just suddenly appears out of nowhere, as if it was installed through the Play Store, and the "developers" are saying that "If BaBel Font has been installed without any download from Google Play--It's pre-installed in system by the manufacturer". Since I didn't install it and I don't have the option to uninstall it, it means that it came from the manufacturer. But it is strange, because any APP from the manufacturer that is not part of the system can be disabled, and this one doesn't allow that, just "updates".

I almost believed that, but then I went to see the permissions the app requires, and it asks for access to everything you could think of, like the ability to search through your contacts, disable your lock screen, send SMS and make calls. When I saw this I noticed that this APP didn't appear in the Installed APPs of the Play Store but only in All Apps, and didn't appear in the APPs of the phone; I couldn't find it anywhere in the system APPS option. It seems camouflaged, and it only appears after the option to allow installation from unknown sources is toggled on, which I didn't do; I toggled it off.

This isn't a simple glitch but a security problem.

Post time 2017-2-7 06:16:39
We are still waiting.
Where is our new and clean Firmware?
No answer? It wasn't an accident then?
Post time 2017-2-8 09:06:20
1. Don't mix up an app called Systeem-UI (with double 'e' in the filename) with SystemUI. An app called Systeem-UI is not contained in the system.
2. I extracted the whole content of the ROM and scanned it for viruses (42,198 files), but nothing was found. About the spende.zip file: that's also virus-free, but sorry, I don't know the types and functions of all the 42,198 files. The spende.zip file doesn't have an identifiable header.
3. My UMi Diamond is continuously turned on and connected to the internet via a WiFi connection, but no kind of third-party app has ever been installed out of nowhere.

Possible reasons:
That's confirmed: the 'Unknown sources' switch turns on automatically after a while. If you install unreliable apps on your phone, this case can hide a vulnerability, since later such an app will be able to install further apps without asking for your permission.
So please be careful until the next update fixes this issue, but anyway you can still use your phone with confidence.

Post time 2017-2-8 16:31:10
You are not telling the truth! I don't mix up the file; I am speaking of SystemUI.apk, and that apk contains the virus/malware in an encrypted archive called spende.zip. When you boot up the phone it's encrypted by the system and then lying in /data/data/com.android.systemui/files in its unencrypted version on the phone! Copy it from there and you clearly see it's a zip archive / apk then. Scan that file for viruses and you get 29 hits from virustotal.com. Also, I decompiled that file and it contains some interesting code. I know Umi pays your bills, but please don't try to make us look like idiots. The file is there; anyone with root can copy it from his phone and look at it.
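The two posts that describe the analysis (the 2017-1-27 post that copies spende.zip off the phone, opens it as a zip/apk and uploads it to VirusTotal, and the UMi reply of 2017-2-8 stating that the file "doesn't have an identifiable header") both come down to the same first triage step: look at the header bytes, decide whether the blob is a ZIP container, list what is inside it, and hash it so a VirusTotal report can be looked up by hash instead of by re-uploading. The script below is an added example written for this page, not code posted by any participant in the thread. It runs on two constructed samples built inline (a minimal ZIP laid out like an APK, and an opaque blob with no recognisable header); neither is the real spende.zip, and the file paths from the thread are not touched.

```python
import hashlib
import io
import zipfile

# Constructed sample 1: a minimal ZIP laid out like an APK. This is NOT the
# spende.zip from the thread; it only imitates the shape of "an apk compressed
# with zip" so the triage logic has something realistic to run on.
def build_sample_apk_bytes() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed manifest placeholder>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()

# Constructed sample 2: opaque bytes with no recognisable header, standing in
# for a file that a scanner would report as having "no identifiable header".
SAMPLE_OPAQUE = bytes([0x9C, 0x3F, 0x11, 0xE2]) + b"\x00" * 60

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # first local file header of a ZIP
ZIP_EMPTY_ARCHIVE = b"PK\x05\x06"  # end-of-central-directory only (empty ZIP)
APK_MARKERS = ("AndroidManifest.xml", "classes.dex")

def triage(blob: bytes) -> dict:
    """Describe a suspicious blob without executing or installing anything."""
    report = {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "container": "unknown",
        "entries": [],
        "apk_markers": [],
        "is_apk_like": False,
        "error": None,
    }
    if blob.startswith(ZIP_EMPTY_ARCHIVE):
        report["container"] = "zip (empty archive)"
    elif blob.startswith(ZIP_LOCAL_HEADER):
        report["container"] = "zip"
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile as exc:
            # PK signature but no usable central directory: a truncated copy,
            # or a file that is still in some transformed/encrypted form.
            report["error"] = f"bad zip: {exc}"
            return report
        report["entries"] = names
        report["apk_markers"] = [m for m in APK_MARKERS if m in names]
        # An APK is a ZIP that carries both a manifest and Dalvik bytecode.
        report["is_apk_like"] = len(report["apk_markers"]) == len(APK_MARKERS)
    return report

def virustotal_lookup_url(sha256_hex: str) -> str:
    # By-hash lookup: check for an existing report without uploading the file.
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"

def main() -> None:
    samples = (("constructed apk-like zip", build_sample_apk_bytes()),
               ("constructed opaque blob", SAMPLE_OPAQUE))
    for label, blob in samples:
        rep = triage(blob)
        print(f"== {label} ==")
        for key in ("size", "sha256", "container", "apk_markers", "is_apk_like", "error"):
            print(f"  {key}: {rep[key]}")
        if rep["entries"]:
            print("  entries:", ", ".join(rep["entries"]))
        print("  lookup:", virustotal_lookup_url(rep["sha256"]))

if __name__ == "__main__":
    main()
```

To use it on a real file pulled from a device, read the file's bytes and pass them to `triage()`; the `container`/`error` fields separate "genuinely not a ZIP" from "ZIP signature present but the archive is damaged or still transformed", which is exactly the distinction the two posts disagree about, and the SHA-256 lets the existing VirusTotal report be checked by hash rather than by uploading the sample again.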