System Priv-APP: Youtube_Z5268 malware friendly

xiiihyou

I accidently tapped on a nasty advertisement, and my phone is compromised
When opening any browser, an 'intent' launch a website, that will either: open an ads, download and install software automatically

after several days of research and adb logcat, it is found that the youtube_z5268 is the culprit

1. I/ActivityManager(  723): START u0 {act=android.intent.action.VIEW dat=http://global.ymtracking.com/trace?offer_id=110833&aff_id=27742 flg=0x10000000 cmp=com.chrome.dev/com.google.android.apps.chrome.Main} from uid 10150 on display 0
   

Copy the Code

and checking the UID 10150 yields:

1. <package name="com.google.android.youtube" codePath="/system/priv-app/youtube_Z5268" nativeLibraryPath="/system/priv-app/youtube_Z5268/lib" flags="1075363405" pkgFlagsEx="0" ft="150d75c0ed0" it="15202d97f21" ut="150d75c0ed0" version="1599000099" <font color="#ff0000">userId="10150"</font> installer="com.android.vending">

Copy the Code

removing this app via shell solves the problem.

1. su
   
2. mount -o remount,rw /system
   
3. rm -r /system/priv_app_youtube_Z5268

Copy the Code

and restart the phone.

bencebacsi

Could you tell us which ROM version you're using? I checked the v3.01 version but no such file in it.

xiiihyou

bencebacsi replied at 2016-2-8 08:13
Could you tell us which ROM version you're using? I checked the v3.01 version but no such file in it ...

all other rom aside the stock rom from the rom downloader

bencebacsi

Yes, I see now and the com.supercleaner.apk app in the systam/app folder is another malware, that should be removed. Thank you for your warning notification.

Lakid

Hi, this is the situation that your phone is vulnerable to cyber attacks. There are very dangerous malicious programs, for example, ransomware http://myspybot.com/ykcol-locky-ransomware/