Sunday, 13 December 2015

How to remove "Ghost Push" trojan from Android phone without reflashing ROM

Hello Android users.

Yesterday I experienced a "Ghost Push" trojan (also known as "Monkey Test" or "Time Service") infection directly from Google Play on my Prestigio phone with Android 4.4.2. After updating a couple of apps I noticed two new apps in the list which I hadn't installed (Hotvideo and 360Optimizer). Avast antivirus started to warn about enabled installation from unknown sources. The processes "engrils" and "MobileOcr" then pointed me to the trojan...

I found a lot of discussions about "Ghost Push" removal, but most described that antivirus apps can't remove it and ended with flashing the original ROM. I also tried the Ghost Push Removal Tool app, which found the trojan, but didn't help either. The problem was the "engrils" and "MobileOcr" system apps, which all tools failed to uninstall from the device.

Finally I found this article describing a removal procedure, but with phone rooting (still better than a trojan on the device).

I used a slightly different procedure, but it was successful as well. It took about 30 minutes:

1) Install a file manager on your device (e.g. Total Commander)
2) Disable Wifi and mobile data on the phone
3) Uninstall the unwanted applications
4) Enable Developer Options and USB Debugging Mode and connect to the PC (link, link)
5) On the PC install Minimal ADB and Fastboot (link)
6) Install KingoRoot and root the device with it (link)
7) With the file manager check for trojan files in the system/priv-app folder. For me it was playstoreupdate.apk and Models.apk (the files have a similar, new creation date and time). For example, Malwarebytes Anti-Malware shows the infected files with their full path in storage.
8) From the PC connect to the phone with ADB and run the following commands:
     adb devices                          # check the phone is visible over USB
     adb shell
     su                                   # switch to root (KingoRoot installed su)
     mount -o remount,rw /system          # /system is mounted read-only by default
     cd system/priv-app
     chattr -iaA playstoreupdate.apk      # clear immutable/append-only/no-atime flags, otherwise rm fails
     rm playstoreupdate.apk
     chattr -aA Models.apk                # same for the second file (add -i if it is also immutable)
     rm Models.apk

9) If there are any hidden files (starting with ".") in the system/xbin folder, delete them as described in the article noted above. I had no such files on my device.
10) Reboot your device (the trojan should be gone now)
11) Disable installation from unknown sources (if you don't use it)
12) Remove root by KingoRoot

I hope it helps you as well.
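As an added example (not part of the original post, and not a tool from any of the projects named above), here is a small Python helper for steps 7 and 9. It parses the `ls -l` output that the Android 4.x toolbox prints over adb, lists the non-directory entries in /system/priv-app whose modification time is newer than a baseline date you supply (on a stock ROM nearly every file under /system carries the build's timestamp, so recently written files stand out, which is exactly the "similar new creation date and time" clue from step 7), and lists hidden dot-files in /system/xbin for step 9. The listing format, the sample entries, the sizes, timestamps and the baseline date are assumptions constructed for the demo; only the two .apk names come from the post.

```python
import re
import subprocess
import sys
from datetime import datetime

# Line format of Android 4.x toolbox `ls -l` (assumed; adjust if your ROM's ls prints differently):
#   -rw-r--r-- root     root       411209 2015-12-12 14:03 playstoreupdate.apk
#   drwxr-xr-x root     root              2015-06-30 10:15 SomeDir      (directories print no size)
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][-rwxstT]{9})\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:(?P<size>\d+)\s+)?(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2})\s+(?P<name>.+)$"
)


def parse_ls(text):
    """Turn toolbox `ls -l` output into a list of {mode, name, mtime} dicts; unparseable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LS_LINE.match(raw.strip())
        if not m:
            continue
        entries.append({
            "mode": m.group("mode"),
            "name": m.group("name").split(" -> ")[0],   # drop a symlink target if present
            "mtime": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y-%m-%d %H:%M"),
        })
    return entries


def newer_than(entries, baseline):
    """Names of non-directory entries modified after `baseline` (candidates like the post's two .apk files)."""
    return sorted(e["name"] for e in entries
                  if not e["mode"].startswith("d") and e["mtime"] > baseline)


def hidden_files(entries):
    """Names starting with '.' (what step 9 looks for in /system/xbin)."""
    return sorted(e["name"] for e in entries if e["name"].startswith("."))


def adb_ls(path):
    """Fetch `ls -l <path>` from the connected device via adb (needs USB debugging enabled, step 4)."""
    return subprocess.run(["adb", "shell", "ls", "-l", path],
                          capture_output=True, text=True, check=True).stdout


# Constructed sample listings for an offline run: the two .apk names are the ones from the post,
# everything else (other names, owners, sizes, timestamps) is made up.
SAMPLE_PRIV_APP = """\
-rw-r--r-- root     root      1234567 2015-06-30 10:15 Browser.apk
-rw-r--r-- root     root       987654 2015-06-30 10:15 Settings.apk
drwxr-xr-x root     root              2015-06-30 10:15 SomeDir
-rw-r--r-- root     root       411209 2015-12-12 14:03 playstoreupdate.apk
-rw-r--r-- root     root       300118 2015-12-12 14:03 Models.apk
"""
SAMPLE_XBIN = """\
-rwxr-xr-x root     shell       76620 2015-06-30 10:15 dexdump
-rwxr-xr-x root     root       512044 2015-12-12 14:03 .hidden_sample
"""
SAMPLE_BASELINE = datetime(2015, 12, 1)   # assumed ROM build date for the sample


def report(priv_app_listing, xbin_listing, baseline):
    """Return (priv-app files newer than baseline, hidden xbin files) for the two listings."""
    return newer_than(parse_ls(priv_app_listing), baseline), hidden_files(parse_ls(xbin_listing))


if __name__ == "__main__":
    # Usage: python ghostpush_check.py               -> runs on the embedded sample
    #        python ghostpush_check.py 2015-06-30    -> queries the device; pass the ROM build date
    if len(sys.argv) > 1:
        baseline = datetime.strptime(sys.argv[1], "%Y-%m-%d")
        suspects, hidden = report(adb_ls("/system/priv-app"), adb_ls("/system/xbin"), baseline)
    else:
        suspects, hidden = report(SAMPLE_PRIV_APP, SAMPLE_XBIN, SAMPLE_BASELINE)
    print("priv-app files newer than baseline:", suspects)
    print("hidden files in xbin:", hidden)
```

The output is a shortlist to look at, not a verdict: a legitimate OTA update also rewrites files under /system, so compare the names against what the ROM vendor ships before deleting anything, and pair the listing with the output of an antivirus scan as in step 7.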

Wednesday, 25 November 2015

Useful scripts - Processguard

Sometimes it is needed to watch a running process and, in case of termination, execute it again. Here is a simple WSH script which uses WMI to check the process name in the list of running processes, and if "Process1name" isn't found, "Process1cmd" is executed.
The script checks processes every 10 seconds (the Sleep call at the end of the script). The check runs in an infinite loop, so to terminate it you have to kill it in Task Manager (wscript.exe or cscript.exe).

Option Explicit

Dim strComputerName ' The computer name to be queried via WMI
Dim strWinMgt       ' The WMI moniker string
Dim Processes1      ' Holds the WMI result set
Dim Process         ' Loop variable over the result set
Dim Count1          ' Number of matching processes found
Dim WshShell

Const Process1name = "notepad.exe"            ' Process to watch (compared against Win32_Process.Caption)
Const Process1cmd  = "c:\windows\notepad.exe" ' Command to run when it is not found

Set WshShell = WScript.CreateObject("WScript.Shell")

strComputerName = "LOCALHOST"
strWinMgt = "winmgmts://" & strComputerName

' Poll forever; kill wscript.exe/cscript.exe in Task Manager to stop
Do
    Count1 = 0

    ' Ask WMI for processes whose Caption equals the watched name
    Set Processes1 = GetObject(strWinMgt).ExecQuery( _
        "Select * from Win32_Process where Caption=" & Chr(39) & Process1name & Chr(39))

    ' Count the matches
    For Each Process In Processes1
        Count1 = Count1 + 1
    Next

    ' Not running: start it again
    If Count1 = 0 Then WshShell.Run Process1cmd

    Set Processes1 = Nothing

    WScript.Sleep 10000
Loop Until False

Save the script to a file with a .vbs extension and HAVE FUN!

Monday, 6 April 2015

F15C fully finished

Revell plastic model F15C - Fully finished

See detailed photos of my model after months of hard work!