Sunday 13 December 2015

How to remove "Ghost Push" trojan from Android phone without reflashing ROM

Hello Android users.

Yesterday I experienced a "Ghost Push" trojan (also known as "Monkey Test" or "Time Service") infection directly from Google Play on my Prestigio phone with Android 4.4.2. After updating a couple of apps I noticed two new apps in the list which I hadn't installed (Hotvideo and 360Optimizer). Avast antivirus started to warn about enabled installation from unknown sources. The processes "engrils" and "MobileOcr" then pointed me to the trojan...

I found a lot of discussions about "Ghost Push" removal, but most described that antivirus apps can't remove it and ended with flashing the original ROM. I also tried the Ghost Push Removal Tool app, which found the trojan, but didn't help either. The problem was the "engrils" and "MobileOcr" system apps, which all tools failed to uninstall from the device.

Finally I found this article describing a removal procedure, but with phone rooting (still better than a trojan in the device).

I used a slightly different procedure, but it was successful as well. It took about 30 minutes:

1) Install a file manager on your device (e.g. Total Commander)
2) Disable Wifi and mobile data on the phone
3) Uninstall the unwanted applications
4) Enable Developer Options and USB Debugging Mode and connect to PC (link, link)
5) On PC install Minimal ADB and Fastboot (link)
6) Install and root device with KingoRoot (link)
7) With the file manager check for trojan files in the system/priv-app folder. For me it was playstoreupdate.apk and Models.apk (the files have a similar, recent creation date and time). For example Malwarebytes Anti-malware shows infected files with their full path in storage.
8) From the PC connect to the phone with ADB and run the following commands:
     adb devices                       # confirm the phone is listed
     adb shell
     su                                # root shell, requires the root from step 6
     mount -o remount,rw /system       # /system is mounted read-only by default
     cd /system/priv-app
     chattr -iaA playstoreupdate.apk   # clear immutable/append-only attributes, otherwise rm fails
     rm playstoreupdate.apk
     chattr -aA Models.apk
     rm Models.apk

9) If there are any hidden files (starting with ".") in the system/xbin folder, delete them as described in the article mentioned above. I had no such files on my device.
10) Reboot your device (trojan should be gone now)
11) Disable installation from unknown sources (if you don't use it)
12) Remove root by KingoRoot
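As an added example (not part of the original post), here is a small POSIX shell helper that applies the two signals the procedure above relies on: the "similar, recent creation date" heuristic from step 7, and the immutable/append-only attributes that make the chattr in step 8 necessary before rm works. It parses a constructed sample of `ls -l` output laid out like the Android 4.4 toolbox `ls`, and a constructed sample of busybox `lsattr` output (lsattr is assumed to come from busybox, like chattr on the rooted phone; the attribute strings in the sample are illustrative). It only lists and prints: the chattr/rm lines it emits are for review, not executed.

```shell
#!/bin/sh
# Added example, not part of the original post. Two helpers that apply the
# post's own detection signals to listings pulled from the phone:
#   - flag_recent: files in /system/priv-app modified on/after a cutoff date
#     (the "similar, recent creation date and time" heuristic from step 7)
#   - flag_locked: files carrying the immutable (i) / append-only (a, A)
#     attributes, which is why step 8 runs chattr before rm
# On a real phone the listings would come from
#   adb shell ls -l /system/priv-app
#   adb shell lsattr /system/priv-app
# (lsattr is assumed to be provided by busybox, like chattr on the rooted
# phone). The samples below are constructed for this example; the field
# layout follows the Android 4.4 toolbox `ls -l` and busybox `lsattr` output.

SAMPLE_LS='-rw-r--r-- root     root      2345678 2014-11-20 10:02 Contacts.apk
-rw-r--r-- root     root       987654 2014-11-20 10:02 Settings.apk
-rw-r--r-- root     root       512345 2015-12-12 14:31 playstoreupdate.apk
-rw-r--r-- root     root       401122 2015-12-12 14:31 Models.apk'

SAMPLE_LSATTR='----------------- /system/priv-app/Contacts.apk
----------------- /system/priv-app/Settings.apk
----i-a-A-------- /system/priv-app/playstoreupdate.apk
-----a-A--------- /system/priv-app/Models.apk'

# usage: ... | flag_recent YYYY-MM-DD
# Reads `ls -l` lines on stdin and prints the name of every file whose
# modification date (field 5) is on or after the cutoff. ISO dates compare
# correctly as strings, so no date parsing is needed.
flag_recent() {
    awk -v cutoff="$1" '$5 >= cutoff { print $NF }'
}

# Reads `lsattr` lines on stdin and prints "<name> <attrs>" for every file
# whose attribute string contains i, a or A. Such a file cannot be removed
# with a plain rm, even as root, until the attributes are cleared.
flag_locked() {
    awk '$1 ~ /[iaA]/ { n = $2; sub(/.*\//, "", n); print n, $1 }'
}

# usage: ... | removal_plan YYYY-MM-DD
# Dry run: prints, for review, the chattr/rm pair from step 8 for each file
# flag_recent selects. Nothing is executed on the phone.
removal_plan() {
    flag_recent "$1" | while read -r f; do
        printf 'chattr -iaA %s\n' "$f"
        printf 'rm %s\n' "$f"
    done
}

echo "== APKs modified on or after 2015-12-01 =="
printf '%s\n' "$SAMPLE_LS" | flag_recent 2015-12-01
echo "== APKs with immutable/append-only attributes =="
printf '%s\n' "$SAMPLE_LSATTR" | flag_locked
echo "== removal plan (review before typing it into adb shell) =="
printf '%s\n' "$SAMPLE_LS" | removal_plan 2015-12-01
```

The cutoff date is the one thing to choose per phone: a day or two before the unwanted apps appeared works well, because the original system APKs all carry the firmware build date, so anything newer stands out.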

I hope it helps you as well.
