Help with eliminating malware surviving a factory reset

Hi forum,

I have been dealing with adware that has survived two factory resets, and an image flash using these batfile flash instructions.

After each reset I kept the apps I installed to major brands or banks (I’ll admit it’s still possible I overlooked something), but I’m still getting full page ads inserted when loading up other apps, as well as notification ads masquerading as coming from apps that should never have ads. The pattern has been that the ads reappear 13 days after the reset. The symptoms seem to match the behaviour of CopyCat which circulated in 3rd party app stores in 2017, but which articles report never made it into the Play Store. However CopyCat is old, and all the antivirus apps are reporting I don’t have anything. And I’ve never downloaded apps from anywhere other than the Play Store.

So my questions for you are:

  1. How many partitions does this phone have and what are they?
  2. How many places could a malware hide if 1) I’ve never unlocked my bootloader and 2) I’ve never rooted my phone?
  3. What steps do I need, or which combination of instructions already posted here do I need to be sure I eliminate this thing on the next flash?

Welcome!

Not a good time. Sorry you are experiencing this.

We have A/B System and Super, so try cmd flashing once, letting it load up fully, login without restoring backups, flash again, and finally load without restoring backups or apps.

Use it 13 days and see. If it works fine, one of your user-installed apps is a trojan, which given how often new ones are found on Play Store, is unfortunately not impossible.

Edit:
Just for completeness, though it should not matter, make sure any microSD card you may have from prior usage is not installed during testing.

Is this tenable for you?

Thank you for your assistance!

I’m sorry to report this did not work. Although in rereading your post now I realize I did several things wrong. I restored from one of Android’s cloud backups (which for the record I have never done before). But my understanding there is that would only restore settings, SMS messages and call logs. I also installed apps, but with the tightest selection yet.

I did remove the microSD card, and did not put it back. I did flash twice, back to back, without restoring backups in between. I thought those were the key part.

I didn’t think I could function for two weeks with zero apps installed. If I had to do this again I guess I would look at borrowing a different phone to use for the 2 week period.

Apps:
Disney+
Netflix
Prime Video
Spotify
Walmart
Fitbit
Google Watch
Google Home
Google News
Google Slides
Google Clock
Google Authenticator
Discord
Firefox
Facebook
Facebook Messenger
Instagram
WhatsApp
LinkedIn
Microsoft OneNote
Microsoft Authenticator
Microsoft Outlook
TD Bank
CIBC Bank (there would be millions of Canadian customers up in arms if either of these two were spreading adware)

I feel silly now. I didn’t use or need most of those. But as you can see, none of them look particularly suspicious either. Harmful in other ways maybe, but not at fault for the adware.

Do you have any other suggestions? Would it help to know if the firmware partition is locked?


Yes, knowing if it is in locked/green state is important.

Yes, none of those look suspicious if they are the official apps from the Store, as you noted.
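
Added example, not part of any post in this thread: a shell sketch of the two checks discussed above, the locked/green boot state and whether each user-installed app was installed by the Play Store. Live use assumes `adb` with USB debugging enabled; the sample package list is constructed and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example: triage helpers for adb output. Sample data is constructed.

# Classify Android Verified Boot state from two boot properties:
#   $1 = ro.boot.verifiedbootstate (green|yellow|orange|red)
#   $2 = ro.boot.flash.locked      (1 = bootloader locked, 0 = unlocked)
boot_verdict() {
    case "$1:$2" in
        green:1)  echo "locked-green" ;;       # vendor key, verification passed
        yellow:1) echo "locked-custom-key" ;;  # locked, user-set root of trust
        orange:*) echo "unlocked" ;;           # verification not enforced
        red:*)    echo "verification-failed" ;;
        *)        echo "unknown" ;;
    esac
}

# Read `pm list packages -i -3` output on stdin and print the packages whose
# recorded installer is not the Play Store (com.android.vending).
non_play_packages() {
    sed -n 's/^package:\([^ ]*\) *installer=\(.*\)$/\1 \2/p' |
    awk '$2 != "com.android.vending" { print $1 }'
}

# Constructed sample output; the package names are made up.
SAMPLE_PM='package:com.example.bank  installer=com.android.vending
package:com.example.flashlight  installer=null
package:com.example.video  installer=com.android.vending
package:com.example.cleaner  installer=com.example.thirdstore'

# Live use against a connected device: sh triage.sh live
if [ "${1:-}" = "live" ]; then
    boot_verdict "$(adb shell getprop ro.boot.verifiedbootstate | tr -d '\r')" \
                 "$(adb shell getprop ro.boot.flash.locked | tr -d '\r')"
    adb shell pm list packages -i -3 | tr -d '\r' | non_play_packages
else
    boot_verdict green 1
    printf '%s\n' "$SAMPLE_PM" | non_play_packages
fi
```

A `locked-green` result only says the boot chain verified against the vendor's key; it says nothing about what the vendor-signed image itself contains, and `-3` skips preinstalled system packages.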

Hello! I just wanted to pop in here to say it appears multiple users are having this issue. Myself included.
https://www.reddit.com/r/AndroidQuestions/comments/1d9n0ut/popup_ads_in_random_apps_adware_solutions_ive/


Welcome!

Thanks for surfacing that discussion.

I have passed it along to the dev team to review, as we have not yet been able to replicate the user reports, but we have taken note of the few instances reported to us in the past.

Full disclosure: I am already in that thread. Though I do find it a weird coincidence that I am not alone in my struggle with this.

I think the next step is probably to use another kit to flash Android 12 or 13. Maybe security upgrades are the answer.


I assumed you were, and that is fine! You are counted with the other two or so reports, so no worries, and again, thanks for bringing that discussion to this Community.

Are you able to use our SPFlash method to flash Android 13 on it to test?

@jj004 @BalconyGardener7 - this is indeed a red flag. Can you install our Android 13 update and see if the Ads go away?

[Certified] Android 13.1.0 for Teracube 2e Emerald (SN:2021)
[Certified] Android 13.1.0 for Teracube 2e Zirconia (SN:2020)
