How to remove a Trojan from Android: getting rid of the virus

Virus threats have long gone beyond desktop computers and become commonplace on mobile devices. And the Android operating system, due to its prevalence, is attracting more and more attention from virus developers. Because of its popularity, it is the absolute leader in the number of Trojan infections. Therefore, in this article we will look at how to remove a Trojan from an Android phone or tablet .

It is important not to put off cleaning your device from viruses, because their actions are not limited to changing settings in phones and tablets. And the occurrence of lags and glitches is far from the worst thing that can happen. The Trojan threat is much more dangerous. It can intercept the user's personal data and forward it to the attacker. Not only logins and passwords for accounts on social networks and various services may be under attack, but also bank data linked to the device and personal photos. Therefore, you need to take timely measures and remove the Trojan virus from your Android phone or tablet.

What kind of viruses are these?

But let's start from the beginning. Often, when using various programs, the user encounters a number of problems. In most cases, these are pop-up windows that warn about threats from third-party programs. This is where the notorious HEUR:Trojan viruses come into play. These are the viruses that Sberbank Online often warns about. You might have seen another name, for example, Win32.Banker or AndroidOS.Agent.EB - these are all the same viruses.

What viruses are these and what threats do they pose? HEUR: Trojan combines particularly dangerous viruses for Android, iOS and Windows. The main feature is its fairly broad functionality, due to which the virus can penetrate the system quite deeply. This means that the threat level is quite high.

Such viruses are able to penetrate system files very quickly, and they can also masquerade as a regular file or application. However, antiviruses do not always warn about possible threats. Even a normal visit to the most harmless website can lead to infection with Trojans.

And what does all this mean?

The examples we've looked at demonstrate that the focus of some mobile device vendors can be shifted towards maximizing profits through all sorts of advertising tools. Even if these tools cause some inconvenience to the device owner. If advertising networks are willing to pay money for views, clicks and installs, regardless of their source, manufacturers are tempted to force advertising modules into devices - this will increase profits from each device sold.

Unfortunately, if a user purchased a device with such pre-installed “advertising,” it is often impossible to remove it without risk of damaging the system. We can only hope for enthusiasts creating alternative firmware for devices. But you need to understand that flashing the firmware can lead to loss of warranty and even damage the device.

In the case of those advertising modules that have not yet done anything malicious, the user can only hope that the developers will not accidentally, without knowing it, add advertising from some malicious affiliate network.

What does HEUR: Trojan do?

Like any virus, this family of Trojans has its own functions. So, for what purpose do they want to infect your device:

• Mass distribution of messages to numbers, especially to paid numbers, including confirmation of all kinds of subscriptions in order to intercept funds from accounts.
• Theft of personal data: passwords (mainly from bank cards and electronic wallets).

Sounds pretty dangerous? Fortunately, today many antivirus programs are already able to recognize this family of viruses. The most popular are Kaspersky, Dr.WEB, AVAST, etc.

Source localization

As a rule, most users learn about the installation of malware from the consequences: screen locking, loss of money from a linked bank card or SIM card, account theft, etc. At this stage, it is important to remember what events preceded your misfortune? Perhaps you received a link from a friend, an SMS message from an unknown contact, or perhaps you installed applications from unknown sources. You can read about the ways in which Trojans and other categories of malware get onto devices.

Where can you get the virus?

The most common cause of viruses is typical carelessness:

1. Downloading games that do not have a license, downloading media and audio files from dubious resources.
2. Visiting sites where there are many pictures, gif animations, and various links that are distributed like spam in email inboxes. In this case, catching a virus is as easy as shelling pears, since one click on the wrong button and the virus is activated immediately.
3. Transferring files between users, one of whom is already infected with a virus.
4. Clicking on suspicious links in SMS messages or emails.

What Trojans are most common:

• Agent.EB or Androidos.Boogr.Gsh allow you to install a special program that can introduce advertising into all third-party applications.
• AndroidOS.Agent is a type of virus that spreads via SMS, and it is used to create paid subscriptions to the same numbers.
• Generic.Miner.Gen is able to sell traffic, download various kinds of files and redirect to the desired address.
• Generic - this file is questioned by the virus system; this type also includes official applications in which programs that track information are found.

Unkillable xHelper and a Trojan matryoshka

It was the middle of last year that we detected the start of mass attacks by the xHelper Trojan on Android smartphones, but even now the malware remains as active as ever. The main feature of xHelper is entrenchment — once it gets into the phone, it somehow remains there even after the user deletes it and restores the factory settings. We conducted a thorough study to determine how xHelper's creators furnished it with such survivability.

Share of Kaspersky users attacked by the xHelper Trojan in the total number of attacks, 2019-2020 (download)

How does xHelper work?

Let's analyze the family's logic the currently active sample Trojan-Dropper.AndroidOS.Helper.h. The malware disguises itself as a popular cleaner and speed-up app for smartphones, but in reality there is nothing useful about it: after installation, the “cleaner” simply disappears and is nowhere to be seen either on the main screen or in the program menu. You can see it only by inspecting the list of installed apps in the system settings.

The Trojan's payload is encrypted in the file /assets/firehelper.jar (since its encryption is practically unchanged from earlier versions, it was not difficult to decrypt). Its main task is to send information about the victim's phone (android_id, manufacturer, model, firmware version, etc.) to https://lp.cooktracking[.]com/v1/ls/get…

Decrypting the URL for sending device information

…and downloading the next malicious module - Trojan-Dropper.AndroidOS.Agent.of.

This malware in turn decrypts and launches its payload using a bundled native library; this approach makes it difficult to analyze the module. At this stage, the next dropper, Trojan-Dropper.AndroidOS.Helper.b, is decrypted and launched. This in turn runs the malware Trojan-Downloader.AndroidOS.Leech.p, which further infects the device.

Leech.p is tasked with downloading our old friend HEUR:Trojan.AndroidOS.Triada.dd with a set of exploits for obtaining root privileges on the victim's device.

Decoding the URL of the Leech.p C&C

Downloading the Triada Trojan

Malicious files are stored sequentially in the app's data folder, which other programs do not have access to. This matryoshka-style scheme allows the malware authors to obscure the trail and use malicious modules that are known to security solutions. The malware can gain root access mainly on devices running Android versions 6 and 7 from Chinese manufacturers (including ODMs). After obtaining privileges, xHelper can install malicious files directly in the system partition.

Note here that the system partition is mounted at system startup in read-only mode. Armed with root rights, the Trojan remounts it in write mode and proceeds to the main job of starting the tellingly named script forever.sh. Triada employs its best-known tricks, including remounting the system partition to install its programs there. In our case, the package com.diag.patches.vm8u is installed, which we detect as Trojan-Dropper.AndroidOS.Tiny.d.

And several executable files get copied to the /system/bin folder:

• patches_mu8v_oemlogo - Trojan.AndroidOS.Triada.dd
• debuggerd_hulu —AndroidOS.Triada.dy
• kcol_ysy - HEUR:Trojan.AndroidOS.Triada.dx
• /.luser/bkdiag_vm8u_date – HEUR:Trojan.AndroidOS.Agent.rt

A few more files are copied to the /system/xbin folder:

• diag_vm8u_date
• patches_mu8v_oemlogo

A call to files from the xbin folder is added to the file install-recovery.sh, which allows Triada to run at system startup. All files in the target folders are assigned the immutable attribute, which makes it difficult to delete the malware, because the system does not allow even superusers to delete files with this attribute. However, this self-defense mechanism employed by the Trojan can be countered by deleting this attribute using the chattr command.

The question arises: if the malware is able to remount the system partition in write mode in order to copy itself there, can the user adopt the same strategy to delete it? Triada's creators also contemplated this question, and duly applied another protection technique that was involved modifying the system library /system/lib/libc.so. This library contains common code used by almost all executable files on the device. Triada substitutes its own code for the mount function (used to mount file systems) in libc, thereby preventing the user from mounting the /system partition in write mode.

On top of that, the Trojan downloads and installs several more malicious programs (for example, HEUR:Trojan-Dropper.AndroidOS.Necro.z), and deletes root access control applications, such as Superuser.

How to get rid of xHelper?

As follows from the above, simply removing xHelper does not entirely disinfect the system. The program com.diag.patches.vm8u, installed in the system partition, reinstalls xHelper and other malware at the first opportunity.

Installing programs without user participation

But if you have Recovery mode set up on your Android smartphone, you can try to extract the libc.so file from the original firmware and replace the infected one with it, before removing all malware from the system partition. However, it's simpler and more reliable to completely reflash the phone.

Bear in mind too that the firmware of smartphones attacked by xHelper sometimes contains preinstalled malware that independently downloads and installs programs (including xHelper). In this case, reflashing is pointless, so it would be worth considering alternative firmwares for your device. If you do use a different firmware, remember that some of the device's components might not operate properly.

In any event, using a smartphone infected with xHelper is extremely dangerous. The malware installs a backdoor with the ability to execute commands as a superuser. It provides the attackers with full access to all app data and can be used by other malware too, for example, CookieThief.

How to remove such viruses

The basic application from Sberbank may prompt you to remove the virus. However, even if the system sees the virus and offers to remove it, complete removal will not occur. A regular scan of antiviruses such as Dr.Web, AVG or Kaspersky will help solve the problem. These programs are suitable for both telephone and computer.

So what you need to do:

1. Delete applications that you did not download from the Play Market, and those that you no longer intend to use.
2. Download any anti-virus scanner, such as Kaspersky or Dr.Web.
3. Install the antivirus and run it so that the system scans the files.
4. We process all proposals for file deletion or treatment.
5. Launch the “Play Market Protection” option.

How to remove a Trojan from Android

Your antivirus detected a Trojan, but cannot remove it, or you noticed that the Android began to live its own life when it needs to shut down, often reboot, connect to Wi-Fi without permission, and constantly downloads something from the Internet. Maybe money is quickly disappearing from the account. However, it doesn’t matter, since you are here it means you need help removing the Trojan or detecting it.

Previously, it was possible to remove a Trojan from an Android only using a standard antivirus program, like all other viruses. Now, due to the rapidly growing number of fraud, virus attacks on mobile devices, narrow-profile computer programs, their developers began to remake them for Android systems. For the most common, open and not inherently unprotected system (a paradise for viruses), unlike the iPhone and Windows Phone. Such applications are focused on a specific type of Internet fraud (virus).

How to remove a Trojan virus

1. In addition to the standard antivirus, you can use a special application to identify and remove Trojans and spyware on your phone, the new Malwarebytes-Anti-Malware for Android.

2. Remove the Trojan with the Trojan Killer tool from the company CM (Cheetah Mobile), they also came up with Clean Master (cleaning and accelerating the system) and the antivirus CM Security. Like many Internet users, I am a fan of the developments of this company.