Olaf M

Soyes Android detection ID information

Hello,

I have recently come across a Chinese device where AVG reports two threats.

The device is a phone: Soyes S23 Pro mini. (This is practically a known scam; the device and the company lie about everything about this device, and malware preinstalled on this phone is not only known to happen but also expected. I have used a throwaway account to set this phone up, it does not have a SIM card and I do not intend to use it for anything unless I can remove the malware or reflash it.)

The threats AVG is reporting are:
- Updater: Detection ID 417e59d96da9
- MTK Thermal Manager as well: ID d5f9698e6567

The application does not provide any additional info on what those are.
Can we get more information about these two malicious applications?

Thank you.
Veeramani Sivakumar (Sitel)
Hello Olaf, 

Thank you for reaching the AVG support channel. We are sorry for the inconvenience caused. We will check and help you to learn about the AVG detection.

Could you please share with us a screenshot of the AVG detection? Then we can check and help you to resolve it. Also, please explain when you receive those detections: while accessing a specific program, or randomly?

You can post the screenshot here in your topic. Click on Answer & then click on the Image [mountain symbol] & follow the instructions. Thanks in advance.
Olaf M

Hello,
Thanks.
Here are the screenshots:
[Screenshots: detection id 1, detection id 2]

This is a brand new phone pulled out of the packaging. I did not install any additional software except the AVG app.
This malware comes pre-installed in the system by the manufacturer.
This is not new information. Soyes phones are known to contain malware, most commonly HiddenAds malware that seems to attempt to steal payment information and social media information.

All I did was download AVG app from the store and run a scan.
The malware cannot be removed by the AVG app; it redirects me to the Settings asking me to disable the malware apps, but the disable button is, well, disabled. :D It is grey and not clickable.
This is likely because the malware apps are system apps installed with elevated privileges by the manufacturer.

Are you able to find what the malware is based on the detection ids? I would like to know what we are dealing with here.

It is unlikely that it will be possible to remove them without rooting the device though.

Olaf M
I am also going to add that I tried a number of antivirus programs and these are my results:

AVG found 2 malware apps.
Eset did not find anything.
Avast can not be installed.
Malwarebytes can not be installed.
Norton Security can not run a free trial without a payment method. (Amazing work guys).
TotalAV found nothing, requires payment to scan for viruses (Great work guys).
McAfee can not be installed.
Bitdefender does not work without an account (Amazing).
Panda dome antivirus found nothing.
Avira nothing.
Kaspersky found nothing.
Arunchunarajan Kulothungan (Foundever)
Thank you for taking your most valuable time to write back to us, and we appreciate your efforts in sharing the screenshots.
We understand that you are facing an issue on a mobile device.
We do have a specialized team who deals with mobile queries.
We have escalated your case to the concerned team and they will get back to you via email and help further.
Thank you and keep us updated.
Olaf M
I was contacted by the mobile division of AVG support, thank you.
I also have some news that I think others might find useful:

The threats AVG is reporting are: (The app is updated to the latest version, these are re-checked results from today after checking for updates.)
- Updater: Detection ID 417e59d96da9
- MTK Thermal Manager as well ID d5f9698e6567
The IDs above come from the first scan, the next IDs are from today. (I suppose these are not always the same.)
- Updater: Detection ID 8b0c6ac0a020
- MTK Thermal Manager: Detection ID 0b5d824d9cff

Following the steps in AVG guide here:
https://support.avg.com/SupportArticleView?l=en&urlName=Android-AVG-AntiVirus-remove-malware&supportType=home#idt_011

1. Approach: An app is installed on the system level
Try to disable the app:
Not possible, the disable button is greyed out and can not be clicked.
The guide is asking me to reboot to safe mode. How do you reboot into a safe mode that allows app uninstallation on an Android device? I am not familiar with this on Android devices. (I work with Linux in IT and I am willing to experiment with this device; I can try to unlock the bootloader, boot into recovery or use the ADB shell to get any information or remove the malware. If you have any tips for that, feel free to send them over.)
Notifying the manufacturer is pointless. It is a Chinese company who installs malware intentionally. This is known already.

2. Approach: An app received the Device administrator permission
Follow these steps to disable the Device administrator:
Device Admin Apps does not have Updater or MTK Thermal Manager in the list.

3. Approach: An app blocks uninstallation
On the Malware detected tile, tap Uninstall and OK to confirm uninstallation.
The Uninstall option is not offered by the AVG app.
I have granted AVG all possible permissions and granted Accessibility permissions to the AVG service.

New results from scans:
V3 Mobile security: Updater detected: Trojan that attempts to leak personal information. Downloader/Android.Agent.1220136
Anti-virus Dr.Web Light: Updater detected: Android.Downloader.812.origin
None of these apps can remove it.

[Screenshots: detection id 1, detection id 2]
Abdul Kader (Foundever)
Thank you for taking the time to write back to us and sharing the screenshot, Olaf.
I can see that your case was already in progress with the mobile team and I added the additional information you have provided to your case.
Currently, they are working on this. 
You will get a reply from them as soon as possible.
We appreciate your patience and understanding.
Thank you and keep us updated. 
Olaf M
Update: The email communication was forwarded to someone else who has not yet replied.
In an effort to find out as much as possible about this device I scanned it with more antiviruses.
In case I eventually manage to clean it, I hope this information will be useful for someone else, since these little phones are actually kinda cute and would be useful if they did not have preinstalled malware.

None of the scans picked up anything about the MTK Thermal Manager app. And AVG so far has not told me what the ID corresponds to.

Trend micro: Does not work.
Security master: Found nothing
Sophos: Found Updater
Microsoft defender: Needs account
Antivirus AI: Found Updater
Play protect: Nothing
C-Prot: Nothing
Bitdefender free: Nothing
TrustD: Nothing
[Screenshots: screen 1, screen 2, screen 3, screen 4]
Abdul Kader (Foundever)
Thank you for your response and sharing the screenshot, Olaf.
I see that your concern was already escalated to our senior team.
Currently, they are working on your concern. Please expect an email from them as soon as possible. 
We appreciate your patience and understanding.
Olaf M

A little bit more information about this phone. It does not have a virus scan, but it shows how much of the information the manufacturer provides is fake, as well as the construction: https://www.youtube.com/watch?v=MNkMfap_LYo

This video is about a different Soyes phone that also comes with preinstalled malware. At 25:06 you can see the Updater screen (also seen in other reviews of Welcome devices) which is malware.

At 38:00 you can see Malwarebytes results with 5 detections. Including the updater. https://www.youtube.com/watch?v=RAeg1dxx8wI

Abdul Kader (Foundever)
Thank you for providing more information about the issue, Olaf.
Upon checking your AVG account, our senior team is already working on your concern, and I have mentioned this additional information in your case.
You will get a response from them soon.
We're doing our best to provide efficient support and minimize the response time. However, delays do occasionally happen, despite our best efforts.
Thank you for your patience and understanding. 
Olaf M
I have managed to pull all apks from the phone via adb and run them through VirusTotal.
These are the unique detections it found:
Android.Riskware.TestKey.rB, AdLibrary:Generisk
Android.Riskware.TestKey.rA, AdLibrary:Generisk
Android.Riskware.TestKey.rC, AdLibrary:Generisk
Android.Riskware.TestKey.rB, Android.PUA.DebugKey
APK:RepMalware [PUP], Android.Riskware.TestKey.rB, AdLibrary:Generisk
Android:DwPhon-A [Spy], Downloader/Android.Agent.1220136, TrojanDownloader:Android/Dwphon.72e7b8e7, Android:DwPhon-A [Spy], Android:Evo-gen [Trj], ANDROID/SpyAgent.FSKJ.Gen, Android.Riskware.TestKey.rB, apk.trojan.dwphon, Malicious (score: 99), Android.DownLoader.812.origin, a variant of Android/Spy.Dwphon.A, Malware.ANDROID/SpyAgent.FSKJ.Gen, Android/Dwphon.A!tr.spy, Detected, Trojan ( 0001140e1 ), HEUR:Trojan-Downloader.AndroidOS.Dwphon.a, Trojan.AndroidOS.Dwphon.C!c, Artemis!9FC9C9BE23E5, Trojan.Gen.MBT, Other:Android.Reputation.1, Android.Trojan-Downloader.Dwphon.Rgil, Android.Malware.Spyware, AndroidOS/ABRisk.YYKP-4, HEUR:Trojan-Downloader.AndroidOS.Dwphon.a

Since I cannot upload the whole report CSV file here, I put it on the XDA developers forum along with the scripts and howto.
The report contains file names, device path, android package name, virustotal urls and detections.
https://xdaforums.com/t/soyes-s23-pro-mini-chinese-phone-from-aliexpress.4681069/#post-89710379

I would like to know what these strings mean and which are confirmed malware. Except the last longest string, because that has already been identified.

MTKThermalManager.apk has been detected as APK:RepMalware [PUP], Android.Riskware.TestKey.rB, AdLibrary:Generisk
https://www.virustotal.com/gui/file/7518b9a1d30901f7342adcae7ecad99e2c275d94051a66b856b12b1f67533d6e/detection/f-7518b9a1d30901f7342adcae7ecad99e2c275d94051a66b856b12b1f67533d6e-1726211467
Syed Afroze Arfat Akbar (Foundever)
Thank you for writing back to us, Olaf.
I appreciate your efforts in sending us the information. I will certainly share this information with my senior team. They will certainly analyze this information and get back to you via email as early as possible.

Thank you for your understanding.
Olaf M

Hello,
So my ticket was transferred to an AVG Senior Support member who sent it further to specialists to investigate the situation thoroughly. Thank you.

This is the answer I was later sent:
Let me inform you that our specialist checked the issue further, and I can confirm that the Updater app is correctly detected as malicious due to suspicious DNS requests to adware URLs.

Regarding the MTK Thermal Manager, we register this one as a potentially unwanted application.
I understand your effort to get rid of these applications for safe use of this device, but in the case of applications that are pre-installed by the manufacturer we have no possibility to remove them, only to warn about them.

Meanwhile I found out how to remove the malware myself.

I also produced a clean system.img with the Updater app deleted which can be flashed back to the device using fastboot. The guide also includes steps how to download the whole firmware, including the tools.
The same steps will likely work even on other Soyes or Welcome devices as long as they use MTK processors.

I asked the specialist to help identifying what the other detection strings mean in case there are other suspicious files that should be removed.

Now I am going to leave the phone connected to the internet for a month with a spare SIM inserted, observe how it behaves and check whether any new apps have been installed, which would mean some undetected malware has survived.
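An added example (not from this thread, AVG, Soyes or the XDA scripts) of the two defensive steps described in the posts above: pulling every installed APK over adb and hashing it for a VirusTotal lookup, and snapshotting the package list so that any app installed during the month-long observation shows up as a diff. It assumes `adb` on the PATH with a USB-debugging-authorized device, APK paths without spaces, and uses a constructed package name in its test.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes adb is installed and the
# device is authorized for USB debugging; APK paths are assumed to contain
# no spaces (true for /system and /data/app paths on stock Android).
set -eu

# Parse one line of `adb shell pm list packages -f` output, e.g.
# "package:/system/app/Updater/Updater.apk=com.example.updater"
# (constructed sample), into "<apk path> <package name>".
parse_pm_line() {
    line=${1#package:}
    printf '%s %s\n' "${line%=*}" "${line##*=}"
}

# Build the VirusTotal lookup URL for a SHA-256 (a lookup, not an upload,
# so nothing leaves the analyst's machine).
vt_url() {
    printf 'https://www.virustotal.com/gui/file/%s\n' "$1"
}

# Pull every APK the device lists (system apps included, which is where a
# vendor-preloaded "Updater" lives) into $1 and print one report line per
# package: "<sha256> <device path> <package> <virustotal url>".
pull_and_hash() {
    outdir=$1
    mkdir -p "$outdir"
    adb shell pm list packages -f | tr -d '\r' | while read -r l; do
        set -- $(parse_pm_line "$l")
        path=$1; pkg=$2
        adb pull "$path" "$outdir/$pkg.apk" >/dev/null
        sum=$(sha256sum "$outdir/$pkg.apk" | cut -d' ' -f1)
        printf '%s %s %s %s\n' "$sum" "$path" "$pkg" "$(vt_url "$sum")"
    done
}

# Baseline the installed package list now; run new_packages against a
# later snapshot to see packages that appeared in the meantime.
snapshot_packages() { adb shell pm list packages | tr -d '\r' | sort > "$1"; }
new_packages() { comm -13 "$1" "$2"; }   # lines only in the newer file

# Usage: sh triage.sh pull [outdir]   (the adb steps only run on request)
if [ "${1:-}" = "pull" ]; then pull_and_hash "${2:-apks}" > apk_report.txt; fi
```

The report's hash column can be searched on VirusTotal directly, and a diff of two `snapshot_packages` files is the quickest way to confirm whether a cleaned device stays clean.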

Veeramani Sivakumar (Sitel)
Hello Olaf, 

Thank you for writing back to us and updating the status of your request. We see that you have already replied to our senior team. They will check and get back to you via email soon. If you need any further help with AVG, feel free to contact us at any time. We are happy to help you. Have a great day!