My Sony Xperia recently slowed down and upon checking the Running apps, 2 suspicious services are on the background named Time Service and Monkey Test. Surely this has made a monkey out of me and I have gone nuts trying to get rid of it. Luckily my phone is rooted and I have a clockworkmod backup. I have decided to restore from it to end my woes.
I want to share this Tutorial as a guide to help those who are stuck with this "unbreakable" virus and whose phone security has been compromised. Top anti-virus like Avast won't help as of this writing.
Para sa mga nabiktima at para na din sa mga watchmodes, eto mga nakalap ko at na-experience sa virus na ito. Remember, prevention is still the best solution. Sana makatulong:
Anong pakana ng gumawa nito?
Nagdodownload ito ng kung ano anong apps sabi nila, for those apps to gain popularity through unsolicited downloads.
Saan ito nakuha?
Sa kaso ko, sa Popslide pa yata tumawid. The worm virus was disguised as points-earner, ironicallynamed "data protection.apk" . Nung install ko na, it asked for system accessibility. By granting that privilege, the malware became an administrator and got full access of my phone. The virus has also disabled the option to revoke admin privilege.
Anong danyos nito?
Dahil magdodownload ito ng kung ano anong apks sa phone, babagal ang internet aside from the phone itself once multiple apps are installed by it.
How does it work?
The virus copies itself in the data/app and system/app dir and make itself a persistent service. In mycase it was ThemeManags.apk on the system/app and at least 2 more suspicious apks I did not install myself on data/app dir.
The apks installed in the user data directory cannot be uninstalled coz android won't allow to remove apps with admin privileges. The virus has effectively exploited this Android loophole.
Though my phone is rooted, I cannot delete the apks manually using File Managers as deleting from one folder only triggers regeneration through the apks from the other infected directory.
Factory reset didn't help since only the user data are wiped out by it. The worm virus just regenerate through the system directory which is left untouched by the factory reset.
Remedies that may work?
Temporary fix / damage-control:
Disable installation from "unknown sources" and use a firewall to block the virus from doing its work. I use "Android Firewall" and "Mobiwol" for rooted / non-rooted phone respectively. You can also try the Titanium Backup freeze approach if your phone is rooted. Remember to freeze all apks related to the virus. This only stops the virus from downloading and installing apps. The phone is still on compromised state and depending on the other "tricks" that this virus has, it may manifest further threat.
For non-rooted phones and with no plans to root, I don't think there's any other choice but to update or reflash your firmware. Consult your phone manufacturer how to individually go about with this procedure.
For rooted phones, simplest way is a full restore (user + system) from low-level backup like CWM. This will effectively rollback to an earlier state before the virus was installed. If you don't have a backup, reflash your custom firmware through CWM or similar recovery mode.
Good luck ka-PDs!
P.S. They say that "360 security" can remove this virus for rooted and non rooted though hindi ko pa natry. Download nyo na lang sa Google Play.