Operating System
Android 6.0.1
Device model
Samsung Galaxy Amp 2 (Model #: SAMSUNG-SM-J120AZ)
Current issues and symptoms
Apps installing without notification or permission and keep installing until I either shut of my wireless LAN connection or run out of space on my phone. First app is an app called "Games"; icon is a blue Playstation-looking controller against a white background. Second app is always the Starbucks app. Other apps get installed from there. I was able to determine the installations start after connecting to my wireless network. As long as I stay on the cellular network nothing happens. The problem seems to have started after I installed an App called "SD Maid" but I'm not 100% sure this was the triggering event.
Steps taken in order to remove the infection
I have followed the troubleshooting here: How To Remove Adware, Pop-up Ads and Viruses from Android Phone Specifically, I have tried uninstalling the apps that were being installed but more keep getting installed. I looked through my app manager with "show system apps" turned on to try and find any rogue apps and was unable to find any. I have run anti-virus (Security Master and AVG) and malware (Malwarebytes) apps (all found no issues and Malwarebytes real-time protection finds no issues with the apps that are being spontaneously installed on my phone). I've disabled Chrome and the Samsung app store, and not provided login credentials for my Google account in order to neutralize the Google app store. I've factory reset both my phone (several times) and my router (once). I have changed my Google password as well as my router's login and wireless passwords. I also checked my router's activity log and didn't find anything suspcisous but I'm not a network security professional so I could be overlooking something.

Marchwarden

New Member
Hey folks,

Hoping I could get some help with this issue I'm having with my phone. I'm getting unwanted, un-notified, and un-permitted installations of various apps. Through trial and error I found the issue happens only when I connect to my home wireless network (I haven't been able to try it on any other wireless LANs) but I have 6 other devices connected to the network (PCs, another phone of the same model, a tablet, a TV, and Blu-ray player) and none of them are having issues so I don't *think* it's an issue with my network.

Any help is appreciated. Thank you for taking the time to read and respond!
 

Spawn

Administrator
Staff member
Verified
Can you check the following;

Go to Settings > Security
> Device Administrators > Check for any suspicious look apps (or share a thumbnail screenshot)
> Unknown Sources > Disabled
 

Marchwarden

New Member
Thank you for the reply!

Unknown Sources is Disabled. As for device administrators, three are listed:

- Cricket Wi-Fi Manager (carrier app)
- Find my Device
- Google Play

All are set to "Off". I tried to find an app that locates hidden device administrators, but my searches just turn up anti-virus and anti-malware apps. I'm not sure if that feature is integrated into most of them these days or not.

I *suspect* that whatever the malware is also jacked some of my login information. I infrequently use a social media service and I had their app on my phone. I tried to log into it today from my PC and it wouldn't accept my password (I use a password manager so it couldn't have been a fat-fingered entry). Not sure if that helps target what kind of malware might be infecting my phone, but I thought it was worth mentioning.
 

Spawn

Administrator
Staff member
Verified
If you "suspect", change your passwords as soon as possible on a non-compromised device.

On a trusted device, please change your login credentials and a password reset for your social media accounts. If you no longer use them, terminate your account to minimize future problems/data leaks.

Google Account:
Microsoft Account:
Apple (iCloud) Account:
I recommend using a password manager to manage your login credentials. It can also generate complex passwords, auto-change saved passwords on supported sites, check against leaked/hacked logins. For most part, the Free version is sufficient, whereas the Premium tier offers more advanced features.
LastPass offers their own Authenticator app that can be synced to your LP account.
LastPass - LastPass Authenticator
 

Marchwarden

New Member
Thanks for the info! I did reset all the impoartant passwords that I had used on my phone when my phone originally got infected. I didn't bother with the social media one as it's wasn't critical for me and isn't linked into anything important so it couldn't have been used to breach any of my other accounts. I do use a password manager as well, so no worries there.

Any thoughts on the malware itself and what to do about it? The only next step I can think of is flashing my phone with the factory ROM (if I can find it) or buying a new phone.
 

Marchwarden

New Member
Hey, just wanted to update. I decided to go ahead and get a new phone. I was already looking to upgrade and since a ROM flash can be an iffy proposition I figured getting a new phone was the best route. I do apprecaite the help.
 

Marchwarden

New Member
So, I got the new phone... exact same thing is happening on it. I've got no idea what could possibly be going on. I did not transfer any data from the old phone to the new one. Anyone have any ideas?
 
Last edited:

Marchwarden

New Member
Sorry for the fourth post in a row, but I started playing around with the new and old phones and my router. I don't think it's an issue with my home network or any non-phone devices on it. When I use the router's access control to block my phones from internet access, the unwanted apps don't self-install. I played around with a number of permission and update settings on my old phone, connected it to the wifi, unblocked internet access and bam, the Samsung app store updated. This had happened before and I think triggered the unwanted apps to install but this time, nothing happened. I then started to gradually dial back the permission/update settings that I had changed and... still no weird app installs. I then went through my new phone (still not activated with my carrier) and tried to replicate the permission/update restrictions I put on my old phone and connected to my network... nothing. I then unblocked the phone on my router and it immediately registered with something (not sure what, the notification just said "registering device") and then, when it had finished that, all the unwanted apps started flooding onto the new phone again. I'm still stumped but I suspect the issue has something to do with Samsung, I'm just not sure what.

As of now my old phone is still connected to my wireless network and I'm gradually updating all the built in apps. So far so good; no problems. The new phone, however, is still messed up. Anyone run into anything like this before?
 

Spawn

Administrator
Staff member
Verified
I highly recommend deleting those unused accounts, which may hold some valuable information, ie. email addresses, phone number, contacts, full name and addresses, and shared location, logged IP.
I didn't bother with the social media one as it's wasn't critical for me and isn't linked into anything important so it couldn't have been used to breach any of my other accounts.
I don't think it's an issue with my home network or any non-phone devices on it.
[..]
I then unblocked the phone on my router and it immediately registered with something (not sure what, the notification just said "registering device") and then, when it had finished that, all the unwanted apps started flooding onto the new phone again.
[..]
I'm still stumped but I suspect the issue has something to do with Samsung, I'm just not sure what.
[..]
As of now my old phone is still connected to my wireless network and I'm gradually updating all the built in apps. So far so good; no problems. The new phone, however, is still messed up. Anyone run into anything like this before?
What kind of Apps are being installed?
Are you sure they're not pre-installed apps getting updated (ie. Facebook)?

Did you create a new Google account for the phone? Perhaps your old one is compromised.

If you have a PC, I would check Malware Removal Assistance For Windows
 
  • Like
Reactions: harlan4096

Marchwarden

New Member
To answer your questions:

What kind of Apps are being installed?
Are you sure they're not pre-installed apps getting updated (ie. Facebook)?
The apps being installed are random apps. There's an app called "Games" that gets installed, the Starbucks app, Candy Crush, and a variety of other apps. Neither phone came with any of these apps and I have never downloaded them from either the Google or Samsung app stores, so I'm positive they're not updates. Random apps will keep installing on the device until I either shut off the wireless connection or there is no free space left on the phone. I don't even get install notifications for these apps.

Did you create a new Google account for the phone? Perhaps your old one is compromised.
I did not create a new Google account but I don't think the Google account is the issue because this happens even when I do not link my phone to my Google account during initial set up after a reset. On both my old phone and new phone, starting from a fresh reset, I have skipped all setup steps relating to connecting to WiFi connections and adding accounts. Once I'm in my phone, if I connect to my wireless network (without adding any accounts to it) the apps will start downloading. In addition, when I look at my Google play account to see the list of apps that I've ever installed at one point or another, none of the self-installing apps show up. To me this indicates they're not coming through my Google account, but please correct me if I'm mistaken.

Just a quick recap here since I kinda machine-gunned out several posts in succession. At this point in time my old phone is working just fine. After keeping it disconnected from my wireless LAN for a couple of days, I reconnected it and re-linked my Google account. So far, since doing this, I've had no problems with apps self-installing. Right now it's the new phone that's having the issues. I have a third phone connected to the wireless LAN that is identical to my old phone. It has never had this problem and continues to function normally. I have two PCs connected to my LAN as well, both are 100% fine. No issues, no problems, no detected malware (I've got Avira on both PCs and it scans them weekly and has real-time protection turned on). I have a TV and a Blu-ray player connected to my network too, also no problems.

Strangely enough, I took the new phone with me while I was shopping the other day, connected it to the wireless network at a local Target, and just left it on and connected while I shopped. No apps were installed beyond a few updates to existing apps on the phone.

The only ideas I can come up with are:

1. There's some app or setting on these phones that prompted the downloads and I somehow managed to deactive it on my old phone but haven't figured it out on the new phone. - Seems most likely but doesn't explain why these apps didn't get installed when I connected to a different wireless network on my new phone.

2. Someone breached my router's firewall and is pushing these installs to my phone via my internet connection. - Possible but doesn't explain why 2 of my 3 phones are fine and just the one is having issues.

3. Some device on my network has some kind of hidden malware on it and is pushing it to my phone. - Also possible but still doesn't explain the selective device targeting.
 
Last edited:

upnorth

Level 29
Content Creator
Trusted
Verified
I normally don't intervene or disturb a case like this when others are working on it, but I do feel a small hint/tip about a very good Router Security site could at this time perhaps be helpful.
 
Last edited: